Policy modeling tool

With multiple applications and several access policies, it can be difficult for admins to determine the exact end-user app access result, that is, whether the end user is allowed or denied access to an application based on all the configurations.

The policy modeling tool (Access policies > Policy modeling) solves this problem by giving administrators full visibility into the expected app access results (allowed/allowed with restriction/denied) based on their existing configurations. Admins can check the access results for any user based on conditions such as device type, device posture, geo-location, network location, user risk score, and workspace URL.

To analyze the access policy configuration, perform the following steps.

  1. In the Secure Private Access console, click Access Policies and then click the Policy modeling tab.
  2. Add the following details:
    • Device type: Select the device type of the end user. (Desktop is selected by default.)
    • Domain: Select the domain associated with the user.
    • User name: Select the user name for which you want to analyze the applications and associated policies. This is applicable only if you have selected the Users tab.
    • Machine name: Enter the machine name based on which you want to analyze the applications and policies. This is applicable only if you have selected the Machines tab.
    • URL: Enter the app URL on which you want to analyze the access policy. This is applicable only if you have selected the URL tab.
    • Type: Select the app type.
    • IP:Port: Enter the IP and port number of the TCP/UDP app for which you want to analyze the access policy.

      The Type and IP:Port fields are applicable only if you have selected the IP/Port tab.

  3. You can also simulate a set of conditions/constraints on the end user and their devices.

    Note:

    Add the exact user conditions to fetch accurate results.

  4. Click Simulate conditions.
  5. Select the condition (Device posture, Geo-location, Network location, User risk score, and Workspace URL) and then select the associated value.
  6. Click the + sign to add more conditions.
  7. Click Apply.

The Application Access section displays a list of applications, associated policies, and rules for the selected user in a tabular format. You can edit the access policy, if necessary, by clicking the edit icon next to the application name. For details on editing an access policy, see Configure an access policy.

Policy modeling

Drilldown into access policies

In the Application Access section, you can click the eye icon next to the application to view the complete list of policies associated with the application. The Access Details page displays the list of all access policies and the priority order associated with the policies. This drilldown feature helps admins understand why a specific policy was applied and why others were not, providing a comprehensive view of the configuration.

For example, an app An-web has four configured policies:

Policy order

  1. The first two policies, in order of priority, did not match the conditions set by the admin, so they were not applied.
  2. The third policy, however, matched all conditions and was therefore applied.
  3. The fourth policy was not evaluated because it had a lower priority than the matched policy.
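The priority-ordered evaluation described above can be reproduced offline to reason about which policy shadows which. The following is an added example, not Citrix code or the product's API: the `Policy` class, the `model_access` function, the numeric priorities, the condition keys, and the four sample policies are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    priority: int      # assumption: lower number is evaluated first
    conditions: dict   # condition name -> required value; all must match
    action: str        # "allowed", "allowed with restriction" or "denied"

def model_access(policies, context):
    """First-match evaluation: return (policy name, action, trace)."""
    trace, applied = [], None
    for p in sorted(policies, key=lambda p: p.priority):
        if applied is not None:
            # A higher-priority policy already matched; this one is skipped.
            trace.append((p.name, "not evaluated"))
            continue
        mismatched = sorted(k for k, v in p.conditions.items()
                            if context.get(k) != v)
        if mismatched:
            trace.append((p.name, "not matched: " + ", ".join(mismatched)))
        else:
            applied = p
            trace.append((p.name, "applied"))
    if applied is None:
        return None, None, trace   # no policy matched the simulated conditions
    return applied.name, applied.action, trace

# Constructed sample: four policies on one app, as in the An-web example.
AN_WEB_POLICIES = [
    Policy("P1", 1, {"device_posture": "compliant", "geo_location": "US"}, "allowed"),
    Policy("P2", 2, {"network_location": "corp"}, "allowed"),
    Policy("P3", 3, {"device_posture": "non-compliant"}, "allowed with restriction"),
    Policy("P4", 4, {}, "denied"),   # catch-all, reached only if nothing above matches
]

# Constructed simulated conditions for one user and device.
CONTEXT = {"device_type": "desktop", "device_posture": "non-compliant",
           "geo_location": "US", "network_location": "external"}

if __name__ == "__main__":
    name, action, trace = model_access(AN_WEB_POLICIES, CONTEXT)
    for policy_name, outcome in trace:
        print(f"{policy_name}: {outcome}")
    print(f"Result: {action} (policy {name})")
```

The trace makes shadowing visible: the catch-all deny in `P4` is never reached for this user because `P3` matches first, which is the kind of ordering effect the Access Details page is meant to expose.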

The following figure displays the Access Details page for Allowed access action.

Policy access allowed

The following figure displays the Access Details page for Allowed access with restriction action.

Policy access with restriction
