Authorizing user access to application resources

You can control the resources that an authenticated user can access within an application.

To do this, associate an authorization policy to each of the users, either individually or by associating the policy to a group of users. The authorization policy must specify the following:

  • Rule. The resource to which access must be authorized. This can be specified by using basic or advanced expressions.
  • Action. Whether access to the resource must be allowed or denied.

By default, access to all resources within an application is DENIED to all users. However, you can change this default authorization action to ALLOW access to all users (by setting the session parameters in session profile or by setting the global session parameters).

Warning

For optimum security, Citrix recommends that you do not to change the default authorization action from DENY to ALLOW. Instead, it is advised to create specific authorization policies for users who need access to specific resources.

To configure authorization by using the CLI

  1. Configure the authorization policy.

    ns-cli-prompt> add authorization policy <name> <rule> <action>

  2. Associate the policy with the appropriate user or group.

    • Bind the policy to a specific user.
      ns-cli-prompt> bind aaa user <username> -policy <policyname>

    • Bind the policy to a specific group.
      ns-cli-promptbind aaa group <groupName> -policy <policyname>

To configure authorization by using the GUI (Configuration tab)

  1. Create the authorization policy.

    Navigate to Security > AAA - Application Traffic > Policies > Authorization, click Add and then define the policy as required.

  2. Associate the policy with the appropriate user or group.

    Navigate to Security > AAA - Application Traffic > Users or Groups, and edit the relevant user or group to associate it with the authorization policy.

Sample authorization configurations

Here are some example configurations to authorize user access to some application resources. Note that these are CLI commands. You can do similar configurations using the GUI, although you must not enclose the expression within quotes (“).

  • add authorization policy authzpol1 "HTTP.REQ.URL.SUFFIX.EQ(\"gif\")" ALLOW

  • bind aaa user user1 -policy authzpol1

  • add authorization policy authzpol2 "HTTP.REQ.URL.SUFFIX.EQ(\"png\")" DENY
  • bind aaa group group1 -policy authzpol2

Authorizing user access to application resources