Creating Policy Rules

Creating rules means building logic that checks a client's access to the site against defined conditions at the moment the user tries to access it. The TAC Access Policy Engine ensures that only compliant devices are able to access the sites and applications. This feature is critical for an organization that needs to maintain strict compliance of its corporate environment. The Access Policy Engine requires the TAC client services to be installed on client workstations so that device status can be detected. Device detection ensures that only authorized and verified devices are able to access the sites and applications.

Select the Global policy, or a policy that you created under User Defined, to configure its rules and actions in the right-hand pane. The Policy Engine guides you through each step in the right-hand pane, so you do not need to open multiple windows on your system.

Click Add Rules (add icon) in the Policy window on the right-hand side to add new rules to the created policy.

The top control bar holds specific actions; which of them are active depends on your configuration.

Under Rule Settings, you can change the rule name by modifying the Name Field.

The Enabled checkbox activates the rule. If you uncheck Enabled, the rule is no longer active for the policy. Select the Negative checkbox if you want to build negative logic into your rule construction. This option inverts the rule and marks the rule construction as Boolean false: the rule gives the opposite result, and the logical construction evaluates the final result based on the defined conditions and logical operators.

A rule is built from the logical construction IF, THEN and ELSE.

IF Section: A list of conditions separated by a logical operator.

THEN Section: An editable list of actions that are performed after the rule is evaluated. If the result of the test condition is positive, the actions in the THEN section are processed. If the Negative checkbox is checked in Rule Settings, the actions in this section are processed when the inverted result of the condition is met.

ELSE Section: An editable list of actions that are performed after the rule is evaluated. If the result of the rule condition does not meet the output expected by the THEN section, the actions defined in the ELSE section are processed.

Click Add Rule (icon) in the toolbar to add conditions to the rule. This takes you to the Condition Wizard, where you define the conditions for your rule.

Condition Wizard

The Condition Wizard allows you to create conditions for your access policies. The rule takes effect when the defined conditions are met. The Condition Wizard has two main access policy categories:

  • Functions: Functions provide access to the registry and the file system, such as reading a registry key and comparing it against given values, or checking whether a file exists. For better security, TAC only allows you to check registry parameters under the Software key in HKLM and HKCU.
  • Objects: Objects check the access policy against defined objects. Objects have three subcategories: Common, Device and Gateway. Each subcategory contains items that the condition checks against the defined rule.

Creating a Condition

The Condition Wizard walks you through the process step by step, allowing you to easily build logic by selecting what each step requires.

To create a condition, select the specific object in step 1. A short description is available for each object. Click  to proceed to Step 2.

In Step 2, select Object Properties for the object you selected in Step 1.  Click Next.

Select Expression in Step 3. Click Next.

Select Condition Value in Step 4. Click  to save and close.

You can see the conditions you have set at the top of the condition box in the Condition Wizard.

After defining the condition, you return to the Rule window. The defined condition is shown under IF. You may set multiple conditions for the rule. Select the Condition Operator, “AND” or “OR”, from the dropdown to combine two or more conditions. The default is “AND.”

Next, define the actions to perform in the rule if the conditions are satisfied. The available actions are:

Execute Inline Policy: This action is necessary when you want to create fairly complex logic with a different set of logical operations. In simple terms, if the condition is met, execute this policy; it works like a rule within a rule. For example: to allow access, you must verify that the device has either McAfee or Kaspersky antivirus and that it has been updated in the last 7 days. In this instance, add the condition “Antivirus updated last 7 days.” Selecting Execute Inline Policy opens the Inline Policy editor. There, create a rule with the two conditions: “IF McAfee is installed OR Kaspersky is installed, THEN allow.”

Set Flag: A flag is a variable string. You set a value here and read it in other rules to satisfy their conditions.

Remove Flag: Removes a flag set in another rule, or removes the string with the value defined in the field, so that conditions in other rules that depend on the flag are no longer satisfied.

Execute Policy: Select this action if you need to execute a policy that already exists in the configuration created with the Policy Engine. In addition to the Global policy, custom policies created by the admin can be selected from the dropdown list. To use this action, you must have configured policies previously. You cannot select the policy currently being edited.

Allow: Select this action if access should be allowed for the output of the condition.

Deny: Select this action if access should be denied for the output of the condition.

Define actions under the “THEN” and “ELSE” sections. THEN actions run when the criteria of the conditions in the IF section are satisfied (the test result is positive); ELSE actions run when the test result is negative. The administrator can use the same actions multiple times and can prioritize them using the keys next to each action:

To select an action, tick the checkbox of that action. The details of each action are as follows:

Execute Inline Policy

Executing an Inline Policy requires additional configuration and is used to construct complex logic for your environment. To configure the Inline Policy, click Edit in Execute Inline Policy. This opens the embedded Inline Policy designer. Unlike other policies, the name of the Inline Policy cannot be changed.

Here you create rules under the Inline Policy using the same steps used to create any rule. Click the add icon to add a rule.

In the Rule Wizard, define the rule properties, such as Rule Name, Enabled or Negative.

Click the add icon to add conditions to the IF section, then define your conditions.

Select the actions in the THEN and ELSE sections. You may select many actions in addition to the Inline Policy. You can nest Inline Policies by selecting Execute Inline Policy in each rule. However, this produces very advanced and complex logic; the user must keep an overall view of the policies and logic they build in order to get the intended final result.

After defining the rules for the Inline Policy, click Save to save the policy. You return to the main Rule window.

Note: Inline Policies are mostly used in predefined policies to control URL paths and query-string parameters, such as URL sets. These predefined policies ship with predefined URL sets for SharePoint, Exchange, etc.; Inline Policies are less often needed when creating custom policies in the real world.

Set Flag

Set Flag stores a string with a set value. The flag can be read in other rules to obtain the result of the rule that set it, and those rules then process their actions accordingly.

Select the Set Flag checkbox. Type a string in the Key field and define a value in the Value field. There are no restrictions on the Key and Value fields; they are variable strings that the administrator uses to set a flag for the condition.

Below is an example of Set Flag:

Rule #1:

If (user is Admin or user is Admin2) SetFlag (“UserAdmin”, “1”)

Rule #2:

If (Flag [“UserAdmin”] = “1”) then Allow

Else Deny.

Rule 1 stores the result of its condition in the UserAdmin flag with the value set. Rule 2 reads the flag: if its value matches, the output of the corresponding condition is reused and the Allow action runs; if the flag read in Rule 2 does not match, the Deny action applies. This avoids recreating the same rule for other purposes: a rule simply reads the flag to reuse the result of the condition that set it.
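To make the rule semantics above concrete (the IF/THEN/ELSE construction with the AND/OR operator and the Negative checkbox, the Set Flag and Remove Flag actions, an inline policy as a rule within a rule, and the restriction of registry checks to the Software key of HKLM and HKCU), here is a small Python model. It is an added illustration, not the Policy Engine's own code: the Rule, Policy and Context classes, the helper names, the sample device facts, the in-memory registry and the hypothetical ExampleAV key are all constructed. That rules run in listed order and the last Allow or Deny to fire becomes the decision is an assumption of this model, not documented product behaviour.

```python
"""Toy evaluator for the IF / THEN / ELSE rule model described on this page.
Constructed illustration; not the Policy Engine's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Only the Software key under HKLM and HKCU may be checked (documented restriction).
ALLOWED_REGISTRY_ROOTS = ("HKLM\\SOFTWARE\\", "HKCU\\SOFTWARE\\")

# Constructed stand-in for the client's registry; the key name is hypothetical.
FAKE_REGISTRY = {"HKLM\\SOFTWARE\\ExampleAV\\LastUpdateDays": 3}


@dataclass
class Context:
    device: Dict[str, object]                     # facts reported by the client
    flags: Dict[str, str] = field(default_factory=dict)
    decision: Optional[str] = None                # last Allow/Deny that fired (assumption)


Condition = Callable[[Context], bool]
Action = Callable[[Context], None]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    then: List[Action] = field(default_factory=list)
    otherwise: List[Action] = field(default_factory=list)
    operator: str = "AND"     # Condition Operator from the dropdown; default AND
    enabled: bool = True      # unchecked Enabled = rule is skipped
    negative: bool = False    # Negative checkbox inverts the IF result

    def evaluate(self, ctx: Context) -> None:
        if not self.enabled:
            return
        results = [cond(ctx) for cond in self.conditions]
        outcome = all(results) if self.operator == "AND" else any(results)
        if self.negative:
            outcome = not outcome
        for action in (self.then if outcome else self.otherwise):
            action(ctx)


@dataclass
class Policy:
    name: str
    rules: List[Rule]

    def run(self, ctx: Context) -> Optional[str]:
        for rule in self.rules:           # rules evaluated in listed order (assumption)
            rule.evaluate(ctx)
        return ctx.decision


# --- conditions -----------------------------------------------------------
def device_is(key: str, value: object) -> Condition:
    return lambda ctx: ctx.device.get(key) == value

def flag_equals(key: str, value: str) -> Condition:
    return lambda ctx: ctx.flags.get(key) == value

def registry_at_most(path: str, limit: int) -> Condition:
    # Refuse any path outside HKLM\SOFTWARE or HKCU\SOFTWARE before building the check.
    if not path.upper().startswith(ALLOWED_REGISTRY_ROOTS):
        raise ValueError(f"registry path outside allowed roots: {path}")
    return lambda ctx: FAKE_REGISTRY.get(path, 10**9) <= limit

# --- actions --------------------------------------------------------------
def set_flag(key: str, value: str) -> Action:
    def act(ctx: Context) -> None:
        ctx.flags[key] = value
    return act

def remove_flag(key: str) -> Action:
    def act(ctx: Context) -> None:
        ctx.flags.pop(key, None)
    return act

def allow(ctx: Context) -> None:
    ctx.decision = "allow"

def deny(ctx: Context) -> None:
    ctx.decision = "deny"

def execute_policy(policy: Policy) -> Action:
    # Inline policy: nested rules run against the same context (a rule within a rule).
    return lambda ctx: policy.run(ctx)


# Rule #1 and Rule #2 from the Set Flag example, plus the antivirus inline policy.
AV_INLINE = Policy("inline", [
    Rule("vendor check",
         [device_is("antivirus", "McAfee"), device_is("antivirus", "Kaspersky")],
         operator="OR", then=[allow], otherwise=[deny]),
])

GLOBAL = Policy("Global", [
    Rule("mark admins",
         [device_is("user", "Admin"), device_is("user", "Admin2")],
         operator="OR", then=[set_flag("UserAdmin", "1")]),
    Rule("admins allowed",
         [flag_equals("UserAdmin", "1")], then=[allow], otherwise=[deny]),
    Rule("admin AV updated in last 7 days",
         [flag_equals("UserAdmin", "1"),
          registry_at_most("HKLM\\SOFTWARE\\ExampleAV\\LastUpdateDays", 7)],
         then=[execute_policy(AV_INLINE)], otherwise=[deny]),
])


def decide(device: Dict[str, object]) -> Optional[str]:
    """Run the Global policy for one client's facts and return the final decision."""
    return GLOBAL.run(Context(device=dict(device)))
```

Calling decide({"user": "Admin2", "antivirus": "McAfee"}) returns "allow", while a non-admin or an admin running an antivirus outside the inline policy's vendor list ends in "deny". The registry helper rejects a path such as HKLM\SYSTEM at rule-build time, which is the point at which a policy editor should refuse a check the product would not permit.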

Remove Flag

The counterpart of the Set Flag action: it removes a flag that was previously set in another rule.

Execute Policy

This action allows you to select a policy already created with the Policy Engine. Select Execute Policy and choose the policy from the dropdown list.

Allow: This action allows access if the conditions in the rule are satisfied.

Deny: This action denies access if the conditions in the rule are satisfied.

NOTE: When defining actions, the administrator should be very cautious and plan carefully, as misconfigured rules may give unexpected results for end users.

Next, click Save to save the rule. This exits the Rule Wizard and brings you back to the Policy window.

You may edit, remove or move the rules and conditions later using the control bar of the window.

The rules you have created are listed under the Policy window. When you select a rule, a summary of its structure is shown at the bottom. This view makes it easier to read the rules than opening each rule in the designer and analyzing its contents.

Next, click Save to save the policy. This exits the Policy window and brings you to the Solution page.

Click Save to save the configuration. This validates your rule structure. If there are any misconfigurations, an error is displayed on saving. Otherwise, you get the following confirmation:

Note: It is important to click Save in every window to keep your changes. Failing to do so in any window may result in the loss of changes to the configuration.

Additionally, defining a rule is a one-way process. As you move from Policy -> Rule -> Conditions, the previous window becomes inactive and remains grayed out until you save or close the current window. You cannot make changes in the Policy window while you are in the Add Rule or Add Condition window; you must save or exit the child windows to get back to the parent windows in the Policy Engine. This ensures no data is lost while generating a policy in the Policy Engine.

Once you click Save in the Solution window, the Policy Engine can be closed. Otherwise you will see the prompt shown below:

Click Yes to discard the changes. Click No to go back and save the changes.

Read more:

How to apply a policy to a Site or Application