Engineer's Note: Access Rules are Clearlogin's new replacement for Security Filters and Access Policies.
As of today (March 14, 2016), all current accounts' Security Filters and Access Policies have been automatically migrated to this new standard. Unless you need to add or modify a configuration that you already had, there is no need for administrator intervention.
Access Rules are designed to make managing Identity Source permissions much easier for your IT administrators.
Before creating a new Access Rule, you should have the following in mind:
A. Will this Access Rule be used to allow or deny users?
B. Which users am I allowing or denying access (individual users, groups of users, etc.)?
C. Do I need to restrict access from or to certain IP addresses?
D. Is Multifactor Authentication necessary/required?
E. Will this Access Rule only apply at certain times of the day/week?
Now that you have answered those questions, it's time to create your Access Rule(s):
- Log into https://admin.clearlogin.com and on the left sidebar, select Settings and then click on Access Rules.
- Click on the green plus button that says Add New Access Rule.
- Under Name, enter a brief description of what this Access Rule will do (e.g., allowing or denying access to specific users). Under the Policy dropdown menu, select whether this Access Rule is Allowing Access or Denying Access. Under Multifactor Authentication (MFA), select your MFA method if you require one (otherwise, make sure "Not Required" is selected).
- Next up is the Who section. By default, you will see that the Everyone search filter is enabled. If this Access Rule does not apply to all users, click on the red X button to remove the Everyone search filter. Note: The Everyone search filter applies to all configured Identity Sources.
There are four ways to configure which users your Access Rule will apply to if it doesn't apply to everyone. Each of the methods below only works if you have a matching Identity Source configured:
A. LDAP Filters, which can be configured by clicking on the purple plus button that says LDAP Filter.
B. Clearlogin Directory (CLD) Filters, which can be configured by clicking on the purple plus button that says Clearlogin Directory Filter.
C. Google Apps Filters, which can be configured by clicking on the purple plus button that says Google Group.
D. Clicking in the Specific Users text field and either typing in each user's e-mail address or by selecting each one in the dropdown list that appears after clicking the field.
You are welcome to use any combination of the above within an Access Rule to define which users the Access Rule will apply to.
- After configuring your search filters you will be presented with the When section. The When section defines when everything configured on this page applies. By default it's set to 24 hours/day, 7 days/week.
If you don't want your Access Rule to apply at all times, click on the red X button next to the Time Window and then click on the purple plus Add Time Window button to create a new Time Window.
You can configure multiple Time Windows if needed.
- Next we have the Where section. Where is used to define what IP addresses your users will be allowed access from.
Just like the previous sections, Where is set to all or "everywhere" by default. This is defined by the "0.0.0.0" CIDR (Classless Inter-Domain Routing) entry, which matches every IP address.
Naturally you can click on the red X button next to a CIDR in order to remove it. Make sure to do this if you don't want this Access Rule to apply everywhere.
Click on the purple plus button that says Add CIDR in order to add your own. You can of course add multiple CIDRs.
Generally a CIDR would be used to restrict access to certain locations (e.g., only allowing your users to log in from your organization's office), but it can also be used to restrict access from certain locations (e.g., not allowing your users to log in from home). Which of the two you get is determined by whether you selected "Allow Access" or "Deny Access" under Policy in the What section.
You can also configure which Identity Sources this Access Rule will apply to from the Specific Identity Sources field. Clicking in the field will bring up a dropdown menu of Identity Sources that you currently have created. (IE: You may have Google Apps, Clearlogin Directory and Active Directory Identity Sources, but you may only want this Access Rule to apply to your Google Apps and Clearlogin Directory users.)
- Finally you should have arrived at How, the last section.
How is used to determine whether or not an Access Rule is Stackable and what its Priority on the stack is. It can also be used to enable or disable an Access Rule by checking or unchecking the Enabled checkbox, as pictured below.
Stackable rules will be applied, sorted by priority, until no rules are found or until a non-stacking rule is found. After applying the non-stacking rule, no further rules will be applied.
The Priority can be changed through the Priority dropdown menu. All Access Rules set to the same Priority will be handled at the same time.
By default, Access Rules are not Stackable, so make sure to check the Stackable checkbox if you want the rule to stack.
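The following Python model is an added illustration of how the Who, When, Where, Stackable and Priority settings described above could combine during evaluation; it is not Clearlogin's code. It assumes that only rules whose conditions match count, that each matching rule's Policy and MFA setting override the previous one, that nothing matching means access is denied, that the "everywhere" entry is written 0.0.0.0/0, and that a Time Window is just an hour range.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessRule:
    name: str
    policy: str                                # "Allow Access" or "Deny Access"
    users: set = field(default_factory=set)    # empty set models the Everyone filter
    cidrs: tuple = ("0.0.0.0/0",)              # "everywhere" default (assumed /0 notation)
    hours: tuple = (0, 24)                     # Time Window as [start, end) hours, 24/7 default
    mfa: str = "Not Required"
    stackable: bool = False
    priority: int = 1
    enabled: bool = True

    def matches(self, user: str, ip: str, when: datetime) -> bool:
        """True when the Who, Where and When conditions all hold for this login."""
        if not self.enabled:
            return False
        if self.users and user not in self.users:
            return False
        addr = ipaddress.ip_address(ip)
        if not any(addr in ipaddress.ip_network(c) for c in self.cidrs):
            return False
        start, end = self.hours
        return start <= when.hour < end


def evaluate(rules, user: str, ip: str, when: datetime) -> dict:
    """Walk matching rules by Priority; stop after the first non-stackable one (assumption: default deny)."""
    result = {"allow": False, "mfa": "Not Required", "applied": []}
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(user, ip, when):
            continue
        result["allow"] = rule.policy == "Allow Access"
        result["mfa"] = rule.mfa
        result["applied"].append(rule.name)
        if not rule.stackable:        # non-stacking rule ends the stack
            break
    return result


# Constructed sample rules (example addresses from documentation ranges)
SAMPLE_RULES = [
    AccessRule("Office network", "Allow Access", cidrs=("203.0.113.0/24",), stackable=True, priority=1),
    AccessRule("Finance MFA", "Allow Access", users={"alice@example.com"}, mfa="TOTP", stackable=True, priority=2),
    AccessRule("Guest Wi-Fi blocked", "Deny Access", cidrs=("198.51.100.0/24",), stackable=False, priority=3),
]
```

Run `evaluate(SAMPLE_RULES, "alice@example.com", "203.0.113.10", datetime(2016, 3, 14, 10))` to see both stackable allow rules apply with TOTP required, while a login from 198.51.100.5 stops at the non-stackable deny.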
- Congratulations! You have successfully created a new Access Rule!
Your new Access Rule should take effect immediately.
You can test your new Access Rule by using the Test All Access Rules box.