
Skyhigh Security

Configure Private Access Policy Rules

Configure the policy rules to enforce controlled access to private applications. You create private access policy rules by specifying criteria, an operator, a value, and an action. You can define up to five levels of nesting within a parent rule. An error is shown if the rule name is empty or exceeds 200 characters. Nested rules can themselves contain other nested rules, resulting in a hierarchy of rules.

Skyhigh Private Access evaluates the access policy rules from top to bottom using the first-match principle. Each rule evaluates to true or false based on the criteria, value, and action specified in it, so make sure all these fields contain valid inputs. A rule is triggered only when all of its conditions evaluate to true. Within a parent rule, you can drag and drop a rule to move it from one level to another.

NOTE: Before creating an access policy rule, you should first configure the device profile and private applications.

Create and Configure a Private Access Policy
  1. Go to Settings > Policy > Access Control > Private Access Policy.
  2. Click New Rule.
    The options for selecting the elements of the new rule appear below the existing rules.
  3. Complete the following fields to create an access policy rule:
    • Name. Enter a name for the policy.
    • Criteria. Select a criterion from the list and click OK. Add multiple criteria to a single rule and view the logic applied to the selected criteria.
      • Application. Select a private application created on the Private App page. For more details, see Add Application.
      • Application Tag. Select a private application group created on the Private App page. For more details, see Add Application.
      • Device Profile. Specify device attributes such as operating system, OS version, firewall policy, antivirus status, file path, and registry information (Windows devices). For more details, see Configure Device Profiles.

        NOTE: Select Device Profile as a criterion to validate device posture.
         
      • Location. Configure authentication methods based on location. A location can include one or more sites within a region or across multiple regions. For more details, see Location.
      • Process Name. Enter the name of the process running on the client machine.
      • User Name. Select a user from the list to apply the rule.
      • User Group. Select a user or user group from the list to apply the rule.

        The following criteria are supported for client-based and clientless access:

        Criteria         Client-Based Access   Clientless-Based Access
        Application      Supported             Supported
        Application Tag  Supported             Supported
        Device Profile   Supported             Not supported
        Location         Supported             Not supported
        Process Name     Supported             Not supported
        User Name        Supported             Supported
        User Group       Supported             Supported
    • Operator. Select the operator for the chosen criterion.
    • Value. Enter a value based on the selected criterion.
    • Action. Select the action to apply when the policy is triggered:
      • Allow. Allow private application traffic.
      • Block. Block private application traffic.
      • Allow Web Policy. Apply configured Web Policy rules to private application traffic. For more information about Web Policy, see Web Policy.
      • Allow with DLP. Apply Web Policy and DLP rules to private application traffic. For more information about DLP, see Data Loss Prevention.
      • Isolate. Apply Remote Browser Isolation (RBI) to private application traffic. For more information about RBI, see Remote Browser Isolation (RBI).
    • Enter. Create a new child rule.

NOTE: 

  • Private Access policy actions such as Isolate, Allow with DLP, and Allow with Web Policy are only supported for HTTP/HTTPS (TCP) traffic. If any of these actions is configured for another protocol (UDP, RDP, SSH, etc.) in the Private Access policy, Skyhigh Private Access automatically blocks the traffic for that protocol.
  • For UDP-based applications, only the Allow action is supported. If one of the other actions (Isolate, Allow with Web Policy, or Allow with DLP) is configured, the Private Access policy automatically blocks the traffic.
  4. Use the On/Off toggle to enable or disable the rule (On to enable, Off to disable).
  5. Click the three-dot menu icon to view the following options:
    • Add New Condition
    • Add Nested Rule
    • Delete the rule
  6. Click Add Nested Rule to create a child rule, if required.
    • Add New Condition. Adds a new condition (criterion). Select a criterion from the list and click OK. You can specify multiple criteria for a single rule and view the logic applied to the selected criteria.
    • Add Nested Rule. A nested-rule icon marks each nested rule; click it to expand or collapse the nested rule. You can nest rules up to four levels deep inside a policy rule. You must configure criteria, a value, and an action for each child rule. The parent's Action option changes to Enter when you add a child rule, and the action to be performed is specified on the child rules.
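As an added illustration (not Skyhigh's code), the following Python model applies the evaluation semantics described on this page: top-to-bottom first match, all conditions of a rule must be true, child rules are reached only through a triggered parent, and the HTTP-only actions fall back to Block for other protocols. The sample policy, the request fields, the fall-through when no child matches, and default deny when nothing matches are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Per the note above, these actions apply only to HTTP/HTTPS (TCP) traffic;
# for any other protocol the policy blocks the traffic instead.
HTTP_ONLY_ACTIONS = {"Allow Web Policy", "Allow with DLP", "Isolate"}
HTTP_PROTOCOLS = {"HTTP", "HTTPS"}

@dataclass
class Rule:
    name: str
    conditions: dict                      # criterion -> required value
    action: Optional[str] = None          # None stands for "Enter" (has children)
    children: list = field(default_factory=list)

def is_triggered(rule: Rule, request: dict) -> bool:
    # A rule fires only when every one of its conditions evaluates to true.
    return all(request.get(crit) == val for crit, val in rule.conditions.items())

def first_match(rules: list, request: dict) -> Optional[Rule]:
    # First match wins, scanning top to bottom. Children are consulted only
    # after their parent fired. Assumption: if no child matches, scanning
    # continues with the parent's next sibling (the page does not spell this out).
    for rule in rules:
        if not is_triggered(rule, request):
            continue
        if rule.children:
            hit = first_match(rule.children, request)
            if hit is not None:
                return hit
            continue
        return rule
    return None

def decide(rules: list, request: dict) -> tuple:
    # Returns (effective action, name of the deciding rule or None).
    # Assumption: when no rule matches, access is denied.
    rule = first_match(rules, request)
    if rule is None:
        return "Block", None
    if rule.action in HTTP_ONLY_ACTIONS and request["protocol"] not in HTTP_PROTOCOLS:
        return "Block", rule.name          # HTTP-only action on non-HTTP traffic
    return rule.action, rule.name

# Constructed sample policy (not a real tenant's configuration).
POLICY = [
    Rule("Finance bastion", {"application": "finance-bastion", "user_group": "Finance"},
         action="Allow"),
    Rule("Managed devices", {"device_profile": "managed-windows"}, children=[
        Rule("HR portal with DLP", {"application": "hr-portal"}, action="Allow with DLP"),
        Rule("Other apps isolated", {}, action="Isolate"),   # empty conditions: always true
    ]),
]
```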


NOTE: 

  • If you test the SSH connection with PuTTY before authenticating to the Private Access Dashboard, your initial SSH connection fails (Not Authenticated) and your browser automatically launches to force you to authenticate first. Once you complete the authentication, the next SSH connection you attempt works.
  • If you can make the SSH connection without SAML authentication, SCP Auth is being used to identify and authenticate the user.
  7. Configure criteria, value, and action for the nested rule.
  8. Repeat adding nested rules as needed (up to four levels).
  9. Save the policy changes.
  10. Click Publish to apply the changes to the cloud immediately, or continue editing and publish later.
  11. After publishing, access private applications using the Skyhigh Private Access Dashboard.

WARNING: Skyhigh recommends that you do not disable the Private Access policy in the policy tree. Disabling the policy skips policy evaluation and allows access to all private applications, regardless of the configured rules.
