
Skyhigh Security

Tenant Restriction

The tenant restriction rules block users from accessing sanctioned cloud services through their personal accounts, while allowing access to these services through the accounts that you configure.

The tenant restriction rules support the following sanctioned cloud services. To configure each tenant restriction rule, you need the application-specific details listed below.

  • Amazon Web Services (AWS) — Allowed AWS Account IDs
  • Box — Allowed Box subdomains and allowed user email address domains
  • Dropbox — Allowed Dropbox Team IDs
  • Google — Allowed user email address domains
  • Microsoft Office 365 — Directory ID of your Azure Active Directory instance and allowed user email address domains
  • Slack — Allowed Slack Team IDs

To block access to personal accounts, you configure the accounts that users are allowed to access. Web requests sent to these accounts are allowed. All other requests are blocked.

  1. On the user interface for Secure Web Gateway, select Policy > Web Policy > Policy.
  2. From the policy tree, select Application Control > Tenant Restriction.
  3. Optionally configure criteria to limit the scope of this rule set.
  4. Select each tenant restriction rule that you want to apply. For each selection, configure the accounts that are not blocked by entering a string of one or more comma-separated values. Spaces are not allowed. Then click Save.
    • Block personal instances of Amazon Web Services — Enter the AWS account IDs that are not blocked.
    • Block personal instances of Box
      1. Enter the Box subdomains that are not blocked. If your domain name is forestry.box.com, enter the subdomain: forestry.
      2. Enter the user email address domains that are not blocked.
    • Block personal instances of Google — Enter the user email address domains that are not blocked.
    • Block personal instances of Microsoft Office 365
      1. Enter the Directory ID of your Azure Active Directory instance.
      2. Enter the user email address domains that are not blocked.
    • Block personal instances of Dropbox — Enter the Dropbox Team IDs that are not blocked.
    • Block personal instances of Slack — Enter the Slack Team IDs that are not blocked.

Changes to the policy tree, rule sets, or rules are automatically saved. You can publish them to the cloud now or keep working and publish later.
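
Because every request to an account that is missing from these fields is blocked, it helps to check the values before entering them. The following is an added example, not Skyhigh Security code: a hypothetical helper, build_allow_list, that turns a list of values into the comma-separated, space-free string the rule fields expect. The kind names and the loose format checks for domains, subdomains and team IDs are assumptions; the 12-digit AWS account ID and GUID Directory ID formats are standard.

```python
import re

# Format checks per value kind. AWS account IDs (12 digits) and Directory IDs
# (GUIDs) have fixed formats; the other patterns are deliberately loose
# assumptions that mainly reject spaces, commas and obvious typos.
LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
CHECKS = {
    "aws_account_id": re.compile(r"\d{12}"),
    "directory_id": re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I),
    "email_domain": re.compile(rf"({LABEL}\.)+[a-z]{{2,63}}"),
    "box_subdomain": re.compile(LABEL),
    "team_id": re.compile(r"[^\s,]+"),  # Dropbox / Slack Team IDs
}


def build_allow_list(kind, values):
    """Return the comma-separated string to enter for one rule field.

    Raises ValueError naming every bad entry, so a malformed value is caught
    before it is saved and published.
    """
    pattern = CHECKS[kind]
    cleaned, bad = [], []
    for raw in values:
        value = raw.strip()
        if kind in ("email_domain", "box_subdomain"):
            value = value.lower()
        if kind == "box_subdomain" and value.endswith(".box.com"):
            value = value[: -len(".box.com")]  # forestry.box.com -> forestry
        if not pattern.fullmatch(value):
            bad.append(raw)
        elif value not in cleaned:  # drop duplicates, keep first-seen order
            cleaned.append(value)
    if bad:
        raise ValueError(f"invalid {kind} value(s): {bad!r}")
    if not cleaned:
        raise ValueError(f"{kind}: at least one value is required")
    return ",".join(cleaned)


if __name__ == "__main__":
    # Constructed sample values, not real account identifiers.
    print(build_allow_list("aws_account_id", ["123456789012", " 210987654321 "]))
    print(build_allow_list("box_subdomain", ["forestry.box.com"]))
```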
