Manage Prisma Access Browser Policy Rules

Learn how to manage policy rules for Prisma Access Secure Enterprise Browser (Prisma Access Browser).
Where Can I Use This?
  • Strata Cloud Manager
  • Prisma Access Browser standalone
What Do I Need?
  • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
  • Superuser or Prisma Access Browser role
To see the rules from Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Rules.
You can use Rules to specify the Users, User Groups, and Device Groups that will be impacted by the various policies you create. These rules govern access to web applications, security policies, and customization options. By utilizing rules, you can precisely control user access to organizational tools and components.
Each Rule is composed of different parameters and controls, so that you can create finely tuned Rules for each use case. Each Rule type has its specific contents and requirements.
Rules are applied according to their priority, which is their order on the Policy Rules page. The Policy Engine checks each Rule in turn until it finds a match. Once a match is found, the engine stops the search.
You have three available Rule types in the Prisma Access Browser. The components are displayed on each tab's Policy Rules page.
For each Rule type, the Rules are evaluated according to their priority. The first Rule that matches all the requirements is the one that is enforced. Once this happens, the browser stops looking for Rules.
For example, the following Access & Data Control rules have been configured:
Rule 1: Scope - Mike (a member of the General Contractors Users group)
Web application - linkedin.com
Access to the named web application - Allowed
Data controls - File Download - Blocked
Rule 2: Scope - Gowri (a member of the General Contractors Users group)
Web application - linkedin.com
Access to the named web application - Allowed
Data controls - File Upload - Allowed, When contains - email address
Rule 3: Scope - Summer Interns Users Group
Web application - linkedin.com
Access to the named web application - Blocked
Rule 4: Scope - General Contractors Users Group
Web application - linkedin.com
Access to the named web application - Allowed
Data controls - File Upload - Blocked
Mike will be allowed to access linkedin.com. However, he’ll be blocked when he tries to download a file, since his action matches Rule 1.
When he tries to upload a file, the Policy Engine will see that Rule 1 does not apply. It then will move on to check the next Rule. Rule 2 does not apply due to the Data controls. Rule 3 does not apply to Mike, as he is outside the Rule's scope. Rule 4 will block Mike from uploading on linkedin.com.
As long as there is no matching rule, the Policy Engine will keep checking. When it reaches the end of the list, the action will proceed, as there is no rule to apply.
Rule | Scope               | Access to linkedin.com | Download | Upload  | When contains
1    | Mike                | Allowed                | Blocked  |         |
2    | Gowri               | Allowed                |          | Allowed | email address
3    | Summer Interns      | Blocked                | -        | -       | -
4    | General Contractors | Allowed                |          | Blocked |
Mike wants to download a file from linkedin.com.
  • Rule 1 applies, and the download is Blocked. Policy Engine stops looking for rule matches.
Mike wants to upload a file to linkedin.com.
  • Rule 1 does not apply (The rule is for downloads). Policy Engine continues.
  • Rule 2 does not apply (Mike is out of scope). Policy Engine continues.
  • Rule 3 does not apply (Mike isn't a Summer Intern). Policy Engine continues.
  • Rule 4 applies, and the upload is Blocked. Policy Engine stops looking for rule matches.
Gowri wants to upload a file to linkedin.com.
  • Rule 1 does not apply (Gowri is out of scope). Policy Engine continues.
  • Rule 2 applies - but only if the upload includes an email address; if not, Policy Engine continues.
  • Rule 3 does not apply (Gowri isn't a Summer Intern). Policy Engine continues.
  • Rule 4 applies, and the upload is Blocked.
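
The evaluation order walked through above, as an added example (not Palo Alto Networks code): a simplified first-match model of the four example rules that also records why each earlier rule was skipped. The rule fields, the content tags, and the user "Sam" are assumptions made for illustration.

```python
# Added illustration: simplified first-match model of the example rules.
# Field layout and matching details are assumptions, not the product's schema.
GROUPS = {"Mike": {"General Contractors"}, "Gowri": {"General Contractors"},
          "Sam": {"Summer Interns"}}  # "Sam" is a constructed user

# (id, scope, app, access, data-control action, control verdict, "when contains")
RULES = [
    (1, "Mike", "linkedin.com", "Allowed", "download", "Blocked", None),
    (2, "Gowri", "linkedin.com", "Allowed", "upload", "Allowed", "email address"),
    (3, "Summer Interns", "linkedin.com", "Blocked", None, None, None),
    (4, "General Contractors", "linkedin.com", "Allowed", "upload", "Blocked", None),
]

def evaluate(user, app, action, content=(), rules=RULES):
    """Return (verdict, matched rule id or None, trace of skipped rules)."""
    trace = []
    for rid, scope, rapp, access, ctl, ctl_verdict, needs in rules:
        if scope != user and scope not in GROUPS.get(user, set()):
            trace.append((rid, "out of scope"))
        elif rapp != app:
            trace.append((rid, "different web application"))
        elif access == "Blocked":
            return "Blocked", rid, trace   # no access, so no file actions either
        elif action == "access":
            return access, rid, trace
        elif ctl != action:
            trace.append((rid, f"no {action} control"))
        elif needs is not None and needs not in content:
            trace.append((rid, f"content lacks {needs}"))
        else:
            return ctl_verdict, rid, trace  # first match wins; stop searching
    return "Proceed", None, trace           # end of list: no rule to apply

if __name__ == "__main__":
    requests = [("Mike", "download", ()), ("Mike", "upload", ()),
                ("Gowri", "upload", {"email address"}), ("Gowri", "upload", ())]
    for user, action, content in requests:
        print(user, action, evaluate(user, "linkedin.com", action, content))
    # Priority matters: with Rule 4 moved to the top, Gowri's upload is blocked.
    reordered = [RULES[3]] + RULES[:3]
    print(evaluate("Gowri", "linkedin.com", "upload", {"email address"}, reordered))
```

Because an unmatched request proceeds, a user outside every rule's scope is not restricted by this list.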

Control the Rules List

Three control icons on the right side of each rule appear only when hovering over an existing rule. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Rules and hover over an existing rule.
  1. Edit - opens the rule for editing.
  2. Display the Rule Menu. This menu provides the following options:
    • Set to Monitoring (Access & Data Control Rules only) - allows admins to toggle the rule mode if needed. Monitoring allows admins to see the effects of the rule before it is actually enabled.
    • Set to disabled / enabled - toggles the rule on or off.
    • Clone - creates a copy of the rule.
  3. Delete - deletes the rule.

Edit Rules

On occasion, Rules need to be edited based on changing circumstances and conditions. Editing Rules in the Talon browser is a simple process that is available for admins for all Rule types.
  1. On the Policy Rules page, filter the list to display the rules of a particular type, and if needed, continue the filtering to make it easier to find the rule that needs to be edited.
  2. Click the pencil icon (edit).
  3. Edit the rule according to the new requirements.

Delete Rules

There are rare occasions when a rule needs to be deleted. It could be that the rule is no longer required, that a new rule covers the same requirements, or that the underlying scope is no longer applicable.
NOTE: When a rule is deleted, it is no longer available, and any conditions that the rule established will no longer exist.
  1. On the Policy Rules page, filter the list to display the rules of a particular type, and if needed, continue the filtering to make it easier to find the rule that needs to be deleted.
  2. Open the Rule Menu and select Delete.
  3. Delete at the prompt.
  4. The rule will be removed from the list.