Prisma Access Browser
Manage Prisma Access Browser Policy Rules
Table of Contents
Expand All
|
Collapse All
Prisma Access Browser Docs
Manage Prisma Access Browser Policy Rules
Learn how to manage policy rules for Prisma Access Secure Enterprise Browser (Prisma Access Browser).
Where Can I Use This? | What Do I Need? |
---|---|
|
|
To see the rules from Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyRules.
You can use rules to specify the users, user groups, and device groups that
will be impacted by the various policies you create. These rules govern access to
web applications, security policies, and customization options. By utilizing rules
you can precisely control user access to organizational tools and components.
Each Rule is composed of different parameters and controls so that you can
create finely tuned Rules for each use case. Each Rule type has its specific
contents and requirements.
You have three available Rule types in the Prisma Access Browser. The
components are displayed on each tab's Policy Rules page.
For each Rule type, the Rules are evaluated according to their priority.
The first Rule that matches all the requirements creates the trigger that will be
enforced. When this happens, the browser stops looking for Rules.
Example with Access & Data Control rules:
Rule 1: Scope - Mike (a member of the General Contractors Users
group)
Web application - linkedin.com
Access to the named web application AllowedData controls - File
Download - Blocked
Rule 2: Scope -Gowri (a member of the General Contractors Users
group)
Web application - linkedin.com
Access to the named web application - AllowedData controls - File
Upload - Allowed When contains - email address.
Rule 3: Scope - Summer Interns Users Group
Web application - linkedin.com
Access to the named web application -Blocked
Rule 4: Scope - General Contractors Users Group
Web application - linkedin.com
Access to the named web application - AllowedData controls - File
Upload- Blocked
Mike will be allowed to access linkedin.com, however, he’ll be blocked when
he tries to download a file since his action matches Rule 1.
When he tries to upload a file, the Policy Engine will see that Rule 1 does
not apply. It then will move on to check the next Rule. Rule 2 does not apply due to
the Data controls. Rule 3 does not apply to Mike, as he is outside the Rule's scope.
Rule 4 will block Mike from uploading on linkedin.com.
As long as there is no matching rule, the Policy Engine will keep checking.
When it reaches the end of the list, the action will proceed according to the
default rule, as there is no other rule to apply.
Rule | Scope | Access to linkedin.com | Download | Upload | When contains |
1 | Mike | Allowed | Blocked | ||
2 | Gowri | Allowed | Allowed | email address | |
3 | Summer Interns | Blocked | - - - - - - | - - - - - - | |
4 | General Contractors | Allowed | Blocked |
Mike wants to download a file from linkedin.com.
- Rule 1 applies, and the download is Blocked. Policy Engine stops looking for rule matches.
Mike wants to upload a file to linkedin.com.
- Rule 1 does not apply (The rule is for downloads). Policy Engine continues.
- Rule 2 does not apply (Mike is out of scope). Policy Engine continues.
- Rule 3 applies, and the upload is Blocked. Policy Engine stops looking for rule matches.
Gowri wants to upload a file to linkedin.com.
- Rule 1 does not apply (Gowri is out of scope). Policy Engine continues.
- Rule 2 applies - but only if the upload includes an email address; if not, Policy Engine continues.
- Rule 3 does not apply (Gowri isn't a Summer Intern). Policy Engine continues.
- Rule 4 applies, and the upload is Blocked.
Control the Rules List
- Edit - Opens the rule for editing.
- Display Presents the items from the Rule Menu. This menu provides the following options:
- Set to Monitoring (Access & Data Control Rules only) - Allows admins to toggle the rule mode if needed. Monitoring allows admins to see the effects of the rule before it is actually enabled.
- Set to disabled / enabled - Toggles the rule on or off.
- Clone - Creates a copy of the rule.
- Delete - Delete the rule.
Edit Rules
On occasion, rules need to be edited based on changing circumstances and
conditions. You can edit all rule types in the Prisma Access Browser.
- On the Policy Rules page, filter the list to display the rules of a particular type, and if needed, continue the filtering to make it easier to find the rule that needs to be edited.Click the pencil icon (edit).Edit the rule based on the new requirements.
Delete Rules
There are rare occasions when a rule needs to be deleted. It could be that the rule is no longer required, or that a new rule covers the same requirements, or that the underlying scope is not longer applicable.NOTE: When a rule is deleted, it is no longer available, and any conditions that the rule established will no longer exist.- On the Policy Rules page, filter the list to display the rules of a particular type, and if needed, continue the filtering to make it easier to find the rule that needs to be deleted.Open the Rule Menu and select Delete.Delete at the prompt.The rule will be removed from the list.