Use sign-in rules to determine which users and devices have access to Prisma Access Browser. The Sign-in Rules page displays information about existing sign-in rules:
Priority—The priority order for rule enforcement.
Mode—Indicates whether the rule is active or disabled.
Name—Identifies and describes the rule.
Users—The users and user groups associated with each rule.
Device groups—The device group associated with each rule.
Network & Location—The specific networks and geolocations associated with the rule.
Action—The action Prisma Access Browser takes for users and devices matching the rule: Allow, Block, or Prompt the user.
Updated—Last updated date for the rule; hover to see the full timestamp.
When you create a sign-in rule, you define the scope of the rule. When a user attempts to access Prisma Access Browser, the browser compares the scope of the rules in order until it finds a rule that matches the user and device, and then it enforces the corresponding access rule. In some cases, you may want a sign-in rule to block Prisma Access Browser for users and devices that match its scope. For example, suppose the scope of the rule matches a device group for devices with a specific OS, and you do not want to allow access to devices that are still running that OS. In that case, you would set the sign-in rule to block access for users that match it. In other cases, you might want to allow users that match the sign-in rule access to Prisma Access Browser. For example, suppose the scope of the rule matches users in a specific user group and in a device group that only admits devices running a specific OS version, presenting a specific client certificate, and having active endpoint protection. In this case, you might want the matching sign-in rule to allow access to Prisma Access Browser. The way you create your user groups and device groups (including the corresponding device posture rules you enforce at the device group level) informs how you will want to create your sign-in rules.
When a user attempts to access the browser, Prisma Access Browser evaluates the sign-in rules in top-down order until it finds a match for the user and device, and then it enforces the corresponding sign-in rule. If the user and device do not match any of the defined sign-in rules, Prisma Access Browser enforces the Default sign-in rule, which is an allow rule.
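The top-down, first-match evaluation described above, as an added illustration in Python (not code from Prisma Access Browser or Palo Alto Networks): a small rulebase evaluator that honours rule priority, the active/disabled Mode, the scope dimensions (users and groups, device groups, networks in single-IP or CIDR form, location) and the Default allow fall-through. The rule names, group names and addresses are constructed samples, and how an unset scope field behaves is an assumption noted in the code.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SignInRule:
    """One sign-in rule; fields follow the Sign-in Rules page columns."""
    name: str
    action: str                  # Allow, Block or Prompt
    active: bool = True          # Mode: active or disabled
    users: set = field(default_factory=set)         # user names or user-group names
    device_groups: set = field(default_factory=set)
    networks: list = field(default_factory=list)    # "94.45.21.1" or "129.144.9.8/29"
    locations: set = field(default_factory=set)     # from location services, else GeoIP

    def matches(self, user, groups, device_group, ip, location):
        # Assumption: an empty scope field does not restrict; every field that is
        # set must match for the rule as a whole to match.
        if self.users and not self.users & ({user} | set(groups)):
            return False
        if self.device_groups and device_group not in self.device_groups:
            return False
        if self.networks:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(n, strict=False) for n in self.networks):
                return False
        if self.locations and location not in self.locations:
            return False
        return True

def evaluate(rules, user, groups, device_group, ip, location):
    """Walk the rulebase in priority order: the first active rule whose scope
    matches decides; no match falls through to the Default allow rule."""
    for rule in rules:               # list order is the Priority column
        if rule.active and rule.matches(user, groups, device_group, ip, location):
            return rule.name, rule.action
    return "Default", "Allow"

# Constructed sample rulebase, highest priority first.
RULES = [
    SignInRule("Block legacy OS", "Block", device_groups={"Legacy OS"}),
    SignInRule("Allow finance compliant", "Allow", users={"finance"},
               device_groups={"Compliant laptops"}, networks=["129.144.9.8/29"]),
    SignInRule("Prompt contractors", "Prompt", active=False, users={"contractors"}),
]

if __name__ == "__main__":
    # A legacy device hits the Block rule first, even for a finance user on the office network.
    print(evaluate(RULES, "bob", ["finance"], "Legacy OS", "129.144.9.10", "US"))
```

Note that the disabled Prompt rule never matches, so a contractor on a compliant laptop falls through to the Default allow; that is why the text suggests keeping a new rule disabled until the rulebase is ready.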
There are two ways to create sign-in rules: one for managed devices and one for
unmanaged devices, as described in the following sections.
Create a Sign-in Rule for Managed Users
To create a sign-in rule for managed users:
1. Select Manage > Prisma Access Browser > Policy > Sign-in Rules and click Add rule.
2. Enter a Name for the rule.
3. Set an Action, which can be Active or Disabled. You can change the Action at any time. You may want to keep the rule disabled until you are ready to launch the new rulebase.
4. Click Next: Scope and then define the match criteria for the rule. Select one or more of the following options to define the scope of the sign-in rule:
Users/User groups—Select the users and user groups that this sign-in rule matches for access to Prisma Access Browser.
Device groups—Select the device groups that this sign-in rule matches for access to Prisma Access Browser.
Networks—Select the public networks the device must be attached to in order to access Prisma Access Browser. Use one of the following formats to specify the network: 94.45.21.1 or 129.144.9.8/29.
Location—Select the geolocation from which to allow sign-in to Prisma Access Browser. If location services are not enabled on the device, Prisma Access Browser uses GeoIP.
5. Click Next: Action.
6. Set the action for the sign-in rule:
Allow—Allow access to Prisma Access Browser for users and devices that match the defined rule scope.
Block—Block access to Prisma Access Browser for users and devices that match the defined rule scope.
Prompt—Notify users that match the sign-in rule scope that their Prisma Access Browser is blocked by default, but allow them to bypass the block and continue to the browser.
7. Save the rule.
Create a Sign-in Rule for Unmanaged Users
Unmanaged device users are responsible for their own devices. Whenever they face a posture compliance issue, the user must manage the issue on their own because they do not have access to the corporate IT department. To help unmanaged users better navigate access issues, you can create a special type of sign-in rule that provides information about the compliance issue that is preventing access to Prisma Access Browser.
The following limitations apply to this feature: the default rule action is either Block or Prompt, and each user has only one allow rule in one device group.