Creating a custom policy

Policies can be thought of as advanced, identity and application-aware firewall rules. Policies define who has access to your services (Sockets).

Each time a user tries to access a Socket, our platform will evaluate all policies that are attached to the Socket. The verdict is the cumulative result of all policies. If no policies match or no policies are attached to a Socket, no access will be granted.

Organization wide policies and regular policies

A policy can, optionally, be marked as an Organization wide policy. This means it will automatically be applied to all Sockets in your organization.
A regular policy needs to be explicitly linked to a Socket.

JSON format

The JSON below shows an example policy. As you can see, it has two high-level sections:

  1. Actions, i.e., what action is allowed
  2. Conditions, i.e., under what conditions it is allowed

In the example below, the actions include

  • database
  • ssh
  • HTTP

meaning access to SSH, database and HTTP sockets is allowed.
In the condition section, we have three categories:

  1. Who
  2. Where
  3. When

{
    "version": "v1",
    "action": [
        "database",
        "ssh",
        "http"
    ],
    "condition": {
        "who": {
            "email": [
                "[email protected]"
            ],
            "domain": [
                "example.com"
            ]
        },
        "where": {
            "allowed_ip": ["0.0.0.0/0", "::/0"],
            "country": [
                "NL",
                "CA",
                "US",
                "BR",
                "FR"
            ],
            "country_not": [
                "BE"
            ]
        },
        "when": {
            "after": "2022-10-13",
            "before": null,
            "time_of_day_after": "00:00:00 UTC",
            "time_of_day_before": "23:59:59 UTC"
        }
    }
}

In summary, the policy above allows access to SSH, database and HTTP services under the following conditions:

  • The user identity needs to have authenticated either with an email ending in example.com or as [email protected]
    AND
  • The IP address the user is visiting from should be in the range 0.0.0.0/0 or ::/0 (any IPv4 or IPv6 address).
    AND
  • The user should come from one of these countries: NL, US, CA, BR, FR, and not from BE (the country_not list)
    AND
  • The time of day should be any time between 00:00:00 UTC and 23:59:59 UTC (any time)
    AND
  • This policy is valid after 2021-12-31; there is no end date.
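As an added example that is not part of the original documentation, the following Python evaluator applies a policy in the JSON layout above to a single access request: the who, where and when sections are ANDed together, and the verdict is deny when no attached policy matches. It assumes that the "cumulative" verdict means access is granted when any attached policy matches, that the after date is inclusive, and that the sample e-mail address and request values are constructed placeholders.

```python
import ipaddress
import json
from datetime import date, datetime, time, timezone

# Constructed sample policy in the layout shown above (the e-mail address is a placeholder).
SAMPLE_POLICY = json.loads("""{
  "version": "v1",
  "action": ["database", "ssh", "http"],
  "condition": {
    "who": {"email": ["alice@example.org"], "domain": ["example.com"]},
    "where": {"allowed_ip": ["0.0.0.0/0", "::/0"],
              "country": ["NL", "CA", "US", "BR", "FR"], "country_not": ["BE"]},
    "when": {"after": "2022-10-13", "before": null,
             "time_of_day_after": "00:00:00 UTC", "time_of_day_before": "23:59:59 UTC"}
  }
}""")

def _tod(value):
    """'HH:MM:SS UTC' -> time; the page only shows UTC values."""
    return time.fromisoformat(value.split()[0])

def policy_matches(policy, action, email, ip, country, now_iso):
    """True when every condition section (who AND where AND when) accepts the request."""
    if action not in policy["action"]:
        return False
    who, where, when = (policy["condition"][k] for k in ("who", "where", "when"))
    # who: exact e-mail address OR the address's domain is listed
    domain = email.lower().rsplit("@", 1)[-1]
    if email.lower() not in map(str.lower, who.get("email", [])) and domain not in map(str.lower, who.get("domain", [])):
        return False
    # where: source address inside an allowed range, country allow-list, then country deny-list
    addr = ipaddress.ip_address(ip)
    if not any(addr in ipaddress.ip_network(net) for net in where.get("allowed_ip", [])):
        return False
    if where.get("country") and country not in where["country"]:
        return False
    if country in where.get("country_not", []):
        return False
    # when: date window (after/before, null = open-ended; 'after' assumed inclusive) and UTC time-of-day window
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    if when.get("after") and now.date() < date.fromisoformat(when["after"]):
        return False
    if when.get("before") and now.date() > date.fromisoformat(when["before"]):
        return False
    return _tod(when["time_of_day_after"]) <= now.time().replace(microsecond=0) <= _tod(when["time_of_day_before"])

def evaluate(policies, action, email, ip, country, now_iso):
    """Default deny: grant only if at least one attached policy matches (assumed: cumulative = any)."""
    return any(policy_matches(p, action, email, ip, country, now_iso) for p in policies)
```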

Visual Policy editor

Next up we need to attach this Policy to one or more Sockets. This can be done from the Policy Tab in the Policy view.


Attach a Policy to one or more Sockets.