The policy script operates in addition to the regular authentication options, Intranet Only and Require Strong Authentication. Either the script or these options can determine that an application is blocked or that stronger authentication is needed.
You can reference three kinds of data in a policy script to determine whether a user can access an application or if the user needs to provide more authentication credentials.
- Application: You specify an attribute of the application to indicate which application you’re referring to. For example, to use the type of web application, you’d use application.Get("WebAppType"). When referring to an application, you use a Get function with the same attribute names as the columns in the Application table. You can see these columns in the Data Dictionary, which is available on the Reports page when building a report.
- Context: You can use the context from which the user is accessing the application, such as whether they’re in the corporate intranet, the user’s IP address, or when the user was last authenticated by the Privileged Access Service.
- Client: You can use some attributes of the browser client, such as operating system and browser type.
You can also invoke modules, to access information specific to that module. For example, you can invoke the User module, which allows you to reference user attributes such as the user name or if the user is in a particular role.
Certain data is passed to the script, and the script returns whether access to the application is granted and whether additional authentication is required.
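The following is an added, stand-alone model of the behavior described above; it is not the product's own code. Only application.Get("WebAppType") comes from the page. The attribute names on the context and client objects (intranet, lastAuthenticated, os), the options object, the example rules, and the "allow" / "deny" / "strong_auth" return values are assumptions chosen so the model runs offline and shows how a script decision combines with the Intranet Only and Require Strong Authentication options, with the most restrictive outcome winning.

```javascript
// Added example, not product code. Models a policy script that reads
// application, context and client data and returns an access decision,
// then combines that decision with the two regular authentication options.

// Constructed stand-in for the Application object: Get() returns one column
// of the application record, matching the application.Get("WebAppType") call
// described in the text.
function makeApplication(record) {
  return { Get: (name) => record[name] };
}

// The policy script. Returns "allow", "deny" or "strong_auth".
// Attribute names on context and client are assumed for this model.
function policyScript(application, context, client) {
  const eightHoursMs = 8 * 60 * 60 * 1000;
  const authAgeMs = context.now - context.lastAuthenticated;

  // Example rule: an admin-type web app is only usable from the intranet.
  if (application.Get("WebAppType") === "Admin" && !context.intranet) {
    return "deny";
  }
  // Example rule: a stale authentication or an unexpected client OS
  // requires a fresh strong factor rather than blocking outright.
  if (authAgeMs > eightHoursMs || !["Windows", "macOS"].includes(client.os)) {
    return "strong_auth";
  }
  return "allow";
}

// Combine the script result with the regular options. The script and the
// options act in addition to one another: any of them can block access or
// escalate to strong authentication, so the most restrictive outcome wins.
function evaluateAccess(application, context, client, options) {
  const decisions = [policyScript(application, context, client)];
  if (options.intranetOnly && !context.intranet) decisions.push("deny");
  if (options.requireStrongAuth) decisions.push("strong_auth");
  if (decisions.includes("deny")) return "deny";
  if (decisions.includes("strong_auth")) return "strong_auth";
  return "allow";
}

// Constructed sample inputs so the model can be run as-is.
const NOW = Date.parse("2024-01-01T12:00:00Z");
const recentContext = { intranet: true, now: NOW, lastAuthenticated: NOW - 60 * 1000 };
const externalContext = { intranet: false, now: NOW, lastAuthenticated: NOW - 60 * 1000 };
const staleContext = { intranet: true, now: NOW, lastAuthenticated: NOW - 9 * 60 * 60 * 1000 };
const windowsClient = { os: "Windows" };
const linuxClient = { os: "Linux" };

// Runs a few scenarios and returns their outcomes keyed by name.
function runScenarios() {
  const userApp = makeApplication({ WebAppType: "UserPassword" });
  const adminApp = makeApplication({ WebAppType: "Admin" });
  return {
    intranetRecent: evaluateAccess(userApp, recentContext, windowsClient, {}),
    adminFromOutside: evaluateAccess(adminApp, externalContext, windowsClient, {}),
    staleSession: evaluateAccess(userApp, staleContext, windowsClient, {}),
    unexpectedOs: evaluateAccess(userApp, recentContext, linuxClient, {}),
    optionIntranetOnly: evaluateAccess(userApp, externalContext, windowsClient, { intranetOnly: true }),
    optionStrongAuth: evaluateAccess(userApp, recentContext, windowsClient, { requireStrongAuth: true }),
  };
}

console.log(runScenarios());
```

Because the options and the script are evaluated independently, a script that returns "allow" never relaxes an option: the Intranet Only option still blocks an external user and Require Strong Authentication still escalates.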
Note: The policy script runs whenever a user tries to launch the application or whenever the Admin Portal refreshes.