Introduction
The process for creating and managing portal and application access rules is nearly identical. They can be defined based on the following criteria:
- Identity provider (for portal access rules), or application (for application access rules)
- HelloID user groups
- Location (country)
- Network (IP address / range)
- Time and day of the week (logon hours)
- Period (between two dates)
- Browser and/or platform
- Two-factor authentication
This article will walk you through the available options. It applies to both types of access rules.
Add an Access Rule
- Go to Security > Policies > Portal Access Rules, or go to Security > Policies > Application Access Rules.
- Select the Add access rule button.
- Apply your desired settings on the relevant tabs, which are described below.
- Select the Save button to confirm.
- The new rule is now visible on the respective overview screen.
Perform Action
Select either the Permit Access or Deny Access rule type. Permit Access means the user will be granted access to the portal or application only if they meet all of the rule's conditions. Deny Access means the user will be denied access to the portal or application if they fail to meet any of the rule's conditions.
When Accessing
Select the identity provider(s) or application(s) to which this rule will apply. For portal access rules, leaving all IdPs deselected will apply the rule to all users logging in with all IdPs. For application access rules, leaving all applications deselected will not apply the rule to any applications.
By People
Select the HelloID user groups to which this rule will apply. To apply the rule to all users in all groups, leave the Apply this rule to specific user groups toggle turned off.
From Locations
Select one or more countries of logon origin to which this rule will apply. To apply the rule to all users in all countries, leave the Apply this rule to specific countries toggle turned off.
From Network
Enter the IP addresses (e.g., 192.168.1.1) or IP address ranges (e.g., 192.168.1.1-192.168.1.254) to which this rule will apply, separated by semicolons. Entered IP addresses and ranges may be used as an inclusion criterion (IP Restriction for these IP ranges) or as an exclusion criterion (Apply this rule on all IP Ranges except) using the respective radio buttons. To apply the rule to all incoming traffic regardless of IP address, select Do not use IP ranges to apply this rule.
The Use WAN IP Addresses from Active Agents toggle dynamically adds the IP addresses of all HelloID Agents which were active in the last 24 hours. This toggle follows the logic specified by the radio buttons (inclusion or exclusion). Agent IPs are combined with any manually entered IPs using OR logic. This option is useful if your HelloID Agents share a WAN IP address with users in an office. For example, you can use it to create an application access rule that bypasses multi-factor authentication for on-site users.
Note that Agent IPs included by the Use WAN IP Addresses from Active Agents toggle are not displayed on this screen. To manually check which Agent IP addresses are being used, go to the Agents menu and look at the IP column. All IP addresses (for all Agents in all Agent Pools) which were active in the last 24 hours are included.
At Time
Specify daily time frames within which this rule will apply. For example, you may want to only permit application access during regular business hours, Monday through Friday. These settings use the time zone specified in Settings > Company. To apply the rule regardless of login time, leave the Apply a time restriction to the rule toggle turned off.
Between Dates
Specify the date range(s) within which the rule will apply. For example, you may wish to deny access during certain holidays or maintenance windows. To specify a date range, use the time/date selectors and then select the Add button.
Via
Specify the browser(s) or device(s) to which this rule will apply. To apply the rule regardless of browser or device, leave the Configure to apply this rule based on the web browser and or device toggle turned off.
Two-Factor
Specify the two-factor authentication method you wish to apply to this rule. This setting is only relevant for Permit Access rules. To disable two-factor authentication for this rule, leave the Activate Two-Factor toggle turned off.
The upper box labeled What type of two-factor do you want to enable enforces a single factor type, chosen by the administrator, which all users must use. The lower box labeled Let the user choose their MFA option lets the user choose among several possible factor types as specified in Security > 2FA Management. Learn more about the 2FA Management page here.
Users must enroll separately into enforced factors vs. user-selected factors. For example, if a user enrolls an authenticator app while Let the user choose their MFA option is selected, and then you switch to the enforced Use Authenticator App option, the user will have to re-enroll their authenticator app.
Note that only user-selected factors are displayed in the list of enrolled factors on the end user security overview.
If you're using an Azure AD OIDC IdP, you can enable AMR claims in Azure to override redundant two-factor MFA challenges in Application Access Rules.
Rule Name
Here, you may enter a custom rule name. You may also enable or disable the rule, and set a rule priority.
Rule priorities control the order in which rules are enforced when a user logs in. Rules are enforced in ascending order of priority; in other words, a lower number indicates a higher priority.
Prior to the introduction of rule priorities, HelloID automatically determined the order of rule enforcement. If you have not manually set any priorities, rule enforcement will continue to work this way. However, after you have set at least one priority for at least one rule, HelloID will switch to the priority system to determine the order of rule enforcement. In other words, if your rules are working as desired with no priorities set, you do not need to set any priorities. But if you have set at least one priority, you should also set the rest.
If you have not yet set any priorities, you will see a notice above your Access Rules overview that says: "We can auto fill in the priority for you according to the order of the list below. Click here to auto prioritize rules." Selecting this link will apply priorities to all rules in ascending order, according to the order of the rules displayed in the grid. After this, you can manually change priorities if needed.
Note that all Deny Access rules are processed before Permit Access rules, even if one or more Permit Access rules have a higher priority.
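The following is an added worked example, not HelloID's own code, that models two pieces of logic this article describes: the From Network criterion (semicolon-separated IPs and ranges, inclusion vs. exclusion, Agent WAN IPs OR'ed in) and the enforcement order (Deny Access rules first, then ascending priority). Field names such as "action" and "priority", the mode strings, and the sample rules and addresses are assumptions constructed for illustration; it assumes every rule has a priority set, as the article recommends.

```python
import ipaddress

# Constructed model of the access-rule evaluation described on this page.
# This is not HelloID's implementation; names and sample data are assumed.


def parse_ip_spec(spec):
    """Parse 'a.b.c.d;a.b.c.d-a.b.c.e' into a list of (start, end) integer pairs."""
    ranges = []
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        start = int(ipaddress.ip_address(lo.strip()))
        end = int(ipaddress.ip_address(hi.strip())) if hi else start
        if end < start:  # a reversed range would silently match nothing
            raise ValueError(f"range end before start: {part}")
        ranges.append((start, end))
    return ranges


def network_matches(client_ip, mode, manual_spec="", agent_ips=(), use_agents=False):
    """mode is one of:
    'none'    -> Do not use IP ranges to apply this rule (always matches)
    'include' -> IP Restriction for these IP ranges
    'exclude' -> Apply this rule on all IP Ranges except
    use_agents models the Use WAN IP Addresses from Active Agents toggle."""
    if mode == "none":
        return True
    ranges = parse_ip_spec(manual_spec)
    if use_agents:  # Agent WAN IPs are combined with manual entries using OR logic
        for addr in agent_ips:
            n = int(ipaddress.ip_address(addr))
            ranges.append((n, n))
    ip = int(ipaddress.ip_address(client_ip))
    in_ranges = any(lo <= ip <= hi for lo, hi in ranges)
    return in_ranges if mode == "include" else not in_ranges


def enforcement_order(rules):
    """Return rule names in the order they are enforced: all Deny Access rules
    before Permit Access rules, then ascending priority (lower number first)."""
    return [r["name"] for r in sorted(rules, key=lambda r: (r["action"] != "deny", r["priority"]))]
```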
Edit or Delete an Access Rule
To edit or delete an access rule, go to Security > Policies > Portal Access Rules, or go to Security > Policies > Application Access Rules. Select the appropriate Edit or Delete link in the Actions column.
When editing a rule, consult the above section (Add an Access Rule) for information on the available tabs and settings.