Using Permit Rules with a Deny Rule

You can create a policy containing one or more Permit rules and then make the lowest-priority rule in the policy a Deny rule with no conditions. When a user matches the conditions of a Permit rule, the remaining rules are not processed and the user is granted access to the resource. The Deny rule is processed only when the user matches none of the Permit rules. Because every user matches a rule with no conditions, such a user is denied access to the resource.

The first rule in such a policy for the sales application would look similar to the following:

The conditions in Rule 1 are ANDed, so a user must match both conditions to be granted access to the resource. The priority is set to 1, so this is the first rule that Access Gateway processes.

The second rule would look similar to the following:

Because this rule has no conditions, any user who does not match the first rule matches this rule and is denied access. The priority of this rule is set lower than that of the Permit rule (a larger priority number) so that the Permit rule is processed first. If the Deny rule were given the higher priority, it would match every user before the Permit rule was ever evaluated, and no one would be granted access.
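The evaluation order described above (rules processed by priority, conditions within a rule ANDed, first match wins, unconditional Deny as the catch-all) can be modelled in a few lines. The following is an added example written for this page, not code from Access Gateway or its documentation: the rule names, the `roles` and `ldap_ou` user attributes, and the `has_catch_all_deny` check are assumptions made for illustration. It also shows the failure mode from the last paragraph, a Deny rule that is accidentally given the highest priority.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

User = Dict[str, object]
Condition = Callable[[User], bool]


@dataclass
class Rule:
    name: str
    priority: int                  # 1 is processed first; larger numbers are processed later
    action: str                    # "Permit" or "Deny"
    conditions: List[Condition] = field(default_factory=list)  # ANDed; an empty list matches everyone

    def matches(self, user: User) -> bool:
        # all() over an empty list is True, which is exactly what the catch-all Deny relies on.
        return all(cond(user) for cond in self.conditions)


def evaluate(rules: List[Rule], user: User) -> Optional[str]:
    """Process rules in priority order and stop at the first rule whose conditions match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(user):
            return rule.action
    return None  # no rule matched; a policy with a catch-all Deny never reaches this point


def has_catch_all_deny(rules: List[Rule]) -> bool:
    """Sanity check: the lowest-priority rule (largest number) must be a Deny with no conditions."""
    if not rules:
        return False
    last = max(rules, key=lambda r: r.priority)
    return last.action == "Deny" and not last.conditions


# Constructed policy for the sales application (attribute names are assumed).
sales_policy = [
    Rule("Rule 1: sales staff in the Sales OU", priority=1, action="Permit",
         conditions=[lambda u: "sales" in u["roles"],      # condition 1
                     lambda u: u["ldap_ou"] == "Sales"]),  # condition 2, ANDed with the first
    Rule("Rule 2: catch-all deny", priority=2, action="Deny"),
]

# The same rules with the priorities swapped: the unconditional Deny is processed first
# and masks the Permit rule, so nobody gets in.
misordered_policy = [
    Rule("Deny (wrongly at priority 1)", priority=1, action="Deny"),
    Rule("Permit sales staff", priority=2, action="Permit",
         conditions=[lambda u: "sales" in u["roles"], lambda u: u["ldap_ou"] == "Sales"]),
]

# Constructed users.
sales_user = {"roles": ["sales"], "ldap_ou": "Sales"}
marketing_user = {"roles": ["marketing"], "ldap_ou": "Sales"}   # matches only one condition

if __name__ == "__main__":
    for label, user in (("sales user", sales_user), ("marketing user", marketing_user)):
        print(f"{label}: {evaluate(sales_policy, user)}")
    print("policy ends in catch-all Deny:", has_catch_all_deny(sales_policy))
    print("misordered policy, sales user:", evaluate(misordered_policy, sales_user))
    print("misordered policy ends in catch-all Deny:", has_catch_all_deny(misordered_policy))
```

Running `has_catch_all_deny` against a policy before deploying it catches the two mistakes the text warns about: a Deny rule that is missing, and a Deny rule whose priority is not the lowest in the policy.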