Admission Rules enforce device posture, geographic and time-based conditions that must be successfully met before a user qualifies for access to specific protected resources.
Overview
In a robust Zero Trust framework, establishing user identity is only the first step. To achieve true Zero Trust, access decisions must continuously evaluate the context of the access request. In Cipherscale, this context is enforced through Admission Rules, which are conditions that must be successfully met before a user qualifies for access to specific protected resources.
Admission rules act as mandatory prerequisites. While an Access Policy makes the final decision to allow or deny access to a destination, the Admission Rule qualifies whether the request is even eligible to be evaluated by that policy. Because context is universally applicable, the exact same Admission Rules can be used across all access types, including Private Access, SaaS Access, and Internet Access.
Note
Admission rules with criteria can be used only with Allow policy actions. Refer to [Reference] Relationship between Access Policies and Admission Rules.
Administrators can build Admission Rules based on three primary categories of context: Location, Time, and Device Posture.
Location Context
Location context rules define criteria based on the geographic or network origin of the user's device. They define which countries and IP subnets are included in or excluded from the rule.
- IP Address: The admission rule can include or exclude specific IPv4 CIDR ranges.
- Country: The admission rule can include or exclude a specific country from which the request originates.
Time Constraints
Time constraint rules define criteria based on when the request is made, ensuring sensitive resources are only available during designated operational windows.
- Day of the Week: Defines the specific days (e.g., Monday through Friday) in the rule.
- Time of Day: Defines exact Start Time and End Time blocks within a specified timezone.
Note
Administrators can set a default timezone for admission rules across the system in the Settings section.
Device Posture (Device Context)
Device posture rules define the specific characteristics, identity, and security health of the hardware attempting to connect. This ensures that even authorized users cannot access corporate assets from compromised or unmanaged devices when the admission rule is linked to the appropriate access policies. Administrators can check the following device contexts:
- Operating System: Define that the device is running an approved OS (Windows, macOS, Android/Chromebook, iOS, or Linux) and a specific OS version.
- Certificate Check: Verify the presence of a digital certificate on the device containing a specific "Common Name" (CN) string.
- Disk Encryption: Check whether the device's disk encryption is turned ON (including checking if a specified BitLocker volume is encrypted).
- Antivirus: Ensure that specified antivirus software is actively running on the device.
- Application Process: Detect the application environment by checking if a specific running process name is present on the device.
In Cipherscale, you use the Intent Bar to layer sophisticated constraints—such as device health (posture), geographic location (geofencing), and time-of-day windows—onto your existing Access Policies.
An admission rule is purely a condition evaluator: it doesn't allow or deny anything on its own. It simply asks: "Is this condition met?" If yes, the policy it's attached to applies. If no, the policy is ignored. Refer to [Reference] Relationship between Access Policies and Admission Rules.
So when you write:
Create an admission rule that allows access only from the US and Canada
The word "allows" is just natural language shorthand. The AI strips away the access control language and focuses purely on the condition being described — in this case, a country location check for US and Canada. The resulting admission rule would look like this:
- Name: US and Canada Only
- Condition: COUNTRY: {ONLY: [US, Canada]}
That's all it creates. The actual allowing or denying of access is the job of the Allow policy that references this admission rule. Without a policy attached, the admission rule does nothing.
- You must provide at least one of: Country context OR IP subnet context
- Country mode (NOT/ONLY) and the country list always go together; you can't have one without the other
- IP ranges must be in CIDR notation (e.g., 10.0.0.0/8, not just 10.0.0.0)
- Both country and IP context can be used together in one rule (AND logic). For example, "Create an admission rule that allows access from anywhere except Russia and China, and not from IP range 3.3.3.0/24"
The Intent: What the AI Needs for Configuring Location Context Admission Rules
- Rule Name (optional): A descriptive label for the admission rule (max 40 characters). If not provided, the AI will generate one based on the condition.
Note
No special characters like . or @.
- At least one location condition (required): Either a Country restriction OR an IP restriction (or both)
- Mode (Required if using country): Either NOT (block listed countries) or ONLY (allow only listed countries)
- Country list (Required if using country): One or more country names to block or allow
- IP range(s) (Required if using IP): One or more IP ranges in CIDR notation (e.g., 10.0.0.0/8, 192.168.1.0/24)
- Additional condition types (optional): You can combine the location rule with Time and/or Device Posture constraints.
Note
The Admission Rule won't be enforced until it's assigned to at least one Access Policy. Refer to Mission: Crafting Access Policies
Location Context Admission Rule Creation Prompts
- "Create an admission rule that blocks access from Russia and China"
- "Create an admission rule that allows access only from the US, UK, and Canada"
- "Create an admission rule that restricts access to IP range 10.0.0.0/8"
- "Create an admission rule allowing only IPs from 192.168.1.0/24 and 10.0.0.0/8"
- "Create an admission rule that blocks access from North Korea and Iran, and only allows IPs from 203.0.113.0/24"
Listing and querying about location context admission rules
- "List all admission rules"
- "Show me the details of the admission rule called 'US Only'"
- "Which admission rules have location context conditions?"
- "Show me all admission rules that block specific countries"
- "Which policies are using the 'Not from Russia' admission rule?"
Updating location context admission rules
- "Update the 'US Only' admission rule to also allow access from Canada"
- "Add Germany to the blocked countries list in the 'Blocked Countries' admission rule"
- "Change the 'Not from Russia' admission rule to also block China"
- "Update the 'Office Network Only' admission rule to include the IP range 172.16.0.0/12"
- "Rename the admission rule 'US Only' to 'North America Only' and add Canada and Mexico"
Deletion of location context admission rules
- "Delete the admission rule called 'US Only'"
- "Remove the 'Not from Russia' admission rule"
- "Delete all admission rules that have location context conditions"
The Intent: What the AI Needs for Configuring Time Context Admission Rules
- Rule Name (optional): A descriptive label for the admission rule (max 40 characters). If not provided, the AI will generate one based on the condition.
Note
No special characters like . or @.
- Days (Required): Which days the rule applies (e.g., weekdays, Monday to Friday, or specific days like Tuesday and Thursday)
- Start and end time (Required): The time window (e.g., 9AM to 5PM)
- Timezone (Optional): The timezone the times are relative to (e.g., UTC, EST, PST). If not provided, the default timezone from Settings will be used.
- Multiple Time Windows (optional): More than one time range within the same day (e.g., 9AM to 12PM and 2PM to 5PM)
- Additional condition types (optional): You can combine the rule with Location and/or Device Posture constraints.
Note
The Admission Rule won't be enforced until it's assigned to at least one Access Policy. Refer to Mission: Crafting Access Policies
Time Context Admission Rule Creation Prompts
- Create an admission rule for weekdays from 9AM to 5PM UTC
- Create an admission rule for Monday, Wednesday and Friday from 8:30AM to 4:30PM EST
- Create an admission rule for weekdays from 9AM to 12PM and 2PM to 5PM UTC
- Create an admission rule named "After Hours" for weekdays from 6PM to 11PM and weekends from 8AM to 11PM UTC
Listing and querying about time context admission rules
- List all admission rules with time context conditions
- Show me the admission rule named "Business Hours"
- Which admission rules have time-based restrictions?
Updating time context admission rules
- Update the admission rule "Business Hours" to extend the end time to 6PM UTC
- Update the admission rule "Business Hours" to also include Saturday from 9AM to 1PM UTC
- Update the admission rule "Business Hours" to add a second time window from 7PM to 9PM UTC
- Change the timezone of admission rule "Business Hours" from UTC to EST
Deletion of time context admission rules
- Delete the admission rule named "Business Hours"
The Intent: What the AI Needs for Configuring Device Posture Admission Rules
- Rule Name (optional): A descriptive label for the admission rule (max 40 characters). If not provided, the AI will generate one based on the condition.
Note
No special characters like . or @.
- OS type (required): Which operating system the condition applies to (e.g., macOS, Windows, iOS, Android). This is always mandatory, as it is the parent for all device posture checks.
- OS version (optional): Minimum, maximum, or exact version requirement (e.g., macOS 15 or later, Windows 11 or later)
- Disk encryption (optional): Whether the device's disk must be encrypted
- Antivirus software (optional): A specific antivirus product that must be installed and running
- Multiple OS types (optional): Applying conditions across more than one OS (e.g., macOS and Windows)
- Additional condition types (optional): You can combine the rule with Time and/or Location constraints.
Note
The Admission Rule won't be enforced until it's assigned to at least one Access Policy. Refer to Mission: Crafting Access Policies
Disk encryption is only available for macOS and Windows.
Antivirus checks require the product to be supported by Cipherscale. The AI will verify this during creation.
Process and certificate checks are temporarily unavailable.
Device Context Admission Rule Creation Prompts
- Create an admission rule requiring macOS devices
- Create an admission rule requiring macOS 15 or later
- Create an admission rule requiring Windows 11 or later
- Create an admission rule requiring macOS 15 or later with disk encryption enabled
- Create an admission rule requiring Windows 11 or later with disk encryption enabled
- Create an admission rule requiring macOS 15 or later or Windows 11 or later
- Create an admission rule requiring macOS 15 or later with disk encryption and Avast antivirus
- Create an admission rule requiring macOS 15 or later or Windows 11 or later, both with disk encryption enabled
Listing and querying about device context admission rules
- List all admission rules with device posture conditions
- Show me the admission rule named "Updated OS"
- Which admission rules require disk encryption?
- Which admission rules have antivirus requirements?
- Which admission rules apply to Windows devices?
Updating device context admission rules
- Update the admission rule "Updated OS" to also require Windows 11 or later
- Update the admission rule "Updated OS" to require macOS 16 or later instead of macOS 15
- Update the admission rule "Secure Devices" to also require disk encryption on Windows
- Update the admission rule "Secure Devices" to add Avast antivirus as a requirement for Windows
- Remove the disk encryption requirement from the admission rule "Secure Devices" for macOS
Deletion of device context admission rules
- Delete the admission rule named "Updated OS"
- Delete the admission rule named "Secure Devices"
| Step | Participant | Action/Content |
|---|---|---|
| 1. The Prompt | Admin | "create an admission rule that allows only windows computers from USA during monday to friday 8am to 7pm EST" |
| 2. The Draft | AI Copilot | "I'll create that admission rule for you. Let me first check if a similar one already exists. No similar rule exists. Now I'll create the admission rule with Windows OS, USA country condition, and the weekday time window. Creating the admission rule for Windows devices from the USA on weekdays 8AM to 7PM EST. Create admission rule "Windows USA Mon to Fri 8AM to 7PM EST". This rule enforces access control for Windows devices in the USA during business hours (Monday-Friday, 8AM-7PM EST) by combining OS, geographic, and time-based constraints with AND logic. `{ Rule Name: "Windows USA Mon to Fri 8AM to 7PM EST", Operating System: "Windows", Country: "United States", Days: "Monday to Friday", Time Range: "8:00 AM to 7:00 PM EST (UTC-5)", Has Time Constraint: true }` Confirm or Cancel? |
| 5. Validation | Admin | "Confirm." |
| 6. Result | AI Copilot | ✅ Action confirmed, proceeding with execution of operation. The admission rule "Windows USA Mon to Fri 8AM to 7PM EST" has been created successfully with the following conditions: All three conditions must be met simultaneously for the rule to pass. |
| 7. Follow Up | AI Copilot | Remember that this rule won't be enforced until it's assigned to an Allow policy. Would you like me to create one? |
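As an added example (not Cipherscale's own code; the rule field names, the request-context shape and the sample values are assumptions), here is a reference evaluator for the semantics described on this page: country and IP in ONLY/NOT mode as in the location-rule constraints above, day and time windows in a timezone, OS-anchored device posture, all ANDed, with the result only deciding whether an attached Allow policy applies. The constructed RULE mirrors the copilot transcript above.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

def _mode_ok(spec, matches):
    # spec is {"ONLY": [...]} or {"NOT": [...]}; ONLY passes on a list hit, NOT passes on a miss.
    (mode, values), = spec.items()
    return matches(values) == (mode == "ONLY")

def location_met(cond, ctx):
    # Country and IP (CIDR) each take ONLY or NOT mode; when both are present they are ANDed.
    ip = ipaddress.ip_address(ctx["ip"])
    country_ok = "COUNTRY" not in cond or _mode_ok(cond["COUNTRY"], lambda cs: ctx["country"] in cs)
    ip_ok = "IP" not in cond or _mode_ok(
        cond["IP"], lambda nets: any(ip in ipaddress.ip_network(n) for n in nets))
    return country_ok and ip_ok

def time_met(cond, now_utc):
    # Convert to the rule's timezone (fixed UTC-5 as in the transcript; a named zone would honour DST).
    local = now_utc.astimezone(cond["TZ"])
    if local.strftime("%A") not in cond["DAYS"]:
        return False
    return any(start <= local.strftime("%H:%M") <= end for start, end in cond["WINDOWS"])

def device_met(cond, dev):
    # OS type is the parent check; version, disk encryption and antivirus hang off it.
    os_cond = cond["OS"].get(dev["os"])
    if os_cond is None:
        return False
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    if "MIN_VERSION" in os_cond and as_tuple(dev["os_version"]) < as_tuple(os_cond["MIN_VERSION"]):
        return False
    if os_cond.get("DISK_ENCRYPTION") and not dev["disk_encrypted"]:
        return False
    av = os_cond.get("ANTIVIRUS")
    return av is None or av in dev["antivirus_running"]

def admission_met(rule, ctx):
    # AND of the contexts present (absent ones are skipped). True: the Allow policy applies; False: it is ignored.
    checks = {"LOCATION": (location_met, ctx), "TIME": (time_met, ctx["now_utc"]),
              "DEVICE": (device_met, ctx["device"])}
    return all(fn(rule[k], arg) for k, (fn, arg) in checks.items() if k in rule)

def request_context(ip, country, when_utc, device):
    return {"ip": ip, "country": country, "device": device,  # constructed request context
            "now_utc": datetime.fromisoformat(when_utc).replace(tzinfo=timezone.utc)}  # naive ISO, read as UTC

# Constructed rule mirroring the copilot transcript: Windows, USA, Mon-Fri 8AM-7PM EST (UTC-5).
RULE = {"LOCATION": {"COUNTRY": {"ONLY": ["United States"]}}, "DEVICE": {"OS": {"Windows": {}}},
        "TIME": {"DAYS": "Monday Tuesday Wednesday Thursday Friday".split(),
                 "WINDOWS": [("08:00", "19:00")], "TZ": timezone(timedelta(hours=-5))}}
```

A rule with no TIME or DEVICE key is evaluated on location alone, which is how the location-only prompts above behave.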
As Admission Rules can be used with access policies for all three access types: SaaS, Private, and Internet, they appear in all three sections. Navigate to any of them using the Navigation Menu and use the Details Ribbon to verify the Copilot actions or view the current system state.
The Admission Rules Data Grid: Click Admission Rules on the Details Ribbon of Private Access, SaaS Access, or Internet Access to view the data grid listing Admission Rules with their Name and linked Access Policies. The copy icon appears when hovering over an Admission Rule's name, making it easy to copy and paste it into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching entries.
A Specific Admission Rule's Data Grid: To view details for a specific Admission Rule, click that Admission Rule's name. You will see Data Grids for the associated Location Context, Time Context, Device Context, and Access Policies displayed. Each Data Grid will provide details of the applicable conditions that were configured. To go back to the Admission Rules Data Grid, click Admission Rules from the breadcrumb.
You can use the AI-native conversational interface to diagnose access issues instantly. If you ask a plain-English query such as "Why can't User A access Salesforce?", the AI correlates access policies, admission rules, gateway reachability, and real-time logs to surface the exact point of failure.