An access policy is the core enforcement mechanism in Cipherscale. It defines who can access what, under which conditions, and with what action (Allow or Deny).
Overview
An access policy is the core enforcement mechanism in Cipherscale. It defines who can access what, under which conditions, and with what action (Allow or Deny). Every access request is evaluated against the list of active policies before traffic is permitted or blocked.
Instead of navigating a complex matrix of firewall rules, you use the Intent Bar to state who gets access to what. The AI handles the heavy lifting of mapping these identities to the correct resources and configuring the Access Policies. Access Policies become more effective when they are linked to Admission Rules, which evaluate the context in which access is requested. Refer to Mission: Context-Aware Security and [Reference] Relationship between Access Policies and Admission Rules
The Two Actions
Allow grants access to a resource when all policy conditions are met. It supports custom admission rules, meaning you can attach conditions such as location, time, or device posture to refine when the Allow applies.
Deny blocks access unconditionally. It can only use the default "Admission without Restrictions" rule — no custom conditions can be attached. It is used to explicitly block specific users, groups, or devices regardless of other policies.
Priority and Policy Matching
Policies are evaluated in priority order, according to the priority number assigned to the policy starting from 1 (highest or topmost). When an access request comes in, Cipherscale walks down the policy list "Top-Down" hierarchy and stops at the first policy that matches the request. Match is based on the source and destination. This is known as first-match enforcement.
This makes policy ordering critical. A few key principles to keep in mind:
-
Deny policies should generally be placed above Allow policies when you want to explicitly block specific users or devices that would otherwise be caught by a broader Allow policy below
-
More specific policies should sit above broader ones — for example, a policy targeting a specific user should be ranked higher than one targeting all groups
-
A policy that is never reached has no effect — if a broader Allow policy sits above a more specific Deny, the Deny will never be evaluated for users that match the Allow first
The Default Behavior
If no policy matches an access request, access is denied by default. Cipherscale operates on a zero-trust principle — nothing is permitted unless explicitly allowed by a matching policy.
Admission Rule Interaction
An admission rule does not grant or deny access on its own. It acts as a gate on an Allow policy — if the admission rule condition is not met, the Allow policy is skipped entirely and evaluation continues to the next policy in the list. This means a user may fall through to a lower-priority policy if their device or location doesn't satisfy the admission rule of a higher-priority Allow policy.
Key Things to Remember
-
Deny policies are unconditional — they always block regardless of device or location
-
Allow policies with admission rules are conditional — they only apply when the rule's conditions are satisfied
-
Policy order determines outcome — always review priority when troubleshooting unexpected access behavior
-
The default is always deny — if no policy matches, access is blocked
1. Creating a New Access Policy
Interaction Flow
Maximize your efficiency by navigating to SaaS Access / Private Access / Internet Access and choose Access Policy from Details Ribbon before entering prompts. You’ll gain instant visibility into the Detail Panes to verify Copilot’s actions and receive tailored Prompt Catalysts to help guide your next steps.
Different information is needed for the AI intent based on the type of access the policy applies to.
The Intent: What the AI Needs for Creating Access Policies for Private Access
-
Action (Required) — Allow or Deny
-
Source (Required) — at least one of: all users, all groups, all devices, specific users, specific groups (by name), or specific devices (by name)
-
Destination (Required) — at least one specific private resource, or "all private resources"
-
Admission rule (Optional) — which condition set to apply; defaults to "Admission without Restrictions" if omitted; Deny policies can only use the default rule
-
Policy name (Optional) — if not provided, one will be generated based on the destination
-
Description (Optional) — a short summary of the policy's purpose
The Intent: What the AI Needs for Creating Access Policies for SaaS Access
-
Action (Required) — Allow or Deny
-
Source (Required) — at least one of: all users, all groups, all devices, specific users, specific groups, or specific devices
-
Destination (Required) — at least one specific SaaS resource, or "all SaaS resources"
-
Admission rule (Optional) — which condition set to apply; defaults to "Admission without Restrictions" if omitted; Deny policies can only use the default rule
-
Policy name (Optional) — if not provided, one will be generated based on the destination
-
Description (Optional) — a short summary of the policy's purpose
The Intent: What the AI Needs for Creating Access Policies for Internet Access
-
Source (Required) — at least one of: all users, all groups, all devices, specific users (by email), specific groups (by name), or specific devices (by name)
-
Mode (Required) — one of: LOCAL (direct internet access from the device), RESTRICTED (block all internet access), or INTERNET_ACCESS_POINT (route internet traffic through a gateway)
-
Destination resource (Optional) — the internet access point resource to route traffic through; only applicable when mode is INTERNET_ACCESS_POINT
-
Admission rule (Optional) — which condition set to apply; defaults to "Admission without Restrictions" if omitted
-
Policy name (Optional) — if not provided, one will be generated based on the destination
-
Description (Optional) — a short summary of the policy's purpose
Note
The Default Internet Access Policy is a system-managed policy that guarantees all users, groups, and devices have constant access to the local internet. It holds a reserved, special-purpose priority level, exclusively for this default policy, which is always treated as the last (bottom) access policy. All your created policies automatically receive a higher priority. Consequently, the default policy is positioned below all custom policies in the evaluation order, serving as a foundational fallback that remains active regardless of other policies. It’s important to note that this policy cannot be modified or deleted, as its primary purpose is to prevent accidental disruptions to internet access for all users.
Interaction Flow
Access Policy Creation Prompt Examples
-
Create a private access policy that allows the HR group to access the HR Portal resource during business hours
-
Create a SaaS access policy that allows all users to access Salesforce with updated OS and disk encryption required
-
Create a private access policy that denies the Contractors group access to the Finance Database resource
-
Create an internet access policy that allows all users direct local internet access on weekdays from 9AM to 5PM UTC
-
Create an internet access policy that allows the Engineering group to route all internet traffic through the gateway
-
Create a SaaS access policy that allows only Windows devices from the US to access Google Workspace
-
Create a private access policy that allows userjohn@company.comto access the Dev Server resource
-
Create a private access policy that denies usercontractor@company.comaccess to all private resources
Access Policy Read Prompt Examples
-
List all access policies sorted by priority
-
List all private access policies
-
List all SaaS access policies
-
List all internet access policies
-
Show me the access policy named "Access to HR Portal"
-
Which policies are assigned the admission rule "Business Hours"?
-
Which policies apply to the HR group?
-
Which policies reference the Finance Database resource?
-
Show me all Deny policies
-
Show me all Allow policies with custom admission rules
Access Policy Update Prompt Examples
-
Update the policy "Access to HR Portal" to also include the Finance group as a source
-
Update the policy "Access to Salesforce" to use the admission rule "Updated OS with Encryption"
-
Update the policy "Access to Dev Server" to also include the Staging Server resource as a destination
-
Update the policy "Access to HR Portal" to apply to all groups instead of just the HR group
-
Update the policy "Access to Google Workspace" to also allow iOS devices
-
Change the admission rule on policy "Access to Finance App" to "Weekdays 9AM to 5PM UTC"
-
Remove the Engineering group from the source of policy "Access to Dev Server"
Access Policy Deletion Prompt Examples
-
Delete the access policy named "Access to HR Portal"
-
Delete all Deny policies for the Contractors group
-
Delete the access policy named "Access to Salesforce"
Navigate to the Access section to which the access policy applies (e.g., SaaS Access) using the Navigation Menu and use the Access Policy tab on the Details Ribbon to verify the Copilot actions or view the current system state.
The Access Policies Data Grid for Internet Access: Click Access Policies on the Details Ribbon to view the data grid listing Access Policies with their Name and Priority, Source, Internet Mode, and Admission Rule. The copy icon appears when hovering over an Access Policy's name, making it easy to copy and paste it into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching rows.
The Access Policies Data Grid for SaaS and Private Access: Click Access Policies on the Details Ribbon to view the data grid listing Access Policies with their Name and Priority, Source, Action, Destination, and Admission Rule. The copy icon appears when hovering over an Access Policy's name, making it easy to copy and paste it into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching rows.
A Specific Access Policy's Data Grid: To view details for a specific Access Policy, click that policy's name. You will see details that were displayed earlier . To go back to the SaaS Applications Data Grid, click SaaS Applications from the breadcrumb.
Here is a list of troubleshooting tips for resolving access policy issues in Cipherscale:
-
Check Policy Priority and Order: When multiple access policies apply to a request, Cipherscale enforces the policy that is matched first based on the arranged order. If a user is unexpectedly blocked, check if a "Deny" policy is placed at a higher priority than their "Allow" policy. You may need to edit the order so that the correct policy is matched first.
-
Verify Linked Admission Rules: Every access policy must have an associated Admission Rule. An access policy is only enforced if the user successfully meets the prerequisite criteria of this linked admission rule, such as having the correct device posture, connecting from an allowed location, or accessing during an approved time window.
-
Confirm "Source" Assignments: Ensure that the specific User, Group, or Device you are trying to grant or restrict access for is correctly included as a "Source" value within the access policy.
-
Ensure a Gateway is Attached: Even if an access policy is perfectly configured and active, it will not be enforced if the destination resource (Private, SaaS, or Internet) does not have a Gateway assigned to it. Check that an online gateway is linked to the resource and has reachability.
-
Leverage AI Root Cause Analysis (RCA): Instead of manually parsing logs, you can use the AI-native conversational interface to instantly diagnose issues. By asking a plain-English question like, "Why can't User A access the Production Database?", the AI will automatically correlate your access policies, admission rules, real-time logs, and gateway reachability to surface the specific failure point.
Comments
0 comments
Article is closed for comments.