The priority of Access Policies is important, as Cipherscale enforces the first one that matches the source and destination, provided the Admission Rules are met.
Overview
Access Policies are evaluated in priority order, according to the priority number assigned to the policy, starting from 1 (highest or topmost). When an access request comes in, Cipherscale walks down the policy list "Top-Down" (with priority 1 being the top) and stops at the first policy that matches the request. The match is based on the source and destination. This is known as first-match enforcement.
This makes policy ordering critical. A few key principles to keep in mind:
-
Deny policies should generally be placed above Allow policies when you want to explicitly block specific users or devices that would otherwise be caught by a broader Allow policy below
-
More specific policies should sit above broader ones — for example, a policy targeting a specific user should be ranked higher than one targeting all groups
-
A policy that is never reached has no effect — if a broader Allow policy sits above a more specific Deny, the Deny will never be evaluated for users that match the Allow first
-
If no policy matches an access request, access is denied by default. Cipherscale operates on a zero-trust principle — nothing is permitted unless explicitly allowed by a matching policy.
Note
To avoid denying local internet access, a system-managed "Default Internet Access Policy" is assigned to a reserved, special-purpose priority level that always treats it as the last (bottom) access policy.
An Access Policy is always associated with an admission rule. An Admission Rule does not grant or deny access on its own. It acts as a gate on an Allow policy — if the admission rule condition is not met, the Allow policy is skipped entirely and evaluation continues to the next policy in the list. This means a user may fall through to a lower-priority policy if their device or location doesn't satisfy the admission rule of a higher-priority Allow policy. See [Reference] Relationship between Access Policies and Admission Rules
The AI prompt needs the following:
-
Policy Name (required): The name of the policy (or policies) you want to reorder. You must clearly identify which policy to move.
-
Desired priority direction or position (required): You must express where you want the policy to end up — either relatively (higher/lower than another) or absolutely (a specific order number).
-
Policy type (PRIVATE / SAAS / INTERNET)(optional): Helps narrow down which policy you mean if names are ambiguous. If omitted, I'll infer it from context or query all types.
-
Reference policy (optional): When using relative positioning (e.g., "higher than X"), naming the reference policy helps.
-
Exact order number (optional): You can specify an exact priority number instead of a relative position.
-
Policy ID (optional): Useful for disambiguation if multiple policies share similar names.
Interaction Flow
|
Step |
Participant |
Action/Content |
||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
1. Prompt |
Admin |
“Assign the access policy for 'Complex SaaS' that has source as 'All Groups' a priority lower than the policy that was just created.” |
||||||||||||||||
|
2. Draft |
AI Copilot |
"Let me check the current SAAS policies and their priorities first! I have all the information needed. Currently:
I'll reorder now so the "All Groups" policy gets a lower priority (higher order number) than the newly created Admins policy. Reorder 3 SAAS policies Reorder SAAS policies to establish correct priority: the All Groups policy moves to lower priority (order 3), the Admins policy moves up (order 2), and Stas's policy remains at highest priority (order 1)." {
Policy 1:"Allow Stas to access his SaaS",
Order:{
original:1,
delta:3
},
Policy 2:"Access to Complex SaaS (Admins)",
Policy 3:"Allow access to Complex SaaS (All Groups)"
}
Confirm or Cancel? |
||||||||||||||||
|
3. Validation |
Admin |
"Confirm." |
||||||||||||||||
|
4. Finalization |
AI Copilot |
"✅ Action confirmed, proceeding with execution of operation Done! Here's the updated SAAS policy priority order:
The "Allow access to Complex SaaS" (All Groups) policy is now at priority 3 — lower than the Admins policy at priority 2. This means:
|
Create an Access Policy with Priority
-
Create a private access policy that denies the Contractors group access to the Finance Database and place it at priority 1
-
Create a SaaS access policy that allows the HR group to access Salesforce and place it above all existing Deny policies
List or Ask Priority Questions
-
What is the current priority order of all private access policies?
-
What is the current priority order of all SaaS access policies?
-
What is the current priority order of all internet access policies?
-
Which policy has the highest priority for private access?
-
Which policy has the lowest priority for private access?
-
Are there any Allow policies ranked above Deny policies for private access?
Update the Priority for an Access Policy
-
Move the policy "Access to HR Portal" to priority 1
-
Set the policy "Deny Contractors" to a higher priority than "Access to All Resources"
-
Swap the priorities of "Access to HR Portal" and "Access to Finance App"
-
Move the policy "Denycontractor@company.com" above all Allow policies
-
Reorder private access policies so all Deny policies are evaluated before Allow policies
-
Move the policy "Access to Dev Server" down one priority level
-
Move the policy "Access to Salesforce" up two priority levels
Deletion Referenced by Priority
-
Delete the lowest priority private access policy
-
Delete the highest priority Deny policy for the Contractors group
Instead of using AI prompts, you can change the priority order by using the drag-and-drop UI by following these steps:
Verify the priority order by following the steps shown in Using the UI to Arrange Priority
Comments
0 comments
Article is closed for comments.