Access Policies

Define who can access what, when, and under which conditions using identity-aware RBAC policies.

Policy Model

Access policies let you define fine-grained rules that control who can access resources, from where, when, and how. Policies are evaluated by priority (lower number = higher priority) and can either allow or deny access. Multiple policies can be combined to build layered security controls.

Creating a Policy

Navigate to Access Policies and click New Policy.

Basic Settings
  • Name & description — a descriptive label for the policy.
  • Action — Allow or Deny.
  • Priority — 0 to 10,000; lower values are evaluated first.
  • Enabled — toggle the policy on or off without deleting it.
Scope

Choose what the policy applies to:

  • Organisation — applies to all resources in the org.
  • Group — applies to a specific resource group.
  • Resource — applies to a single resource.
  • VPN Access — controls VPN peer access and routing.
Subjects

Optionally restrict the policy to specific User IDs (max 100) or Team IDs (max 50). Leave empty to apply to all users in the organisation.

Conditions

Network & Geo
  • Source IPs (allow) — CIDR allowlist, one per line.
  • Source IPs (deny) — CIDR blocklist.
  • Countries (allow / deny) — ISO 3166-1 alpha-2 codes.
Time Window
  • Valid from / Valid until — schedule a policy to be active only during a specific period.
Endpoint Posture (Business+)
  • Minimum posture score — 0–100; the endpoint must meet or exceed this score.
  • Required posture tags — all listed tags must be present.
  • Blocked posture tags — the policy does not apply if any of these tags are found.
Session Limits
  • Max session duration — automatic disconnection after this period (presets: 30m, 1h, 4h, 8h, 24h). Set to 0 for unlimited.
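As an added illustration of the evaluation model described above (example code written for this page, not the product's own engine), the following Python evaluates a request against a list of policies built from the settings and conditions listed in the sections above. It assumes semantics the page does not spell out: the first matching policy in priority order decides, ties are broken by name, a request that matches no enabled policy is denied, and every condition (including the IP and country deny lists) narrows when a policy applies, in the same way the page describes blocked posture tags. All policy names, IP ranges, and identifiers are constructed.

```python
"""Added example: a miniature policy evaluator (not the product's own engine).

Assumed semantics: first match in priority order decides (ties by name); no
match means deny; each condition narrows applicability. Sample data is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                                   # "allow" or "deny"
    priority: int = 1000                          # 0..10,000; lower is evaluated first
    enabled: bool = True
    scope: Tuple[str, Optional[str]] = ("organisation", None)  # (kind, target id)
    user_ids: frozenset = frozenset()             # empty = every user (max 100)
    team_ids: frozenset = frozenset()             # max 50
    source_allow: Tuple[str, ...] = ()            # policy applies only from these CIDRs
    source_deny: Tuple[str, ...] = ()             # policy never applies from these CIDRs
    countries_allow: frozenset = frozenset()      # ISO 3166-1 alpha-2 codes
    countries_deny: frozenset = frozenset()
    valid_from: Optional[datetime] = None
    valid_until: Optional[datetime] = None
    min_posture_score: int = 0                    # 0..100
    required_tags: frozenset = frozenset()
    blocked_tags: frozenset = frozenset()
    max_session_seconds: int = 0                  # 0 = unlimited

    def __post_init__(self) -> None:
        if self.action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny")
        if not 0 <= self.priority <= 10_000:
            raise ValueError("priority must be within 0..10000")
        if not 0 <= self.min_posture_score <= 100:
            raise ValueError("posture score must be within 0..100")
        if len(self.user_ids) > 100 or len(self.team_ids) > 50:
            raise ValueError("too many subjects")


@dataclass(frozen=True)
class Request:
    user_id: str
    team_ids: frozenset
    group_id: str
    resource_id: str
    source_ip: str
    country: str
    now: datetime
    posture_score: int = 0
    posture_tags: frozenset = frozenset()


def _in_any(ip: str, cidrs: Tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def applies(p: Policy, r: Request) -> bool:
    """True when every configured condition of the policy is satisfied by the request."""
    if not p.enabled:
        return False
    kind, target = p.scope
    if kind == "group" and target != r.group_id:
        return False
    if kind == "resource" and target != r.resource_id:
        return False
    if (p.user_ids or p.team_ids) and r.user_id not in p.user_ids and not (p.team_ids & r.team_ids):
        return False
    if p.source_allow and not _in_any(r.source_ip, p.source_allow):
        return False
    if _in_any(r.source_ip, p.source_deny):
        return False
    if p.countries_allow and r.country not in p.countries_allow:
        return False
    if r.country in p.countries_deny:
        return False
    if p.valid_from and r.now < p.valid_from:
        return False
    if p.valid_until and r.now > p.valid_until:
        return False
    if r.posture_score < p.min_posture_score:
        return False
    if not p.required_tags <= r.posture_tags:
        return False
    if p.blocked_tags & r.posture_tags:
        return False
    return True


def evaluate(policies, r: Request):
    """Return (action, policy name, max session seconds) of the first match, else a default deny."""
    for p in sorted(policies, key=lambda pol: (pol.priority, pol.name)):
        if applies(p, r):
            return p.action, p.name, p.max_session_seconds
    return "deny", None, 0


# Constructed sample policies; 203.0.113.0/24 is a documentation range.
POLICIES = [
    Policy("block-test-range", "deny", priority=10, source_allow=("203.0.113.0/24",)),
    Policy("ops-db-prod", "allow", priority=100, scope=("resource", "db-prod"),
           team_ids=frozenset({"team-ops"}), min_posture_score=70,
           required_tags=frozenset({"disk-encrypted"}), blocked_tags=frozenset({"jailbroken"}),
           valid_until=datetime(2024, 12, 31, tzinfo=timezone.utc), max_session_seconds=4 * 3600),
    Policy("org-baseline", "allow", priority=9000, countries_allow=frozenset({"DE", "NL"}),
           max_session_seconds=8 * 3600),
    Policy("old-emergency-deny", "deny", priority=0, enabled=False),  # skipped: disabled
]


def sample_request(**overrides) -> Request:
    base = dict(user_id="u-42", team_ids=frozenset({"team-ops"}), group_id="g-prod",
                resource_id="db-prod", source_ip="198.51.100.7", country="DE",
                now=datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc),
                posture_score=85, posture_tags=frozenset({"disk-encrypted"}))
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    print(evaluate(POLICIES, sample_request()))                    # ops-db-prod, 4h session
    print(evaluate(POLICIES, sample_request(posture_score=50)))    # falls through to org-baseline
```

The layering shows in the second call: a request whose endpoint posture is too low no longer matches the resource-specific policy and falls through to the lower-priority organisation baseline with its longer session limit, while a request from the blocked range is stopped by the priority-10 deny before any allow policy is considered.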

Protocol Restrictions

SSH
  • Shell access — allow or block interactive shells.
  • SFTP — allow or block file transfer.
  • TCP forwarding — allow or block port-forwarding tunnels.
Database
  • Read-only mode — block all write operations.
  • Denied operations — block specific SQL operations (e.g. DELETE, DROP, ALTER, TRUNCATE).
  • Allowed schemas — restrict access to named schemas only.
VPN
  • Allowed / Denied CIDRs — control which network ranges peers can route to.
  • Max peers — per-user peer limit (most restrictive wins).
  • Exit node / Split tunnel — allow or block these VPN modes.
  • Allowed platforms — restrict to specific OS types (macOS, Windows, Linux).

Data Masking

Data masking rules control how sensitive database columns are displayed in query results. Navigate to Access Policies → Data Masking to manage rules.

Masking Strategies
  Strategy     | Example              | Description
  Full         | ****                 | Replace entire value
  Partial      | J***n                | Show first/last N characters
  Email        | j***@example.com     | Mask the local part
  Credit Card  | ****-****-****-1234  | Show last 4 digits
  Hash         | a1b2c3...            | SHA-256 hash of the value
  Redact       | [REDACTED]           | Replace with fixed label
  Null         | NULL                 | Replace with NULL
  Custom       | J***n                | Configurable show-first/last with custom mask character

Rules can target columns by exact name or pattern (glob syntax like *email* or regex with a ~ prefix like ~^ssn_). Optionally scope rules to a specific schema.table. For partial and custom strategies you can configure show first N, show last N, and the mask character (default *). A live preview shows how masked values will appear.

Masking rules can be scoped to the organisation, a specific policy, or a specific resource. Rules scoped to a policy are deleted when that policy is removed.
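The strategies in the table and the column-matching rules described above, as an added example written for this page (not the product's own masking code). It assumes that the first rule matching a column wins, that a rule scoped to a schema.table matches only that table, and that a partial mask which would reveal the whole value masks it fully. Column names, rule patterns, and row values are constructed.

```python
"""Added example: masking strategies plus column-rule matching (not the product's code).

Assumptions: first matching rule wins; schema.table scope must match exactly;
a partial mask that would expose the whole value masks it fully.
"""
from __future__ import annotations

import fnmatch
import hashlib
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


def mask_partial(value: str, show_first: int = 1, show_last: int = 1, ch: str = "*") -> str:
    """Keep the first/last N characters, mask the middle; mask everything if nothing would be hidden."""
    if len(value) <= show_first + show_last:
        return ch * len(value)
    tail = value[len(value) - show_last:] if show_last else ""
    return value[:show_first] + ch * (len(value) - show_first - show_last) + tail


def mask_email(value: str, ch: str = "*") -> str:
    """Mask the local part (first character kept), leave the domain readable."""
    local, sep, domain = value.partition("@")
    if not sep:                      # not an e-mail shape: mask everything
        return ch * len(value)
    return mask_partial(local, 1, 0, ch) + "@" + domain


def mask_credit_card(value: str, ch: str = "*") -> str:
    """Show the last 4 digits, masked digits regrouped in fours."""
    digits = re.sub(r"\D", "", value)
    masked = ch * max(len(digits) - 4, 0) + digits[-4:]
    return "-".join(masked[i:i + 4] for i in range(0, len(masked), 4))


@dataclass
class MaskRule:
    pattern: str                  # exact column name, glob (*email*) or regex with ~ prefix (~^ssn_)
    strategy: str
    scope: Optional[str] = None   # "schema.table"; None = any table
    show_first: int = 1
    show_last: int = 1
    mask_char: str = "*"

    def matches(self, column: str, table: Optional[str]) -> bool:
        if self.scope and self.scope != table:
            return False
        if self.pattern.startswith("~"):
            return re.search(self.pattern[1:], column) is not None
        if any(c in self.pattern for c in "*?["):
            return fnmatch.fnmatchcase(column, self.pattern)
        return column == self.pattern


# Strategy name -> function of (string value, rule); mirrors the table above.
STRATEGIES = {
    "full": lambda v, r: r.mask_char * len(v),
    "partial": lambda v, r: mask_partial(v, r.show_first, r.show_last, r.mask_char),
    "email": lambda v, r: mask_email(v, r.mask_char),
    "credit_card": lambda v, r: mask_credit_card(v, r.mask_char),
    "hash": lambda v, r: hashlib.sha256(v.encode()).hexdigest(),
    "redact": lambda v, r: "[REDACTED]",
    "null": lambda v, r: None,
    "custom": lambda v, r: mask_partial(v, r.show_first, r.show_last, r.mask_char),
}


def mask_value(value: Any, rule: MaskRule) -> Any:
    """Apply one rule to one cell; doubles as the 'live preview' for a rule."""
    if value is None:
        return None
    return STRATEGIES[rule.strategy](str(value), rule)


def mask_rows(rows: List[Dict[str, Any]], rules: List[MaskRule], table: Optional[str] = None):
    out = []
    for row in rows:
        masked = {}
        for col, val in row.items():
            rule = next((r for r in rules if r.matches(col, table)), None)
            masked[col] = mask_value(val, rule) if rule else val
        out.append(masked)
    return out


# Constructed rules and sample result row.
RULES = [
    MaskRule("*email*", "email"),
    MaskRule("~^ssn_", "full"),
    MaskRule("card_number", "credit_card", scope="public.users"),
    MaskRule("full_name", "custom", show_first=1, show_last=1, mask_char="#"),
    MaskRule("api_token", "hash"),
]
SAMPLE_ROWS = [{"id": 7, "user_email": "john@example.com", "ssn_number": "123-45-6789",
                "card_number": "4111 1111 1111 1111", "full_name": "Jason", "api_token": "tok_abc"}]


def demo(table: str = "public.users"):
    return mask_rows(SAMPLE_ROWS, RULES, table=table)


if __name__ == "__main__":
    print(demo())
```

Running `demo("public.orders")` shows the scope rule in action: the card_number rule is bound to public.users, so the same row from another table comes back with the card number unmasked, which is the case to watch for when rules are scoped too narrowly.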

Access Reviews (Business+)

Access review campaigns provide periodic certification of user access. Navigate to Access Reviews to create and manage campaigns.

Creating a Campaign
  1. Name & scope — provide a name, optional description, and choose a scope (organisation, team, or group).
  2. Reviewer assignment — assign reviews to direct managers, resource owners, or specific reviewers.
  3. Schedule — set a start date/time and deadline (deadline must be after start).
  4. Reminders — configure reminder frequency (0–30 days, default 3).
  5. Auto-revoke — optionally revoke unreviewed access after the deadline.
Campaign Lifecycle

Campaigns go through Draft → Active → Completed (or Cancelled). A draft campaign must be explicitly activated to generate review items from the configured scope. During the active phase, reviewers approve, revoke, or flag each access item. Active campaigns can be cancelled (outstanding items are not automatically revoked). Results can be exported as CSV from active or completed campaigns.
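The campaign settings and lifecycle described above, as an added example written for this page (not the product's implementation). It assumes that access grants are supplied to the campaign as (user, team, group, resource) tuples, that reviewer assignment is a plain label, and that closing a campaign after its deadline is the step that applies auto-revoke. All names and grants are constructed.

```python
"""Added example: campaign lifecycle as a small state machine (not the product's code).

Assumptions: grants are (user_id, team_id, group_id, resource_id) tuples; close()
after the deadline applies auto-revoke; cancel() leaves every item untouched.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

Grant = Tuple[str, str, str, str]          # user_id, team_id, group_id, resource_id
DECISIONS = ("approved", "revoked", "flagged")


@dataclass
class ReviewItem:
    user_id: str
    resource_id: str
    decision: str = "pending"
    access_active: bool = True


@dataclass
class Campaign:
    name: str
    scope: Tuple[str, Optional[str]]        # ("organisation"|"team"|"group", id)
    start: datetime
    deadline: datetime
    reviewer: str = "direct-manager"        # or "resource-owner" / a specific reviewer id
    reminder_days: int = 3                  # 0..30
    auto_revoke: bool = False
    state: str = "draft"
    items: List[ReviewItem] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.deadline <= self.start:
            raise ValueError("deadline must be after start")
        if not 0 <= self.reminder_days <= 30:
            raise ValueError("reminder frequency must be 0..30 days")

    def _require(self, *states: str) -> None:
        if self.state not in states:
            raise RuntimeError(f"operation not allowed in state {self.state}")

    def activate(self, grants: List[Grant]) -> int:
        """Draft -> Active: generate one review item per grant inside the scope."""
        self._require("draft")
        kind, target = self.scope
        for user, team, group, resource in grants:
            if kind == "team" and team != target:
                continue
            if kind == "group" and group != target:
                continue
            self.items.append(ReviewItem(user, resource))
        self.state = "active"
        return len(self.items)

    def decide(self, index: int, decision: str) -> None:
        """Reviewer approves, revokes, or flags one item; only revoke changes access."""
        self._require("active")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision}")
        item = self.items[index]
        item.decision = decision
        if decision == "revoked":
            item.access_active = False

    def cancel(self) -> None:
        """Active -> Cancelled: outstanding items are not revoked."""
        self._require("active")
        self.state = "cancelled"

    def close(self, now: datetime) -> int:
        """Active -> Completed after the deadline; auto-revoke unreviewed items if enabled."""
        self._require("active")
        if now < self.deadline:
            raise RuntimeError("deadline has not passed")
        revoked = 0
        for item in self.items:
            if item.decision == "pending" and self.auto_revoke:
                item.decision, item.access_active = "revoked", False
                revoked += 1
        self.state = "completed"
        return revoked

    def export_csv(self) -> str:
        """CSV export is available for active and completed campaigns only."""
        self._require("active", "completed")
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["user_id", "resource_id", "decision", "access_active"])
        for item in self.items:
            writer.writerow([item.user_id, item.resource_id, item.decision, item.access_active])
        return buf.getvalue()


# Constructed grants and a sample run.
GRANTS: List[Grant] = [
    ("alice", "team-ops", "g-prod", "db-prod"),
    ("bob", "team-ops", "g-prod", "ssh-bastion"),
    ("carol", "team-sales", "g-crm", "crm-db"),
]
START = datetime(2024, 6, 1, tzinfo=timezone.utc)


def run_demo() -> Campaign:
    c = Campaign("q2-ops-review", ("team", "team-ops"), START, START + timedelta(days=14), auto_revoke=True)
    c.activate(GRANTS)                    # two items: alice and bob (carol is out of scope)
    c.decide(0, "approved")
    c.close(START + timedelta(days=15))   # bob was never reviewed -> auto-revoked
    return c


if __name__ == "__main__":
    print(run_demo().export_csv())
```

The two exits from the active state behave differently on purpose: `close()` with auto-revoke enabled turns every still-pending item into a revocation, whereas `cancel()` ends the campaign and leaves pending items, and their access, exactly as they were.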