What are the customisable elements available in the Access Policy Groups feature for HDE Access Control?

Question:

What are the customisable elements available in the Access Policy Groups feature for HDE Access Control?

Answer:

The following items can be customised in an access policy group.

Authentication cookie expiration date

Sets how long the login state is kept when [Remember this login] is ticked on the login page.

For the usage of the [Remember this login] feature, please refer to the article below.

- How does "Remember this login" option work in the Access Control Login Page?

The condition for allowing the access

Sets the conditions under which access to G Suite or Office 365 from a web browser (for example Gmail or Outlook Web Access (OWA)) is allowed.

Explanatory notes for the conditional expression:

  • Disabled
    All web-browser access is allowed; no restriction is applied.
  • Enabled:false
    All web-browser access is denied.
  • Enabled:ip4:xxx.xxx.xxx.xxx
    Allows web-browser access from the specified IP address. An address range can also be specified.
  • Enabled:has_pass:true
    Allows web-browser access when the [entry permission authentication cookie] is present in the accessing browser.
  • Enabled:hsb:true
    Allows access via HDE Secure Browser.

Setting example:

To allow web-browser access

  • from the specified IP address or from a browser that holds the entry permission cookie, and
  • from a secure browser,

set the condition as follows:

ip4:xxx.xxx.xxx.xxx or has_pass:true or hsb:true

Condition which requires no OTP input

For web-browser access, specifies the condition under which a one-time password (OTP) is not required in addition to the login credentials (user ID and password). Access that does not satisfy the condition requires an OTP.

Note that the expression set in [Condition which requires no OTP input] has no effect while an expression is enabled in [The condition for allowing the access] above. To operate two-factor authentication with OTP, [The condition for allowing the access] must therefore be set to Disabled.

For the usage and operation of OTP, please refer to the article below.

■ OTP issuance and validity period

What is the method to issue the One-Time Password & How long is its validity period?

Explanatory notes for the conditional expression:

  • Disabled
    OTP input is not required for web-browser access.
  • Enabled:false
    OTP input is always required for web-browser access.
  • Enabled:ip4:xxx.xxx.xxx.xxx
    OTP input is required for web-browser access from any IP address other than the one specified. An address range can also be specified.
  • Enabled:has_pass:true
    OTP input is required when the entry permission cookie is not present in the browser; when it is present, no OTP is required.
  • Enabled:hsb:true
    OTP input is required for web-browser access from any browser other than the secure browser; from the secure browser, no OTP is required.

Setting example:

To allow web-browser access without OTP input

  • from the specified IP address or from a browser that holds the entry permission cookie, and
  • from a secure browser,

set the condition as follows:

ip4:xxx.xxx.xxx.xxx or has_pass:true or hsb:true

Condition to permit changes on the OTP shared key

Sets whether the usage setting menu for an OTP generator application (such as HDE OTP Generator or Google Authenticator; the "Receive OTP via smartphone" option) is displayed on the access control user setting page (*).

* When OTP is not used, set this to not display.

Explanatory notes for the conditional expression:

  • Disabled
    Displays the usage setting menu for receiving OTP.
  • Enabled:false
    Does not display the usage setting menu for receiving OTP.

Condition to permit access to secure browser setting page

Sets whether the usage setting menu for the secure browser is displayed on the access control user setting page (*).

* When the secure browser is not used, set this to not display.

Explanatory notes for the conditional expression:

  • Disabled
    Displays the usage setting menu for HDE Secure Browser.
  • Enabled:false
    Does not display the usage setting menu for HDE Secure Browser.

Condition to permit changes on the unread item check settings

Sets whether the [unread item check on secure browser] setting menu is displayed on the access control user setting page (*).

The screenshot shows the menu as displayed for the unread item notification settings on G Suite.

(The same conditional expression is available for the unread item check when the secure browser is used with Office 365.)

* When the secure browser is not used, set this to not display.

Explanatory notes for the conditional expression:

  • Disabled
    Displays the setting menu for the unread item check on HDE Secure Browser.
  • Enabled:false
    Does not display the setting menu for the unread item check on HDE Secure Browser.

Condition to permit access via applications

This setting is only available for Office 365.

Sets the conditions under which access from applications such as the Outlook client, the Lync client and OneDrive is permitted. Besides conditions on the IP address, this expression can also match the user agent string sent by the accessing application (predicate uastr:). Be aware that a user agent string may change whenever the application vendor changes its specification, so a uastr: condition needs careful consideration and testing before it is relied on in a production environment.

Explanatory notes for the conditional expression:

  • Disabled
    All application access is allowed.
  • Enabled:ip4:xxx.xxx.xxx.xxx
    Allows application access from the IP address xxx.xxx.xxx.xxx.
  • Enabled:(uastr:"%Outlook%" or uastr:"%MSRPC%")
    Allows access from the Outlook client.
  • Enabled:(uastr:"%Apple-%" or uastr:"%Android%")
    Allows ActiveSync connections from the native mail applications preinstalled on iPhone, iPad and Android.

(*) URL of the access control user setting page:

https://ap.ssso.hdems.com/sso/[dedicated tenant name for you/your company]/login
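To make the behaviour of the conditional expressions above concrete, the following is an added example, not HDE's code and not the product's own parser. It evaluates the predicates documented on this page (ip4:, has_pass:, hsb:, uastr:, false, "or" and parentheses) against a constructed request, and applies the rule that [Condition which requires no OTP input] is ignored while [The condition for allowing the access] is enabled. A Disabled condition is modelled as None and an Enabled:false condition as the expression "false". The tokeniser, CIDR notation for ip4 ranges, the "and" operator, case-sensitive uastr matching and the Request field names are assumptions made for the example; the page does not specify them.

```python
"""Toy evaluator for HDE Access Control policy-group conditional expressions.
Added example, not HDE's code.  Models the predicates documented on the page
(ip4:, has_pass:, hsb:, uastr:, false, 'or', parentheses).  Assumed, not
documented: tokeniser, CIDR ip4 ranges, 'and', case-sensitive uastr matching."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed view of one access attempt as the gateway would see it."""
    ip: str                  # source IP address
    has_pass_cookie: bool    # entry permission cookie present in the browser
    secure_browser: bool     # request comes from HDE Secure Browser
    user_agent: str = ""     # User-Agent string (application access only)


_TOKEN = re.compile(
    r'\s*(\(|\)|(?:or|and|true|false)\b|[a-z_0-9]+:(?:"[^"]*"|[^\s()]+))', re.I)


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenise {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def predicate(tok, req):
    """Evaluate one predicate such as ip4:203.0.113.0/24 or uastr:"%Outlook%"."""
    if tok.lower() in ("true", "false"):
        return tok.lower() == "true"
    key, _, val = tok.partition(":")
    key = key.lower()
    if key == "ip4":   # assumption: ranges in CIDR form; a bare address is /32
        return ipaddress.ip_address(req.ip) in ipaddress.ip_network(val, strict=False)
    if key == "has_pass":
        return req.has_pass_cookie == (val.lower() == "true")
    if key == "hsb":
        return req.secure_browser == (val.lower() == "true")
    if key == "uastr":  # '%' is a wildcard, as in the page's Outlook/ActiveSync examples
        pattern = ".*".join(re.escape(p) for p in val.strip('"').split("%"))
        return re.fullmatch(pattern, req.user_agent, re.S) is not None
    raise ValueError(f"unknown predicate {key!r}")


def evaluate(expr, req):
    """'or' binds loosest, then 'and', then atoms.  Both operands are always
    evaluated so a malformed right-hand side is never silently accepted."""
    tokens, pos = tokenize(expr), 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value
        return value

    def parse_and():
        value = parse_atom()
        while peek() == "and":
            take()
            value = parse_atom() and value
        return value

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        return predicate(tok, req)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return result


def browser_login_decision(access_cond, otp_exempt_cond, req):
    """Return (allowed, otp_required) for a web-browser login; None = Disabled.
    The OTP-exemption condition only applies while the access condition is Disabled."""
    if access_cond is not None:
        return evaluate(access_cond, req), False
    if otp_exempt_cond is None:
        return True, False
    return True, not evaluate(otp_exempt_cond, req)


# Constructed sample requests (documentation addresses, not real clients).
OFFICE = Request("203.0.113.10", False, False)
HOME = Request("198.51.100.7", False, False)
HOME_COOKIE = Request("198.51.100.7", True, False)
HOME_HSB = Request("198.51.100.7", False, True)
OUTLOOK = Request("198.51.100.7", False, False,
                  "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.1; Pro)")
EXAMPLE = "ip4:203.0.113.0/24 or has_pass:true or hsb:true"
```

With EXAMPLE set as the access condition, HOME is denied outright; with the access condition Disabled and EXAMPLE set as the no-OTP condition, HOME is allowed but prompted for an OTP while OFFICE, HOME_COOKIE and HOME_HSB are not. Setting the no-OTP condition to "false" prompts everyone, which is the "Enabled:false" case in the notes above.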
