Create a new access policy group (Modern view)

Target

This article is intended for administrators who perform initial setup and operational management of HENNGE Access Control.

Purpose

This article explains how to create a new access policy group in HENNGE Access Control.

Notes

1. The content of this article is based on product specifications as of April 2024 and may be subject to change without notice.

2. HENNGE Access Control administrator privileges are required for actual screen confirmation and configuration changes.

3. Refer to the following article for how to access the admin console:
 Accessing HENNGE Access Control admin console

4. An access condition expression can be at most 4096 characters long.

Detailed Explanation / Procedure

New access policy groups are created from the left menu of the HENNGE Access Control management screen, under [Users] - [Access Policy Group].

How to Create a New Access Policy Group

1. Access the HENNGE Access Control management screen's left menu [Users] - [Access Policy Group].

2. Click [Add] in the upper right corner.

3. Configure each item and click [Submit].

4. Assign the created access policy group to users.

Assigning Access Policy Groups to Users (Modern View)

Access Policy Group Settings


※ The displayed items may vary depending on your contract.

1. Basic Settings

1.1. Display Name

This setting value becomes the name of the access policy group.

※ The display name must be 256 characters or less.

1.2. Authentication Cookie Expiration

This setting value has two meanings:

If the user checks [Remember Me] on the login screen: The time for which the login status is maintained by cookies in the browser.

※ Authentication cookies are set in the browser, and the login status is maintained until the expiration period set here has passed, even if the browser is restarted. This does not apply when the user logs out from the screen.

If [Remember Me] is not checked on the login screen or is not displayed: The maximum retention time of the user's login session.

※ The default is 168 hours, and a value between 1 hour and 9,600 hours can be set. If left blank, the user is logged out when the browser is closed.

1.3. Conditions for Allowing Access

If you select [Always Allow], all access is permitted.

If you select [Allow under the following conditions], you must describe the access condition expressions. Access will only be permitted under the conditions described.

Common settings:

・IP Control: ip4:xxx.xxx.xxx.xxx

・HENNGE Device Certificate Control (all login types): device_cert:any

For more detailed description methods, please refer to the following article:
How to Write Access Condition Expressions

If you select [Never Allow], all access is denied.

2. One-Time Password Settings

2.1. Conditions for Not Requiring OTP

If you select [Never Require OTP], OTP will not be required.

If you select [Do Not Require OTP under the Following Conditions], describe the conditions under which OTP is not required.

When you describe condition expressions, OTP will not be required only for access under the conditions described.

Common Settings:

・IP Control: ip4:xxx.xxx.xxx.xxx

・HENNGE Device Certificate Control (all login types): device_cert:any

For more detailed description methods, please refer to the following article:
How to Write Access Condition Expressions

If you select [Always Require OTP], OTP will be required at all times.
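The limits and options described in sections 1.1 to 2.1 can be checked before a group is submitted. The following is an added example, not HENNGE tooling or an export format: the dictionary keys and mode names are hypothetical labels, and each expression is assumed to be a single term in one of the two forms shown in this article.

```python
import ipaddress

# Limits quoted from this article; keys and mode names below are hypothetical.
MAX_NAME, MAX_EXPR, MIN_HOURS, MAX_HOURS = 256, 4096, 1, 9600

def check_expression(expr):
    """Check one condition expression against what this article states."""
    if not expr or not expr.strip():
        return ["condition expression is empty"]
    issues = []
    if len(expr) > MAX_EXPR:
        issues.append(f"expression is {len(expr)} characters (limit {MAX_EXPR})")
    if expr.startswith("ip4:"):
        try:
            ipaddress.IPv4Address(expr[4:])
        except ValueError:
            issues.append(f"'{expr[4:]}' is not a valid IPv4 address")
    elif expr != "device_cert:any":
        issues.append("form not shown in this article; check the syntax reference")
    return issues

def review_policy_group(group):
    """Return review findings for a planned access policy group."""
    findings = []
    if len(group["display_name"]) > MAX_NAME:
        findings.append(f"display name exceeds {MAX_NAME} characters")
    hours = group.get("cookie_hours")  # None models a blank field
    if hours is not None and not MIN_HOURS <= hours <= MAX_HOURS:
        findings.append(f"cookie expiration {hours}h is outside {MIN_HOURS}-{MAX_HOURS}h")
    for key in ("access", "otp_exempt"):
        mode, expr = group[key]
        if mode == "conditional":
            findings += [f"{key}: {issue}" for issue in check_expression(expr)]
    if group["access"][0] == "always_allow" and group["otp_exempt"][0] == "never_require":
        findings.append("no access condition and no OTP apply to this group")
    return findings

SAMPLE_GROUPS = [  # constructed sample data, not real settings
    {"display_name": "Office network", "cookie_hours": 168,
     "access": ("conditional", "ip4:192.0.2.10"),
     "otp_exempt": ("conditional", "device_cert:any")},
    {"display_name": "Contractors", "cookie_hours": 12000,
     "access": ("always_allow", None), "otp_exempt": ("never_require", None)},
    {"display_name": "Branch", "cookie_hours": None,
     "access": ("conditional", "ip4:192.0.2.300"),
     "otp_exempt": ("always_require", None)},
]

if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(g["display_name"], review_policy_group(g) or "OK")
```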

2.2. Conditions for Allowing OTP Shared Key Changes

If you select [Always Allow], OTP shared key changes are always allowed.

If you select [Allow Changes under the Following Conditions], you can describe condition expressions that allow users to issue OTP (One-Time Password) from Authenticator applications like HENNGE Lock.

When you describe condition expressions, OTP shared key changes will only be allowed for access under the conditions described.

Common Settings:

・IP Control: ip4:xxx.xxx.xxx.xxx

・HENNGE Device Certificate Control (all login types): device_cert:any

For more detailed condition expression description methods, please refer to the following article:
How to Write Access Condition Expressions

If you select [Never Allow], OTP shared key changes will never be allowed.

※ The highlighted area will become unclickable.

Additionally, if you set [Never Allow] for [Conditions for Allowing OTP Notification Email Address Changes], the [OTP (One-Time Password) Settings] will be hidden in the user interface.

2.3. Conditions for Allowing OTP Notification Email Address Changes

If you select [Always Allow], changes to the OTP notification email address are allowed at all times.

If you select [Allow Changes under the Following Conditions], you can describe condition expressions that allow users to set or change the OTP (One-Time Password) notification email address.

When you describe condition expressions, changes to the OTP notification email address will only be allowed for access under the conditions described.

Common Settings:

If you select [Never Allow], the device certificate you own will never be displayed.

3.2. Conditions for Allowing Device Certificate Revocation ※ Only applicable for HENNGE Device Certificate contracts

If you select [Always Allow], it will always allow the revocation of device certificates.

If you select [Allow under the Following Conditions], describe the condition expressions that allow users to revoke their HENNGE Device Certificates.

When you describe condition expressions, it will only allow the revocation of device certificates for access under the conditions described.

"HENNGE Device Certificate Revocation" screen: 


Common Settings:

・IP Control: ip4:xxx.xxx.xxx.xxx

・HENNGE Device Certificate Control (all login types): device_cert:any

For more detailed condition expression description methods, please refer to the following article:
How to Write Access Condition Expressions

If you select [Never Allow], revocation of device certificates will never be allowed.

4. HENNGE Secure Browser Settings

4.1. Conditions for Allowing Access to Secure Browser Settings ※ Only applicable for HENNGE Secure Browser contracts

If you select [Always Allow], it will always allow access to the Secure Browser Settings.

If you select [Allow under the Following Conditions], describe the condition expressions that allow users to view and access the "HENNGE Secure Browser Settings" screen.

When you describe condition expressions, it will only allow access to the Secure Browser Settings screen for access under the conditions described.

"HENNGE Secure Browser Settings" screen: 


Common Settings:

・IP Control: ip4:xxx.xxx.xxx.xxx

・HENNGE Device Certificate Control (all login types): device_cert:any

For more detailed condition expression description methods, please refer to the following article:
How to Write Access Condition Expressions

If you select [Never Allow], access to the Secure Browser Settings screen will never be allowed.

4.2. Conditions for Allowing Changes to Unread Mail Check Settings ※ Only applicable for HENNGE Secure Browser contracts

If you select [Always Allow], it will always allow changes to unread mail check settings.

If you select [Allow under the Following Conditions], describe the condition expressions that allow users to access the "Unread Check Settings" screen of HENNGE Secure Browser.

When you describe condition expressions, it will only allow changes to unread mail check settings for access under the conditions described.

"HENNGE Secure Browser Unread Check Settings" screen (for Microsoft 365):

Common Settings:

・IP Control: ip4:xxx.xxx.xxx.xxx

・HENNGE Device Certificate Control (all login types): device_cert:any

For more detailed condition expression description methods, please refer to the following article:
How to Write Access Condition Expressions

If you select [Never Allow], changes to unread mail check settings will never be allowed.

4.3. Automatic Device Authentication ※ Only applicable for HENNGE Secure Browser contracts

This setting controls whether to perform automatic device authentication for HENNGE Secure Browser.

※ If you enable automatic device authentication, user requests for HENNGE Secure Browser usage will be automatically approved.

The following settings are possible:

・Default: Use the setting value of [Domain Settings] - [Secure Browser Related] - [General] - [Automatic Device Authentication].

・Enabled: Perform automatic device authentication.

・Disabled: Do not perform automatic device authentication, and the administrator will perform device authentication in the management screen.

5. Allowed Service Providers

Set up access control settings for services linked in the HENNGE Access Control management screen [System] - [Service Provider Settings].

The following settings are possible:

・Allow access to linked services: Check the box.

・Disallow access to linked services: Uncheck the box.

Related Articles 

HENNGE Access Control Administrator Help

          