Set up access rules to manage when and how users can login to Cirro.

Why Create an Access Rule?

Access Rules are a second level of security which can be applied to further restrict access to your Cirro Server and configured Datasources. This is on top of any passwords, timed one-time passwords or authentication systems you’ve already set up.

Here’s a few use cases:

You can set any number of Access Rules, which you can set to trigger in a specific order.

Types of Access Rule

Cirro has two types of access rule:

  • A Before rule will trigger when an attempt is made to login.

  • An After rule triggers when login is successful.

Typically, you’d set a Before rule if you’re attempting to restrict access to Cirro or Datasources.

An After rule would be used to notify of login success via alert actions. Alert actions are notification messages that can be sent via email or HTTP enabled services like Slack.

View Access Rules

  • Click Secure Connect then Access Rules.

There are two types of access rules:

  • Before Connection - rules which must be met to be able to login (e.g., time of day, IP address)

  • After Connection - rules which must be met once you are logged in (e.g., Log user with Secure Connect role).

Column Description Icons
Description User supplied name of rule. The numbered circles indicate order of execution. 0 Enabled

1 Disabled
Rule generated text describing the rule. expand the rule
contract the rule
Alert Linked alert action. Click Alert Actions to edit the action.  

Create Access Rules

This is a summary of the user interface. See Access Rule Use Cases for actual examples.

New rules are automatically added at the bottom of the list, but you can also click Add Rule Below on any rule to insert below it.

  • Click Secure Connect then Access Rules.

  • Click on Before Connection or After Connection.

First, fill in the properties fields.

Field Description Values
Rule Description User supplied rule name. Alphanumeric string with no spaces
Action The action to execute for the connection. Allow
Allow and Log
Deny
Deny without Log
Rule Action Applies to the field values that follow. When
Always
  • Tick Enabled to activate the rule on save.

From here you can construct access rules using a simple spoken-word syntax:

Rule Criteria Description Modifiers
When/Always Criteria that applies in specified circumstances or in all of them. When allows additional criteria to be added. Always locks criteria off, but allows a Triggered Alert to be set. None
User Cirro user Is
Is Not
Role Cirro role (only available on AFTER rules) Is
Is Not
Target System List of Cirro Datasources Is
Is Not
Client IP Client IP address (can be partial). Uses subnet notation in form nnn.nnn.nnn.nnn/nn Is
Is Like
Day of Week Days of week (Monday to Sunday) Is
Is Not
Is Between
Is Not Between
Time of Day Time in 24-hour format, HH:MM:SS (leading zeroes required) Is
Is Not
Is Between
Is Not Between

Edit an access rule

  • Click Secure Connect then Access Rules.

  • Click Edit on your access rule and make the desired modifications. You can change any field

Field Description Values
Rule Description User supplied rule name. Alphanumeric string with no spaces
Action The action to execute for the connection. Allow
Allow and Log
Deny
Deny without Log
Rule Action Applies to the field values that follow. When
Always
  • Tick Enabled to activate the rule on save.

  • Click to add new conditions.

Rule Criteria Description Modifiers
When/Always Criteria that applies in specified circumstances or in all of them. When allows additional criteria to be added. Always locks criteria off, but allows a Triggered Alert to be set. None
User Cirro user Is
Is Not
Role Cirro role (only available on AFTER rules) Is
Is Not
Target System List of Cirro Datasources Is
Is Not
Client IP Client IP address (can be partial). Uses subnet notation in form nnn.nnn.nnn.nnn/nn Is
Is Like
Day of Week Days of week (Monday to Sunday) Is
Is Not
Is Between
Is Not Between
Time of Day Time in 24-hour format, HH:MM:SS (leading zeroes required) Is
Is Not
Is Between
Is Not Between
  • Click OK when finished.

Delete access rules

  • Click Secure Connect then Access Rules.

  • Click Delete on any access rule.

  • Click Yes on the confirmation message.

See Also