Set up access rules to manage when and how users can login to Cirro.

Before You Start

  • Create an Alert Action - Alerts are generated when an access rule is triggered, and can be HTML or email in nature.

View Access Rules

  • Click Secure Connect then Access Rules.

There are two types of access rules:

  • Before Connection - rules which must be met to be able to login (e.g., time of day, IP address)

  • After Connection - rules which must be met once you are logged in (e.g., Log user with Secure Connect role).

Column Description Icons
Description User supplied name of rule. The numbered circles indicate order of execution. 0 Enabled

1 Disabled
Rule generated text describing the rule. expand the rule
contract the rule
Alert Linked alert action. Click Alert Actions to edit the action.  

Access Rules can be applied prior to login or afterwards.

Field Description Values
Rule Description User supplied rule name. Alphanumeric string with no spaces
Type When the rule is to be applied, chosen on creation. Before Connection
After Connection
Action The action to execute for the connection. Allow
Deny
Log
Rule Action Applies to the field values that follow. When
Always

From here you construct access rules using a simple spoken-word syntax:

Rule Criteria Description Modifiers
Allow/Deny The rule permits the actions or prevents them Allow (without logging)
Allow And Log
Deny (with logging)
Deny Without Log
When/Always Criteria that applies in specified circumstances or in all of them When
Always
User Cirro user Is
Is Not
Role Cirro role Is
Is Not
Target System List of datasources in Cirro Is
Is Not
Client Hostname or IP address (can be partial). Uses subnet notation in form nnn.nnn.nnn.nnn/nn Is
Is Like
Day of Week Days of week (Monday to Sunday) Is
Is Not
Is Between
Is Not Between
Time of Day Time in 24-hour format, HH:MM:SS (leading zeroes required) Is
Is Not
Is Between
Is Not Between

Before Connection Scenarios

Some scenarios in which you’d create a Before Connection rule are:

  • You want to restrict login IP addresses to a specific hostname or IP range - you’d do this where you’re logging into an external service to perform analytics.

  • You want to set login times to one or more user accounts

You can set up alert action notifications for either of these scenarios, but they aren’t required.

New rules are automatically added at the bottom of the list, but you can also click Add Rule Below on any rule to insert below it.

Restrict Login IP addresses

This scenario will allow only a specific IP range to login to Cirro. IP addresses outside this range will be immediately rejected.

You’ll need the IP address(es) of the service in question.

  • Click Secure Connect then Access Rules.

  • Click Before Connection

  • Name the rule.

  • Choose Allow, When, Client Network, IS.

  • Enter the IP address(es) (e.g., 192.168.1.0/24)

  • Choose a Triggered Notification if you have one ready.

  • Click OK when you’re finished.

Login Times

In this scenario, you’ll allow a selected user to login to Cirro only between the hours of 8am and 6pm.

  • Click Secure Connect then Access Rules.

  • Click Before Connection

  • Name the rule.

  • Choose Allow, When, User, Is

  • Choose one or more usernames.

  • Click Add Condition.

  • Choose Time of Day, Is Between.

  • Enter the times in 24-hour format (e.g., 08:00 and 18:00).

  • Choose a triggered notification if you have one ready.

  • Click OK when you’re finished.

After Connection Scenarios

After connection rules require the creation of Alert Actions to generate email or HTML notifications when rule criteria are met.

Edit an access rule

  • Click Secure Connect then Access Rules.

  • Click Edit on your access rule and make the desired modifications.

Delete access rules

  • Click Secure Connect then Access Rules.

  • Click Delete on any access rule.

  • Click Yes on the confirmation message.

See also

Leave Comments

Login to Disqus to leave comments and questions

Email Cirro if you've got problems, or click Raise Issue at the right side of the page to raise a support request.