When you add Web applications to the catalog, you can create Web-application-specific access policies. For example, you can create an policy with rules for a Web application that specifies which IP addresses have access to the application, using which authentication methods, and for how long until reauthentication is required.

The following Web-application-specific policy provides an example of a policy you can create to control access to specified Web applications.

In this example, a new policy is created and applied to a sensitve Web application.


To access the service from outside the enterprise network, the user is required to log in with RSA SecurID. The user signs in using a browser and now has access to the apps portal for a four hour session as provided by the default access rule.


After four hours, the user tries to launch a Web application with the Sensitive Web Applications policy set applied.


The service checks the rules in the policy and applies the policy with the ALL RANGES network range since the user request is coming from a Web browser and from the ALL RANGES network range.

The user signed in with the the RSA SecurID authentication method, but the session just expired. The user is redirected for re-authentication. The re-authentication provides the user with another four hour session and the ability to launch the application. For the next four hours, the user can continue to launch the application without having to re-authenticate.

For a stricter rule to apply to extra sensitive Web applications, you could require re-authentication with SecurId on any device after 1 hour. The following is an example of how this type of policy access rule is implemented.


User logs in from inside the enterprise network using the Kerberos authentication method.

Now, the user can access the apps portal for eight hours, as set up in Example 1.


The user immediately tries to launch a Web application with the Example 2 policy rule applied, which requires RSA SecurID authentication.


The user is redirected to RSA SecurID authentication sign-in page.


After the user successfully signs in, the service launches the application and saves the authentication event.

The user can continue to launch this application for up to one hour but is asked to re-authenticate after an hour, as dictated by the policy rule.