When you add Web applications to the catalog, you can create Web-application-specific access policies. For example, you can create an policy with rules for a Web application that specifies which IP addresses have access to the application, using which authentication methods, and for how long until reauthentication is required.

The following Web-application-specific policy provides an example of a policy you can create to control access to specified Web applications.

In this example, a new policy is created and applied to a sensitve Web application.


To access the service from outside the enterprise network, the user is required to log in with RSA SecurID. The user logs in using a browser and now has access to the apps portal for a four hour session as provided by the default access rule.


After four hours, the user tries to launch a Web application with the Sensitive Web Applications policy set applied.


The service checks the rules in the policy and applies the policy with the ALL RANGES network range since the user request is coming from a Web browser and from the ALL RANGES network range.

The user logs in using the RSA SecurID authentication method, but the session just expired. The user is redirected for reauthentication. The reauthentication provides the user with another four hour session and the ability to launch the application. For the next four hours, the user can continue to launch the application without having to reauthenticate.

For a stricter rule to apply to extra sensitve Web applications, you could require re-authentication With SecureId on any device after 1 hour. The following is an example of how this type of policy access rule is implemented.


User logs in from an inside the enterprise network using the password authentication method.

Now, the user has access to the apps portal for eight hours, as set up in Example 1.


The user immediately tries to launch a Web application with the Example 2 policy rule applied, which requires RSA SecurID authentication.


The user is redirected to an identity provider that provides RSA SecurID authentication.


After the user successfully logs in, the service launches the application and saves the authentication event.

The user can continue to launch this application for up to one hour but is asked to reauthenticate after an hour, as dictated by the policy rule.