about_Broker_AccessPolicy

TOPIC

Citrix Broker SDK - Access Policy

SHORT DESCRIPTION

Controls client-connection-based access to desktop groups.

LONG DESCRIPTION

The site's access policy defines rules controlling a user's access to 
desktop groups. Access checks are based on details of the user's connection 
from their user device to the site. Think of the access policy informally 
as a connection-based firewall.

The access policy comprises a set of rules. Each rule:

o   Relates to a single desktop group. 
o   Contains a set of connection filters and access right controls.

Multiple rules can apply to the same desktop group.

By default, users have no access to any desktop group within a site. A user 
gains access to a group when their connection's details match the connection 
filters of one or more rules in the access policy.

The access policy also grants control rights over desktop and application 
sessions. For example, it can specify which protocols are allowed for a 
connection from a given endpoint, and whether the user can restart their 
machine.

To use a resource published by a site, the user must have both access to the 
desktop group that contains it, and an entitlement to use the resource. 
Entitlements are typically granted by the site entitlement and assignment 
policies; see about_Broker_Policies for more information.

ACCESS POLICY RULES

A single access policy rule relates to a single specified desktop group and 
comprises a set of connection filters and access right grants as described 
below.

Each rule can be individually enabled or disabled. A disabled rule is 
ignored when the access policy is evaluated.

CONNECTION FILTERS OVERVIEW

The connection filters in an access policy rule comprise the following:

o   Local/remote client (SmartAccess) filters 
o   Client IP address filters 
o   Client name filters 
o   User filters

All filters have an include and exclude form that can be individually 
enabled or disabled. For a rule to be considered when the access policy is 
evaluated, at least one connection include filter must be enabled. By 
default, all filters, both include and exclude, are disabled.

The detailed behavior of connection filters is covered later.

ACCESS RIGHT CONTROLS OVERVIEW

The access right controls in an access policy rule comprise the following:

o   Allowed protocols 
o   Whether machine restart, or programmatic session logoff, is allowed

The detailed behavior of access right controls is covered later.

DETAILS OF CONNECTION FILTERS

To gain access to a desktop group the user's connection must match the 
filter criteria of at least one access policy rule for that group.

To match a rule, a connection must match all the rule's enabled include 
connection filters and must not match any of the rule's enabled exclude 
filters. That is, entries in exclude filters take priority.

Because all rules are evaluated independently, if an exclude filter match 
prevents a connection gaining access to a desktop group through one rule, 
the connection may still gain access to the same group through a different 
rule.

The filters are described in pairs below, but within a single rule a match 
against any exclude filter prevents a connection from gaining access through 
that rule irrespective of which include filters within the rule were also 
matched.

SMARTACCESS FILTERS

SmartAccess filters allow filtering based on whether the client is directly 
connected (for example over a local area network (LAN)) or through Access 
Gateway. For connections through Access Gateway, further filtering can be 
performed based on the tags supplied by Access Gateway itself. The key 
properties of SmartAccess filters are:

o   AllowedConnections (include filter: Filtered, NotViaAG, ViaAG, AnyViaAG)

    This property controls the behavior of the include filter. The default 
    value is Filtered. The possible values are as follows:

    -- Filtered (default)

        The filter matches any user connection not through Access Gateway. 
        In addition, the filter may match user connections through Access 
        Gateway subject to the following: if the IncludedSmartAccessTags 
        property is empty, any such connection matches. However, if the 
        property is not empty at least one SmartAccess tag from the filter 
        property must match a SmartAccess tag supplied with the user's 
        connection.

    -- NotViaAG

        The filter matches only user connections not through Access 
        Gateway. The contents of the IncludedSmartAccessTags property 
        are ignored.

    -- ViaAG

        The filter matches only user connections through Access Gateway. 
        If the IncludedSmartAccessTags property is empty, any such 
        connection matches. However, if the property is not empty at 
        least one SmartAccess tag from the filter property must match a 
        SmartAccess tag supplied with the user's connection.

    -- AnyViaAG

        The filter matches only user connections through Access Gateway. 
        The contents of the IncludedSmartAccessTags property are ignored. 
        The behavior of AnyViaAG is therefore the same as using ViaAG with 
        an empty IncludedSmartAccessTags property.

    The IncludedSmartAccessTags property referred to above forms part of the 
    include filter and is used if AllowedConnections is set to Filtered or 
    ViaAG. It comprises a simple list of Access Gateway tags that are 
    matched against those provided in the user's connection details.

o   ExcludedSmartAccessTags (exclude filter)

    A simple list of Access Gateway tags that are matched against those 
    provided in the user's connection details. If any tag in the list 
    matches one supplied with the user's connection, the user's connection 
    does not match the access policy rule containing the filter.

    The exclude filter has no setting corresponding to the 
    AllowedConnections property so its behavior is determined only by the 
    ExcludedSmartAccessTags property.

SmartAccess filters are typically used to control local (through a LAN) and 
remote (through Access Gateway) access to a site. A common model is to 
define two access policy rules for a group, one for local access and one 
for remote. The remote rule might require the user device to have 
appropriate antivirus software installed, and might exclude certain user 
groups who would be allowed access over the corporate LAN (see USER FILTERS 
below).

CLIENT IP FILTERS

Client IP filters allow filtering based on the IP address of the user's 
device. The key properties of client IP filters are:

o   IncludedClientIPs (include filter)

    A simple list of numeric IP address ranges that are matched against the 
    user device. The filter matches if the device address falls within any 
    of the ranges in the list.

o   ExcludedClientIPs (exclude filter)

    A simple list of numeric IP address ranges that are matched against the 
    user device. If any entry matches the device address, the user's 
    connection does not match the access policy rule containing the filter.

An IP address range in these filters can be specified as a simple IP 
address or as a range using a conventional subnet mask.

CLIENT NAME FILTERS

Client name filters allow filtering based on the name of the user's device. 
The key properties of client name filters are:

o   IncludedClientNames (include filter)

    A simple list of names that are matched against the user device. The 
    filter matches if the device name matches any value in the list.

o   ExcludedClientNames (exclude filter)

    A simple list of device names that are matched against the user device. 
    If any entry matches the device name, the user's connection does not 
    match the access policy rule containing the filter.

Note: The form of the device name presented to the site depends on the site 
configuration. For example, by default in these filters you cannot use the 
form of the name presented by Web Interface.

USER FILTERS

User filters allow filtering based on the identity of the user. The key 
properties of user filters are:

o   AllowedUsers (include filter: Filtered, AnyAuthenticated, Any)

    This property controls the behavior of the include filter. The default 
    value is Filtered. The possible values are as follows:

    -- Filtered (default)

        The filter matches if the user's logon token contains one or more 
        users or user groups matching those specified in the IncludedUsers 
        property. The IncludedUsers property is a simple list of users or 
        user groups and is used only when the AllowedUsers property is set 
        to Filtered.

    -- AnyAuthenticated

        The filter matches any authenticated Microsoft Windows user. The 
        contents of the IncludedUsers property are ignored.

    -- Any

        The filter matches any user. The contents of the IncludedUsers 
        property are ignored. In the current implementation this value 
        is handled in the same way as AnyAuthenticated.

o   ExcludedUsers (exclude filter)

    A simple list of users or user groups. If any entry matches one in the 
    user's logon token, the user's connection does not match the access 
    policy rule containing the filter.

    The exclude filter has no setting corresponding to the AllowedUsers 
    property so its behavior is determined only by the ExcludedUsers 
    property.

DETAILS OF ACCESS RIGHT CONTROLS

The access right controls of an access policy rule determine rights that the 
user has over any desktop or application session that they obtain from the 
rule's desktop group.

The rights apply only if the user's connection matches the connection 
filters of a rule, and only if the user also has an entitlement to a desktop 
or application session from the associated desktop group.

The following properties define the access rights:

o   AllowedProtocols

    A simple list of communication protocols over which connections can be 
    made to resources published by the desktop group. For example, use this 
    to restrict protocols with high bandwidth requirements to connections 
    originating from a LAN.

o   AllowRestart

    For single-session power-managed machines, allows the user to restart 
    the machine (the machine is powered off using the capabilities of its 
    hypervisor). For multi-session machines the user's session is simply 
    logged off.

For a given connection, if multiple rules result in access being granted to 
a session from a desktop group, the user's rights are the combined rights of 
all the rules that matched for that group. The allowed protocol lists from 
all the rules are combined, and the user is granted restart rights if any 
one rule has AllowRestart set.
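The filter and rights semantics described in DETAILS OF CONNECTION FILTERS and DETAILS OF ACCESS RIGHT CONTROLS (an exclude match vetoing a rule, rules evaluated independently, rights combined across matching rules), modelled as an added Python example; this is not Citrix code or the SDK's API. Rules and connections are plain dicts whose keys reuse the property names from this topic; the "on" set of enabled filters, the connection fields, and the sample Finance rules are constructed here, client name filters are omitted, and every connection is treated as authenticated.

```python
import ipaddress
def _sa_include(rule, conn):
    mode = rule.get("AllowedConnections", "Filtered")
    if mode == "NotViaAG":
        return not conn["via_ag"]
    if not conn["via_ag"]:                   # only Filtered also admits direct connections
        return mode == "Filtered"
    tags = set(rule.get("IncludedSmartAccessTags", []))
    return mode == "AnyViaAG" or not tags or bool(tags & conn["tags"])

def _ip_in(ranges, ip):                      # ranges: "10.1.2.3" or "10.0.0.0/8"
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r, strict=False) for r in ranges)

def _any_in(rule, key, values):
    return bool(set(rule.get(key, [])) & values)

def rule_matches(rule, conn):
    if not rule.get("Enabled", True):        # disabled rules are ignored
        return False
    inc = {"SmartAccess": lambda: _sa_include(rule, conn),
           "ClientIP": lambda: _ip_in(rule.get("IncludedClientIPs", []), conn["ip"]),
           "User": lambda: (rule.get("AllowedUsers", "Filtered") != "Filtered"
                            or _any_in(rule, "IncludedUsers", conn["principals"]))}
    exc = {"SmartAccess": lambda: _any_in(rule, "ExcludedSmartAccessTags", conn["tags"]),
           "ClientIP": lambda: _ip_in(rule.get("ExcludedClientIPs", []), conn["ip"]),
           "User": lambda: _any_in(rule, "ExcludedUsers", conn["principals"])}
    active = [k for k in inc if "Included" + k in rule["on"]]
    if not active:                           # a rule needs an enabled include filter
        return False
    if any(exc[k]() for k in exc if "Excluded" + k in rule["on"]):
        return False                         # any exclude match vetoes the whole rule
    return all(inc[k]() for k in active)

def evaluate(rules, conn, group):
    """Access and combined rights for one group: rules are independent, rights are unioned."""
    hit = [r for r in rules if r["DesktopGroup"] == group and rule_matches(r, conn)]
    protocols = set().union(*(r.get("AllowedProtocols", []) for r in hit))
    return bool(hit), protocols, any(r.get("AllowRestart", False) for r in hit)

# Constructed sample: the local/remote two-rule model described under SmartAccess filters.
RULES = [
    {"DesktopGroup": "Finance", "on": {"IncludedSmartAccess", "IncludedClientIP", "IncludedUser"},
     "AllowedConnections": "NotViaAG", "IncludedClientIPs": ["10.0.0.0/8"],
     "IncludedUsers": ["Finance-Users"], "AllowedProtocols": ["HDX", "RDP"], "AllowRestart": True},
    {"DesktopGroup": "Finance", "on": {"IncludedSmartAccess", "IncludedUser", "ExcludedUser"},
     "AllowedConnections": "ViaAG", "IncludedSmartAccessTags": ["AV-OK"],
     "IncludedUsers": ["Finance-Users"], "ExcludedUsers": ["Contractors"], "AllowedProtocols": ["HDX"]},
]
def conn(via_ag, ip, principals, tags=()):
    return {"via_ag": via_ag, "ip": ip, "principals": set(principals), "tags": set(tags)}
```

Note that a contractor in Finance-Users is refused by the remote rule's exclude filter but still admitted over the LAN, because the local rule is evaluated on its own and carries no exclude filter.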

SEE ALSO

about_Broker_Policies 
about_Broker_AssignmentPolicy 
about_Broker_EntitlementPolicy 
New-BrokerAccessPolicyRule 
Get-BrokerAccessPolicyRule 
Set-BrokerAccessPolicyRule 
Rename-BrokerAccessPolicyRule 
Remove-BrokerAccessPolicyRule 
New-BrokerAssignmentPolicyRule 
New-BrokerEntitlementPolicyRule 
New-BrokerAppAssignmentPolicyRule 
New-BrokerAppEntitlementPolicyRule 
Add-BrokerUser