HTTP Access Policy Type

Use HTTP Access policies to control outbound HTTP/HTTPS access based on targeting plus URL rules.

How Matching Works (high level)

URL filters:

normalize URLs (lowercase, query strings stripped)
support wildcard matching like https://*.example.com/*
apply only to HttpAccess events

Step-by-Step: Create an HTTP Access policy (via Advanced JSON)

Navigate to Endpoint Privilege Manager → Policies

Click Create Policy Button

This will spawn the Create Policy modal form.

Define Policy Attributes

Choose a aptly discriptive name for your new policy.

Choose any existing policy type available in the UI for your new policy(this is just a starting template since Update Settings is set in JSON).

Choose a status for your new policy. We recommend monitor mode when initially setting up a policy.

Add one or more Controls by clicking on the "Add Control" button and then selecting the controls that you would like to see applied to your new policy.

Choose a User Group, a Machine Collection, and an Application Collection.

Configure Policy Targeting

Configure any targeting you want in the UI (collections/users/machines/apps/platforms). Who or What does your policy apply to?

Open the Policy’s Advanced Mode (JSON view)

To open the Policy's Advanced Mode, click on the "Advanced Mode" link in the bottom left corner of the Policy Form.

Redefine Policy Type in JSON

Set: PolicyType to "HttpAccess"

Configure URL Filtering

Configure URL filtering using the policy’s URL filter field(s) in JSON (exact JSON key names vary by implementation, but the evaluator uses URL patterns and wildcards as described)

Save the Policy

Important note about field names

The attached docs clearly describe how URL filtering works, but they do not provide a canonical, copy/paste JSON schema for where URL patterns live in the policy JSON (i.e., the exact property name/path used in exported server policies vs. local policy templates). The “Raw Policy Template Format” shows a generic Filters: [ { UserCheck..., MachineCheck..., ApplicationCheck... } ] structure, but doesn’t include an explicit URL example.Administrators

So, the examples below are representative and align with the documented behavior (PolicyType + URL patterns + optional user/machine/application targeting). You’ll want to adjust the URL pattern field name to match what your Admin Console generates in the Advanced tab.

Example JSON Snippets

Example 1: Allow Only Specific Domains (allowlist)

{
  "PolicyName": "HTTP Access - Allow Example Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access allowed by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*",
      "https://login.microsoftonline.com/*"
    ],
    "Default": "DENY"
  }
}

What this intends: allow matching URLs; deny everything else (Default: "DENY").

Example 2: Block Specific Domains (denylist)

{
  "PolicyName": "HTTP Access - Block Social Media",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 60,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.social.example/*",
      "https://social.example/*",
      "https://*.facebook.com/*",
      "https://*.instagram.com/*",
      "https://*.tiktok.com/*"
    ],
    "MatchAction": "DENY"
  }
}

What this intends: when a URL matches any pattern, deny it.

Example 3: Block a Domain Only for a Specific App (app-scoped)

{
  "PolicyName": "HTTP Access - Block Example.com in Browser Only",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked for this application.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 55,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*"
    ],
    "MatchAction": "DENY",
    "Notes": "Use ApplicationCheck targeting to scope enforcement to a specific browser/app."
  }
}

In this shape, app scoping is done via the existing ApplicationCheck targeting you already use elsewhere (the HTTP match then happens via Extension.UrlPatterns).

Example 4: Monitor-Only HTTP Access (no block, just notify)

This is useful when you want to stage rollout: match URLs and display a notification without enforcing deny.

{
  "PolicyName": "HTTP Access - Monitor Sensitive Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "NOTIFY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access to a monitored domain was detected.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 40,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.bank.example/*",
      "https://*.payroll.example/*"
    ],
    "MatchAction": "NOTIFY"
  }
}

Frequent Quick “drop-in” Edits

PolicyId: keep the ID generated by the UI.
Status: "on" or "off" depending on rollout.
UserCheck, MachineCheck, ApplicationCheck: fill these arrays using the same targeting entries your console normally writes.
Extension.UrlPatterns: your allow/deny patterns.

Validation tips

Test with an explicit URL first, then widen with wildcards.
Remember query strings are stripped during normalization, so patterns should usually avoid query parameters.

Last updated 4 days ago

Was this helpful?

hashtagHow Matching Works (high level)

hashtagStep-by-Step: Create an HTTP Access policy (via Advanced JSON)

hashtagNavigate to Endpoint Privilege Manager → Policies

hashtagClick Create Policy Button

hashtagDefine Policy Attributes

hashtagConfigure Policy Targeting

hashtagOpen the Policy’s Advanced Mode (JSON view)

hashtagRedefine Policy Type in JSON

hashtagConfigure URL Filtering

hashtagSave the Policy

hashtagImportant note about field names

hashtagExample JSON Snippets

hashtagExample 1: Allow Only Specific Domains (allowlist)

hashtagExample 2: Block Specific Domains (denylist)

hashtagExample 3: Block a Domain Only for a Specific App (app-scoped)

hashtagExample 4: Monitor-Only HTTP Access (no block, just notify)

hashtagFrequent Quick “drop-in” Edits

hashtagValidation tips