# HTTP Access Policy Type

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FlVbjl8jxGvkYbI9aEhIo%2Fimage.png?alt=media&#x26;token=e5742f42-3b5e-40bf-9ed2-b91cb56c6a53" alt=""><figcaption></figcaption></figure>

Use **HTTP Access** policies to control outbound HTTP/HTTPS access based on targeting plus URL rules.

***

### How Matching Works (high level)

URL filters:

* normalize URLs (lowercase, query strings stripped)
* support wildcard matching like `https://*.example.com/*`
* apply only to HttpAccess events

### Step-by-Step: Create an HTTP Access policy (via Advanced JSON)

{% stepper %}
{% step %}
**Navigate to Endpoint Privilege Manager → Policies**

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FP3xJ0YWb05C1yW6pSSHf%2Fimage.png?alt=media&#x26;token=df08da15-73bb-4c2b-a143-adef8d7a0cf9" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Click Create Policy Button**

This will spawn the Create Policy modal form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fjt36zB0v6IGHdOFM60o1%2Fimage.png?alt=media&#x26;token=61a352bb-a843-4479-a170-95f0fb1e077b" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Define Policy Attributes**

Choose an aptly descriptive name for your new policy.

Choose **any existing policy type available in the UI** for your new policy (this is just a starting template since Update Settings is set in JSON).

Choose a status for your new policy. We recommend monitor mode when initially setting up a policy.

Add one or more Controls by clicking on the "Add Control" button and then selecting the controls that you would like to see applied to your new policy.

Choose a User Group, a Machine Collection, and an Application Collection.
{% endstep %}

{% step %}
**Configure Policy Targeting**

Configure any **targeting** you want in the UI (collections/users/machines/apps/platforms). Who or what does your policy apply to?
{% endstep %}

{% step %}
**Open the Policy’s Advanced Mode (JSON view)**

To open the Policy's Advanced Mode, click on the "Advanced Mode" link in the bottom left corner of the Policy Form.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FPZKrmkXDbJ6KXo3UTR71%2Fimage.png?alt=media&#x26;token=020cd153-3c6e-4234-992f-357e69da6d29" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Redefine Policy Type in JSON**

Set `PolicyType` to **`"HttpAccess"`**.
{% endstep %}

{% step %}
**Configure URL Filtering**

Configure URL filtering using the policy’s URL filter field(s) in JSON (exact JSON key names vary by implementation, but the evaluator uses URL patterns and wildcards as described).
{% endstep %}

{% step %}
**Save the Policy**
{% endstep %}
{% endstepper %}

### Important note about field names

The attached docs clearly describe **how URL filtering works**, but they **do not provide a canonical, copy/paste JSON schema** for where URL patterns live in the policy JSON (i.e., the exact property name/path used in exported server policies vs. local policy templates). The “Raw Policy Template Format” shows a generic `Filters: [ { UserCheck..., MachineCheck..., ApplicationCheck... } ]` structure, but doesn’t include an explicit URL example.

So, the examples below are **representative** and align with the documented behavior (PolicyType + URL patterns + optional user/machine/application targeting). You’ll want to adjust the **URL pattern field name** to match what your Admin Console generates in the Advanced tab.

***

## Example JSON Snippets

#### Example 1: Allow Only Specific Domains (allowlist)

```
{
  "PolicyName": "HTTP Access - Allow Example Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access allowed by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*",
      "https://login.microsoftonline.com/*"
    ],
    "Default": "DENY"
  }
}
```

**What this intends:** allow matching URLs; deny everything else (`Default: "DENY"`).

***

#### Example 2: Block Specific Domains (denylist)

```
{
  "PolicyName": "HTTP Access - Block Social Media",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 60,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.social.example/*",
      "https://social.example/*",
      "https://*.facebook.com/*",
      "https://*.instagram.com/*",
      "https://*.tiktok.com/*"
    ],
    "MatchAction": "DENY"
  }
}
```

**What this intends:** when a URL matches any pattern, deny it.

***

#### Example 3: Block a Domain Only for a Specific App (app-scoped)

```
{
  "PolicyName": "HTTP Access - Block Example.com in Browser Only",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked for this application.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 55,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*"
    ],
    "MatchAction": "DENY",
    "Notes": "Use ApplicationCheck targeting to scope enforcement to a specific browser/app."
  }
}
```

In this shape, **app scoping is done via the existing `ApplicationCheck` targeting** you already use elsewhere (the HTTP match then happens via `Extension.UrlPatterns`).

***

#### Example 4: Monitor-Only HTTP Access (no block, just notify)

This is useful when you want to stage rollout: match URLs and display a notification without enforcing deny.

```
{
  "PolicyName": "HTTP Access - Monitor Sensitive Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "NOTIFY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access to a monitored domain was detected.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 40,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.bank.example/*",
      "https://*.payroll.example/*"
    ],
    "MatchAction": "NOTIFY"
  }
}
```

### Frequent Quick “drop-in” Edits

* `PolicyId`: keep the ID generated by the UI.
* `Status`: `"on"` or `"off"` depending on rollout.
* `UserCheck`, `MachineCheck`, `ApplicationCheck`: fill these arrays using the same targeting entries your console normally writes.
* `Extension.UrlPatterns`: your allow/deny patterns.

### Validation tips

* Test with an explicit URL first, then widen with wildcards.
* Remember query strings are stripped during normalization, so patterns should usually avoid query parameters.
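
A pre-flight check for the matching rules in "How Matching Works" and the validation tips above. It is an added example, not the product's evaluator or code from this documentation. It assumes the representative `Extension.UrlPatterns` field, a glob where `*` in the host does not cross `/`, and that fragments are dropped along with the query string.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample policy; "Extension.UrlPatterns" is the page's representative field name.
POLICY = json.loads("""{
  "PolicyType": "HttpAccess",
  "Extension": {"UrlPatterns": [
    "https://example.com/*",
    "https://*.example.com/*",
    "https://portal.example.com/login?next=*"
  ]}
}""")

def normalize(url):
    """Lowercase and strip the query string, as the page describes.
    Assumptions: the fragment is dropped too and an empty path becomes '/'."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc}{parts.path or '/'}".lower()

def pattern_to_regex(pattern):
    """Assumption: '*' in the host stays inside the host; '*' in the path matches anything."""
    head, sep, rest = pattern.lower().partition("://")
    if not sep:                       # pattern written without a scheme
        head, rest = "", head
    host, slash, path = rest.partition("/")
    def glob(text, wild):
        return wild.join(re.escape(piece) for piece in text.split("*"))
    return re.compile(re.escape(head + sep) + glob(host, "[^/]*") + slash + glob(path, ".*"))

def evaluate(policy, url):
    """Return the first pattern that matches the normalized URL, or None."""
    target = normalize(url)
    for pattern in policy["Extension"]["UrlPatterns"]:
        if pattern_to_regex(pattern).fullmatch(target):
            return pattern
    return None

def lint(policy):
    """Flag settings that can never take effect under the documented behaviour."""
    findings = []
    if policy.get("PolicyType") != "HttpAccess":
        findings.append("PolicyType: URL filters apply only to HttpAccess events")
    for pattern in policy["Extension"]["UrlPatterns"]:
        if "?" in pattern:
            findings.append(f"{pattern}: query strings are stripped before matching")
    return findings

if __name__ == "__main__":
    for url in ("https://API.example.com/v1?token=abc", "https://example.org/"):
        print(url, "->", evaluate(POLICY, url))
    print(lint(POLICY))
```

Under these assumptions `https://*.example.com/*` does not cover the apex `https://example.com/`, which is why the snippets above list both forms; confirm the same URLs against the agent in monitor mode before enforcing.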
