HTTP Access

Use HTTP Access policies to control outbound HTTP/HTTPS access based on targeting plus URL rules.

How Matching Works (high level)

URL filters:

normalize URLs (lowercase, query strings stripped)
support wildcard matching like https://*.example.com/*
apply only to HttpAccess events

Step-by-Step: Create an HTTP Access policy (via Advanced JSON)

Navigate to Endpoint Privilege Manager → Policies

Click Create Policy Button

This will spawn the Create Policy modal form.

Define Policy Attributes

Choose a aptly discriptive name for your new policy.

Choose any existing policy type available in the UI for your new policy(this is just a starting template since Update Settings is set in JSON).

Choose a status for your new policy. We recommend monitor mode when initially setting up a policy.

Add one or more Controls by clicking on the "Add Control" button and then selecting the controls that you would like to see applied to your new policy.

Choose a User Group, a Machine Collection, and an Application Collection.

Configure Policy Targeting

Configure any targeting you want in the UI (collections/users/machines/apps/platforms). Who or What does your policy apply to?

Open the Policy’s Advanced Mode (JSON view)

To open the Policy's Advanced Mode, click on the "Advanced Mode" link in the bottom left corner of the Policy Form.

Redefine Policy Type in JSON

Set: PolicyType to "HttpAccess"

Configure URL Filtering

Configure URL filtering using the policy’s URL filter field(s) in JSON (exact JSON key names vary by implementation, but the evaluator uses URL patterns and wildcards as described)

Save the Policy

Example JSON Snippets

Example 1: Allow Only Specific Domains (allowlist)

{
  "PolicyName": "HTTP Access - Allow Example Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access allowed by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*",
      "https://login.microsoftonline.com/*"
    ],
    "Default": "DENY"
  }
}

What this intends: allow matching URLs; deny everything else (Default: "DENY").

Example 2: Block Specific Domains (denylist)

{
  "PolicyName": "HTTP Access - Block Social Media",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 60,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.social.example/*",
      "https://social.example/*",
      "https://*.facebook.com/*",
      "https://*.instagram.com/*",
      "https://*.tiktok.com/*"
    ],
    "MatchAction": "DENY"
  }
}

What this intends: when a URL matches any pattern, deny it.

Example 3: Block a Domain Only for a Specific App (app-scoped)

{
  "PolicyName": "HTTP Access - Block Example.com in Browser Only",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked for this application.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 55,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*"
    ],
    "MatchAction": "DENY",
    "Notes": "Use ApplicationCheck targeting to scope enforcement to a specific browser/app."
  }
}

In this shape, app scoping is done via the existing ApplicationCheck targeting you already use elsewhere (the HTTP match then happens via Extension.UrlPatterns).

Example 4: Monitor-Only HTTP Access (no block, just notify)

This is useful when you want to stage rollout: match URLs and display a notification without enforcing deny.

{
  "PolicyName": "HTTP Access - Monitor Sensitive Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "NOTIFY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access to a monitored domain was detected.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 40,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.bank.example/*",
      "https://*.payroll.example/*"
    ],
    "MatchAction": "NOTIFY"
  }
}

Frequent Quick “drop-in” Edits

PolicyId: keep the ID generated by the UI.
Status: "on" or "off" depending on rollout.
UserCheck, MachineCheck, ApplicationCheck: fill these arrays using the same targeting entries your console normally writes.
Extension.UrlPatterns: your allow/deny patterns.

Validation tips

Test with an explicit URL first, then widen with wildcards.
Remember query strings are stripped during normalization, so patterns should usually avoid query parameters.

PreviousCustom NextUpdate Jobs

Last updated 8 days ago