The ACCESS::policy commands allow you to retrieve information about the access policies in place for a given connection.


ACCESS::policy agent_id
ACCESS::policy result

v11 Additions/Changes:
ACCESS::policy uri
ACCESS::policy result [-sid <sid>]

v11.4 Additions:
ACCESS::policy evaluate -sid <session-id> -profile <apm-profile-name> [<session-variable-key> <session-variable-value>+]

ACCESS::policy agent_id

  • Returns the identifier for the agent raising the ACCESS_POLICY_AGENT_EVENT.

ACCESS::policy result

  • Returns back the result of an access policy. The result will be one of following:
    • allow
    • deny
    • redirect

ACCESS::policy uri

  • Returns TRUE (1) if current request URI is internal to ACCESS (v11+ only). Otherwise returns FALSE (0).

ACCESS::policy evaluate

  • Executes an access policy using an APM profile and an existing APM session. The flags sid and profile are required, and the profile selection should include the folder path (“/Common/access-policy-name”). The policy will evaluate in clientless mode (i.e., no logon pages or message boxes). You can insert multiple session variable keys and values that will be used during policy evaluation.


when RULE_INIT {
    # Set a static username and password for testing.
    set static::username user1
    set static::password password1
    # When we accept a connection, create an Access session and save the session ID.
    set flow_sid [ACCESS::session create -timeout 600 -lifetime 3600]

    # Under the previously saved session ID for the created session, use the "/Common/test" access
    # policy to evaluate the connection. Set the session variables "username", "password", and "landinguri"
    # to something so the policy has something to evaluate.
    ACCESS::policy evaluate -sid $flow_sid -profile /Common/test session.logon.last.username $static::username session.logon.last.password $static::password session.server.landinguri [string tolower [HTTP::uri]]
    # Check the outcome of the access policy evaluation. Throw a response based on what we learn.
    switch [ACCESS::policy result -sid $flow_sid] {
        "allow" {
              HTTP::respond 200 content "<html><body>You made it ($flow_sid)!</body></html>"
        "deny" {
             HTTP::respond 200 content "<html><body>Go away ($flow_sid)!</body></html>"
        default {
             HTTP::respond 200 content "<html><body>Different result than expected - check your configuration. ($flow_sid)</body></html>"

    # To avoid clutter, remove the access session for the flow.
    ACCESS::session remove -sid $flow_sid