ltm rule command ACCESS policy

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



ACCESS::policy
       Return information about access policies.

SYNOPSIS
       ACCESS::policy agent_id

       ACCESS::policy evaluate ('-sid' SESSION_ID) ('-profile' APM_PROFILE_OBJ) (KEY VALUE)*

       ACCESS::policy result (-sid SESSION_ID)?

       ACCESS::policy uri

       ACCESS::policy ACCESS_POLICY_COMMAND  (ACCESS_POLICY_INFO)?

DESCRIPTION
       The ACCESS::policy commands allow you to retrieve information about the
       access policies in place for a given connection.

       ACCESS::policy agent_id

	    * Returns the identifier for the agent raising the
	      ACCESS_POLICY_AGENT_EVENT.

       ACCESS::policy result

	    * Returns the result of an access policy. The result will be one
	      of the following:
	      - allow
	      - deny
	      - redirect

       ACCESS::policy uri

	    * Returns TRUE if the current request URI is internal to ACCESS
	      (v11+ only).

       ACCESS::policy evaluate

	    * Executes an access policy using an APM profile and an existing APM
	      session. The flags sid and profile are required, and the profile
	      selection should include the folder path
	      ("/Common/access-policy-name"). The policy will evaluate in
	      clientless mode (i.e., no logon pages or message boxes). You can
	      insert multiple session variable keys and values that will be used
	      during policy evaluation.


	* Requires APM module

RETURN VALUE
VALID DURING
       HTTP_REQUEST, HTTP_PROXY_REQUEST

EXAMPLES
	when RULE_INIT {
	    # Set a static username and password for testing.
	    set static::username user1
	    set static::password password1
	}
	when CLIENT_ACCEPTED {
	    # When we accept a connection, create an Access session and save the session ID.
	    set flow_sid [ACCESS::session create -timeout 600 -lifetime 3600]
	}

	when HTTP_REQUEST {
	    # Under the previously saved session ID for the created session, use the "/Common/test" access
	    # policy to evaluate the connection. Set the session variables "username", "password", and "landinguri"
	    # to something so the policy has something to evaluate.
	    ACCESS::policy evaluate -sid $flow_sid -profile /Common/test session.logon.last.username $static::username session.logon.last.password $static::password session.server.landinguri [string tolower [HTTP::uri]]
	    # Check the outcome of the access policy evaluation. Throw a response based on what we learn.
	    switch [ACCESS::policy result -sid $flow_sid] {
		"allow" {
		      HTTP::respond 200 content "You made it ($flow_sid)!"
		}
		"deny" {
		     HTTP::respond 200 content "Go away ($flow_sid)!"
		}
		default {
		     HTTP::respond 200 content "Different result than expected - check your configuration. ($flow_sid)"
		}
	    }
	}

	when CLIENT_CLOSED {
	    # To avoid clutter, remove the access session for the flow.
	    ACCESS::session remove -sid $flow_sid
	}
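
	The following is an added example, not part of the original manual page: it dispatches on
	ACCESS::policy agent_id inside ACCESS_POLICY_AGENT_EVENT and logs ACCESS::policy result once
	the policy finishes. The agent ID "check_source_net", the session variable
	session.custom.source_trusted and the 10.0.0.0/8 network are hypothetical values chosen for illustration.

```tcl
# Added example; names marked "hypothetical" are not from the manual page.
when ACCESS_POLICY_AGENT_EVENT {
    # The ID configured on the policy agent that raised this event.
    set agent [ACCESS::policy agent_id]
    switch -- $agent {
        "check_source_net" {
            # Hypothetical agent ID.
            # Fail closed: mark the session untrusted first, then upgrade
            # only on a positive match against the trusted network.
            ACCESS::session data set session.custom.source_trusted 0
            set client_ip [ACCESS::session data get session.user.clientip]
            if { $client_ip ne "" && [IP::addr $client_ip equals 10.0.0.0/8] } {
                ACCESS::session data set session.custom.source_trusted 1
            }
        }
        default {
            # An unknown agent ID usually means the policy and the iRule
            # have drifted apart; record it instead of ignoring it.
            log local0.warning "Unhandled access policy agent ID: $agent"
        }
    }
}

when ACCESS_POLICY_COMPLETED {
    # Record the final outcome so allow/deny decisions can be audited.
    set result [ACCESS::policy result]
    set user [ACCESS::session data get session.logon.last.username]
    switch -- $result {
        "allow" {
            log local0.info "Access policy result=allow user=$user"
        }
        "deny" -
        "redirect" {
            log local0.notice "Access policy result=$result user=$user"
        }
        default {
            # Anything outside the three documented results is unexpected.
            log local0.warning "Access policy returned unexpected result '$result' user=$user"
        }
    }
}
```

	A branch in the access policy can then test session.custom.source_trusted to choose between
	the allow and deny endings.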

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-10.1.0 --First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)