
Secure Access Service Edge: Configure a dynamic policy

Last Updated: Apr 02, 2026

Dynamic policies let SASE continuously evaluate employee devices, behavior, and compliance status—and automatically apply security responses when a condition is met. Use dynamic policies to detect threats in real time, restrict access for non-compliant devices, and protect your organization's data and resources.

Prerequisites

Before you begin, make sure that you have:

  • An active SASE subscription. If you haven't activated SASE, see Purchase the service. A 7-day free trial is also available. See Apply for a free trial.

  • An Alibaba Cloud account or a Resource Access Management (RAM) user with SASE access permissions. To grant permissions to a RAM user, see Grant permissions to a RAM user.

  • SASE client version 4.5.1 or later installed on office devices.

Create a dynamic policy

  1. Log on to the Secure Access Service Edge console.

  2. In the left navigation pane, choose Dynamic Decision-making > Dynamic Policy. On the Dynamic Policy page, click Create Policy.

  3. In the Create Policy panel, configure the parameters described in the following table.

  4. Click OK.

Policy parameters

Basic information

Parameter | Description
Policy Name | Enter a name for the dynamic policy.
Policy Status | Enable or disable the dynamic policy.
Effective Scope | Select the user group to which the policy applies.

Trigger settings

Trigger Mode is set to Dynamic by default. The policy is triggered in real time when device properties, the network environment, or the device compliance baseline changes, or when a security event related to a user occurs.

Configure trigger conditions using one of the following methods:

Method | Steps
Manually set policy | Set conditions based on Device Information, Behavior Information, Compliance Baseline, and Time Rule. Configure one or more conditions and set the logical relationship between them. To reuse this configuration, click Save as Template. For parameter details, see Trigger configuration parameters.
Import existing template | Click Import Existing Template. In the dialog box, select a trigger template and click OK. For information on creating trigger templates, see Configure a trigger template.

Handling settings

When a policy is triggered, SASE applies one or more of the following response actions:

Action | Description
Prohibit App-initiated Connections to Internal Networks | Blocks the SASE app from initiating connections to internal networks. Requires a network access policy configured in SASE. Warning: requires SASE app version 4.7.0 or later.
Prohibit Use of Software | Prevents employees from using specified software. Applies only on qualifying devices.
Prohibit Connection to Office Network | Blocks the device from connecting to the office network. Requires a network access policy configured in SASE. For users or devices with a network access policy, the restriction takes effect on their next connection.
Access Control Downgrade | De-escalates the permissions of a non-compliant user. Requires a downgrade policy to be configured first.

Notifications and audit

Option | Description
Audit | Records response and recovery operations. View the logs in Log Audit. For details, see View the response process.
In-client Notification to User | Sends a pop-up notification when the policy is triggered. Set the pop-up title and content in both Chinese and English. The SASE client is forcibly logged off when the notification appears.
CloudMonitor Notification to System Administrator | Delivers response events to CloudMonitor for system administrator alerts.

Restoration method

Configure how affected users or devices recover after a policy is triggered:

Method | Description
Automatic Restoration After Remediation | Automatically recovers the response if the device or user no longer meets the trigger condition at the next policy check.
Restoration After Authentication and Reporting | The SASE client is forcibly logged off. The user can log on again to resume access. Set the Reported Effective Time; the dynamic policy will not be triggered again within this period. The default Authentication Method is Log On Again.

Example: manually configured trigger policy

The following example shows a dynamic policy that triggers if the SASE client version is earlier than v4.5.1, or the QQ application is detected on an office device.

Trigger condition | Logical operator | Value
SASE Client Version | Less than | v4.5.1
Device Software Information | Includes any of | QQ

The two conditions use an OR relationship—the policy triggers if either condition is met.
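To make the evaluation concrete, the following is an added Python model (written for this article, not SASE's own client or API code) of how the trigger operators described on this page combine under the OR relationship, run against constructed device reports. It generalizes beyond the example above to the Terminal Type and LAN IPv4 Address operators and to the Automatic Restoration After Remediation re-check; the device fields, the condition tuple layout and the action name are assumptions modelled on the tables on this page.

```python
import ipaddress

# Constructed device posture reports (illustrative, not real SASE client output).
DEVICES = {
    "laptop-a": {"client_version": "v4.3.0", "terminal": "Windows", "software": ["Chrome"], "lan_ip": "10.1.2.3"},
    "laptop-b": {"client_version": "v4.10.2", "terminal": "macOS", "software": ["QQ", "Slack"], "lan_ip": "10.1.5.9"},
    "laptop-c": {"client_version": "v4.5.1", "terminal": "Linux", "software": ["vim"], "lan_ip": "192.168.0.4"},
}

def parse_version(v):
    """'v4.10.2' -> (4, 10, 2); tuple comparison avoids the '4.10' < '4.5' string-ordering bug."""
    return tuple(int(p) for p in v.lstrip("vV").split("."))

def version_op(op, actual, expected):
    a, e = parse_version(actual), parse_version(expected)
    return {"Greater than": a > e, "Greater than or equal to": a >= e,
            "Less than": a < e, "Less than or equal to": a <= e}[op]

def condition_matches(cond, device):
    """Evaluate one (field, operator, value) condition with the operators listed on this page."""
    field, op, value = cond
    if field == "SASE Client Version":
        return version_op(op, device["client_version"], value)
    if field == "Terminal Type":
        hit = device["terminal"] in value
        return hit if op == "Is in" else not hit
    if field == "Device Software Information":
        hit = any(app in device["software"] for app in value)
        return hit if op == "Includes any of" else not hit
    if field == "LAN IPv4 Address":
        ip = ipaddress.ip_address(device["lan_ip"])
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in value)
        return hit if op == "Is in" else not hit
    raise ValueError(f"unsupported condition field: {field}")

def policy_triggers(policy, device):
    """Combine the per-condition results with the policy's logical relationship (OR or AND)."""
    results = [condition_matches(c, device) for c in policy["conditions"]]
    return any(results) if policy["relation"] == "OR" else all(results)

# The page's example policy: client earlier than v4.5.1 OR QQ present (action name assumed).
EXAMPLE_POLICY = {"relation": "OR", "actions": ["Prohibit Connection to Office Network"],
                  "conditions": [("SASE Client Version", "Less than", "v4.5.1"),
                                 ("Device Software Information", "Includes any of", ["QQ"])]}

def recheck_after_remediation(policy, device, **changes):
    """Automatic Restoration After Remediation: re-evaluate once the device report has changed."""
    return policy_triggers(policy, {**device, **changes})
```

Note that laptop-b on v4.10.2 is not "earlier than v4.5.1" once versions are compared numerically; it is caught only by the QQ condition, and clears the policy after QQ is removed.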


Trigger configuration parameters

Device information

Basic device information

Option | Logical operator | Value
SASE Client Version | Greater than, Greater than or equal to, Less than, Less than or equal to | Enter the client version number.
Terminal Type | Is in, Is not in | Windows, macOS, iOS, Linux, Android (multiple selections supported).
Wi-Fi Connection | Is, Is not | Enter one or more SSIDs. Up to 10 SSIDs.
Device MAC Address | Includes any of, Does not include any of | Enter one or more MAC addresses. Up to 10 MAC addresses.
LAN IPv4 Address | Is in, Is not in | Enter one or more IP addresses or CIDR blocks. Up to 10 entries.
Mac Disk Access | Equals | Enabled, Not enabled.
Screenshot Permissions on Mac | Equals | Enabled, Not enabled.

Device application information

Option | Logical operator | Value
Device Software Information | Includes any of, Does not include any of | Application list from software management.

Behavior information

Logons

Option | Logical operator | Value
IP Address of Most Recent Logon | Belongs To, Does Not Belong To | Enter one or more IP addresses or CIDR blocks. Up to 10 entries.

Compliance baseline

Windows

Option | Logical operator | Value
Windows Version | Version Later Than, Version Equal To or Later Than, Version Earlier Than, Version Equal To or Earlier Than | Select from Windows 7, 8, 9, 10, or 11.
System Firewall | Include Any, Not Include | Enable Private Network Firewall; Enable Guest and Public Network Firewall; Enable Domain Network Firewall; System Firewall. Multiple selections supported.
Process Detection | Include Any, Not Include | Enter one or more process names.
Baseline Element | Include All | Windows Automatic Updates Not Enabled; High-risk Port Enabled; Antivirus Software Disabled; High-risk Software Used. For details on configuring baseline elements, see Configure baseline elements.

macOS

Option | Logical operator | Value
macOS Version | Version Later Than, Version Equal To or Later Than, Version Earlier Than, Version Equal To or Earlier Than | Select from macOS 10, 11, 12, 13, 14, or 15.
System Firewall | Include Any, Not Include | System Firewall.
Process Detection | Include Any, Not Include | Enter one or more process names.
Baseline Element | Include All | High-risk Port Enabled; Antivirus Software Disabled; High-risk Software Used. For details on configuring baseline elements, see Configure baseline elements.

Linux

Option | Logical operator | Value
Process Detection | Include Any, Not Include | Enter one or more process names.
System Firewall | Include Any, Not Include | System Firewall.

Time rules

Option | Logical operator | Value
Effective Time | Greater Than, Less Than, Validity Period | Set a specific time or a time range.

Manage policies

After you create a policy, it appears in the dynamic policy list. SASE applies responses to devices that match the policy based on your settings.

Operation | How to
Filter | Filter the list by Policy Name.
Edit | Click Details to view or modify the policy configuration.
Delete | Click Delete to delete a policy. Select multiple policies to delete them in a batch.
Enable or disable | Click the switch in the Status column to enable or disable a policy.

What's next

To view SASE product events reported to CloudMonitor, see View system events.