When you add an office application to Secure Access Service Edge (SASE), SASE automatically creates a deny-all policy for it, so no user can reach the application until an allow policy matches. Zero trust policies control which users and enterprise partners can access which office applications, and under what conditions. Configure allow policies to grant specific user groups the access they need, and scope each policy to the applications those groups actually require.
Prerequisites
Before you begin, ensure that you have:
Added the office applications to manage. See Add an office application to SASE.
Created the user groups the policy will apply to. See Create a user group.
Configured a security baseline template that meets your requirements. See Create a security baseline.
Create a zero trust policy
Log on to the SASE console.
In the left-side navigation pane, choose Private Access > Zero Trust Policies.
On the Zero Trust Policies page, click Create Policy.
In the Create Policy panel, configure the parameters described in the following table, then click OK.
| Parameter | Description |
|---|---|
| Policy Name | A name for the policy. Must be 2–100 characters and can contain letters, digits, hyphens (-), and underscores (_). |
| Priority | The policy priority. 1 is the highest priority. A new policy can be assigned any priority from 1 to the number of existing policies in your account plus 1. For example, if you have 17 policies, a new policy can have a priority from 1 to 18. When two policies match the same request, the policy with the higher priority (the lower number) takes effect. |
| Action | The access control action. Allow Access grants the selected users and terminals access to the selected applications. Access Denied blocks the selected users and terminals from accessing the selected applications. |
| Applicable User | The user group the policy applies to. Click Add, then select a group from the User Group tab. To create a new group inline, use the Custom User Group tab. See Configure a user group. |
| Selected Applications | The applications the policy covers. Click Add, then select applications by tag on the Tag tab, or individually on the Application tab. |
| Security Baselines | The security baseline template to apply. See Create a security baseline. |
| Trigger Templates | The trigger template for dynamic decision-making. Click View Trigger Templates to review available templates. |
| Policy Status | Enable or disable the policy. |
The number of policies you can create depends on your Private Access edition: 200 for Private Access VPN, 500 for Private Access Basic, and 1,000 for Private Access Advanced.
Manage policies
Find the policy you want to manage in the list and perform any of the following operations:
Edit: Click Edit in the Actions column. Modify the settings in the Edit panel.
Change priority: Click the icon in the Priority column. In the Priority dialog box, enter a new priority value and click OK.
Enable or disable: Toggle the switch in the Policy Status column.
Delete one policy: Click Delete in the Actions column.
Delete multiple policies: Select the policies and click Delete below the list.
Deleting a policy changes which policy takes effect for the affected user group. If you delete a deny policy, a lower-priority allow policy that it previously overrode can take effect, and users may gain access to applications that do not meet your security requirements. If you delete the only allow policy that covers a group, those users fall back to the default deny-all policy and lose access. Review the remaining policies for the group before you proceed.
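To make the evaluation order concrete, the following Python model (an added example, not SASE code and not an Alibaba Cloud SDK call) applies the rules stated for the Priority parameter and for the deletion warning above: policies are checked from priority 1 upward, the first enabled policy whose user group and application both match decides, and a request that matches no policy falls through to the implicit deny-all. The class and method names (ZeroTrustPolicySet, create, delete, set_enabled, evaluate), the group and application names in the scenario, and the tie-break between equal priorities (creation order) are assumptions made for this example; the console does not document a tie-break.

```python
import re
from dataclasses import dataclass, replace

# Added example: a model of the documented policy semantics, not SASE's own
# implementation. Policy Name rule from the Create Policy table:
# 2-100 characters of letters, digits, hyphens and underscores.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]{2,100}")


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int             # 1 is the highest priority
    action: str               # "allow" (Allow Access) or "deny" (Access Denied)
    user_groups: frozenset    # Applicable User groups
    applications: frozenset   # Selected Applications
    enabled: bool = True      # Policy Status switch


class ZeroTrustPolicySet:
    """Policies of one account, evaluated in front of an implicit deny-all."""

    def __init__(self):
        self._policies = []

    def create(self, policy: Policy) -> None:
        if not NAME_PATTERN.fullmatch(policy.name):
            raise ValueError(f"invalid policy name: {policy.name!r}")
        if policy.action not in ("allow", "deny"):
            raise ValueError(f"invalid action: {policy.action!r}")
        # Priority range for a new policy: 1 .. (existing policies + 1)
        max_priority = len(self._policies) + 1
        if not 1 <= policy.priority <= max_priority:
            raise ValueError(
                f"priority must be between 1 and {max_priority}, got {policy.priority}")
        self._policies.append(policy)

    def delete(self, name: str) -> None:
        self._policies = [p for p in self._policies if p.name != name]

    def set_enabled(self, name: str, enabled: bool) -> None:
        self._policies = [replace(p, enabled=enabled) if p.name == name else p
                          for p in self._policies]

    def evaluate(self, user_groups, application):
        """Return (action, policy name) for one request.

        Policies are checked from the lowest priority number upward; the first
        enabled policy whose user group and application both match wins. With
        no match, the deny-all policy SASE creates for every application applies.
        Assumption: equal priorities are checked in creation order (sorted() is
        stable); the console does not document a tie-break.
        """
        groups = frozenset(user_groups)
        for policy in sorted(self._policies, key=lambda p: p.priority):
            if not policy.enabled:
                continue
            if application in policy.applications and groups & policy.user_groups:
                return policy.action, policy.name
        return "deny", None


def demo():
    """Constructed scenario: a priority-1 deny for contractors overrides a
    priority-2 allow for finance on the same application until it is deleted."""
    policies = ZeroTrustPolicySet()
    policies.create(Policy("contractor-erp-deny", 1, "deny",
                           frozenset({"contractors"}), frozenset({"erp"})))
    policies.create(Policy("finance-erp-allow", 2, "allow",
                           frozenset({"finance"}), frozenset({"erp"})))
    before = policies.evaluate({"finance", "contractors"}, "erp")
    unmatched = policies.evaluate({"finance"}, "wiki")   # no policy: deny-all
    policies.delete("contractor-erp-deny")               # the deletion warning case
    after = policies.evaluate({"finance", "contractors"}, "erp")
    return before, unmatched, after


if __name__ == "__main__":
    print(demo())
```

Running the scenario shows the user who is in both groups being denied while the priority-1 deny policy exists and allowed as soon as it is deleted, which is exactly the situation the warning above describes; a request for an application that no policy covers is denied with no policy name, the implicit deny-all.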
What's next
If your users work from a trusted physical office network and you do not need to inspect that traffic, configure a trusted office zone to exempt it from analysis. See Use the office zone identification feature.