SASE makes dynamic decisions based on employee operations, behaviors, and devices. If a device triggers a dynamic policy, SASE takes a corresponding disposal action. This topic describes how to view the disposal process.
Prerequisites
A dynamic policy has been configured and triggered by an employee or device. For more information, see Configure dynamic policies.
Ensure that Secure Access Service Edge is activated. If you have not activated Secure Access Service Edge, purchase and activate the service. For more information, see Purchase service. You can also apply for a 7-day free trial. For more information, see Apply for a free trial.
You are using an Alibaba Cloud account or a Resource Access Management (RAM) user that has the permissions to access the SASE service. If you use a RAM user, you must grant the required permissions to the RAM user. For more information, see Grant permissions to a RAM user.
The SASE App installed on corporate office terminals is version 4.5.1 or later.
View the disposal process
If an employee or device meets the trigger conditions of a dynamic policy, SASE takes a disposal action and creates a record for the disposal process. You can perform a recovery operation for this action as needed.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Handling Process page, view the list of disposal processes. You can filter the list by criteria such as Handled At, Action, Restoration Method, Status, and User.
In the Actions column, click Details. In the Details panel, view the Basic Information and Trigger Settings.
Disposal recovery
Three recovery methods are available:
Automatic recovery: After an employee or device triggers a dynamic policy, the disposal action is automatically recovered if the issue is resolved and the trigger conditions are no longer met, or if the policy is disabled.
For example, assume that you set a dynamic policy that requires the SASE App version to be 4.5.1 or later. If a user upgrades their SASE App to a compliant version, the policy is no longer triggered, and the disposal action is automatically recovered.
Authentication reporting: After an employee or device triggers a dynamic policy, the user is forcibly logged off from the SASE App. After the user logs on again, the disposal action is recovered within the validity period of the authentication report.
ImportantTo use authentication reporting for recovery, select Recover After Authentication Reporting when you configure the dynamic policy. For more information, see Configure dynamic policies.
Console recovery: After an employee or device triggers a dynamic policy, an administrator can manually recover the disposal action in the console.
Log on to the Secure Access Service Edge console.
In the navigation pane on the left, choose .
On the Disposal Process page, use one of the following methods to perform the recovery:
In the Actions column, click Restore.
In the Actions column, click Details. In the Details panel, click Restore.
In the Recovery Prompt dialog box, enter the Validity Period of Reporting and click OK.
If an enterprise employee or a device triggers a dynamic policy, the user is automatically logged out of the SASE app. The user can log in again to resume service. The policy will not be triggered again during its validity period.
References
For more information about logs for dynamic decision disposal and recovery operations, see Dynamic decision logs.