Access Rules
You can use access rules in a policy to evaluate request attributes at runtime and allow, deny, or report requests.
Assistant
You can use the Assistant pane on the right side of the policy rule tabs to create access rules by describing the conditions you want to enforce in natural language. Start with the Assistant for quick setup, then use the editor for more precise control.
To submit a rule request:
- Describe the rule you want in the Assistant input field.
- Press Enter or use the arrow button at the bottom to submit your request.
Access rules editor
You can use the access rules editor on the left to manually update existing rules, including those created by the Assistant, and create new rules with full control over conditions and logic.
Add access rule
If you see the No Access Rules Enabled section on the rule tab, click + Create first access rule to open the rule editor.
After you create the first rule, the section label changes to Execute Access Rules and the rule appears underneath as a movable card.
Click the pencil (✎) icon to open the rule editor to update the rule.
Click + Access rule to add more rules.
AIDR evaluates access rules sequentially and independently, in the top-down order as displayed in the AIDR console.
Each rule produces its own result, and any rule with a Stop action halts execution.
Edit access rule
In the rule editor, you can create one or more conditions based on request attributes, combined using AND and OR logic:
- Enter a rule name.
- Create a condition:
  - Create an expression (a single comparison):
    - View available attributes by placing your cursor in the expression field on the left.
    - Select a comparison operator. For request metadata attributes:
      - == - Value equals the specified string exactly. Use @null to match null or missing values, or @empty to match empty strings.
      - != - Value does not equal the specified string. Use @null to exclude null or missing values, or @empty to exclude empty strings.
      - > - Value is greater than the specified number.
      - >= - Value is greater than or equal to the specified number.
      - < - Value is less than the specified number.
      - <= - Value is less than or equal to the specified number.
      - in - Value is found in a comma-separated list of allowed values.
      - contains - Value contains the specified text as a substring.
      - not contains - Value does not contain the specified text as a substring.
      - matches - Value matches the specified RE2 regular expression pattern.
      - not matches - Value does not match the specified RE2 regular expression pattern.
    - For prompt content-based attributes (prompt.detections):
      - has - The specified detector rule produced a finding.
      - not has - The specified detector rule did not produce a finding.
      - executes - Runs the specified detector rule as part of this access rule evaluation.
    - Type a value against which this expression is evaluated. When you place the cursor in the value field, it may suggest existing values from your data (known user IDs, application names, etc.) or internal lookup tables.
  - Add another expression to the condition:
    - Click Or + or And + next to an existing expression.
    - Select an AND or OR logical operator to combine expressions.
    - Change the evaluation order by dragging and dropping individual expressions using their six-dot handle on the left.
- Add another condition to the rule:
  - Click Add Condition +.
  - Select an AND or OR logical operator to combine conditions.
- In the Then dropdown, select the action to execute when the rule matches:
  - Continue - Proceed to the next rule without logging a detection.
  - Report and Continue - Log a detection and continue to the next rule.
  - Report and Stop - Log a detection and stop policy execution.
  - Block and Stop - Block the request, log a detection, and stop policy execution.
  - Ignore and Stop - Allow the request and stop policy execution without logging.
- In the Else dropdown, select the action to execute when the rule doesn't match.
- Add another rule by clicking + Access rule.
- Click Save at the bottom of the rule editor to apply the rule changes to the policy.
If you define conditions based on prompt content (prompt.detections), you must also enable the corresponding detectors and configure referenced rules under the Prompt Rules tab.
Examples
Request metadata
This rule matches requests from user dennis.nedry@ingen.com to the security application, or requests using the DeepSeek model.
When matched, it reports the detection and continues to the next rule.
If not matched, it continues to the next rule without logging.
Rule name: Report suspicious activity

| Condition | Expression | Operator | Value | Combined with next expression |
|---|---|---|---|---|
| 1 | user.user_id | == | dennis.nedry@ingen.com | AND |
| 1 | app.app_id | == | security | |
| 2 | model.model_name | == | DeepSeek | |

Conditions 1 and 2 are combined with OR. Then: Report and Continue. Else: Continue.
After you click Save, the rule editor closes and displays the rule definition in a structured format that shows the logical conditions and operators.
if (
user.user_id == dennis.nedry@ingen.com
and app.app_id == security
)
or model.model_name == deepseek
Request metadata and prompt rules
This rule executes the US Social Security Number prompt rule from the Confidential and PII Entity detector only for requests from the ingen-chatbot application.
- When the request matches the ingen-chatbot condition, AIDR applies the action configured for the US Social Security Number prompt rule. The access rule then reports the detection and continues to the next rule.
- When the condition doesn't match, the request is allowed and policy execution stops without logging.
Rule name: Remove PII

| Condition | Expression | Operator | Value | Combined with next expression |
|---|---|---|---|---|
| 1 | app.app_id | == | ingen-chatbot | AND |
| 1 | prompt.detections | executes | confidential_and_pii_entity.us_ssn | |

Then: Report and Continue. Else: Ignore and Stop.
After you click Save, the rule editor displays the rule definition as:
if app.app_id == ingen-chatbot
and prompt.detections executes confidential_and_pii_entity.us_ssn
Rule execution order
AIDR evaluates rules in the order they appear.
You can change the order by dragging and dropping rules using their six-dot handle on the left.
Changes in rule order are saved automatically.
Default action
If no access rules match, AIDR proceeds to evaluate configured prompt rules.
You can test access rules using Policy Testing.
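To make the evaluation semantics on this page concrete before you use Policy Testing, the following Python is an added simulation written for this article; it is not AIDR's engine and not code from the product. It implements the comparison operators listed under Edit access rule (including @null and @empty), the Then/Else actions, top-down evaluation with the first Stop action ending the policy, and both example rules above run over constructed requests. Assumptions: the DETECTORS registry and its SSN pattern stand in for detector rules configured on the Prompt Rules tab; Python's re module stands in for RE2; and when "executes" fires, the access rule's own Then action is applied rather than the action configured on the prompt rule, which the page says AIDR would apply.

```python
import operator
import re

# Then/Else actions as named in the rule editor.
CONTINUE, REPORT_CONTINUE, REPORT_STOP = "Continue", "Report and Continue", "Report and Stop"
BLOCK_STOP, IGNORE_STOP = "Block and Stop", "Ignore and Stop"
STOP_ACTIONS = {REPORT_STOP, BLOCK_STOP, IGNORE_STOP}
REPORT_ACTIONS = {REPORT_CONTINUE, REPORT_STOP, BLOCK_STOP}
# Hypothetical stand-in for the Prompt Rules tab: detector rule ID -> callable on prompt text.
# The SSN pattern is constructed for this simulation, not the product's detector.
DETECTORS = {"confidential_and_pii_entity.us_ssn":
             lambda text: re.search(r"\b\d{3}-\d{2}-\d{4}\b", text) is not None}
NUMERIC = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
NEGATED = {"!=": "==", "not contains": "contains", "not matches": "matches", "not has": "has"}

def _lookup(request, attr):
    """Resolve a dotted attribute such as user.user_id; a missing key yields None."""
    node = request
    for part in attr.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate_expression(request, attr, op, value):
    """One comparison. @null/@empty are the special values of == (and, negated, of !=).
    Prompt operators use request["prompt"]["detections"], a set of detector rule IDs."""
    if op in NEGATED:
        return not evaluate_expression(request, attr, NEGATED[op], value)
    actual = _lookup(request, attr)
    if op == "==":
        if value in ("@null", "@empty"):
            return actual is None if value == "@null" else actual == ""
        return actual is not None and str(actual) == value
    if op in NUMERIC:
        return actual is not None and NUMERIC[op](float(actual), float(value))
    if op == "in":
        return actual is not None and str(actual) in [s.strip() for s in value.split(",")]
    if op == "contains":
        return actual is not None and value in str(actual)
    if op == "matches":  # Python's re stands in for RE2; the dialects differ on some syntax
        return actual is not None and re.search(value, str(actual)) is not None
    if op == "has":
        return value in (actual or set())
    if op == "executes":  # run the detector now and record its finding for later "has" checks
        prompt = request.setdefault("prompt", {})
        if DETECTORS[value](prompt.get("text", "")):
            prompt.setdefault("detections", set()).add(value)
            return True
        return False
    raise ValueError(f"unknown operator {op!r}")

def evaluate_rule(rule, request):
    """Each condition joins its expressions with one logical operator and the rule joins its
    conditions the same way. Left-to-right, short-circuit: order matters around "executes"."""
    def condition(cond):
        results = (evaluate_expression(request, *expr) for expr in cond["expressions"])
        return all(results) if cond["op"] == "AND" else any(results)
    results = (condition(cond) for cond in rule["conditions"])
    return all(results) if rule["op"] == "AND" else any(results)

def evaluate_policy(rules, request):
    """Top-down, each rule independently; the first Stop action ends evaluation. Returns the
    stopping action (None if every rule continued, so prompt rules run next) and detections."""
    detections = []
    for rule in rules:
        matched = evaluate_rule(rule, request)
        action = rule["then"] if matched else rule["else"]
        if action in REPORT_ACTIONS:
            detections.append((rule["name"], "then" if matched else "else"))
        if action in STOP_ACTIONS:
            return action, detections
    return None, detections

# The two example rules from this page, in console order.
POLICY = [
    {"name": "Report suspicious activity", "op": "OR", "conditions": [
        {"op": "AND", "expressions": [("user.user_id", "==", "dennis.nedry@ingen.com"),
                                      ("app.app_id", "==", "security")]},
        {"op": "AND", "expressions": [("model.model_name", "==", "DeepSeek")]}],
     "then": REPORT_CONTINUE, "else": CONTINUE},
    {"name": "Remove PII", "op": "AND", "conditions": [
        {"op": "AND", "expressions": [("app.app_id", "==", "ingen-chatbot"),
                                      ("prompt.detections", "executes", "confidential_and_pii_entity.us_ssn")]}],
     "then": REPORT_CONTINUE, "else": IGNORE_STOP},
]

def _request(user_id, app_id, model_name, text):  # constructed request, not real traffic
    return {"user": {"user_id": user_id}, "app": {"app_id": app_id},
            "model": {"model_name": model_name}, "prompt": {"text": text}}

def run_examples():
    """Run the policy over three constructed requests; returns {label: (stop action, detections)}."""
    return {
        "nedry_security": evaluate_policy(POLICY, _request("dennis.nedry@ingen.com", "security", "GPT-4o", "hello")),
        "chatbot_ssn": evaluate_policy(POLICY, _request("alan.grant@ingen.com", "ingen-chatbot", "DeepSeek", "my SSN is 123-45-6789")),
        "other_app": evaluate_policy(POLICY, _request("ellie.sattler@ingen.com", "hr", "GPT-4o", "hi")),
    }
```

Running run_examples() shows the ordering effect the page describes: the first request matches rule 1 (logged, continue) and then hits rule 2's Else of Ignore and Stop, so the policy stops without reaching prompt rules; the chatbot request matches both rules via Report and Continue and falls through to prompt rules; the third matches neither, and rule 2's Else stops it with nothing logged.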