Access Rules
You can use access rules in a policy to evaluate request attributes at runtime and allow, deny, or report requests.
Assistant
You can use the Assistant pane on the right side of the policy rule tabs to create access rules by describing the conditions you want to enforce in natural language. Start with the Assistant for quick setup, then use the editor for more precise control.
To submit a rule request:
- Describe the rule you want in the Assistant input field.
- Press Enter or use the arrow button at the bottom to submit your request.
Access rules editor
You can use the access rules editor on the left to manually update existing rules, including those created by the Assistant, and create new rules with full control over conditions and logic.
Add access rule
If you see the No Access Rules Enabled section on the rule tab, click + Create first access rule to open the rule editor.
After the first rule is created, the section label changes to Execute Access Rules and the rule appears underneath as a movable card.
Click the pencil (✎) icon to open the rule editor and update the rule.
Click + Access rule to add more rules.
Multiple rules are combined using AND logic.
Edit access rule
In the rule editor, you can create one or more conditions based on request attributes, combined using AND and OR logic:
- Enter a rule name.
- Select the Block or Report action that you want the rule to apply.
- Create an expression.
  - Create a condition:
    - View available attributes by placing your cursor in the condition field on the left.
    - Select a comparison operator (==, !=, >, >=, <, <=, in).
    - Type a value against which the condition is evaluated. When you place the cursor in the value field, it may suggest existing values from your data (known user IDs, application names, etc.) or internal lookup tables.
  - Add another condition to the expression:
    - Click + next to an existing condition.
    - Select an AND or OR logical operator to combine conditions.
- Add another expression to the rule:
  - Click + Add expression to add another expression to the rule.
  - Select an AND or OR logical operator to combine expressions.
  - Change the execution order by dragging and dropping individual expressions using their six-dot handle on the left.
- Click Save at the bottom of the rule editor to apply the rule changes to the policy.
This rule reports requests about security updates from user dennis.nedry@ingen.com OR requests using the DeepSeek model:
| Condition | Operator | Value | |
|---|---|---|---|
| Block suspicious activity (rule name) | Block ▼ (action) | | |
| user.user_id | == ▼ | dennis.nedry@ingen.com | AND ▼ (logical operator) |
| app.app_id | == ▼ | security | + (add condition) - (remove condition) |
| OR ▼ (logical operator) | | | |
| model.model_name | == ▼ | DeepSeek | + (add condition) - (remove condition) |
| + Add expression | | | |
| 🗑️ | Cancel | Save | |
After you click Save, the rule editor closes and the rule definition is displayed in a structured format that shows the logical conditions and operators.
if (
user.user_id == dennis.nedry@ingen.com
and app.app_id == security
)
or model.model_name == deepseek
If you define conditions based on prompt content (prompt.detections), you must also enable the corresponding detectors under the Prompt Rules tab.
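To reason about which requests the example rule above would catch, the following added sketch (not AIDR code and not part of the product documentation) models the rule in Python and runs it over constructed requests. The attribute names and operators come from this page; the request shape, strict left-to-right AND/OR evaluation, exact case-sensitive comparison, and treating a missing attribute as non-matching are assumptions, and `chat`, `other-model` and `user@example.com` are constructed values.

```python
import operator

# Comparison operators offered by the rule editor.
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, ">=": operator.ge,
       "<": operator.lt, "<=": operator.le, "in": lambda actual, allowed: actual in allowed}

def get_attr(request, path):
    """Resolve a dotted attribute such as 'user.user_id'; None when absent."""
    node = request
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check(request, condition):
    """Evaluate one (attribute, operator, value) condition against a request."""
    attr, op, value = condition
    actual = get_attr(request, attr)
    if actual is None:
        return False  # assumption: a missing attribute never satisfies a condition
    try:
        return bool(OPS[op](actual, value))  # assumption: exact, case-sensitive match
    except TypeError:
        return False  # e.g. '>' between a string and a number

def fold(items, evaluate):
    """Combine items joined by 'AND'/'OR' strictly left to right (assumed)."""
    result = evaluate(items[0])
    for joiner, item in zip(items[1::2], items[2::2]):
        value = evaluate(item)
        result = (result and value) if joiner == "AND" else (result or value)
    return result

def apply_rule(request, rule):
    """Return the rule's action if it matches, else None (no access rule matched)."""
    hit = fold(rule["expressions"], lambda expr: fold(expr, lambda c: check(request, c)))
    return rule["action"] if hit else None

# The example rule from this page: (user AND app) OR model.
RULE = {"name": "Block suspicious activity", "action": "Block", "expressions": [
    [("user.user_id", "==", "dennis.nedry@ingen.com"), "AND", ("app.app_id", "==", "security")],
    "OR",
    [("model.model_name", "==", "DeepSeek")],
]}

def sample_request(user, app, model):
    """Build a constructed request carrying the three attributes the rule reads."""
    return {"user": {"user_id": user}, "app": {"app_id": app}, "model": {"model_name": model}}

if __name__ == "__main__":
    for args in [("dennis.nedry@ingen.com", "security", "other-model"),
                 ("dennis.nedry@ingen.com", "chat", "other-model"),
                 ("user@example.com", "chat", "DeepSeek")]:
        print(args, "->", apply_rule(sample_request(*args), RULE))
```

Running requests through a model like this before saving a rule helps confirm that an OR expression is not broader than intended: here any request using the DeepSeek model matches, regardless of user or application.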
Rule execution order
AIDR evaluates rules in the order they appear.
You can change the order by dragging and dropping rules using their six-dot handle on the left.
Changes in rule order are saved automatically.
Default action
If no access rules match, AIDR continues to evaluate prompt rules.
Learn how you can test access rules in the Policy Testing documentation.