This article provides instructions on configuring the PCS device to restrict a user from accessing certain resources during specific times of the day.
Problem or Goal
A PCS admin wants to:
Restrict all users from signing in between 8PM and 8AM the following day.
Display a warning message before the user signs in to notify them of the restricted access hours.
As long as user signs in during the allowed hours allow them access to resources but only during certain time periods.
Once a user signs in, display a notification message that provides a schedule for accessing the resources.
To achieve this goal, the following tasks need to be performed:
Create a custom expression role-mapping rule that maps users to "no roles" if they sign in between 8PM and 8AM the next day.
Place a stop rule on the first rule so that no further roles can be assigned.
Create roles for File browsing, RDP access and Web browsing.
Create custom expression role-mapping rules that allow access to each of the roles during specific times of the day.
Apply the corresponding roles to each role-mapping rule.
Create a sign-in notification that warns users that they are not allowed to sign-in between 8PM and 8AM the next day and apply this to the sign-in URL as a pre sign-in notification.
Create a sign-in notification that notifies users of the hours they can File Browse, RDP and Web Browse and apply this to the sign-in URL as a post sign-in notification.
Section 1: Create a custom expression role-mapping rule on the authentication realm to block access to the PCS service during restricted hours.
Go to Users > User Realms and either select a realm that is being used for authentication, or configure a new authentication realm.
If a new authentication realm is being created, configure the realm to use the desired authentication server(s) and other restrictions.
On the role-mapping page click New Rule.
In the Rule based on drop-down menu select Custom Expressions and click Update.
Enter a name for the rule then click Expressions.
Enter a name for the expression then from the Expressions Dictionary, scroll to the expression for loginTime and click the arrow to expand the details for the expression. In the Expression section, enter the time period desired in the format provided in the expression details then click Add Expression. Use the operator '!=' for the expression to evaluate to false as per the example below.
Note: Keep in mind that the loginTime used in the expression is the system time and the range specified must be within the same day. This should be considered when configuring the expression for users in different time zones. Additional expression rules may be needed to cover all scenarios.
Click Close to close the expression window and continue with the role-mapping rule configuration.
Select the rule from the Available Expressions and click Add to move it to Selected Expressions.
Do not assign a role to the rule.
Check the box next to the option to Stop processing when this rule matches.
If you are configuring this role-mapping rule on an existing realm with other role-mapping rule already present, be sure to move this rule to the top of the the list so that it gets processed first and then Stops processing.
Click Save Changes.
Section 2: Create roles for File Browsing, RDP and Web browsing then assign access to these roles based on the time of day.
Note: If you are using an existing realm that already has role-mapping rules configured on it, it will be necessary to remove the access features from any roles that will be reassigned to the roles created below. For example, if you are configuring these options on an LDAP authentication realm with group membership role-mapping rules already configured, then the role that users get mapped to for group membership should not include access to File Browsing, RDP or Web browsing since that will be handled with the following role-mapping rules.
Go to Users > User Roles and click New Role.
Enter a name for the role, such as File Browsing then enable the corresponding feature for the role. Configure any additional session or UI restrictions for the role then save the changes.
Repeat step two for any additional resources users will have access to.
Go to the authentication realm that the first role-mapping rule was applied to and go to the role-mapping tab.
Follow steps 3 to 7 from the section above to create custom expression rules based on the time of day each resource can be accessed. The expression should be configured as loginTime = (10:00AM TO 2:00PM), for example. Open a text editor and copy and paste the hours allowed for each resource.
Apply the corresponding role to the role-mapping rule. Each of the three rules should be configured similar to the screenshot below:
Go to Users > Resource Profiles and select the Profiles to add access to for each of the features/roles that were created in the steps above and apply the corresponding role to the profile.
Section 3: Create sign in notifications and apply these to the sign-in URL.
Go to Authentication > Signing In > Sign-In Notifications and click New Notification.
Create a Pre Sign-in Notification. This will be the sign-in notification that gets displayed prior to login to alert users that they can only sign-in during certain hours or they will not have access to the system. Enter a name for the notification and the desired text for the sign-in notification. Save changes when finished.
Create a post sign-in notification by repeating steps one and two. Refer to the text file that the login times were pasted to from Section 2 Step 5.
Go to Authentication > Signing In > Sign In Policies and create a sign-in policy or select an existing sign-in policy.
Click New URL for a new sign-in policy and configure it with the desired settings.
Apply the realm to the policy that was created or used in Section 1.
At the bottom of the sign-in policy page enable the Pre-Auth Sign-in Notification and Post-Auth Sign-In Notification options and select the corresponding notifications created in the previous steps. The post sign-in notification selection should be set to use the option Use a common Sign-In Notification for all roles. See the example below:
Section 4: Test
See videos below for examples of the user sign-in experience.
Scenario 1: The time on the system is 9:14 PM PST which is outside of the allowed access time. The user is denied access.
Scenario 2: User signs in at 3:45 PM PST system time. This is within the allowed access hours so user is allowed to login and is presented with access schedule. Web browsing access is available 2 and 6 PM so the Web bookmarks are displayed.