Rules

Admin Console

The Nullafi Shield Admin Console provides a graphical user interface for configuring policy, viewing status, and examining event data. It is a web application which can be accessed using any web browser. The Admin Console is available after the Shield container is started. Access is governed by the defined container options (see Deployment). In the simplest case, browsing to the container host’s IP address on the mapped NULLAFI_HTTP_PORT will open the Admin Console login screen, and using the NULLAFI_USERNAME and NULLAFI_PASSWORD will allow the administrator to log in.

Policy

The policy engine is at the heart of Nullafi Shield. It does the work of examining the data being accessed, classifying it, and deciding whether it should be passed through to the user. The Policy section of the Admin Console is where rules are created to control the engine’s behavior.

Rules

Rules are the highest-level expression of Policy in the Admin Console. Each rule is built using a series of policy objects (Mask Formats, Applications, etc.) which are in turn defined on their own pages of the Policy section.

Rule Order

The main Rules page displays all the configured rules in a table, listing attributes of each rule. Because rule order affects how policy is implemented, this table cannot be sorted; it always represents the prioritization of rules relative to each other. If a transaction from an end user matches more than one rule, the last matching rule in the table will take precedence.

New Rule

To define a new rule, click on the Add New Rule button in the upper right-hand corner. The rule editing window will slide out from the right. To create the rule:

  1. Type the Name and (optionally) Description into the text fields.
  2. Select at least one Application from the Applications list. If the rule should apply to multiple Applications, use the list again to select them.
  3. Select at least one Obfuscation from the Obfuscations list. Like Applications, the rule can apply to more than one.
  4. If directory integration is configured, filtering the rule by User or Group is an optional component of the rule. See below for more information on configuring Users and Groups in Rules, and the Integrations section for how to attach data from your directory to transactions for Nullafi Shield.
  5. Click on Save in the lower right.

Edit Rule

To edit an existing rule, hover your mouse over the Rule Name, click on the three-dot menu that appears, and choose Edit Rule Details. The rule editing window will slide out from the right.

Delete Rule

To delete a rule, hover your mouse over the Rule Name, click on the three-dot menu that appears, and choose Delete.

Enable or Disable Rule

To temporarily disable a Rule without deleting it, mouse over the Rule Name, click on the three-dot menu that appears, and choose Turn Off. The Status of the rule will switch to Inactive. To re-enable the rule, choose Turn On from the menu and the Status will become Active.

Users and Groups in Rules

In order to apply Policy to specific users or groups in your organization, Shield must have some way of receiving identity information from your directory. See the Integrations section for more information on how to transmit this data to Shield. Once you have completed directory integration, you may include user identity in rule evaluation. On the Rule creation page, below Applications and Obfuscations, click on Users and Groups to add criteria:

  • Group definition is expanded by default. To apply rules to specific users, expand the Username section by clicking on the title.
  • There are four methods of matching groups and user names:
    • “is equal” and “is not equal” are for exact matches. Use these to specify an individual user or group. Case sensitive?
    • “contains” and “does not contain” are for matching multiple users or, more likely, groups. If your directory has group names like Marketing-East and Marketing-West, you can use Group contains “Marketing” to write a rule that applies to both groups.
  • Multiple entries in the Users and Groups section operate as a logical OR. If you specify both Group equals “Sales” and Group equals “Support” in a single Rule, that Rule will apply to a user if they are in either Sales or Support.
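
The Rule Order and Users and Groups behavior described above, as a small Python model for reasoning about which rule applies to a transaction. This is an added example, not Nullafi Shield code. Assumptions: the field names, sample rules and application name are constructed; comparisons are case sensitive; a rule with no user or group criteria applies to everyone; a group criterion hits when any one of the user's groups satisfies it.

```python
from dataclasses import dataclass, field

# Illustrative model only: names and data shapes are assumptions,
# not Nullafi Shield's schema or API.
OPS = {
    "is equal": lambda value, arg: value == arg,
    "is not equal": lambda value, arg: value != arg,
    "contains": lambda value, arg: arg in value,
    "does not contain": lambda value, arg: arg not in value,
}

@dataclass
class Rule:
    name: str
    applications: set
    obfuscations: list
    criteria: list = field(default_factory=list)  # (attribute, operator, text)
    active: bool = True  # "Turn Off" in the console maps to False here

def criterion_hits(criterion, tx):
    attribute, op, arg = criterion
    # Assumed: one matching group out of several is enough for a hit.
    values = tx["groups"] if attribute == "group" else [tx["username"]]
    return any(OPS[op](v, arg) for v in values)

def rule_matches(rule, tx):
    if not rule.active or tx["application"] not in rule.applications:
        return False
    # Assumed: no Users and Groups criteria means the rule applies to everyone.
    # Multiple entries are a logical OR, as the page states.
    return not rule.criteria or any(criterion_hits(c, tx) for c in rule.criteria)

def effective_rule(rules, tx):
    """Return the last matching rule in table order, or None if none match."""
    winner = None
    for rule in rules:
        if rule_matches(rule, tx):
            winner = rule  # later rows override earlier ones
    return winner

# Constructed sample table, listed in the order the Rules page would show it.
RULES = [
    Rule("Mask everything", {"crm"}, ["SSN", "Email"]),
    Rule("Marketing exception", {"crm"}, ["SSN"], [("group", "contains", "Marketing")]),
    Rule("Sales or Support", {"crm"}, ["SSN"],
         [("group", "is equal", "Sales"), ("group", "is equal", "Support")]),
]
```

In this model, moving the broad "Mask everything" rule to the bottom of the table makes it win for every transaction, so general rules belong above the narrower rules that are meant to override them.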