In What Order are Access Policies and Identities Processed?

Available Languages

Updated:July 17, 2014

Document ID:117989

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Question

In what order are Access Policies and Identities processed on the Cisco Web Security Appliance (WSA)

Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS

Access Policies and Identities are processed in a specific order on the WSA. The WSA evaluates the identities and access policies using a "top down" rule processing approach. This means that the WSA checks identities or access policies in a "top > down" fashion and the first match that ismade, at any point in the processing, results in the action taken by the WSA.

Additionally, identities are evaluated first. Once a client's access matches a specific identity, the WSA checks all access policies that are configured to use the identity that matched the client's access.

Revision History

Revision	Publish Date	Comments
1.0	17-Jul-2014	Initial Release

Contributed by Cisco Engineers

Josh Wolfer and Siddharth Rajpathak
Cisco TAC Engineers.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

Secure Web Appliance