Policy access_rights not blocking url access

I’m facing to difficulties to block access to some URL inside policy
with 2 urls service

  • path/company/pdf/template (get)
  • path/company/pdf/tools/infoversion (get)
        "access_rights": {
            "a693c391-f67e-4bb0-bb26-4d71664ddd81" : {
                "allowed_urls": [
                            "path": "/company/pdf/template",
                            "methods": ["GET"]

with this definition inside policy I was thinking to allow only /company/pdf/template access but both URL are still available
Question : if an URL isn’t inside “allowed_urls”: [ ] is it forbidden?
How to process?



Welcome back to the Community.

If no URL is present in the Allowed URLs then it allows access to all URLs.

You can opt and specify only the restricted URLs, i.e., a black list rather than white list.

In this case, you can use a negative lookup to blacklist the specific URL.

For example, something like /api-listen-path/[^xml].* will blacklist the XML URL only.

This will get more complicated if you try to add more and more URLs to the blacklist.

I would recommend that you use the endpoint designer and blacklist the URL directly using our plugins.

The “allowed URLs” parameter can accept a regex. You can write the regex to allow all traffic except for whatever matches your setup.

Let me know if you have any further questions.

regarding your answer

You can opt and specify only the restricted URLs, i.e., a black list rather than white list.

=> if I’m right, this white/black list is only applied at application level not policy (according to documentation)

Goal here is to define an app opening all URL, but with 2 different policies with different allow / forbidden URL (some are administration oriented) and then keys on them
My question was about the way to allow couple of URL / method (and to forbid others in same way) inside a policy
But all test I applied are failing.

note: I’m using community version



Hi @ECL_DSI, I can see that your allowed_urls json is misconfigured. It should be url rather than path as shown our documentation.

    "allowed_urls": [
            "url": "/resource/(.*)",
            "methods": ["GET", "POST"]

Let us know if this resolves the issue.

You are right, once “url” used in place of “path”, mechanism is working fine with all requested granularities.