Create Session Control rules

This topic describes how to create rules for protecting your organization's applications.

Overview

With the SWS Session Control security layer, you can define notification and enforcement rules for specific fields within a web application to protect your high-risk and high-value applications. For example, you can create rules to alert you when users attempt to transfer funds that exceed a pre-set threshold within your banking app, or ensure that only users with your company’s email domain can be added to your cloud management console.

With Session Control rules, you can enforce conditions, send push notifications to the CyberArk Mobile app, and send alerts through email.

Create rules

  1. From your SSO application, open an application that is protected by SWS.

  2. Open the SWS browser extension, and then open the Session Control tab.

  3. Click Create rule. SWS begins mapping the elements for the open application web session.

  4. When mapping is completed, hover over an element to see the SWS icon.

    To view all the mapped elements in the page at once, click the view icon on the tab that appears at the bottom of the page.

    You can click Cancel to exit rule creation.

  5. Click an SWS icon to add a rule for the target element.

    You can add one rule for each element. If an element already has a rule, the SWS icon is marked with a check mark.

  6. In the General section, the rule name is entered automatically as the name of the target field. You can change it if needed.

  7. The URL field contains the URL of the open application web page. If required, you can change the URL and add wildcards.

  8. Enter the conditions of the rule.

    Element type: Text / Numeric

    Options:

    Action - Select whether to allow the user action for this element.

    Element name - The name of the element that you are creating the rule for.

    Condition - Select a condition for the element. The following conditions are available:

    • To contain

    • To start with

    • To be equal to

    Value - Enter the value that you allow / don't allow the user to enter for this element.

    You can add multiple values when needed. This is especially useful for blocking several words on social media platforms. The condition between the values is "OR": if any one of the listed values is detected, the rule is triggered.

    To add multiple values:

    • Type in a value and press Enter after each entry.

      Or

    • Click Upload CSV to import a file with a predefined list of values.

    If value doesn't match -

    • Allow action and create timeline event - If the value the user enters does not match the value you defined in the Value field, the user is allowed to continue with this action, and it's recorded as a timeline event in the SWS portal.

    • Block action and create timeline event - If the value the user enters does not match the value you defined in the Value field, the user is NOT allowed to continue with this action, and it's recorded as a timeline event in the SWS portal.

    Examples

    Scenario 1:

    In Salesforce, only corporate emails can be used when adding new users.

    Conditions:

    • Element type - Text

    • Element name - Email

    • Condition - Contains

    • Value - <companyname>.com

    AND

    If value doesn't match is set to:

    Block action and create timeline event

    Outcome:

    When an admin attempts to add a new user to Salesforce with a non-corporate email, the action is blocked.

    Scenario 2:

    In Salesforce, you want to prevent using admin as a user name.

    Conditions:

    • Element type - Text

    • Element name - username

    • Condition - Does not contain

    • Value - admin

    AND

    If value doesn't match is set to:

    Block action and create timeline event

    Outcome:

    When an admin attempts to enter admin as the username, the action is blocked.

    Element type: Button / Link

    Action - Allow clicking or don't allow users to click the button or link.
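    The following Python is an added illustration, not CyberArk's code: it models the rule logic described in step 8 (the three conditions plus the "Does not contain" form used in Scenario 2, OR-ing of multiple values, and the "If value doesn't match" outcome) and evaluates the page's two Salesforce scenarios. The field names, the case-insensitive comparison, and the reading of "Action" as allow/block on a match are assumptions.

```python
# Added example: a small model of the Session Control rule logic described
# above. It is not CyberArk's code; the field names, the case-insensitive
# comparison and the allow/block-on-match reading of "Action" are assumptions.
from dataclasses import dataclass
from typing import List, Literal

Condition = Literal["contain", "start with", "equal to", "not contain"]


def matches(cond: Condition, entered: str, value: str) -> bool:
    """Apply one condition from the page's list; 'not contain' is the form
    the page uses in Scenario 2. Comparison is case-insensitive (assumed)."""
    e, v = entered.lower(), value.lower()
    if cond == "contain":
        return v in e
    if cond == "start with":
        return e.startswith(v)
    if cond == "equal to":
        return e == v
    if cond == "not contain":
        return v not in e
    raise ValueError(f"unknown condition: {cond}")


@dataclass
class Rule:
    element_name: str
    condition: Condition
    values: List[str]               # several values are OR-ed together
    allow_on_match: bool = True     # "Action": allow (True) or don't allow the element
    block_on_mismatch: bool = True  # "If value doesn't match": block (True) or allow

    def evaluate(self, entered: str) -> dict:
        """Decide whether the user action proceeds and whether a timeline
        event is recorded in the SWS portal."""
        matched = any(matches(self.condition, entered, v) for v in self.values)
        if matched:
            # A blocked match is recorded; an allowed match is routine traffic.
            return {"allowed": self.allow_on_match,
                    "timeline_event": not self.allow_on_match, "matched": True}
        # Both mismatch options on the page create a timeline event.
        return {"allowed": not self.block_on_mismatch,
                "timeline_event": True, "matched": False}


# Scenario 1: only corporate e-mails when adding Salesforce users.
corporate_email = Rule("Email", "contain", ["<companyname>.com"])
# Scenario 2: reject "admin" as a user name.
no_admin_username = Rule("username", "not contain", ["admin"])
# Multi-value case from the page: block several words (constructed list).
blocked_words = Rule("Post", "contain", ["word1", "word2"],
                     allow_on_match=False, block_on_mismatch=False)
```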

     

  9. Set the additional options.

    • Autoflag step in session recording timeline - Automatically flags the session recording step where the user triggered the rule. For more information about flagging, see Flag session recordings and steps.

    • Send email notification to - Enables you to add an email address where you'll receive notifications of rule events. You can limit the number of notifications you receive within a certain time period from the Settings page. For details, see Configure Session Control rule notification limit.

    • Send push notifications to the CyberArk Mobile app - Notifications are sent to your CyberArk Mobile app (not to be confused with the CyberArk Identity app).

  10. Select whether to identify elements by name or location.

    By default, SWS identifies elements based on their name. Identifying elements by name ensures that even if the field or button is moved on the web page, the rule remains valid.

    Alternatively, identifying elements by location provides more specific targeting. For example, elements without names, or cases where the same name appears several times on the same web page, can be targeted using location-based identification.

    Identification based on location within a particular URL is more likely to break when the web application changes.

  11. If you want to apply this rule to specific users only, deselect the Activate this rule for all app users with Session Control check box.

  12. Click Create rule.

    You can view the rule in the SWS browser extension.

    The rule is only applied when a new session for this application is launched.

Create a rule from the session timeline

You can create and modify Session Control rules directly from a session's timeline. This lets you create rules while auditing sessions from the timeline, without needing to launch the session. (For more details about the session timeline, see Monitor sessions.)

Rules can be created from specific steps in the timeline.

You cannot create a rule for a timeline step if a rule already exists for the chosen element in the step, or if the step lacks sufficient data.

Additionally, rules can only be created for sessions created after 13/08/2023.

To create a rule from a timeline step:

  1. Go to the Session Recordings page, and click an application session recording to view the steps.

  2. Click More options on a specific step, and click Create rule.

  3. Enter the details of the rule as described in Create rules.

    Once the rule is created, you can view the rule in the Application policies page.