Skip to content

Policy Recipes: Authorization

Task-oriented authorization recipes you can copy/paste. Each recipe affects application authorization and visibility and includes a quick validation step.

What You'll Learn

  • How to allow or hide applications using matchers
  • How to combine runtime modifications and arguments with authorization rules
  • How to validate authorization behavior in the Applications view

Authorization Recipes (Apps)

These recipes affect application authorization and visibility only.

Allow Office Apps

Allow Word, Excel, PowerPoint by shortcut name.

json
{
  "id": "allow-office-apps",
  "displayName": "Allow Office Applications",
  "enabled": true,
  "priority": 100,
  "matchAll": [
    { "type": "shortcutName", "pattern": "(Microsoft Word|Microsoft Excel|Microsoft PowerPoint)", "patternType": "regex" }
  ],
  "action": "allow"
}

Validate:

  • Word, Excel, and PowerPoint appear in Applications.
  • Each application launches successfully.

Allow Program Files (Glob)

Allow any .exe under C:\Program Files using a glob path.

json
{
  "id": "allow-program-files-glob",
  "displayName": "Allow Program Files Applications (glob)",
  "enabled": true,
  "priority": 50,
  "matchAll": [
    { "type": "targetPath", "pattern": "C:\\\\Program Files\\\\**\\\\*.exe", "patternType": "glob" }
  ],
  "action": "allow"
}

Validate:

  • A representative application installed under C:\Program Files appears in Applications.
  • The application launches successfully.

Secure Browsers (Runtime + Args)

Add isolation and Incognito/Private mode and set a visual border color for common browsers.

json
{
  "id": "secure-browsers",
  "displayName": "Secure Browser Launches",
  "enabled": true,
  "priority": 75,
  "matchAll": [
    { "type": "shortcutName", "pattern": "(Chrome|Firefox|Edge)", "patternType": "regex" }
  ],
  "action": "allow",
  "modifications": {
    "runtime": {
      "isolation": { "remoteSandbox": true },
      "visual": { "borderColor": "#80008200" }
    },
    "arguments": { "append": "--incognito" }
  }
}

Validate:

  • Chrome, Firefox, and Edge appear in Applications and launch.
  • Each browser shows an Incognito/Private indicator.
  • A colored border appears around the window matching the configured borderColor.

Show App but Require Manager Approval Before Launch

Make a sensitive application visible in Applications, but require an approval workflow (for example, manager approval) before it can launch in the Secure Sandbox runtime.

json
{
  "configuration": {
    "launch": {
      "runtime": {
        "approval": {
          "workflows": [
            {
              "id": "manager-approval-app-launch",
              "type": "accessRequest",
              "operations": ["appLaunch"],
              "providerRef": "manager-email-approval"
            }
          ],
          "defaults": {
            "appLaunchWorkflowRef": "manager-approval-app-launch"
          }
        }
      }
    }
  },
  "apps": [
    {
      "id": "sensitive-engineering-tools",
      "displayName": "Sensitive Engineering Tools",
      "enabled": true,
      "priority": 400,
      "matchAll": [
        { "type": "targetPath", "pattern": "C:\\Tools\\Sensitive\\**.exe", "patternType": "glob" }
      ],
      "action": "allow",
      "authorization": {
        "requirements": {
          "userAttributes": [
            { "attribute": "usPersonStatus", "allowedValues": ["verified"] }
          ]
        },
        "approval": {
          "mode": "required",
          "workflowRef": "manager-approval-app-launch",
          "reuse": {
            "policy": "perUserPerApp",
            "ttlSeconds": 86400
          }
        }
      }
    }
  ]
}

Validate:

  • The sensitive app appears in Applications (matching the configured shortcut/executable).
  • When you attempt to launch the app, the client prompts for or initiates an approval workflow instead of launching immediately.
  • After approval is granted, the app launches successfully into the Secure Sandbox runtime and an authz event with action: "allow" is recorded.
  • If approval is rejected or expires, attempts to launch remain blocked and corresponding authz/workflow.lifecycle audit events are present.

Ban List: Block Consumer Browsers from Applications

Use an explicit deny policy to prevent certain applications from ever appearing in Applications or launching, even if other allow or approval rules exist. Deny policies act as a ban list and take precedence over allow.

json
{
  "apps": [
    {
      "id": "ban-consumer-browsers",
      "displayName": "Ban Consumer Browsers",
      "enabled": true,
      "priority": 1000,
      "matchAny": [
        { "type": "targetPath", "pattern": "**\\Google\\Chrome\\Application\\chrome.exe", "patternType": "glob" },
        { "type": "targetPath", "pattern": "**\\Mozilla Firefox\\firefox.exe", "patternType": "glob" },
        { "type": "targetPath", "pattern": "**\\Microsoft\\Edge\\Application\\msedge.exe", "patternType": "glob" }
      ],
      "action": "deny"
    }
  ]
}

Validate:

  • On a device where Chrome, Firefox, and Edge are present, these shortcuts are still discovered by the Launcher, but:
    • They do not appear in the Applications tab.
    • Attempts to route to these executables (for example, via other policies or approval rules) result in authz deny events.
  • Adding new action: "allow" or authorization.approval rules that match these executables does not make them visible or launchable, because the deny policy takes precedence.

Notes:

  • For broad catalog cleanup (for example, stripping out uninstallers or low-value shortcuts), combine deny policies with configuration.discovery.providers[].filters.exclude patterns so unwanted entries are never discovered in the first place.

See also: