Policy objects are the individually configurable components of a policy, such as network locations. You configure policy objects and then add them to authentication policies.
You can configure these kinds of policy objects:
- Network Locations (previously called safe locations): Network location policy objects enable you to specify a list of IP addresses. You can then configure authentication policies that only apply when users authenticate from the IP addresses in the specified network location.
- Time Schedules: Time schedule policy objects enable you to specify the dates and times when authentication policies apply to user authentications. When you add a time schedule to an authentication policy, the policy only applies when a user authenticates during the specified time schedule.
When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location.
We recommend that you create a second policy for the same groups and resources without the policy object. Users who only have a policy that includes a policy object do not get access to the resource when the conditions of the policy object do not apply to the authentication (because they do not have a policy that applies, not because authentication is denied).
- Users who only have a policy that includes a network location do not get access to the resource when they authenticate outside of that network location.
- Users who only have a policy that includes a time schedule do not get access when they authenticate outside the hours of that time schedule.
If you have two policies (one with a policy object and one without), assign a higher priority to the policy with the policy object. For more information, see About Policy Precedence.
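The following added example, which is not the product's own code, models the behavior described above: a policy whose policy objects do not match simply does not apply, and a second policy without the object is the fallback. It assumes first-match evaluation in priority order, and all names, addresses and dates are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class NetworkLocation:
    addresses: list                      # IPs or CIDR ranges (constructed values)
    def matches(self, auth):
        ip = ipaddress.ip_address(auth["ip"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in self.addresses)

@dataclass
class TimeSchedule:
    weekdays: set                        # 0 = Monday ... 6 = Sunday
    start: time
    end: time
    def matches(self, auth):
        when = auth["when"]
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

@dataclass
class Policy:
    name: str
    groups: set
    resources: set
    objects: list = field(default_factory=list)   # policy objects; empty = no extra conditions
    def applies(self, auth):
        return (auth["group"] in self.groups and auth["resource"] in self.resources
                and all(obj.matches(auth) for obj in self.objects))

def evaluate(policies, auth):
    """Return the name of the first applicable policy (list is ordered highest
    priority first), or None when no policy applies and the user gets no access."""
    return next((p.name for p in policies if p.applies(auth)), None)

# Constructed sample data (documentation address ranges, hypothetical names).
office = NetworkLocation(["203.0.113.0/24"])
work_hours = TimeSchedule({0, 1, 2, 3, 4}, time(8), time(18))
restricted = Policy("vpn-office-hours", {"staff"}, {"vpn"}, [office, work_hours])
fallback = Policy("vpn-default", {"staff"}, {"vpn"})

def auth(ip, when):
    return {"group": "staff", "resource": "vpn", "ip": ip, "when": when}

wed_10am = datetime(2024, 1, 3, 10, 0)   # a Wednesday
sat_10am = datetime(2024, 1, 6, 10, 0)   # a Saturday

if __name__ == "__main__":
    print(evaluate([restricted], auth("198.51.100.7", wed_10am)))            # no policy applies
    print(evaluate([restricted, fallback], auth("198.51.100.7", wed_10am)))  # fallback applies
```

Placing the fallback policy first in the list makes it match every authentication for that group and resource, so the policy with the policy object is never reached.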