Internet access objects and Internet access policies are independent elements of the IAG. An Internet Access Policy takes effect only after it is associated with specific Internet access objects.
The IAG provides several types of Internet access objects.
The Internet access objects with which Internet access policies can be associated are listed on the Object tab page, as shown in the following figure.
There are four types of objects: User, Location, Endpoint Device, and Destination.
User: including Local Users, Domain User, Security Group, Domain Attributes, User Attributes, and Source IP.
Location: Locations are classified by IP address segment, wireless network, or VLAN.
Endpoint Type: types of Internet access devices, including mobile devices, PCs, and multipurpose devices.
Destination: target IP address range.
1. The four object types have the AND relationship: a policy applies only to traffic that matches every type that is specified. For example, you can select the user group IT Department in User, All in Location, PC in Endpoint Type, and All in Destination. This policy then applies only to members of IT Department who access the Internet from a PC; because All is selected for Location and Destination, those two types do not restrict the policy. The selected object set is displayed on the Selected pane.
2. If any of the four object types is not specified, that type is not used as a filtering condition. For example, if no location is specified, the location is not a filtering condition.
3. If none of the four object types is specified, the policy is blank: it is associated with no user and takes effect for no one.
There are six user types: Local Users, Domain User, Security Group, Domain Attributes, User Attributes, and Source IP.
A user is a local user if it was synchronized to the IAG, added to the IAG by an authentication policy, or created on the IAG. Local users can be selected in Local Users.
Domain User, Security Group, and Domain Attributes are displayed only if an LDAP server is configured.
In Domain User, all configured LDAP servers are listed as OU groups. You can select OU groups or users in Domain User.
In Security Group, all configured LDAP servers are listed as OU groups. However, you can select only security groups in Security Group, and cannot select domain users or OU groups.
In Domain Attributes, you can select users whose attributes on the LDAP server meet the specified conditions. On the Domain Attributes page, click Add. In the Add Domain Attribute dialog box, set the attribute conditions. A maximum of five conditions can be set, and the conditions have the AND relationship (all of them must be met).
In User Attributes, you can select users whose user attributes meet the specified conditions. On the User Attributes page, click Add. In the Add User Attributes dialog box, set the attribute conditions. A maximum of five conditions can be set, and the conditions have the AND relationship (all of them must be met).
In Source IP, you can select a source IP address range of intranet users.
1. The User object type includes Local Users, Domain User, Security Group, Domain Attributes, User Attributes, and Source IP. Unlike the four object types, these user types have the OR relationship: a user that matches any one of them is selected. For example, if you select local user A and domain user B, the policy applies to both users.
2. Domain User, Security Group, and Domain Attributes are displayed only if an LDAP server is configured.
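The two matching rules above (the four object types are ANDed, an unspecified type is not a filter, a blank policy matches nobody, and the user sub-types are ORed) are easy to get wrong when reviewing a policy set. The following is an added example that models those rules in Python; it is not IAG code, and every username, OU path, attribute and IP range in it is constructed. Location is modelled by IP segment only (the wireless-network and VLAN forms of a location are not represented), and the five-condition limit on attribute conditions is enforced.

```python
"""Added example: a model of how IAG Internet access objects select traffic.
Not IAG code; all names, OU paths, attributes and IP ranges are constructed."""
import ipaddress
from dataclasses import dataclass, field

MAX_ATTRIBUTE_CONDITIONS = 5   # the Add ... Attribute dialog allows at most five


def in_any(ip: str, cidrs) -> bool:
    """True if ip falls inside any of the given CIDR ranges (False for none)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass
class Session:
    """One intranet user's Internet access as the gateway would see it."""
    username: str
    user_kind: str                      # "local" or "domain"
    src_ip: str
    endpoint_type: str                  # "PC", "mobile" or "multipurpose"
    dst_ip: str
    ou: str = ""                        # LDAP OU path, domain users only
    security_groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)


@dataclass
class UserObject:
    """The User object type; its six sub-types are ORed in matches()."""
    local_users: set = field(default_factory=set)
    domain_users: set = field(default_factory=set)         # usernames or OU paths
    security_groups: set = field(default_factory=set)
    domain_attributes: dict = field(default_factory=dict)  # ANDed conditions
    user_attributes: dict = field(default_factory=dict)    # ANDed conditions
    source_ips: list = field(default_factory=list)         # CIDR strings

    def __post_init__(self):
        for conds in (self.domain_attributes, self.user_attributes):
            if len(conds) > MAX_ATTRIBUTE_CONDITIONS:
                raise ValueError("at most five attribute conditions can be set")

    def specified(self) -> bool:
        return any((self.local_users, self.domain_users, self.security_groups,
                    self.domain_attributes, self.user_attributes, self.source_ips))

    def matches(self, s: Session) -> bool:
        # OR relationship: the first sub-type that matches selects the user.
        if s.user_kind == "local" and s.username in self.local_users:
            return True
        if s.user_kind == "domain":
            if s.username in self.domain_users or any(
                    s.ou == ou or s.ou.startswith(ou + "/") for ou in self.domain_users):
                return True
            if s.security_groups & self.security_groups:
                return True
            if self.domain_attributes and all(
                    s.attributes.get(k) == v for k, v in self.domain_attributes.items()):
                return True
        if self.user_attributes and all(
                s.attributes.get(k) == v for k, v in self.user_attributes.items()):
            return True
        return in_any(s.src_ip, self.source_ips)


@dataclass
class Policy:
    name: str
    user: UserObject = field(default_factory=UserObject)   # empty = not specified
    locations: list = field(default_factory=list)          # IP segments; empty = All
    endpoint_types: set = field(default_factory=set)       # empty = All
    destinations: list = field(default_factory=list)       # IP ranges; empty = All


def policy_applies(p: Policy, s: Session) -> bool:
    """AND relationship across the four object types; unspecified types are skipped."""
    conditions = []
    if p.user.specified():
        conditions.append(p.user.matches(s))
    if p.locations:
        conditions.append(in_any(s.src_ip, p.locations))
    if p.endpoint_types:
        conditions.append(s.endpoint_type in p.endpoint_types)
    if p.destinations:
        conditions.append(in_any(s.dst_ip, p.destinations))
    if not conditions:
        return False          # blank policy: associated with no user at all
    return all(conditions)


# Constructed sample policies and sessions (hypothetical names and addresses).
IT_PC_POLICY = Policy("IT Department on PC",
                      user=UserObject(domain_users={"corp/IT Department"}),
                      endpoint_types={"PC"})
BLANK_POLICY = Policy("blank")
A_OR_B_POLICY = Policy("A or B", user=UserObject(local_users={"A"}, domain_users={"B"}))

ALICE_PC = Session("alice", "domain", "10.1.1.5", "PC", "203.0.113.10",
                   ou="corp/IT Department/Ops")
ALICE_MOBILE = Session("alice", "domain", "10.1.1.5", "mobile", "203.0.113.10",
                       ou="corp/IT Department/Ops")
BOB_PC = Session("bob", "domain", "10.2.1.5", "PC", "203.0.113.10", ou="corp/Sales")
LOCAL_A = Session("A", "local", "10.3.1.5", "PC", "203.0.113.10")
DOMAIN_B = Session("B", "domain", "10.3.1.6", "PC", "203.0.113.10", ou="corp/Sales")
```

Running `policy_applies(IT_PC_POLICY, ALICE_PC)` returns True, while the same user on a mobile device or a user outside the IT Department OU is rejected, which is the AND behaviour of the four object types; `A_OR_B_POLICY` applies to both the local user A and the domain user B, and `BLANK_POLICY` applies to nobody.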
The procedure for adding an Internet Access Policy for specific objects is as follows. When creating the Internet Access Policy, you can add objects to it directly:
- On the Policies page, click Add.
- Click Object, select an object type, and then select a user group or user. The selected user or user group is displayed on the Selected pane.
- Click OK.
The procedure for adding an Internet Access Policy (local users only) on the User Management page is as follows:
- Choose Users > Local Users. In User Group, select the user group named Marketing Department.
- On the Member and Policy pane, click Policies.
- Click Add Policy. In the Add Policy dialog box, select Access Control for Marketing Department, and select the option Recursive pass down to its subgroups to apply the Internet Access Policy to child groups as well. If this option is not selected, the policy does not apply to child groups; it still applies to the member users of this user group and to child groups added later. Click OK.
- On the Policies tab, view the list of policies associated with the user group. The Pass Down column indicates whether a policy applies to all member users and child groups.
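Whether a group policy reaches the members of child groups depends only on the Recursive pass down option shown in the Pass Down column. The following added example (not IAG code; the group tree, usernames and policy names are constructed) resolves the effective policy list of a user by walking the group tree: a pass-down policy is carried into every descendant group, while a policy without pass-down applies only to the direct members of the group it is attached to.

```python
"""Added example: resolving which group policies apply to a user depending
on the Pass Down option. Not IAG code; groups, users and policy names are
constructed."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    children: list = field(default_factory=list)
    policies: list = field(default_factory=list)   # (policy name, pass_down) pairs


def effective_policies(group: Group, username: str, inherited=()) -> list:
    """Policies that apply to username anywhere below group, in tree order.

    inherited holds the pass-down policies of ancestor groups; they reach the
    members of this group and are carried further down. Policies of this group
    without pass-down stop here and apply to its direct members only."""
    result = []
    if username in group.members:
        result.extend(inherited)
        result.extend(name for name, _ in group.policies)
    passed = list(inherited) + [name for name, pass_down in group.policies if pass_down]
    for child in group.children:
        result.extend(effective_policies(child, username, passed))
    return result


# Constructed sample tree: Marketing Department with one child group.
EVENTS = Group("Marketing Department/Events", members={"dave"},
               policies=[("Events Allow List", False)])
MARKETING = Group("Marketing Department", members={"carol"}, children=[EVENTS],
                  policies=[("Access Control for Marketing Department", True),
                            ("Marketing Bandwidth Limit", False)])
```

For `carol`, a direct member of Marketing Department, both group policies apply. For `dave`, who belongs only to the child group, the pass-down policy Access Control for Marketing Department is inherited, the non-pass-down Marketing Bandwidth Limit is not, and the child group's own policy applies as well. A user in neither group gets an empty list.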
You can change the Internet Access Policy of a single user on the Online Users page. The procedure is as follows:
- Choose Status > Users. On the Members pane, select the user (test in this example) for which an Internet Access Policy is to be added or edited.
- Click the username. The editing page is displayed.
- On the Policies tab, click Add Policy and select the Internet Access Policy to associate with the selected user.
On the Online Users page, you can edit the Internet Access Policy of a non-temporary user only. If you click the username of a temporary user in the online user list, you can only view the policy result set of that user; you cannot edit the user's Internet Access Policy.