Security group exclusion from an access control policy

Ali Ammar0 Lv1 Posted 18 Nov 2022 18:33

Hi there. I raised a question some days ago and I can't find my answer. Let me clarify my question again. In my scenario, I integrated IAM with Active Directory, created access control policies for web access management, and then linked the policies with security groups created in Active Directory. I am creating a block internet policy for users who are not members of any security group. By default, IAM allows all web traffic for a user who is not a member of any security group. So I decided to create a block rule at the bottom and exclude the above security groups, which are already linked with policies. By doing this, random users will be blocked.
The problem I am facing is how to exclude a user or a security group while creating a policy.

CTI_JianJie has solved this question and earned 10 coins.


As mentioned in the previous thread, it should be working if configuring the top-down allow and deny policy.
If it is not working as expected, please try to get help from the Sangfor engineer via email to
Darjo Lv1 Posted 18 Nov 2022 19:51
Instead of using a security group, I think you can also try making an access control policy with selected users, for example:

Policy 1 Allow for Email => select some users from AD that belong to this policy
Policy 2 Allow for Youtube => select some users from AD that belong to this policy
Policy 3 Deny All => select All users
jetjetd Lv5 Posted 20 Nov 2022 20:52
Take note of the policy precedence; it's from top to bottom. Put the allow policies topmost and the deny-all policy at the bottom. This will block the rest of the users that are not declared in the allow policy.
damulagski Lv3 Posted 20 Nov 2022 22:24
It must have an allow policy made.
Naomi Lv3 Posted 21 Nov 2022 09:56
Your policy is complicated.
rivsy Lv5 Posted 21 Nov 2022 09:59
There are two ways: configuration in the AD server, and through configuration in the policy, in the group or individual policy.
Happpy Lv3 Posted 21 Nov 2022 09:59
Please put the policies in priority order from top to bottom: the more specific on top and the less specific toward the bottom.
babeshuka Lv3 Posted 21 Nov 2022 10:43
Put the allow policies first, followed by the refuse all policies. This will prohibit all other users who have not been stated in the allow policy.
Pat Lv4 Posted 21 Nov 2022 10:54
There are many policies which you could utilize; for example, you can select some users from AD to allow YouTube or email, or you can deny all.
Arleng Lv2 Posted 21 Nov 2022 11:06
Check your policies with appropriate priorities.
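
The top-to-bottom arrangement the replies describe, as an added example that is not part of the original thread and is not Sangfor IAM code. It assumes a simplified model in which the first matching policy decides, with constructed policy, group and user names, and shows that a user in no security group falls through to the default unless a catch-all deny sits last, and that a catch-all placed first shadows every allow policy below it.

```python
# Simplified first-match model; policy, group and user names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # "allow" or "deny"
    groups: frozenset = frozenset()  # linked AD security groups; empty = all users

def evaluate(policies, user_groups, default="allow"):
    """Return (policy name, action) for the first policy that matches, top to bottom."""
    for p in policies:
        if not p.groups or p.groups & frozenset(user_groups):
            return p.name, p.action
    return "<default>", default      # no policy matched: the appliance default applies

def shadowed(policies):
    """Names of policies that sit below a catch-all rule and can never match."""
    for i, p in enumerate(policies):
        if not p.groups:
            return [q.name for q in policies[i + 1:]]
    return []

# Constructed directory: carol belongs to no security group.
DIRECTORY = {"alice": {"SG-Email"}, "bob": {"SG-YouTube"}, "carol": set()}

ALLOW_ONLY = [
    Policy("Allow Email", "allow", frozenset({"SG-Email"})),
    Policy("Allow YouTube", "allow", frozenset({"SG-YouTube"})),
]
WITH_DENY_ALL = ALLOW_ONLY + [Policy("Deny All", "deny")]
DENY_ALL_FIRST = [Policy("Deny All", "deny")] + ALLOW_ONLY

def audit(policies, directory=DIRECTORY):
    """Map each user to the rule that decides their traffic."""
    return {user: evaluate(policies, groups) for user, groups in directory.items()}

if __name__ == "__main__":
    for label, ruleset in [("allow only", ALLOW_ONLY),
                           ("deny all last", WITH_DENY_ALL),
                           ("deny all first", DENY_ALL_FIRST)]:
        print(label, audit(ruleset), "shadowed:", shadowed(ruleset))
```

With the deny-all rule last, no exclusion list is needed: group members match their allow policy first and never reach the catch-all.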
