IP Based Restrictions

The use case is straightforward: I want to apply an Approval Workflow to an action when a user accesses PAM from within or outside a specific IP address.

When the user is at their work computer, they do not require approval; however, when they go home or work remotely, they do require approval.

Using an IP Filter in your workflow binding, you can accomplish this quite easily.

Associate a Client IP

  1. Log in to PAM as a System Administrator.
  2. Navigate to Workflow Bindings at Administration > Workflows > Bindings.
  3. Select your existing Binding and click the Edit button in the Actions menu or click Add to create a new Binding.
  4. Enter an IP Address or IP Range into the IP Filter field. Configuration examples are shown at the bottom of this page.
    1. Example: An IP value of 192.168.0.5 would indicate that any user from this specific IP address would require approval.

    2. Example: An IP value of -192.168.0.5 would indicate that any user not from this specific IP address would require approval.

  5. Optionally, you may also select one or more Principals for the Users parameter to work in combination with the IP Filter. If the Users parameter is left empty, it will apply to all PAM users satisfying the IP Filter requirement.

  6. Click the Save button to complete the configuration.


IP Filter Configuration Example Scenarios

If you want to apply this workflow when a user accesses PAM:

  • from a specific IP address then enter this: 192.168.0.5
  • from anywhere but a specific IP address then enter this: -192.168.0.5
  • from an IP address using CIDR notation then enter this: 192.168.0.0/24
  • from any of these IP addresses then enter this: 192.168.0.5,192.168.0.6,10.0.0.88,70.54.48.786
  • from any of these IP addresses except one then enter this: 192.168.0.0/24,-192.168.0.6
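To sanity-check a filter value before saving the binding, the following added example (not PAM's own code) evaluates the syntax shown in the scenarios above. It assumes a client is selected when it matches any plain entry, or any address if only "-" entries are given, and matches no "-" entry; the function names and the client addresses are constructed for illustration.

```python
import ipaddress


def parse_filter(expr):
    """Split an IP Filter value into (include, exclude) lists of networks."""
    include, exclude = [], []
    for raw in expr.split(","):
        entry = raw.strip()
        if not entry:
            continue
        negated = entry.startswith("-")
        # A bare address becomes a /32 (or /128) network; a malformed
        # entry, e.g. an octet above 255, raises ValueError here.
        net = ipaddress.ip_network(entry[1:] if negated else entry, strict=False)
        (exclude if negated else include).append(net)
    return include, exclude


def requires_approval(client_ip, expr):
    """True when the filter selects this client (assumed semantics, see above)."""
    addr = ipaddress.ip_address(client_ip)
    include, exclude = parse_filter(expr)
    # Exclusions win over inclusions: 192.168.0.0/24,-192.168.0.6 skips .6.
    if any(addr in net for net in exclude):
        return False
    # Assumption: a filter with no plain entries means "everyone not excluded".
    return not include or any(addr in net for net in include)


if __name__ == "__main__":
    # Constructed client addresses: an office workstation, its neighbour,
    # and a remote address from the 203.0.113.0/24 documentation range.
    clients = ["192.168.0.5", "192.168.0.6", "203.0.113.10"]
    filters = ["192.168.0.5", "-192.168.0.5", "192.168.0.0/24",
               "192.168.0.0/24,-192.168.0.6"]
    for f in filters:
        for c in clients:
            verdict = "approval" if requires_approval(c, f) else "no approval"
            print(f"{f:30} {c:15} {verdict}")
```

For the use case at the top of this page, the office address goes in with a leading "-", so only clients outside it are selected for approval.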
