Access policies

UserLock access policies are sets of rules that define how users can access the network. They allow organizations to enforce contextual security controls and multi-factor authentication (MFA) directly on Active Directory accounts, groups, and organizational units (OUs).

Published May 1, 2024

Why access policies matter

Access policies let administrators move beyond “all-or-nothing” network access. With UserLock, you can:

This enables fine-grained control of user access while ensuring policies can adapt to exceptional situations (e.g., temporary access during leave, extended hours for special projects).

Types of policies

  • Permanent policies: Apply indefinitely until modified or deleted.

  • Temporary policies: Active only for a specified period. These can be used to allow exceptions (e.g., working outside usual hours) or to temporarily deny access (e.g., while on leave).

Policy priority management

Because users may belong to several policies, UserLock applies a priority system to resolve conflicts based on the following criteria:

Policy type

Temporary policies always override permanent policies.

Target type

User policies override Group or OU policies.

Server-wide policy setting

Defines how to handle ties between equal-priority policies:

  • Least restrictive (default): If at least one policy allows access, it is granted.

  • Most restrictive: If any policy denies access, it is denied.

Priority levels (highest to lowest)

  1. User temporary policy

  2. Group/OU temporary policy

  3. User permanent policy

  4. Group/OU permanent policy

Examples of priority resolution

Temporary vs. Permanent

  • Alice is in a permanent group policy (“Everyone”) allowing 1 workstation session.

  • She is also in a temporary group policy (“Everyone”) allowing 3 sessions.

  • Result: The temporary rule applies → Alice can open 3 sessions.

Two permanent group policies

  • Bob is in a permanent group policy (“Everyone”) allowing 1 session.

  • He is also in another permanent group policy (“Group-A”) allowing 2 sessions.

  • Both rules are permanent group-level policies (same priority level).

  • Result: The applied rule depends on the server-wide policy (most restrictive = 1; least restrictive = 2).

Temporary vs. Permanent with least restrictive server policy

  • Carol is in a permanent group policy (“Group-A”) allowing 2 sessions.

  • She is also in a temporary group policy (“Group-B”) allowing 5 sessions.

  • Server is set to least restrictive → Carol can open 5 sessions.

  • If a temporary policy for “Group-A” authorizes 3 sessions, it overrides both → Carol can open 3 sessions during the temporary policy.

User vs. Group/OU

  • Alice has a permanent user policy allowing 2 sessions.

  • She is also in a permanent group policy allowing 1 session.

  • Result: The user policy wins → Alice can open 2 sessions.

  • Bob has a temporary user policy allowing 2 sessions.

  • He is also in a temporary group policy (“Group-A”) allowing 1 session.

  • Result: The user policy wins → Bob can open 2 sessions.
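The priority rules above can be modelled as a small resolver: pick the highest-priority level present among the policies that apply to a user, then break ties within that level with the server-wide setting. The following is an added, constructed illustration written for this page, not UserLock's own code; the `Policy` record, the `max_sessions` field and the `least_restrictive`/`most_restrictive` mode names are assumptions chosen to mirror the walkthroughs. It reproduces the Alice and Bob cases and the first Carol step; the final Carol bullet (two temporary group policies, resolved in favour of “Group-A”) is not modelled, because the page does not state which rule decides that tie.

```python
"""Model of the UserLock policy priority rules described on this page.

Constructed illustration, not UserLock's own code. Policies are plain
records and the resolver returns the session limit that would apply.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Literal, Optional

Kind = Literal["temporary", "permanent"]
Target = Literal["user", "group", "ou"]

# Priority levels from the page, highest (1) to lowest (4).
# Group and OU policies share a level.
PRIORITY = {
    ("user", "temporary"): 1,
    ("group", "temporary"): 2,
    ("ou", "temporary"): 2,
    ("user", "permanent"): 3,
    ("group", "permanent"): 4,
    ("ou", "permanent"): 4,
}


@dataclass(frozen=True)
class Policy:
    name: str          # user account name, or group/OU name
    target: Target
    kind: Kind
    max_sessions: int  # assumed: the one restriction this model tracks


def applicable(user: str, groups: set[str], policies: Iterable[Policy]) -> list[Policy]:
    """Keep the policies whose target is this user or one of the user's groups/OUs."""
    return [
        p for p in policies
        if (p.target == "user" and p.name == user)
        or (p.target in ("group", "ou") and p.name in groups)
    ]


def resolve(policies: Iterable[Policy], server_mode: str = "least_restrictive") -> Optional[int]:
    """Return the effective session limit, or None when no policy applies.

    Step 1: only the highest-priority level present is considered
            (temporary beats permanent, user beats group/OU).
    Step 2: ties inside that level go to the server-wide setting.
    """
    policies = list(policies)
    if not policies:
        return None
    best = min(PRIORITY[(p.target, p.kind)] for p in policies)
    limits = [p.max_sessions for p in policies if PRIORITY[(p.target, p.kind)] == best]
    if server_mode == "least_restrictive":
        return max(limits)   # any policy that allows more wins
    if server_mode == "most_restrictive":
        return min(limits)   # any policy that allows less wins
    raise ValueError(f"unknown server-wide mode: {server_mode!r}")


def worked_examples() -> dict[str, Optional[int]]:
    """The page's walkthroughs, expressed as resolver calls (constructed data)."""
    everyone_perm = Policy("Everyone", "group", "permanent", 1)
    everyone_temp = Policy("Everyone", "group", "temporary", 3)
    group_a_perm = Policy("Group-A", "group", "permanent", 2)
    group_b_temp = Policy("Group-B", "group", "temporary", 5)
    alice_user_perm = Policy("Alice", "user", "permanent", 2)
    bob_user_temp = Policy("Bob", "user", "temporary", 2)
    group_a_temp = Policy("Group-A", "group", "temporary", 1)

    all_policies = [everyone_perm, everyone_temp, group_a_perm, group_b_temp,
                    alice_user_perm, bob_user_temp, group_a_temp]

    return {
        # Temporary vs. permanent: temporary wins -> 3
        "alice_temp_vs_perm": resolve([everyone_perm, everyone_temp]),
        # Two permanent group policies: server-wide setting decides
        "bob_two_perm_least": resolve([everyone_perm, group_a_perm], "least_restrictive"),
        "bob_two_perm_most": resolve([everyone_perm, group_a_perm], "most_restrictive"),
        # Carol, first step: temporary Group-B beats permanent Group-A -> 5
        "carol_temp_group_b": resolve([group_a_perm, group_b_temp]),
        # User vs. group: user policy wins -> 2
        "alice_user_vs_group": resolve([alice_user_perm, everyone_perm]),
        "bob_user_temp_vs_group_temp": resolve([bob_user_temp, group_a_temp]),
        # Same result when the applicable set is derived from memberships
        "alice_from_memberships": resolve(
            applicable("Alice", {"Everyone"}, [everyone_perm, alice_user_perm, group_a_temp])),
        "carol_from_memberships": resolve(
            applicable("Carol", {"Group-A", "Group-B"}, [group_a_perm, group_b_temp, bob_user_temp])),
        "nobody": resolve(applicable("Dave", set(), all_policies)),
    }


if __name__ == "__main__":
    for case, limit in worked_examples().items():
        print(f"{case}: {limit}")
```

When feeding real memberships into `applicable`, remember the note further down this page: Domain Users, Everyone and Authenticated Users always cover every account, so a policy targeting one of them applies even to a user who was removed from that group in AD.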

Synchronization with Active Directory

UserLock continuously tracks AD group and OU memberships to ensure policies are always up to date.

When applying restrictions, UserLock checks which policies apply to the user.

  • The membership list is refreshed every 5 minutes.

  • Creating or deleting a policy applies to active sessions within 5 minutes.

  • Changes to policies are applied without requiring users to reconnect.

Example: If an admin creates a new temporary policy to allow access outside normal hours, the user does not need to disconnect and reconnect for the change to take effect.

Note

The Domain Users, Everyone, and Authenticated Users groups always include all users in the domain, even if specific accounts were removed from these groups. Microsoft also recommends never removing accounts from Domain Users, since it is the primary group.

Summary

UserLock access policies give administrators precise, flexible control over network access:

  • Apply MFA and contextual restrictions (time, location, machine, session limits).

  • Use permanent policies for baseline security, and temporary policies for exceptions.

  • Synchronization with AD ensures policies stay accurate and up-to-date.

  • Rules are applied immediately, with conflicts resolved by a clear priority system.

This framework ensures that user access remains both secure and adaptable to organizational needs.