Constraints
Constraints are assigned to Rules, and allow you to restrict access to a resource.
- Select Policy > Rules.
- On the Rules page, click Create Draft.
- Click the rule that you want to modify.
- In the Constraints section, click the Add button to create a constraint.
- On the Rule Constraints page, select the Constraint Type from the drop-down list. This can be one of the following:

| Constraint Type | Description |
| --- | --- |
| Client Protocol | Restricts access by the client protocol, for example, SSH, Browser (HTTPS), vSphere Windows or Web client, or REST API. |
| Client IP Range | Restricts access by the IP address range. Enter the start and end IP address of the range. |
| Client IP Match | Restricts access by the exact IP address entered. |
| Match VM Label(s) | Restricts access by the virtual machine label assigned to a resource. If the virtual machine label does not match, any operations are denied. Click Exclude VM Label to deny all access to the selected label. |
| Match Host Label(s) | Restricts access by the host label assigned to a resource. If the host label does not match, any operations are denied. Click Exclude Host Label to deny all access to the selected label. |
| Match Label(s) by Name | Restricts access by the name label assigned to a resource. If the name label does not match, any operations are denied. Click Exclude Label by Name to deny all access to the selected label. |
| Match Network Label(s) | Restricts access by the network label assigned to a resource. If the network label does not match, any operations are denied. Click Exclude Network Label to deny all access to the selected label. |
| Match Host Attribute(s) | Restricts access by the host attributes assigned to a resource. If one or more of the attributes does not match, any operations are denied. Click Exclude Host Attribute(s) to deny all access to the selected attributes. |
| NSX Security Tag(s) | Restricts access to the specified NSX security tag. When used in a rule, it limits the ability of NSX users to perform NSX security tag operations, such as editing, deleting, or assigning or unassigning tags, on the specified tag. |
| User Attribute(s) | Restricts access by the user attributes assigned to a resource. If one or more of the user attributes do not match, any operations are denied. Click Exclude User Attribute(s) to deny all access to the selected attributes. |

Note: Labels must be created and assigned to a policy resource before they can be used as part of a rule constraint.
- Click OK to add the constraint.
Note: If more than one constraint exists in a given rule, then all constraints must be satisfied before the operation can proceed. However, if you have more than one label in a single constraint, then the operation can proceed if any of the labels is satisfied.
- Click OK to close the Edit Rule page.
- Click Deploy to save the changes.
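
The note on multiple constraints is easy to misread when planning a rule, so the following added example (not the product's own code) models the evaluation as this page describes it: every constraint in a rule must pass, any one label within a label constraint is enough, and a single attribute mismatch denies. The constraint dictionaries, field names and sample values are hypothetical and constructed for illustration.

```python
from ipaddress import ip_address

# Model of the evaluation semantics described in the notes above.
# Constraint dicts and field names are hypothetical, not the product's schema.

def check(constraint, request):
    """Return True when one constraint is satisfied by the request."""
    kind = constraint["type"]
    if kind == "client_protocol":
        return request["protocol"] in constraint["protocols"]
    if kind == "client_ip_range":
        start, end = ip_address(constraint["start"]), ip_address(constraint["end"])
        return start <= ip_address(request["client_ip"]) <= end  # inclusive range
    if kind == "client_ip_match":
        return ip_address(request["client_ip"]) == ip_address(constraint["ip"])
    if kind == "match_labels":
        # Several labels in ONE constraint: any single match satisfies it.
        return bool(set(constraint["labels"]) & set(request["labels"]))
    if kind == "exclude_labels":
        # Exclude: a resource carrying a listed label is denied.
        return not (set(constraint["labels"]) & set(request["labels"]))
    if kind == "match_attributes":
        # Attributes: one mismatch denies, so every listed pair must match.
        attrs = request["attributes"]
        return all(attrs.get(k) == v for k, v in constraint["attributes"].items())
    return False  # unknown constraint type: fail closed

def rule_allows(constraints, request):
    """Several constraints in one rule: ALL must be satisfied."""
    return all(check(c, request) for c in constraints)

# Constructed sample rule: SSH only, from a fixed range, to "prod" OR "pci" resources.
RULE = [
    {"type": "client_protocol", "protocols": ["SSH"]},
    {"type": "client_ip_range", "start": "10.0.0.10", "end": "10.0.0.50"},
    {"type": "match_labels", "labels": ["prod", "pci"]},
]
# Constructed request; "labels" and "attributes" are those of the target resource.
REQ = {"protocol": "SSH", "client_ip": "10.0.0.42", "labels": ["pci"], "attributes": {}}

if __name__ == "__main__":
    print(rule_allows(RULE, REQ))                                # all three pass
    print(rule_allows(RULE, {**REQ, "client_ip": "10.0.0.51"}))  # one fails: denied
```
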