Access Control Policies
Define and enforce access control policies to secure your CastellanAI environment.
Overview
Access control policies allow you to define who can access CastellanAI, from where, and when. Combine multiple policies to create defense-in-depth security.
| Control Type | Description |
|---|---|
| IP-Based | Restrict access by source IP address or network range |
| Time-Based | Limit access to specific hours or days of the week |
| Geographic | Allow or block access from specific countries or regions |
Access Control Types
IP Allowlist & Blocklist
Control access based on source IP addresses, CIDR ranges, or network blocks.
IP Allowlist (Recommended)
Only allow access from approved IP addresses or ranges.
192.168.1.0/24
10.0.0.0/8
203.0.113.42
IP Blocklist
Block specific IP addresses known to be malicious or suspicious.
198.51.100.0/24
203.0.113.0/24
192.0.2.123
Important: Allowlist takes precedence over blocklist. An IP in both lists will be allowed.
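The precedence rule above means any allowlist entry that overlaps a blocklist range silently cancels the block for those addresses. The following is an added example, not CastellanAI code: it models the documented rule using the sample lists on this page and reports such overlaps. The function names and the default-allow behaviour for an empty allowlist are assumptions.

```python
import ipaddress

# Lists copied from the examples on this page.
ALLOWLIST = ["192.168.1.0/24", "10.0.0.0/8", "203.0.113.42"]
BLOCKLIST = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.123"]

def _nets(entries):
    # strict=False lets a bare host address parse as a /32 (or /128) network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def decide(ip, allowlist, blocklist):
    """Return 'allow' or 'deny' for one source address.

    Documented: an allowlist match wins over a blocklist match, and an
    allowlist only admits approved addresses.
    Assumption: with an empty allowlist, unlisted addresses are allowed.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _nets(allowlist)):
        return "allow"
    if any(addr in n for n in _nets(blocklist)):
        return "deny"
    return "deny" if allowlist else "allow"

def shadowed_blocks(allowlist, blocklist):
    """Return (block_entry, allow_entry) pairs where the allow entry
    overrides part or all of the block entry."""
    pairs = []
    for b in _nets(blocklist):
        for a in _nets(allowlist):
            if a.version == b.version and a.overlaps(b):
                pairs.append((str(b), str(a)))
    return pairs

if __name__ == "__main__":
    for ip in ("203.0.113.42", "203.0.113.7", "192.0.2.10"):
        print(ip, decide(ip, ALLOWLIST, BLOCKLIST))
    print(shadowed_blocks(ALLOWLIST, BLOCKLIST))
```

Running the overlap check before saving a list change shows which blocked ranges a new allowlist entry would reopen.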
Time-Based Access Control
Restrict access to specific time windows based on your organization's business hours.
Example Configuration:
| Setting | Value |
|---|---|
| Business Hours | Mon-Fri, 8:00 AM - 6:00 PM (EST) |
| Maintenance Window | Sunday, 2:00 AM - 4:00 AM (EST) |
| 24/7 Access Roles | Administrator, Security Analyst |
Time-based restrictions apply to login attempts. Active sessions are not terminated when outside allowed hours.
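Because the restriction gates logins only, a session opened just before closing time stays valid afterwards. The following is an added example, not CastellanAI code: it models the example configuration above and lists sessions that are still live outside the allowed window. The session field names, the sample data and the exact boundary handling are assumptions.

```python
from datetime import datetime, time, timedelta, timezone

EST = timezone(timedelta(hours=-5), "EST")  # fixed UTC-5, as the table says EST
BUSINESS_DAYS = {0, 1, 2, 3, 4}              # Monday=0 .. Friday=4
OPEN, CLOSE = time(8, 0), time(18, 0)        # 8:00 AM - 6:00 PM
ALWAYS_ALLOWED = {"Administrator", "Security Analyst"}  # 24/7 access roles

def login_allowed(role, when_utc):
    """Evaluate one login attempt against the example time policy."""
    if role in ALWAYS_ALLOWED:
        return True
    local = when_utc.astimezone(EST)
    # Assumption: the window includes 8:00 AM and excludes 6:00 PM.
    return local.weekday() in BUSINESS_DAYS and OPEN <= local.time() < CLOSE

def sessions_past_window(sessions, now_utc):
    """Return users whose session is still live although a fresh login with
    the same role would be refused now (logins are gated, sessions are not)."""
    return [s["user"] for s in sessions
            if s["expires_utc"] > now_utc
            and not login_allowed(s["role"], now_utc)]

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample sessions (field names are hypothetical).
SAMPLE_SESSIONS = [
    {"user": "viewer1", "role": "Viewer", "expires_utc": utc(2024, 1, 13, 6, 30)},
    {"user": "admin1", "role": "Administrator", "expires_utc": utc(2024, 1, 13, 6, 30)},
    {"user": "viewer2", "role": "Viewer", "expires_utc": utc(2024, 1, 12, 23, 30)},
]

if __name__ == "__main__":
    now = utc(2024, 1, 13, 0, 0)  # Friday 7:00 PM EST
    print(login_allowed("Viewer", now), sessions_past_window(SAMPLE_SESSIONS, now))
```

Short session lifetimes for restricted roles narrow the gap this check exposes.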
Geographic Access Control
Allow or block access based on the geographic location of the source IP address.
Allowed Countries: Define specific countries where your organization operates (e.g., United States, Canada, United Kingdom).
Blocked Countries: Block access from high-risk regions or countries that are frequent sources of attacks.
Geographic restrictions can be bypassed using VPNs. Use in combination with other controls.
Configuring Access Control Policies
Step 1: Navigate to Access Control Settings
Access control policies are managed in the Security settings section (Administrator only).
Navigation Path: Settings → Security → Access Control
Step 2: Select Policy Type
Choose the type of access control policy you want to create or modify:
- IP Allowlist/Blocklist
- Time-Based Access
- Geographic Restrictions
Step 3: Define Policy Rules
Add specific rules for the policy type. You can add multiple rules per policy.
Example: IP Allowlist Rule
- IP Address or CIDR Range: 192.168.1.0/24
- Description: Corporate office network
Step 4: Set Policy Scope
Determine which users or roles the policy applies to:
- Apply to all users
- Exclude Administrator role
- Exclude Security Analyst role
Step 5: Enable and Test Policy
Enable the policy and test it with a non-administrative account to ensure it works as expected.
Critical: Always test access control policies from a non-admin account before enabling organization-wide. Incorrect configuration can lock out users.
Common Policy Examples
Example 1: Corporate Network Only
Restrict access to corporate office networks, with VPN access for remote workers.
✓ Allowlist: 10.0.0.0/8 (Corporate LAN)
✓ Allowlist: 172.16.0.0/12 (VPN Range)
Applies to: All users except Administrator
Example 2: Business Hours with On-Call Access
Limit access to business hours, but allow 24/7 access for security team and administrators.
✓ Time: Mon-Fri, 7:00 AM - 7:00 PM (Local Time)
Applies to: Viewer, Incident Responder roles
⊘ Excluded: Administrator, Security Analyst (24/7 access)
Example 3: Geographic + IP Restrictions
Allow only specific countries and require VPN for remote access.
✓ Countries: United States, Canada, United Kingdom
✓ Allowlist: 172.16.0.0/12 (VPN for other countries)
✗ Blocklist: Known Tor exit nodes
Example 4: High-Security Mode
Maximum restrictions: specific IPs, business hours, geographic limits, and MFA required.
✓ Allowlist: 192.168.1.0/24 (Office only)
✓ Time: Mon-Fri, 8:00 AM - 6:00 PM
✓ Countries: United States only
+ MFA Required: All roles
Emergency Access & Bypass
CastellanAI provides emergency access mechanisms to prevent complete lockout:
Break-Glass Account
A special administrator account that bypasses all access control policies for emergency situations.
- Set up during initial account configuration
- Requires MFA with backup codes stored securely
- All usage is logged and alerted
Policy Override Code
A time-limited code that temporarily disables access control for a specific user (Administrator only).
- Valid for 1 hour by default
- Can only be generated by a current Administrator
- User must still authenticate normally
Support-Assisted Access
Contact CastellanAI support for emergency access assistance if all other methods fail.
- Requires identity verification
- Available 24/7 for Enterprise tier
- Typically resolved within 30 minutes
Best Practices
- Use Allowlist, Not Blocklist - IP allowlisting is more secure than blocklisting. Explicitly define trusted sources rather than trying to block all untrusted ones.
- Layer Multiple Controls - Combine IP, time-based, and geographic controls with MFA for defense-in-depth security.
- Document Policy Exceptions - Clearly document why certain users or roles are exempt from policies and review exceptions quarterly.
- Test Before Enforcing - Always test new policies with a limited scope before rolling out organization-wide to avoid accidental lockouts.
- Configure Break-Glass Access - Set up emergency access mechanisms before implementing restrictive policies. Store break-glass credentials securely offline.
- Review Regularly - Audit access control policies quarterly and update as your infrastructure changes (new offices, VPN ranges, etc.).
What's Next?
- User Activity Monitoring - Monitor user activity and audit access attempts
- Multi-Factor Authentication - Add an extra layer of security with MFA