Access Control Policies
Define and enforce access control policies to secure your CastellanAI environment.
Combine multiple access control policies to create layered security that protects against various attack vectors.
Overview
| Control Type | Description |
|---|---|
| IP-Based | Restrict by source IP address or network range |
| Time-Based | Limit to specific hours or days |
| Geographic | Allow or block by country/region |
Access Control Types
IP Allowlist & Blocklist
Control access based on source IP addresses, CIDR ranges, or network blocks.
IP Allowlist (Recommended)
Only allow access from approved IP addresses:
192.168.1.0/24 # Corporate office
10.0.0.0/8 # Internal network
203.0.113.42 # Specific trusted IP
IP Blocklist
Block specific malicious or suspicious IPs:
198.51.100.0/24 # Known malicious range
203.0.113.0/24 # Suspicious network
192.0.2.123 # Specific blocked IP
Allowlist takes precedence over blocklist. An IP in both lists will be allowed.
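The precedence rule above, applied to the sample entries on this page, as an added example (not CastellanAI's own code). The function names are hypothetical, and denying addresses that appear in neither list once an allowlist exists is an assumption drawn from "Only allow access from approved IP addresses".

```python
import ipaddress

# Entries copied from the allowlist and blocklist examples above.
ALLOWLIST = ["192.168.1.0/24", "10.0.0.0/8", "203.0.113.42"]
BLOCKLIST = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.123"]

def parse(entries):
    # A bare address becomes a /32 (or /128) network; strict=False tolerates host bits.
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def evaluate_ip(source_ip, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Return (decision, reason) for one source address (hypothetical helper)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return ("deny", "unparseable address")
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    allow, block = parse(allowlist), parse(blocklist)
    if any(addr in net for net in allow):
        return ("allow", "allowlist")            # documented rule: allowlist wins
    if any(addr in net for net in block):
        return ("deny", "blocklist")
    # Assumption: once an allowlist exists, anything not on it is denied.
    if allow:
        return ("deny", "not in allowlist")
    return ("allow", "no allowlist configured")

def allowlist_overrides(allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """List (allow_entry, block_entry) pairs where an allow entry pierces a blocked range."""
    return [(str(a), str(b)) for a in parse(allowlist)
            for b in parse(blocklist) if a.overlaps(b)]

if __name__ == "__main__":
    for ip in ["203.0.113.42", "203.0.113.7", "10.20.30.40", "8.8.8.8"]:
        print(ip, evaluate_ip(ip))
    print(allowlist_overrides())
```

With the page's sample values, 203.0.113.42 is allowed even though 203.0.113.0/24 is blocklisted; `allowlist_overrides()` surfaces such pairs so each one can be reviewed and documented as an intentional exception.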
Time-Based Access Control
Restrict access to specific time windows based on your organization's business hours.
Example Configuration:
| Setting | Value |
|---|---|
| Business Hours | Mon-Fri, 8:00 AM - 6:00 PM (EST) |
| Maintenance Window | Sunday, 2:00 AM - 4:00 AM (EST) |
| 24/7 Access Roles | Administrator, Security Analyst |
Time-based restrictions apply to login attempts. Active sessions are not terminated when outside allowed hours.
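How the business-hours window and the 24/7 roles from the table interact with the login-only rule, as an added example (not CastellanAI's own code). Assumptions: "EST" is taken literally as a fixed UTC-5 offset, the closing time is exclusive, and the function names are hypothetical; the maintenance window is left out because the page does not say what effect it has.

```python
from datetime import datetime, time, timedelta, timezone

# Assumption: "EST" is a fixed UTC-5 offset. A deployment that observes
# daylight saving time would need a named zone instead of a fixed offset.
EST = timezone(timedelta(hours=-5), "EST")
BUSINESS_DAYS = {0, 1, 2, 3, 4}                  # Monday=0 .. Friday=4
OPEN, CLOSE = time(8, 0), time(18, 0)            # 8:00 AM - 6:00 PM
ALWAYS_ON_ROLES = {"Administrator", "Security Analyst"}

def login_allowed(role, when):
    """Decide whether a login attempt at `when` (timezone-aware) is inside policy."""
    if when.tzinfo is None:
        # A naive timestamp would be silently read in the server's zone.
        raise ValueError("timestamp must be timezone-aware")
    if role in ALWAYS_ON_ROLES:
        return True
    local = when.astimezone(EST)                 # evaluate in the policy's zone
    # Assumption: the window is [OPEN, CLOSE), so 6:00 PM sharp is outside.
    return local.weekday() in BUSINESS_DAYS and OPEN <= local.time() < CLOSE

def request_allowed(role, when, has_active_session):
    """Documented behaviour: the window gates logins, not existing sessions."""
    if has_active_session:
        return True
    return login_allowed(role, when)

if __name__ == "__main__":
    # Constructed timestamps: Friday 5:30 PM EST and Sunday 9:00 PM EST.
    friday = datetime(2024, 3, 8, 22, 30, tzinfo=timezone.utc)
    sunday = datetime(2024, 3, 11, 2, 0, tzinfo=timezone.utc)
    print(login_allowed("Viewer", friday))           # inside the window
    print(login_allowed("Viewer", sunday))           # Monday in UTC, Sunday locally
    print(request_allowed("Viewer", sunday, True))   # existing session continues
```

Because sessions outlive the window, the session lifetime setting determines how long a login made at 5:59 PM remains usable after hours.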
Geographic Access Control
Allow or block access based on IP geolocation.
Allowed Countries: Define countries where your organization operates:
- United States
- Canada
- United Kingdom
- Germany
Blocked Countries: Block access from high-risk regions or frequent attack sources.
Geographic restrictions can be bypassed using VPNs. Use in combination with other controls for defense in depth.
Configuring Access Control Policies
Step 1: Navigate to Access Control Settings
Access control policies are managed in Security settings.
Navigation Path: Settings → Security → Access Control
Only users with the Administrator role can modify access control policies.
Step 2: Select Policy Type
Choose the type of access control policy:
| Policy Type | Use Case |
|---|---|
| IP Allowlist/Blocklist | Network-based restrictions |
| Time-Based Access | Business hours enforcement |
| Geographic Restrictions | Country-level blocking |
Step 3: Define Policy Rules
Add specific rules for the policy type:
Example: IP Allowlist Rule
| Field | Value |
|---|---|
| IP/CIDR | 192.168.1.0/24 |
| Description | Corporate office network |
| Enabled | Yes |
Step 4: Set Policy Scope
Determine which users or roles the policy applies to:
| Scope Option | Description |
|---|---|
| All users | Policy applies to everyone |
| Exclude Administrator | Admins bypass the policy |
| Exclude Security Analyst | Analysts bypass the policy |
| Specific roles only | Target specific roles |
Step 5: Enable and Test Policy
Always test access control policies from a non-admin account before enabling organization-wide. Incorrect configuration can lock out users.
Testing Steps:
- Enable policy in test mode
- Test with non-admin account
- Verify expected behavior
- Enable for organization
Common Policy Examples
Corporate Network Only
Restrict access to corporate office networks, with a VPN for remote workers.
✓ Allowlist: 10.0.0.0/8 (Corporate LAN)
✓ Allowlist: 172.16.0.0/12 (VPN Range)
Applies to: All users except Administrator
Use Case: High-security environments requiring controlled network access.
Business Hours with On-Call Access
Limit access to business hours, but allow 24/7 access for the security team.
✓ Time: Mon-Fri, 7:00 AM - 7:00 PM (Local)
Applies to: Viewer, Incident Responder roles
⊘ Excluded: Administrator, Security Analyst (24/7)
Use Case: Organizations wanting to limit non-essential access outside hours.
Geographic + IP Restrictions
Allow specific countries and require VPN for others.
✓ Countries: United States, Canada, UK
✓ Allowlist: 172.16.0.0/12 (VPN for other countries)
✗ Blocklist: Known Tor exit nodes
Use Case: Global organizations with regional compliance requirements.
High-Security Mode
Maximum restrictions: specific IPs, business hours, geo limits, and MFA.
✓ Allowlist: 192.168.1.0/24 (Office only)
✓ Time: Mon-Fri, 8:00 AM - 6:00 PM
✓ Countries: United States only
+ MFA Required: All roles
Use Case: Financial services, healthcare, or classified environments.
Emergency Access & Bypass
Break-Glass Account
A special administrator account that bypasses all access control policies.
| Feature | Description |
|---|---|
| Purpose | Emergency situations only |
| Setup | During initial configuration |
| Security | MFA with offline backup codes |
| Monitoring | All usage logged and alerted |
Store break-glass credentials in a secure, offline location (e.g., safe, secure vault).
Policy Override Code
Time-limited code that temporarily disables access control for a specific user.
| Feature | Description |
|---|---|
| Valid for | 1 hour (default) |
| Generated by | Current Administrator |
| Effect | Bypasses access policies |
| Authentication | Still required normally |
Support-Assisted Access
Contact CastellanAI support for emergency access assistance.
| Tier | Availability | Response Time |
|---|---|---|
| Enterprise | 24/7 | ~30 minutes |
| Medium Business | Business hours | ~2 hours |
| Small Business | Business hours | ~4 hours |
Requirements:
- Identity verification
- Account ownership proof
- Security questions
Best Practices
Access Control Do's
| Practice | Description |
|---|---|
| Use Allowlist | More secure than blocklist |
| Layer Controls | Combine IP, time, geo, and MFA |
| Document Exceptions | Record why users are exempt |
| Test First | Always test with limited scope |
| Configure Break-Glass | Set up before restrictive policies |
| Review Quarterly | Update as infrastructure changes |
Access Control Don'ts
| Avoid | Risk |
|---|---|
| Blocking without testing | User lockouts |
| Relying on geo alone | VPN bypass |
| No break-glass account | Complete lockout risk |
| Overly complex policies | Management overhead |
| Static configurations | Outdated rules |
📝 Access Control Checklist
- Configure break-glass account first
- Document IP ranges to allow/block
- Define business hours and time zones
- Identify geographic restrictions needed
- Test policies with non-admin account
- Document all policy exceptions
- Set up emergency bypass procedures
- Schedule quarterly policy reviews
- Train team on lockout recovery
What's Next?
| Guide | Description |
|---|---|
| User Activity Monitoring | Monitor access attempts |
| Multi-Factor Authentication | Add authentication layer |
| Roles & Permissions | Role-based access control |