Configure Endpoint Advanced Access Policy on Switchboard

Applies to Platform: UTM 5.1


This article illustrates how to configure the Endpoint advanced access policy on the switchboard module.

The access policy is an optional configuration that allows to set specific customs views on the endpoint's application for every user in the system.


  • Switchboard module installed and configured with the last version of Endian OS or having an account on Connect Switchboard cloud
  • at least one Gateway with one Endpoint
  • at least one user with "Manage Device" permission


In case the Advanced Access Policies are used for at leas one user, must be used for all the user that can access to the gateway. All of them must be configured. At the moment the user/device groups are not supported in the access policies rules, so the rules must specify the users.


Considering a Switchboard with the following configuration:

  • a Gateway called gateway-milano-01
    • three Endpoints called linux, web_portal, windows
  • five user that have access to the gateway and the endpoints


Go in the switchboard Device page and edit the Gateway by clicking on the pencil icon ().


Navigate to the Permissions tab and set the user you want to allow to use the endpoint application as "regular user" or "manager" of the Gateway.

After that we can now specify the access policies in the text box called Policies below.


Policies are not applied to those users that have Superuser permission

The policies rules are text strings having a syntax that imitates the one used by SQL query. The syntax is:

ALLOW/DENY <<application_name>> ON <<endpoint_name>> TO <<user_name>>

The wildcard * is accepted in any position and will indicate any (application, endpoint, user).

The order of the rules will determinate the priority, the first rule matched will be the one to be executed. If no rule is matched the default rule will be

Everything will be accepted.

In case we want to have full control on the application access for each endpoint the best practice is to set the last rule with
This will block all the access between application, endpoint, user not directly specify from the policies.

ALLOW 'Secure Shell' ON linux TO
DENY * ON windows TO
ALLOW 'VNC Remote Desktop' TO


This configuration will allow the following visibility of endpoint and application:

User will be able to see only the Secure Shell application linux endpoint.

User will be able to see all applications on any endpoints except the ones on windows endpoint.

User will be able to see only "VNC Remote Desktop" application on all endpoints but since this Application is available only on the windows endpoint that will be the only application available. In case more endpoints with "VNC Remote Desktop" will be added in future, this user will be automatically able to see them all.

User will not be able to see any application on any endpoint.

User will be able to see every application on every endpoints.



In case the Organizations are in use on the Switchboard will be necessary to specify it in the application name only, separating it by /
ALLOW 'Secure Shell/Organization_NAME' ON Linux-server TO
Have more questions? Submit a request