Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

access policy to check for AD group membership based on URI


Hi.  Trying to check for AD group membership to allow access to URL based on a string in the URI.  


In the Look for Login box, I'm using the branch rule expr {[mcget {session.server.landinguri}] contains "/login.html".  I've tried several others, but it doesn't restrict based on AD group.  Any ideas?  Thanks 





The variable "session.server.landinguri" will contain the first URI that triggered the access policy, and will not change each time you visit a new URI, so if you requested /home then /login, the first one will be your landing URI, the one that caused the creation of an APM session.

You shoud use another method to apply rules selectively depending on the requested URI, for example per request policy: Adding a URL branching rule ( 

You can attach layer 7 acl so after the access policy evaluation is done then the users that do not have ad group will be blocked for some url.



You can also see the link below as if you do not decrypt the traffic FQDN domains or SSL SNI  with irule/local traffic policy can be used or Per request policy that will check each request:


You can also use the per-request policy to trigger an irule that will get the session group membership and if the users do not have the group but are trying to reach the destination fqdn/sni or url if you are decrypting the traffic and this not a VPN APM implementation (for VPN /Portal you will need layered VS ) and to block users if they do not have the group.


Hi dcarterjr,

So i think the first step please try to login and then you go to overview session and click session variable to see about expression that match landinguri

have you looked at ACL's?
You can create one and set it on authorisation.