Managing Tenant Control for SaaS Applications

This article explains how to control access to SaaS application tenants using Header Injection rules as part of Cato's Cloud Access Security Broker (CASB) solution. For an overview of using header injection for tenant control, see Controlling Access to SaaS Application Tenants with Header Injection.

Controlling Access with Header Injection

Header Injection rules limit which tenants users can access for the applications allowed in your network. This helps you secure your network by preventing access to tenants other than your organization's tenant. For example, you can stop users from accessing their personal email account or file sharing account to help prevent leakage of sensitive data.

The Header Injection rulebase controls user traffic headed to SaaS applications by changing the header fields in HTTP client requests. When traffic matches a rule, Cato acts as a proxy and injects the HTTP headers you defined for that rule. The third-party app receives the headers you specified, and then enforces your organization's tenant access policy for that app.

Prerequisites for Header Injection

  • For Header Injection rules, you must enable TLS Inspection and define the TLS Inspection policy to inspect the traffic that matches the rule.

  • The Header Injection feature is included in the CASB license. For more about purchasing the CASB license, please contact your Cato representative.

Enabling Tenant Control with Header Injection

When you enable Header Injection, you can easily create rules to control access to SaaS application tenants.

To enable or disable Header Injection:

  1. From the navigation menu, select Security > Application Control.

  2. Select the Header Injection tab.

  3. Click the slider to enable (green) or disable (gray) the Header Injection policy for the account.

  4. Click Save.

Adding Header Injection Rules for Apps

When you add a rule to the Header Injection policy, configure each section in the rule that is required to define the tenant access for that application.


Header Injection Rule Settings

A Header Injection rule has the following sections:

  • Name - The name you assign for the rule.

  • Application - The SaaS application the rule controls access for.

  • Injected Headers - The names and values of allowed headers for the application.

    • For more information about settings for the header names and values, please consult the documentation for the relevant third-party software or SaaS app.

Creating New Header Injection Rules

Create a new Header Injection rule and configure the rule's settings to implement tenant control for your organization. The Injected Headers fields can contain only the following characters:

  • Header Name - a-z, A-Z, 0-9, and special characters: _ and -

  • Header Value - a-z, A-Z, 0-9, and special characters: _ :;.,\/"'?!(){}[]@<>=-+*#$&`|~^&


To create a new Header Injection rule:

  1. From the navigation menu, select Security > Application Control.

  2. Select the Header Injection tab.

  3. Click New. The New Header Injection Rule panel opens.

  4. Enter a Rule Name.

  5. Select a SaaS Application from the drop-down menu.

  6. Define each Header Name and Header Value for the configured application.

  7. Click Save. The rule is added to the rulebase.
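Before entering values in step 6, planned rules can be checked offline against the Header Name and Header Value character lists above. The following is an added example, not Cato code: the function names and sample rules are hypothetical, the header names are the ones Microsoft documents for its tenant restrictions, and the space character is assumed not to be part of the Header Value list.

```python
import string

# Allowed sets transcribed from the article's character lists.
NAME_CHARS = set(string.ascii_letters + string.digits + "_-")
# Assumption: the gap after "_" in the article's value list is layout, not a
# listed space character, so spaces are treated as not allowed.
VALUE_CHARS = set(string.ascii_letters + string.digits
                  + "_:;.,\\/\"'?!(){}[]@<>=-+*#$&`|~^")


def bad_chars(text, allowed):
    """Return (index, repr(char)) for every character outside the allowed set."""
    return [(i, repr(c)) for i, c in enumerate(text) if c not in allowed]


def check_rule(rule):
    """Validate one planned rule; return a list of human-readable problems."""
    problems = []
    if not rule.get("headers"):
        problems.append("rule defines no injected headers")
    seen = set()
    for name, value in rule.get("headers", []):
        if not name or not value:
            problems.append(f"{name!r}: empty header name or value")
        for i, c in bad_chars(name, NAME_CHARS):
            problems.append(f"name {name!r}: {c} at index {i} not allowed")
        for i, c in bad_chars(value, VALUE_CHARS):
            problems.append(f"{name}: value has {c} at index {i}")
        # Extra lint, not a rule from the article: HTTP header names are
        # case-insensitive, so a repeated name is compared in lower case.
        if name.lower() in seen:
            problems.append(f"{name}: header defined more than once")
        seen.add(name.lower())
    return problems


# Constructed sample rules; tenant values and rule names are placeholders.
RULES = [
    {"name": "m365-ok", "headers": [
        ("Restrict-Access-To-Tenants", "contoso.example,fabrikam.example"),
        ("Restrict-Access-Context", "00000000-0000-0000-0000-000000000000")]},
    {"name": "m365-bad", "headers": [
        ("Restrict-Access-To-Tenants", "contoso.example, fabrikam.example"),
        ("Restrict Access Context", "tenant\r\nX-Extra:1")]},
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule["name"], check_rule(rule) or "OK")
```

The second sample rule fails on a space after the comma in the tenant list, spaces in a header name, and a CR/LF pair in a value, which are the mistakes most likely to come from pasting values out of third-party documentation.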
