Managing Tenant Restrictions for SaaS Apps (Tenant Restrictions Policy)

This article explains how to control access to SaaS app tenants with the Tenant Restriction policy. For an overview of how Tenant Restriction rules control access using header injection, see Restricting Access to SaaS Application Tenants.

Overview

The Tenant Restriction policy lets you create rules to limit which tenants users can access for the apps allowed in your network. This helps you secure your network by preventing access to tenants besides your organization's tenant. For example, you can stop users from accessing their personal email account or file sharing account to help prevent leakage of sensitive data.

The Tenant Restriction rulebase controls user traffic headed to SaaS apps by changing the header fields in HTTP client requests. When traffic matches a rule, Cato acts as a proxy and injects the HTTP headers you defined for that rule. The third-party app receives the headers you specified, and then enforces your organization's tenant access policy for that app.

You can configure granular Tenant Restriction rules that apply to specific user groups, sites, or other sources. Granular rules can help you gradually implement tenant restrictions and avoid potential usability issues. You can also create rules that bypass tenant restrictions for specified sources.

Policy Revisions and Concurrent Editing by Multiple Admins

The Tenant Restriction policy lets different admins edit the policy in parallel. Each admin can edit rules and save the changes to the rulebase in their own private revision, and then publish them to the account policy (the published revision). For more information on how to manage policy revisions, see Working with Policy Revisions.

Prerequisites

  • For Tenant Restriction rules, you must enable TLS Inspection and define the TLS Inspection policy to inspect the traffic that matches the rule.

  • The Tenant Restriction feature is included in the CASB license. For more about purchasing the CASB license, please contact your Cato representative.

Enabling the Tenant Restriction Policy

Enable the Tenant Restriction policy to create rules that control access to SaaS app tenants.

To enable or disable the Tenant Restriction policy:

  1. From the navigation menu, select Security > App & Data Inline.

  2. Select the Tenant Restriction tab.

  3. Click the slider to enable (green) or disable (gray) the Tenant Restriction policy for the account.

Adding Tenant Restriction Rules

When you add a rule to the Tenant Restriction policy, configure each section in the rule that is required to define the tenant access for that app.

Creating Tenant Restriction Rules

Create a new Tenant Restriction rule and configure the rule's settings to implement tenant control for your organization. The Injected Headers fields can contain only the following characters:

  • Header Name - a-z, A-Z, 0-9, and special characters: _ and -

  • Header Value - a-z, A-Z, 0-9, and special characters: _ :;.,\/"'?!(){}[]@<>=-+*#$&`|~^&


To create a new Tenant Restriction rule:

  1. From the navigation menu, select Security > App & Data Inline.

  2. Select the Tenant Restriction tab.

  3. Click New. The New Rule panel opens.

  4. Enter a Name for the rule.

  5. Configure the Position for the rule in the rulebase.

  6. Expand Source and select the source type.

    • Select the type (for example: Host, Network Interface, IP, Any). The default value is Any.

    • When needed, select a specific object from the drop-down list for that type.

  7. Select a SaaS Application from the drop-down menu.

  8. Define each Header Name and Header Value for the configured application (see below for more information).

  9. Select the Action for this rule. The options are Inject Headers and Bypass.

  10. (Optional) Configure the Time options that define when this rule is enabled.

  11. Click Save.

    The changes are saved to your unpublished revision, and are available for editing until they are published or discarded.

Adding Custom Headers for SaaS Apps

The Header Name and Header Value fields define the app and the action the Tenant Restriction policy enforces. These fields are specific to each app. Below are examples of the required fields for commonly used apps. To ensure you have the latest information, we recommend checking the app's documentation.

Microsoft 365

Microsoft 365 requires two headers to enforce tenant restrictions. Add the following two rules in this order. For more information, see the Microsoft documentation.

  • Header Name: Sec-Restrict-Tenant-Access-Policy
    Header Value: restrict-msa

  • Header Name: Restrict-Access-To-Tenants or Restrict-Access-Context
    Header Value: Your organization's domain, for example bbbbcccc-1111-dddd-2222-eeee3333ffff

Slack

Slack requires two headers to enforce tenant restrictions. For more information, see the Slack documentation.

  • Header Name: X-Slack-Allowed-Workspaces-Requester
    Header Value: Your organization's workspace ID

  • Header Name: X-Slack-Allowed-Workspaces
    Header Value: Your organization's workspace ID

Google Suite

Add the following header and value to enforce tenant restrictions. For more information, see the Google documentation.

  • Header Name: X-GooGApps-Allowed-Domains
    Header Value: Your organization's domain

Dropbox

Add the following header and value to enforce tenant restrictions. For more information, see the Dropbox documentation.

  • Header Name: X-Dropbox-allowed-Team-Ids
    Header Value: Your organization's team ID
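As an added illustration (example code, not Cato's implementation), the following Python model shows how a header-injecting proxy would evaluate an ordered Tenant Restriction rulebase (Source, SaaS Application, Inject Headers or Bypass) and validate the Header Name and Header Value character sets listed above. It assumes first-match evaluation in Position order, that a Bypass rule passes traffic unchanged, and that the space character is allowed in header values; it also strips any client-supplied header with the same (case-insensitive) name before injecting, which the page does not state. The rulebase, sources and header values are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Character sets the article allows in the Injected Headers fields (space assumed allowed in values).
HEADER_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]+$")
HEADER_VALUE_RE = re.compile(r"^[A-Za-z0-9_ :;.,\\/\"'?!(){}\[\]@<>=\-+*#$&`|~^]+$")

@dataclass
class Rule:
    name: str
    app: str                              # SaaS Application the rule applies to
    action: str                           # "Inject Headers" or "Bypass"
    headers: Dict[str, str] = field(default_factory=dict)
    sources: Optional[set] = None         # None models Source = Any

    def __post_init__(self) -> None:
        for name, value in self.headers.items():
            if not HEADER_NAME_RE.match(name):
                raise ValueError(f"invalid header name: {name!r}")
            if not HEADER_VALUE_RE.match(value):
                raise ValueError(f"invalid header value: {value!r}")

def match_rule(rulebase: List[Rule], app: str, source: str) -> Optional[Rule]:
    """First matching rule in Position order (first-match semantics are an assumption)."""
    for rule in rulebase:
        if rule.app == app and (rule.sources is None or source in rule.sources):
            return rule
    return None

def apply_policy(rulebase: List[Rule], app: str, source: str,
                 request_headers: Dict[str, str]) -> Dict[str, str]:
    """Headers the SaaS app receives after the proxy applies the matching rule."""
    rule = match_rule(rulebase, app, source)
    if rule is None or rule.action == "Bypass":
        return dict(request_headers)      # traffic passes through unchanged
    # HTTP header names are case-insensitive: drop any client-supplied header
    # with the same name so the injected value is the only one the app sees.
    injected = {k.lower() for k in rule.headers}
    out = {k: v for k, v in request_headers.items() if k.lower() not in injected}
    out.update(rule.headers)
    return out

def example_rulebase() -> List[Rule]:
    """Constructed rulebase: a pilot-group bypass placed ahead of the Microsoft 365 rule."""
    return [
        Rule("M365 pilot bypass", "Microsoft 365", "Bypass", sources={"pilot-users"}),
        Rule("M365 tenant restriction", "Microsoft 365", "Inject Headers",
             {"Sec-Restrict-Tenant-Access-Policy": "restrict-msa",
              "Restrict-Access-To-Tenants": "example.com"}),
    ]
```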
