Creating a Permission Control Rule

Configure a secure access rule to control access to your organization's internal apps by user, device, time, and location.

Define your enterprise applications, then create permission control rules that allow or block access to these apps in line with the security needs and policies of your organization.

Trend Micro Vision One provides a default rule for permission control. The default rule is not editable and always has the lowest priority among all permission control rules. It is applied when no other rule matches, and it does not allow any access to any configured internal app.

  1. On the Secure Access Rules screen, click Create Rule.
  2. Select Permission Control from the Template type drop-down list.

    The available templates appear in the list. For more information about the templates, see Secure Access Rule Templates.

  3. Click a template name.

    The rule configuration screen appears.

    You can choose another rule template from the Rule template drop-down list. The configuration items vary with the template.

  4. Specify a unique name and a description for the rule.

    By default, the rule template name and description are displayed as the rule name and description.

  5. Click the toggle next to Status to enable or disable the rule.

    You can also choose to enable or disable a rule on the Secure Access Rules screen after you create the rule.

  6. Configure the following Apply to rule factors.

    Rule Factor



    Select the internal apps that the rule applies to. Options include:

    • All apps: All the internal apps that have been added on the Rule Factor Management screen.

    • Selected apps: A subset of added internal apps.

    To add an internal app, click Add Internal Application on the Select Apps screen. For more information, see Adding an Internal Application.


    Select the users that the rule applies to. Options include:

    • All users: All the users from your Azure AD.

    • Selected users / groups: A subset of users from your Azure AD.


    Select the device operating systems that the rule applies to.


    In this release, only Windows and macOS are supported.


    Select the periods of time that the rule applies to. Options include:

    • Always: The rule takes effect all the time once created and enabled.

    • Custom: Customize the time and date when the rule takes effect.


    Select the geographic locations that the rule applies to.

  7. Select an action.
    • Block Internal App Access

    • Monitor Internal App Access

    • Allow Internal App Access

    For more information about actions, see Zero Trust Actions.

  8. Click Save.

    The rule is successfully created and listed on the Secure Access Rules screen.
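The evaluation order described on this page (configured rules first, then the non-editable default rule that allows no access) can be modeled as follows. This is an added example, not Trend Micro code or a Vision One API; it assumes that every factor of a rule must match, that rules are checked in priority order with the first match deciding, and that disabled rules are skipped. All app, user and location values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                      # "Block", "Monitor" or "Allow" (step 7)
    apps: Optional[set] = None       # None = "All apps"
    users: Optional[set] = None      # None = "All users"
    os: Optional[set] = None         # None = any supported OS
    hours: Optional[tuple] = None    # None = "Always"; (start, end) hour = simplified "Custom"
    locations: Optional[set] = None  # None = any location
    enabled: bool = True             # Status toggle (step 5)

    def matches(self, req: dict) -> bool:
        # Assumption: every configured factor must match (logical AND).
        def ok(allowed, value):
            return allowed is None or value in allowed
        in_hours = self.hours is None or self.hours[0] <= req["hour"] < self.hours[1]
        return (self.enabled and in_hours
                and ok(self.apps, req["app"]) and ok(self.users, req["user"])
                and ok(self.os, req["os"]) and ok(self.locations, req["location"]))

# The default rule from this page: lowest priority, matches everything, allows nothing.
DEFAULT_RULE = Rule(name="Default", action="Block")

def evaluate(rules: list, req: dict) -> tuple:
    """Walk rules in priority order; the first match decides, the default catches the rest."""
    for rule in [*rules, DEFAULT_RULE]:
        if rule.matches(req):
            return rule.name, rule.action

def request(app, user, os, hour, location) -> dict:
    return {"app": app, "user": user, "os": os, "hour": hour, "location": location}

# Constructed sample policy, highest priority first.
RULES = [
    Rule("Block HR portal from US/JP", "Block", apps={"hr-portal"}, locations={"US", "JP"}),
    Rule("Finance staff, office hours", "Allow", apps={"hr-portal", "ledger"},
         users={"alice", "bob"}, os={"Windows", "macOS"}, hours=(8, 18)),
    Rule("Wiki pilot (disabled)", "Allow", apps={"wiki"}, enabled=False),
]

if __name__ == "__main__":
    for req in (request("ledger", "alice", "Windows", 10, "DE"),
                request("hr-portal", "alice", "macOS", 10, "US"),
                request("ledger", "alice", "Windows", 20, "DE"),
                request("wiki", "carol", "Windows", 10, "DE")):
        print(req, "->", evaluate(RULES, req))
```

The second request shows why rule order matters: the user is covered by the Allow rule, but the higher-priority Block rule matches first. The last two requests fall through to the default rule because no enabled rule matches.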