
GregK.54397 (Customer) asked a question.
A general practice question for the community here, any informed insights are welcome!
We are using Okta CIAM and are configuring the Global Session Policy.
We have strict requirements that access be limited to IPs in specific Networks.
So we've create a 1-Rule Global Session Policy which apply to the Everyone group, and have DENY access if the request comes from outside those networks.
It's my understanding that in most cases, Global Session Policies should have an unconditional 'Default Rule' which is applies when no other Rules in the Policy are applicable. But in our case, we want Global Session Policy evaluation to continue when the user is not explicitly denied.
We accomplish that by NOT providing a Default Rule in the Policy. From what my research tells me, if Okta selects a matching Policy for a user, but finds no applicable rules within that policy, it will Skip the Policy and move on to the next Policy in ascending priority order. This is exactly what we want, and Okta appears to be working exactly in that manner.
My question is whether this is considered an anti-pattern that should be avoided: should we instead provide a unconditional Default Rule in every Policy?
I believe it's a valid pattern if used very intentionally for 'Escape' clauses such as the one I described above in which we want evaluation to terminate upon detecting an out-of-network request, but to continue on with additional policies for in-network requests.
Anyone out there have insight on this?
Thanks!

Hi @GregK.54397 (Customer) , Thank you for reaching out to the Okta Community!
We strongly recommend leaving Default Policies/Rules as they are to prevent accidental lock-outs, instead try leveraging new policies and rules to ensure you can run tests with dedicated groups to confirm expected functionality before applying to everyone.
Priority is the most important factor.
When a user attempts to log in, Okta evaluates the first policy (priority 1)
>IS user is part of assigned group
IF yes THEN checks rules - does the user satisfy all conditions of rule priority 1 - IF yes THEN Allow/Deny (depending how the rule is configured)
OTHERWISE move to next rule.
If no other rule is available it would check the next policy.
So I would typically recommend setting up a dedicated Policy with two Rules based on the explicit network zones you require.
Something like the following example:
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Collect them all. Learn a new skill and earn a new Okta Learning badge.
Just released: More Okta Community badges just added