.. _clients_in_policies:

Clients in policies
~~~~~~~~~~~~~~~~~~~

The client field in the policies can include or exclude clients.

In the scopes `selfservice`, `authorization`, `enrollment` and
`authentication` the client field can be used to specify for which
client the policy is valid. The IP address of the client from which the
request originated is determined and checked against the policies.

You can enter a list of IP addresses or networks in CIDR [#CIDR]_
notation, separated by commas::

   172.16.15.0/16, 10.0.0.0/8, 192.168.1.1

When combining several policies, it can be necessary to exclude client IPs
from a policy. You can do this by using the prefix ``-`` or ``!``::

   172.16.15.0/16, -172.16.15.123, 10.0.0.0/8, -10.0.2.0/16, 192.168.1.1

Such a policy definition::

   [special_user]
   realm = realm1
   client = 172.16.200.147
   user = administrator
   time = ""
   action = "authorize, "
   scope = authorization

   [all_users]
   realm = realm1
   client = "172.16.200.0/24, -172.16.200.147"
   user = *
   time = ""
   action = "authorize, "
   scope = authorization

would mean that only the ``administrator`` is allowed to authenticate on all
computers on the ``172.16.200.0/24`` network. All other users can authenticate
on the network except at the machine ``172.16.200.147``.

.. [#CIDR] Classless Inter-Domain Routing
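The include/exclude evaluation of the client field can be sketched as follows. This is an added example, not the project's own code: the names ``client_matches``, ``matching_policies`` and ``POLICIES`` are hypothetical, and it assumes that an exclusion entry overrides every inclusion entry regardless of order and that the user field is either ``*`` or a literal user name.

```python
import ipaddress

def client_matches(client_spec, client_ip):
    """Return True if client_ip is covered by a policy's client field.

    Assumption: the address must match at least one inclusion entry, and
    any matching exclusion entry ("-" or "!" prefix) wins over inclusions.
    """
    ip = ipaddress.ip_address(client_ip)
    included = False
    for entry in client_spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negated = entry[0] in "-!"
        if negated:
            entry = entry[1:].strip()
        # strict=False accepts entries with host bits set, such as
        # 172.16.15.0/16; the mask still decides the covered range, so
        # -10.0.2.0/16 excludes all of 10.0.0.0 - 10.0.255.255.
        network = ipaddress.ip_network(entry, strict=False)
        if ip in network:
            if negated:
                return False
            included = True
    return included

# The two policies from the text above, reduced to the fields used here.
POLICIES = {
    "special_user": {"client": "172.16.200.147", "user": "administrator"},
    "all_users": {"client": "172.16.200.0/24, -172.16.200.147", "user": "*"},
}

def matching_policies(user, client_ip):
    """Names of the policies that apply to this user on this client."""
    return [name for name, policy in POLICIES.items()
            if policy["user"] in ("*", user)
            and client_matches(policy["client"], client_ip)]

if __name__ == "__main__":
    for user, ip in [("administrator", "172.16.200.147"),
                     ("alice", "172.16.200.147"),
                     ("alice", "172.16.200.10")]:
        print(user, ip, matching_policies(user, ip))
```

An empty result means no ``authorize`` policy covers that user on that client, which is the case for every non-administrator user on ``172.16.200.147``.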