An Access Policy in Zscaler Private Access (ZPA) is a rule that dictates access to internal applications. Each policy rule is defined by a set of conditions (criteria) and a single, specific action. When the conditions are met, the policy applies its configured action, which can be either "Allow Access" or "Block Access". The targets of this action, defined within the same rule, can be a combination of individual Application Segments and entire Application Segment Groups. This structure allows for both granular control over specific applications and broad, scalable management over logical groupings of applications.

A. The use of "OR" is imprecise. A policy rule can target both Application Segments and Application Segment Groups simultaneously, not just one or the other.

B. A single Access Policy rule is configured with only one action. It cannot be configured to simultaneously allow one target and block another.

D. Similar to option B, a single Access Policy rule has a unitary action (either Allow or Block) and cannot perform conflicting actions on different targets.

---

1. Zscaler Help Portal

"About Access Policy": "An Access Policy rule consists of two main building blocks: criteria and an action. The criteria for a rule consists of logical expressions that use SAML and SCIM attributes

as well as other criteria (e.g.

client types

location

etc.). The action for the rule can be set to either Allow Access or Block Access." This document confirms that a single rule has a single action.

2. Zscaler Help Portal

"Configuring Access Policies": In the step-by-step guide for creating an Access Policy

Step 2

"Applications

" shows that an administrator can select both Application Segments and Application Segment Groups as targets for the rule. Step 4

"Access

" shows a single "Action" dropdown menu for the entire rule with the options "Allow Access" and "Block Access". This demonstrates that one action is applied to all selected targets

which can be a mix of segments and groups.

3. Zscaler Help Portal

"About Application Segment Groups": "Application Segment Groups allow you to group a set of application segments together. This is useful when you need to apply the same Access Policy or Client Forwarding Policy to multiple application segments." This confirms that Application Segment Groups are valid targets for an Access Policy.