# Geo-based access policies

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

#### Purpose <a href="#purpose" id="purpose"></a>

Geo-based access control allows organizations to:

* Restrict access by country or region
* Allow access only from approved geographic locations
* Block access from high-risk or restricted regions
* Comply with regulatory, legal, or internal security requirements

This feature helps reduce security risks related to unauthorized or suspicious access from certain locations.

***

#### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Remember to check the following before configuration:

* You have **Admin** or **Security Management** permissions
* An **Access Security** policy can be created or edited
* You know which countries or regions should be allowed or denied
* **Geo-location** detection is enabled and supported by the system

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

#### Step 1: Create a New Access Security Policy <a href="#step-1-create-a-new-access-security-policy" id="step-1-create-a-new-access-security-policy"></a>

* Sign in as an administrator : [Oten Admin | Security Policy & User management](https://admin.oten.live/)
* Profile Account → **Admin**
* Welcome page **Admin**
* Click on menu **Security Policy** → **Access Security**
* Select **Create new access security**
* Fill in the required fields:
  * **Access security code**
  * **Access security name**
* (Optional) Add a **Description** to clarify the policy purpose

***

#### Step 2: Add an Access Security Rule <a href="#step-2-add-an-access-security-rule" id="step-2-add-an-access-security-rule"></a>

1. In the **Access Security Rules** section, select **Add rule**
2. A new rule (for example, ***Rule*** ***1***) will appear

***

#### Step 3: Add Geo Location Condition <a href="#step-3-add-geo-location-condition" id="step-3-add-geo-location-condition"></a>

1. Under the rule, select **Add condition**&#x20;
2. Choose **Location (Country / Region)**

***

#### Step 4: Select Policy Mode <a href="#step-4-select-policy-mode" id="step-4-select-policy-mode"></a>

Choose how geographic locations are evaluated:

**Whitelist / Allow**

* Users from the selected countries or regions **will have access**
* All other locations will be denied

**Example**:

* Allow access only from **Vietnam** and **Singapore**

**Blacklist / Deny**

* Users from the selected countries or regions **will not have access**
* All other locations will be allowed

**Example**:

* Deny access from **restricted or high-risk countries (Cambodia,..)**

***

#### Step 5: Select country or region <a href="#step-5-select-country-or-region" id="step-5-select-country-or-region"></a>

1. In the **Country / Region** field, select one or more locations
2. Multiple countries or regions can be added based on policy needs

***

#### Step 6: (Optional) Combine with Other Conditions <a href="#step-6-optional-combine-with-other-conditions" id="step-6-optional-combine-with-other-conditions"></a>

* Select **Add condition** to combine geo-based rules with:
  * IP or IP ranges
  * Device OS
  * Device compliance
* All conditions in the same rule are evaluated together

***

#### Step 7: Create Access security policy <a href="#step-7-create-access-security-policy" id="step-7-create-access-security-policy"></a>

1. Review all rules and conditions
2. Select **Create access security** to activate the policy

***

### Result <a href="#result" id="result"></a>

* User access is evaluated based on detected geographic location
* Access is automatically **allowed or denied** based on policy configuration
* Policies are enforced during sign-in and access attempts

***

### Additional notes <a href="#additional-notes" id="additional-notes"></a>

* Geo-location is determined using IP-based location data
* VPNs or proxies may affect location accuracy
* If **Whitelist / Allow** is used and no location matches, access is denied by default
* If **Blacklist / Deny** is used, only selected locations are blocked
* For stronger security, combine geo-based rules with MFA

***

### Summary <a href="#summary" id="summary"></a>

* Geo-based policies control access by country or region
* Supports both **allowlist** and **denylist** strategies
* Helps improve security and regulatory compliance
* Works best when combined with other access security controls


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://oten.gitbook.io/identity-support/user-guide/business-account/business-owner-default-authority/security-and-governance/enforced-security-policies/geo-based-access-policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.