> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/organization-admin-app/business-owner-default-authority/security-and-governance/enforced-security-policies/geo-based-access-policies.md).

# Geo-based access policies

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

#### Purpose <a href="#purpose" id="purpose"></a>

Geo-based access control allows organizations to:

* Restrict access by country or region
* Allow access only from approved geographic locations
* Block access from high-risk or restricted regions
* Comply with regulatory, legal, or internal security requirements

This feature helps reduce security risks related to unauthorized or suspicious access from certain locations.

***

#### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Remember to check the following before configuration:

* You have **Admin** or **Security Management** permissions
* An **Access Security** policy can be created or edited
* You know which countries or regions should be allowed or denied
* **Geo-location** detection is enabled and supported by the system

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

#### Step 1: Create a New Access Security Policy <a href="#step-1-create-a-new-access-security-policy" id="step-1-create-a-new-access-security-policy"></a>

* Sign in as an administrator : [Oten Admin | Security Policy & User management](https://admin.oten.live/)
* Profile Account → **Admin**
* Welcome page **Admin**
* Click on menu **Security Policy** → **Access Security**
* Select **Create new access security**
* Fill in the required fields:
  * **Access security code**
  * **Access security name**
* (Optional) Add a **Description** to clarify the policy purpose

***

#### Step 2: Add an Access Security Rule <a href="#step-2-add-an-access-security-rule" id="step-2-add-an-access-security-rule"></a>

1. In the **Access Security Rules** section, select **Add rule**
2. A new rule (for example, ***Rule*** ***1***) will appear

***

#### Step 3: Add Geo Location Condition <a href="#step-3-add-geo-location-condition" id="step-3-add-geo-location-condition"></a>

1. Under the rule, select **Add condition**&#x20;
2. Choose **Location (Country / Region)**

***

#### Step 4: Select Policy Mode <a href="#step-4-select-policy-mode" id="step-4-select-policy-mode"></a>

Choose how geographic locations are evaluated:

**Whitelist / Allow**

* Users from the selected countries or regions **will have access**
* All other locations will be denied

**Example**:

* Allow access only from **Vietnam** and **Singapore**

**Blacklist / Deny**

* Users from the selected countries or regions **will not have access**
* All other locations will be allowed

**Example**:

* Deny access from **restricted or high-risk countries (Cambodia,..)**

***

#### Step 5: Select country or region <a href="#step-5-select-country-or-region" id="step-5-select-country-or-region"></a>

1. In the **Country / Region** field, select one or more locations
2. Multiple countries or regions can be added based on policy needs

***

#### Step 6: (Optional) Combine with Other Conditions <a href="#step-6-optional-combine-with-other-conditions" id="step-6-optional-combine-with-other-conditions"></a>

* Select **Add condition** to combine geo-based rules with:
  * IP or IP ranges
  * Device OS
  * Device compliance
* All conditions in the same rule are evaluated together

***

#### Step 7: Create Access security policy <a href="#step-7-create-access-security-policy" id="step-7-create-access-security-policy"></a>

1. Review all rules and conditions
2. Select **Create access security** to activate the policy

***

### Result <a href="#result" id="result"></a>

* User access is evaluated based on detected geographic location
* Access is automatically **allowed or denied** based on policy configuration
* Policies are enforced during sign-in and access attempts

***

### Additional notes <a href="#additional-notes" id="additional-notes"></a>

* Geo-location is determined using IP-based location data
* VPNs or proxies may affect location accuracy
* If **Whitelist / Allow** is used and no location matches, access is denied by default
* If **Blacklist / Deny** is used, only selected locations are blocked
* For stronger security, combine geo-based rules with MFA

***

### Summary <a href="#summary" id="summary"></a>

* Geo-based policies control access by country or region
* Supports both **allowlist** and **denylist** strategies
* Helps improve security and regulatory compliance
* Works best when combined with other access security controls
