Policies and Access Control
Introduction
Access is given to protected devices by policies, created in the XMS, that specifies the following five things: Who? What? Where? How? When?
The types of policies can be categorized by the mapping from types of sources to types of destinations.
From user group to protected devices
This is the most typical kind of policy which gives a group of users access to devices behind XoT-Locks that match the specified device type, group and location.
From protected devices to protected devices
This is sometimes referred to as a machine-to-machine or M2M policy, as this means that the XoT-Locks that match the specification for the policy source are given the capability of acting as clients in communication with the targets of the policy.
With this type of policy, devices from behind XoT-Locks can be given access to other devices or subnets without running any clients themselves. The XoT-Locks specified in the Source section will establish encrypted tunnels to the target XoT-Locks allowing secure communication between different protected devices.
From protected devices to unprotected devices
This type of policy will allow traffic from devices protected by XoT-Locks to whatever is specified in the policy. This can be set for specific IPs or subnets, allow access to neighboring devices (devices on the subnet on the outside of the XoT-Lock), or allow unrestricted outgoing traffic across the XoT-Lock.
From unprotected devices to protected devices
With this type of policy, access is given to sources not protected by XoT Technology to devices that are.
Creating Policies
Once you have admin access to XMS, click Create in the Policies section of the main menu. This will take you to the policy creation screen.

From here, you can specify the details of the policy.
First, you should give your new policy a name and optionally a description.

Source
This section specifies who is to be given access by the policy?
There are three different types of policy sources.
User Group
If Type is set to User Group, then the policy will apply to members of the group.

Protected Device
If Protected Device is selected as Type then the policy will apply to XoT-Locks matching the Device Type, Group and Location settings.

Unprotected Device
If Unprotected Device is selected as source Type, then access is granted to whatever IP or subnet is specified in the Who field.

Destination
The Destination section specifies the types and locations to which the policy will allow communication.
Commonly, we will specify the device type, group, and location of devices protected by XoT-Locks here.

For some policies however (as described in the introduction), the targets of the policy can be external IPs or subnets, or allow unrestricted outgoing communication.

How
How should authenticated clients be allowed to communicate? What protocols and ports can be accessed?
By default, the policy will be set to Deny-All and will not provide any access.

For the policy to grant access, you must add rules and services in the Service field.
For instructions on how to create firewall rules and services, see this section below.

If the Source of the policy is a User Group, then an additional field called Enforce Bridge Group can also be set in this section. If a Bridge Group is set here, then this will place a requirement for policy that it will only apply to communication that happens via that Bridge Group.
When should this access be granted?
It is also possible to only have the policy be active at certain times. The scheduling function allows a great deal of flexibility in this area.
Due to current limitations scheduling can only be added to existing policies, so if you are creating a new policy that needs to have a schedule, save the policy first by clicking Save in the bottom right and then the scheduling function should be available.

Firewall Rules & Services
As we've seen, policies can restrict what type of traffic they allow. This is done by assigning firewall rules or services to the policy.
A firewall service is either a portless protocol, like ICMP, or a combination of protocol and port range.
A firewall rule is simply a grouping of services. For situations where you want to assign the same combinations of protocols and port ranges for many policies, it may be easier to create a rule describing this group of services and simply assign that in the policy. Assigning a firewall rule to a policy is equivalent to assigning all the services contained within it.
To create a firewall rule or service, navigate to Firewall rules & services in the main menu.

Using the Policy Graph
The Policy Graph provides a visual representation of how users, user groups, policies, and assets are connected. Navigate to Policies → Graph in the main menu to access it.

Understanding the Graph
The graph displays access paths as connected nodes:
- Users and User Groups represent sources for user-based policies
- Assets can be both sources (in M2M policies) and destinations
- Unprotected nodes represent external IPs, subnets, or special cases like "Anyone" or "Neighbors"
- Policies connect sources to destinations
If a source is connected to a destination through a policy, access has been configured. The graph shows both active and inactive policies. Inactive policies do not currently grant access. Scheduled policies only grant access during their configured time windows.
Filtering the Graph
Use the search bar at the top to filter what is displayed. You can filter by:
- Source – Users, User Groups, Assets, or Unprotected
- Policy – Specific policy names
- Destination – Assets or Unprotected

Adjusting the View
The graph includes controls to adjust node visibility and how nodes are organized. Use these to simplify the view or focus on specific aspects of your policy configuration.
