# UI-SEC-010 - App/Url Restrictions

> **Rule ID:** `UI-SEC-010`

**Scope:** Activity

**Default action**: Warning

This rule applies only to activities that are part of the Classic UI Automation
experience.

:::note
The rule checks both local and
remote applications (for example, applications automated over RDP connections).
:::

## Description

This rule lets you control which applications and URLs the current workflow can use; an error is thrown when a prohibited
one is used. This can be done in two ways:

### **Allow**

By using the **Allowed Applications** and **Allowed Urls** fields in the **Workflow Analyzer**, you can specify which applications or URLs can be accessed by the current workflow.

:::note
If applications or URLs are specified in these fields, they are the only ones that can be accessed by your automation project.
If an application or URL that is not specified is accessed, the automation throws an error.
:::

### **Prohibit**

By using the **Prohibited Applications** and **Prohibited Urls** fields in the **Workflow Analyzer**, you can specify which applications or URLs cannot be accessed by the current workflow.

:::note
All applications and URLs except the ones specified in these fields can be accessed by your automation. If either an application
or URL that is specified in this Workflow Analyzer rule is accessed, an error is thrown.
:::

## Recommendation

Do not create automations for applications or web pages that are not allowed by your organization.

![docs image](https://dev-assets.cms.uipath.com/assets/images/activities/activities-docs-image-185322-442b1b13.webp)

## Modifying the Rule

In the **Project Settings** window, select the **Workflow Analyzer** tab. Find and select the rule, and then define the restrictions for applications and URLs using the prohibited lists or the
allowed lists. When modifying the rule:

* Add a list of URLs / applications separated by semicolons `;`. For applications, you can add any part of the full path to executable files. For web pages, you can add any part of the
  URL.
* You can use wildcards when defining the lists. The supported wildcards are `*` and `?`.

  Note: Do not use the prohibited and allowed lists concurrently for the same scope. If both lists are populated for the same scope,
  the list of allowed applications/URLs takes precedence.
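
A small model of the list semantics described above (semicolon-separated entries, a match on any part of the path or URL, `*` and `?` wildcards, the allowed list taking precedence), for checking what a candidate list covers before entering it in the rule. This is an added example, not UiPath code; the function names, the sample values and case-insensitive matching are assumptions.

```python
import re

def parse_list(field):
    """Split a semicolon-separated rule field into non-empty patterns."""
    return [p.strip() for p in field.split(";") if p.strip()]

def to_regex(pattern):
    """Translate a pattern where only * and ? are wildcards into a regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    # Assumption: matching is case-insensitive; the page does not say.
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def first_match(patterns, value):
    """Return the first pattern matching any part of value, or None."""
    for p in patterns:
        if to_regex(p).search(value):  # search(): "any part" of the path/URL
            return p
    return None

def evaluate(value, allowed="", prohibited=""):
    """Return (permitted, reason) for one scope (applications or URLs)."""
    allow, deny = parse_list(allowed), parse_list(prohibited)
    if allow:  # a populated allowed list takes precedence over the prohibited list
        hit = first_match(allow, value)
        return (hit is not None,
                f"allowed by {hit!r}" if hit else "not in allowed list")
    hit = first_match(deny, value)
    if hit:
        return (False, f"prohibited by {hit!r}")
    return (True, "no restriction matched")

# Constructed sample values, not taken from the page.
SAMPLES = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\Notepad++\notepad++.exe",
    "https://intranet.example.com/hr/leave",
    "https://files.example.org/v2/upload",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, evaluate(s, prohibited="notepad; *.example.org/v?/"))
```

Under this model, a short fragment such as `notepad` also covers `notepad++.exe`, while a longer fragment such as `\notepad.exe` narrows the match to the intended executable.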

## Reset to Default

By default, the rule does not restrict the use of any activity. To reset the rule to default, right-click it in the **Project Settings** window, and then click **Reset to default**.

## What the Rule Verifies

The rule verifies all of the `app` type attributes of the selectors within the entire project. This includes scope activities, such as **Attach Browser**. Also, the **FileName** property of the **Open Application** activity and the **Url** property of the **Open Browser** activity are verified.
