Access rules can be used to define conditions of user access. Access rules can, for example, restrict a user to only be able to sign in from the local physical system, require a second-factor logon or call out to a single sign-in system for password validation. Access rules are plug-ins and the system can be extended with new rules on demand.