Add an Access Policy

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Sep 15, 2017. Version 16.

Access policies determine who can access applications, who must perform additional authentication to use the applications, and which authentication methods must be used.

You can require additional authentication for all users who matched the rule set's user attribute expressions, or you can require it on a conditional basis, depending on the user's context. For example, a rule set can require additional authentication for users who are attempting to access the application from unknown browsers, but not for users with known browsers.

Note:  RADIUS clients do not support access policies that contain authentication conditions.

Before you begin

  • You must be a Super Admin in the Cloud Administration Console to perform this task.
  • The identity source(s) selected in this policy must be connected to the identity router.
  • An identity router must be able to communicate with at least one identity source and with the Cloud Authentication Service.
  • Understand how to select your user population and define requirements for additional authentication. See Access Policies for more information.
  • Understand how assurance levels work. See Assurance Levels for more information.
  • You need LDAP user attributes to define the target population for this policy. To verify if the correct attributes are configured and available to use in access policies, click Users > Identity Sources > User Attributes. Click Refresh Attributes, select the Policies checkbox to enable the attribute, and then click Save.

Procedure

  1. Sign in to the Cloud Administration Console.
  2. Click Access > Policies.
  3. Click Add a Policy.
  4. On the Basic Information page, in the Name field, enter the name of this access policy.
  5. (Optional) In the Description field, enter text to describe the policy.
  6. Click Next Step.
  7. On the Identity Sources page, select the identity source(s) that this policy uses.
  8. Click Next Step.
  9. On the Rule Sets page, in the Rule Set Name field, specify a name for the first rule set in this policy. If you select All Users, a default name is used.
  10. The Apply to field determines who this rule set applies to. Select one option.

    Option          Description
    All Users       Apply this rule set to all users in the selected LDAP directory server. If no directory server is selected, the rule set applies to all users in all deployed directory servers.
    Selected Users  Apply this rule set only to users in the selected LDAP directory server who match the user attributes.
  11. In the Selected users must match field, indicate how closely the user request must match the user attributes.

    Option  Result
    Any     The user request can match any single user attribute, but is not required to match all user attributes.
    All     The user request must match all user attributes in the rule set.
  12. Click Add to add a user attribute expression that selects users.
    1. In the User Selection Rule dialog box, use the User Attribute, Operation, and Value fields to define the target population.
      The User Attribute field is case sensitive.
    2. Click Save.
    3. (Optional) Click ADD to add another user attribute expression.
  13. In the Access field, specify whether users in the target population can access the application.

    Option   Description
    Allowed  All users in the target population can access the application.
    Denied   Users in the target population cannot access the application.
  14. If you selected Access Allowed, use the Authentication Details section to determine which users in the target population must use additional authentication to open the application. In the Additional Authentication field, select one option.

    Option                  Description
    Required                Always require additional authentication.
    Conditional             The user's ability to access the application depends on these conditions:
                            • Whether the context of the user request matches the conditional expression.
                            • Whether the Action field allows access, denies access, or requires additional authentication.
    Not Required (default)  Additional authentication is not required.
  15. If you selected Required, also select an Assurance Level. These options specify the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods.

    Users can select options from higher assurance levels. For example, if you select Low, users will see authentication options from the Low, Medium, and High assurance levels.

  16. If you selected Conditional, you need to add at least one condition. Click ADD to add a condition.
    1. A condition contains at least one attribute/value pair. Each pair forms a conditional expression. In the field Perform operator between each attribute and value pair, choose an operator described in the table.

      Operator  Meaning
      AND       The context of the user request must match all attribute/value pair expressions in the condition. For example, Known Browser True AND Country is Canada indicates the user must authenticate with a known browser and be located in Canada.
      OR        The context of the request needs to match only one attribute/value pair expression in the condition. For example, Known Browser False OR Country is Canada indicates the user must authenticate with an unknown browser or be located in Canada.
    2. In the Attribute field, select an attribute.
    3. Select or specify a Value for each attribute, as described in the table.

      Attribute Description and Values
      Authentication Source

      Identifies the identity source or identity provider (IdP) used to validate the user's identity when accessing the application. Enter the same name that the identity source or IdP was given when it was added to RSA SecurID Access. You can enter multiple values for this attribute.

      If the policy includes multiple identity sources in the same domain, you can do one of the following:

      • Add a condition for each identity source.
      • If the identity sources have similar names, you can add one condition using the “starts with” operator. The names must be similar, for example, Corp AD1 or Corp AD2.
      Authentication Type

      The method used to sign in to the identity router. Specify one of the following values:

      • UserStore, to match users who enter an Active Directory or LDAPv3 directory server password to access the portal
      • SAML for IWA or SAML IDP, to match users who use Integrated Windows Authentication.
      Country

      Select is or is not to determine whether the user must be authenticating from the selected country in order to match the condition. For example, Country is Canada matches users who are in Canada, and Country is not Canada matches users who are not in Canada.

      You can select multiple countries from the drop-down list by holding down the Control key. RSA SecurID Access evaluates multiple selections as Country [is/is not] Country A or Country B or Country C, and so on.

      For more information, see Country Attribute for Authentication Conditions.

      Identity Confidence

      Select Low if you want users with a low identity confidence score to match the condition, or High if you want users with a high score to match the condition. For more information, see Identity Confidence Attribute for Authentication Conditions.

      IP Address

      The user's IP address as seen by the identity router. This address might be obscured by network address translation (NAT). To specify a range of addresses, use an operator such as “starts with” or “matches.” You can use regular expressions.

      Use this attribute for users who are inside your corporate network.

      Known Browser

      When you select True, the condition is matched if the user successfully completed additional authentication from this browser in the past and selected Remember This Browser.

      When you select False, the condition is matched if the user has not successfully completed additional authentication from this browser in the past and selected Remember This Browser.

      Note:  RSA SecurID Access does not support the Known Browser attribute when users access the application portal through IWA or an external SAML IdP.

      For more information, see Known Browser Attribute for Authentication Conditions.

      Trusted Location

      When you select True, the condition is matched when the user's location matches a location on the Trusted Location list. If you select True and no trusted locations have been added to RSA SecurID Access, the value is interpreted as False.

      When you select False, the condition is matched when the user's location does not match a location on the Trusted Location list.

      Use this attribute for users who are outside your corporate network.

      For more information, see Trusted Location Attribute for Authentication Conditions.

      Trusted Network

      When you select True, the condition is matched when the user's network matches a network on the Trusted Network list. If you select True and no trusted networks have been added to RSA SecurID Access, the value is interpreted as False.

      When you select False, the condition is matched when the user's network does not match a network on the Trusted Network list.

      For more information, see Add a Trusted Network.

      User Agent

      Identifies the user's web browser type. You can use this attribute to differentiate between mobile browser users and desktop browser users. Check the HTTP request headers for details on the user agent.

      This is a sample User Agent value: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36

      This attribute can produce inaccurate results if a user request is spoofing the browser. For example, the user-agent string that identifies the browser can be mobile-ios when the user is actually using a Firefox browser.

    Select an appropriate operator if you are using Authentication Source, Authentication Type, IP Address, or User Agent. The following table describes how RSA SecurID Access matches user requests for certain operators.

    Operator                 Requirements for Matching the User Request with the Condition
    Is one of                The user request must exactly match at least one value specified in the condition, but the request is not required to match all values in the condition. For example, the request is a match if the condition specifies AD1, IWA Connector and the request contains AD1.
    Is not                   The user request must not contain any of the specified values.
    Contains all of          The user request must match all of the specified attribute values.
    Does not contain all of  The user request must not contain all of the specified attribute values, but it may contain none, one, or more values.
    4. In the Action field, select the action to perform if the condition is matched.

      Action        Description
      Deny Access   The user cannot open the application.
      Allow Access  The user can open the application without additional authentication.
      Authenticate  The user must complete additional authentication before opening the application.
    • If you selected Authenticate, select an Assurance Level. These options select the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods, according to your company's configuration.
    • Click Save.
  17. (Optional) If you want to add another condition, click +ADD.
  18. (Optional) If you want to add another rule set, click Add a Rule Set.
  19. Click Save and Finish.
  20. (Optional) Click Publish Changes in the top menu bar if you want to activate the settings immediately. Otherwise, changes accumulate and are published during the next publish operation.
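The following Python model is an added illustration of the rule-set semantics the procedure above describes; it is not RSA SecurID Access code. It covers the Any/All population match from steps 10 to 12, the AND/OR operator between attribute/value pairs, the multi-value operators from the operator table, the assurance-level cascade from step 15, and the Trusted Location rule that True is interpreted as False when no trusted locations exist. The class and field names, the request-context keys (known_browser, country, location, auth_source), the "equals"/"starts with" operators for user attributes, and the behaviour when no condition matches (treated here as access without additional authentication) are assumptions of this example, not documented product behaviour.

```python
# Added illustrative model of the rule-set semantics described on this page.
# Not RSA SecurID Access code: field names, the request-context layout and the
# behaviour when no condition matches are this example's own assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ASSURANCE_ORDER = ["Low", "Medium", "High"]

def offered_assurance_levels(selected: str) -> List[str]:
    """Step 15: a selected level also offers every higher level (Low -> Low, Medium, High)."""
    return ASSURANCE_ORDER[ASSURANCE_ORDER.index(selected):]

def match_values(operator: str, request_values, condition_values) -> bool:
    """Multi-value operators from the operator table."""
    req, cond = set(request_values), set(condition_values)
    if operator == "is one of":
        return bool(req & cond)          # at least one listed value present
    if operator == "is not":
        return not (req & cond)          # none of the listed values present
    if operator == "contains all of":
        return cond <= req               # every listed value present
    if operator == "does not contain all of":
        return not (cond <= req)         # at least one listed value missing
    raise ValueError(f"unknown operator {operator!r}")

@dataclass
class Condition:
    join: str                              # "AND" or "OR" between the pairs
    pairs: List[Tuple[str, str, object]]   # (attribute, operator, value)
    action: str                            # Deny Access | Allow Access | Authenticate
    assurance_level: Optional[str] = None  # used only with Authenticate

@dataclass
class RuleSet:
    apply_to: str = "All Users"            # or "Selected Users"
    user_match: str = "Any"                # "Any" | "All" user attribute expressions
    user_attrs: List[Tuple[str, str, str]] = field(default_factory=list)  # (attr, op, value)
    access: str = "Allowed"                # "Allowed" | "Denied"
    additional_auth: str = "Not Required"  # Required | Conditional | Not Required
    assurance_level: Optional[str] = None  # used with Required
    conditions: List[Condition] = field(default_factory=list)
    trusted_locations: Set[str] = field(default_factory=set)

def user_in_population(rs: RuleSet, user: Dict[str, str]) -> bool:
    """Steps 10-12: All Users, or Selected Users matching Any/All expressions."""
    if rs.apply_to == "All Users":
        return True
    hits = []
    for attr, op, value in rs.user_attrs:  # attribute names are case sensitive
        actual = user.get(attr, "")
        hits.append(actual == value if op == "equals" else actual.startswith(value))
    return any(hits) if rs.user_match == "Any" else all(hits)

def _pair_matches(rs: RuleSet, ctx: Dict, attr: str, op: str, value) -> bool:
    """One attribute/value pair of a condition against the request context."""
    if attr == "Known Browser":
        return ctx.get("known_browser", False) == value
    if attr == "Country":                  # several countries act as A or B or C
        countries = value if isinstance(value, (list, set, tuple)) else [value]
        in_list = ctx.get("country") in countries
        return in_list if op == "is" else not in_list
    if attr == "Trusted Location":         # empty list: True is interpreted as False
        trusted = bool(rs.trusted_locations) and ctx.get("location") in rs.trusted_locations
        return trusted == value
    if attr == "Authentication Source":
        return match_values(op, [ctx.get("auth_source")], value)
    raise ValueError(f"attribute {attr!r} is not modelled in this example")

def condition_matches(rs: RuleSet, cond: Condition, ctx: Dict) -> bool:
    results = [_pair_matches(rs, ctx, *pair) for pair in cond.pairs]
    return all(results) if cond.join == "AND" else any(results)

def evaluate(rs: RuleSet, user: Dict[str, str], ctx: Dict):
    """Return ('skip'|'deny'|'allow'|'authenticate', offered assurance levels or None)."""
    if not user_in_population(rs, user):
        return ("skip", None)
    if rs.access == "Denied":
        return ("deny", None)
    if rs.additional_auth == "Required":
        return ("authenticate", offered_assurance_levels(rs.assurance_level))
    if rs.additional_auth == "Conditional":
        for cond in rs.conditions:         # first matching condition decides
            if condition_matches(rs, cond, ctx):
                if cond.action in ("Deny Access", "Allow Access"):
                    return (cond.action.split()[0].lower(), None)
                return ("authenticate", offered_assurance_levels(cond.assurance_level))
    return ("allow", None)                 # Not Required, or no condition matched (assumption)

# Constructed sample: the page's "known browser in Canada" example as one rule set
SAMPLE = RuleSet(
    apply_to="Selected Users", user_match="All",
    user_attrs=[("department", "equals", "Finance")],
    additional_auth="Conditional",
    conditions=[
        Condition("AND", [("Known Browser", "is", True), ("Country", "is", "Canada")], "Allow Access"),
        Condition("OR", [("Known Browser", "is", False), ("Country", "is not", "Canada")],
                  "Authenticate", "Medium"),
    ],
)
```

Calling evaluate(SAMPLE, {"department": "Finance"}, {"known_browser": False, "country": "Canada"}) returns ("authenticate", ["Medium", "High"]): the second condition matches and the Medium selection also offers the High methods, as step 15 describes. The same Trusted Location handling applies to Trusted Network, which is omitted here only for brevity.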
