Access policies determine who can complete authenticator registration, who can access applications, who must perform additional (step-up) authentication to use those applications, and which authentication methods must be used.
You can require additional authentication for all users who match the rule set's user attribute expressions, or you can require it conditionally, depending on the context of the user's request. For example, a rule set can require additional authentication for users who attempt to access the application from an unknown browser, but not for users with a known browser.
Keep in mind the following:
- RADIUS clients do not support access policies that contain authentication conditions.
- Certain policies limit the configuration options. For example, the RSA SecurID Authenticate Device Registration policy only supports identity source user attributes and certain conditions at this time.
Note: If your deployment is downgraded from Premium Edition to Enterprise Edition, you must examine your access policies and edit them if necessary to ensure that they comply with the Enterprise Edition license. Policies that are not up-to-date can result in authentication failures.
Before you begin
- You must be a Super Admin in the Cloud Administration Console to perform this task.
- Understand how to select your user population and define requirements for additional authentication. See the following topics for more information:
- The identity source(s) selected in this policy must be connected to the identity router.
- An identity router must be able to communicate with at least one identity source and with the Cloud Authentication Service.
- If this policy selects users based on identity source attributes, make sure the identity source is configured to select the attributes and synchronize them with the Cloud Authentication Service.
- You need LDAP user attributes to define the target population for this policy. To verify if the correct attributes are configured and available to use in access policies, click Users > Identity Sources > User Attributes. Click Refresh Attributes, select the Policies checkbox to enable the attribute, and then click Save.
- Sign in to the Cloud Administration Console.
- Click Access > Policies.
- Click Add a Policy.
- On the Basic Information page, in the Name field, enter the name of this access policy.
- (Optional) In the Description field, enter text to describe the policy.
- Click Next Step.
- On the Identity Sources page, select the identity source(s) that this policy uses.
- Click Next Step.
- On the Rule Sets page, in the Rule Set Name field, specify a name for the first rule set in this policy. If you select All Users, a default name is used.
- The Apply to field determines who this rule set applies to. Select one option.
Option: Description
- All Users: Apply this rule set to all users in the selected LDAP directory server. If no directory server is selected, the rule set applies to all users in all deployed directory servers.
- Selected Users: Apply this rule set only to users in the selected LDAP directory server who match the user attributes.
- In the Selected users must match field, indicate how closely the user must match the user attribute expressions.
Option: Result
- Any: The user must match at least one user attribute expression; the user is not required to match all of them.
- All: The user must match all user attribute expressions in the rule set.
- Click Add to add a user attribute expression that selects users.
In the User Selection Rule dialog box, use the User Attribute, Operation, and Value fields to define the target population. The User Attribute field is case sensitive.
Note: For detailed information on operations, see Operators for Using LDAP Attributes in Access Policies.
- Click Save.
- (Optional) Click ADD to add another user attribute expression.
- In the Access field, specify whether users in the target population can access the application.
Option: Description
- Allowed: All users in the target population can access the application.
- Conditional: Users in the target population can access the application depending on these conditions:
  - Whether the context of the user request matches the conditional expression.
  - Whether the Action field allows access, denies access, or requires additional authentication.
- Denied: Users in the target population cannot access the application.
- If you selected Allowed, determine which users in the target population must use additional authentication to open the application. In the Additional Authentication field, select one option.
Option: Description
- Required: Always require additional authentication.
- Not Required (default): Additional authentication is not required.
If you selected Required, also select an Assurance Level. The assurance level determines which authentication methods are offered during additional authentication. The level (Low, Medium, or High) indicates the relative strength and security of the methods.
Users are also offered methods from higher assurance levels. For example, if you select Low, users see authentication options from the Low, Medium, and High assurance levels.
- If you selected Conditional, click ADD to add at least one condition.
A condition contains at least one attribute/value pair. Each pair forms a conditional expression. In the Perform operator between each attribute and value pair field, choose one of the operators described in the table.
Operator: Meaning
- AND: The context of the user request must match all attribute/value pair expressions in the condition. For example, Known Browser True AND Country is Canada indicates that the user must authenticate with a known browser and be located in Canada.
- OR: The context of the user request must match at least one attribute/value pair expression in the condition. For example, Known Browser False OR Country is Canada indicates that the user must authenticate with an unknown browser or be located in Canada (or both).
- In the Attribute field, select an attribute.
Select or specify a Value for each attribute, as described in the table. For more information on attributes, see Condition Attributes for Access Policies.
Attribute: Description and Values
- Authentication Source: Identifies the identity source or identity provider (IdP) used to validate the user's identity when accessing the application. Enter the same name that the identity source or IdP was given when it was added to RSA SecurID Access. You can enter multiple values for this attribute.
  If the policy includes multiple identity sources in the same domain, you can do one of the following:
  - Add a condition for each identity source.
  - If the identity sources have similar names, add one condition using the "starts with" operator. The names must share a prefix, for example, Corp AD1 and Corp AD2.
- Authentication Type: The method used to sign in to the identity router. Specify one of the following values:
  - UserStore, to match users who enter an Active Directory or LDAPv3 directory server password to access the portal.
  - SAML, to match users who sign in through Integrated Windows Authentication (IWA) or an external SAML IdP.
- Country: Select is or is not to determine whether the user must be authenticating from the selected country in order to match the condition. For example, Country is Canada matches users who are in Canada, and Country is not Canada matches users who are not in Canada.
  You can select multiple countries from the drop-down list by holding down the Control key. RSA SecurID Access evaluates multiple selections as Country [is/is not] Country A or Country B or Country C, and so on.
- High-Risk User List: When you select True, the condition is matched if the user has been identified as high risk by a third-party program. When you select False, the condition is matched if the user has not been identified as high risk.
- Identity Confidence: Select Low if you want users with a low identity confidence score to match the condition, or High if you want users with a high score to match the condition.
- IP Address: The user's IP address as seen by the identity router. This address might be obscured by network address translation (NAT), so several users behind one gateway can appear to share an address. To specify a range of addresses, use an operator such as "starts with" or "matches." You can use regular expressions. Note that a bare prefix such as 10.1 also matches 10.10.x.x and 10.100.x.x; include the trailing dot (10.1.) or use a regular expression that covers the whole address. Use this attribute for users who are inside your corporate network.
- Known Browser: When you select True, the condition is matched if the user previously completed additional authentication from this browser and selected Remember This Browser.
  When you select False, the condition is matched if the user has not previously completed additional authentication from this browser and selected Remember This Browser.
  Note: RSA SecurID Access does not support the Known Browser attribute when users access the application portal through IWA or an external SAML IdP.
- Trusted Location: When you select True, the condition is matched when the user's location matches a location on the Trusted Location list. If you select True and no trusted locations have been added to RSA SecurID Access, the value is interpreted as False, so the condition never matches.
  When you select False, the condition is matched when the user's location does not match a location on the Trusted Location list. With an empty list, this matches every user.
  Use this attribute for users who are outside your corporate network.
- Trusted Network: When you select True, the condition is matched when the user's network matches a network on the Trusted Network list. If you select True and no trusted networks have been added to RSA SecurID Access, the value is interpreted as False, so the condition never matches.
  When you select False, the condition is matched when the user's network does not match a network on the Trusted Network list. With an empty list, this matches every user.
  For more information, see Add a Trusted Network.
- User Agent: Identifies the user's web browser type. You can use this attribute to differentiate between mobile browser users and desktop browser users. Check the HTTP request headers for details on the user agent.
  This is a sample User Agent value: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
  This attribute can produce inaccurate results if a user request spoofs the browser. The User-Agent string is supplied by the client, so a request can present a mobile-ios user agent while actually coming from a Firefox desktop browser. Do not rely on it as the only factor for a security decision.
Select an appropriate operator if you are using Authentication Source, authenticationType, ipAddress, or UserAgent. The following table describes how RSA SecurID Access matches user requests for certain operators.
Operator: Requirements for matching the user request with the condition
- Is one of: The user request must exactly match at least one value specified in the condition, but the request is not required to match all values in the condition. For example, if the condition specifies AD1, IWA Connector, a request that contains AD1 is a match.
- Is not: The user request must not contain any of the specified values.
- Contains all of: The user request must match all of the specified attribute values.
- Does not contain all of: The user request must not contain all of the specified attribute values; it may contain none, one, or more of them.
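The operator table above is easy to misread for multi-valued attributes, and the "starts with" and "matches" operators recommended for Authentication Source and IP Address have sharp edges of their own. The following Python model is an added example, not RSA's code: it implements the four operators as the table describes them, plus "starts with" and a regular-expression "matches", and shows how three ways of writing "the 10.1.0.0/16 range" behave differently. The function names, the choice to anchor regular expressions to the whole value (the page does not say whether the product does), and the sample values are assumptions.

```python
"""Operator semantics for access-policy conditions (added example, not RSA code)."""
import re
from typing import Iterable


def match_condition(operator: str, request_values: Iterable[str],
                    condition_values: Iterable[str]) -> bool:
    """Return True when the request's attribute value(s) satisfy the condition.

    Operator names are assumptions chosen to mirror the documentation table.
    """
    req, cond = set(request_values), set(condition_values)
    if operator == "is one of":                 # exact match on at least one value
        return bool(req & cond)
    if operator == "is not":                    # none of the configured values may appear
        return not (req & cond)
    if operator == "contains all of":           # every configured value must appear
        return cond <= req
    if operator == "does not contain all of":   # fails only when all of them appear
        return not (cond <= req)
    if operator == "starts with":               # plain string prefix, no dot awareness
        return any(r.startswith(c) for r in req for c in cond)
    if operator == "matches":                   # anchored: pattern must cover the whole value
        return any(re.fullmatch(c, r) is not None for r in req for c in cond)
    raise ValueError(f"unknown operator: {operator}")


def ip_range_check(ip: str) -> dict:
    """Three ways of expressing 'inside 10.1.0.0/16' and what each really matches.

    The address and patterns are constructed for this example.
    """
    return {
        "starts with 10.1": match_condition("starts with", [ip], ["10.1"]),    # also 10.10.x, 10.100.x
        "starts with 10.1.": match_condition("starts with", [ip], ["10.1."]),  # only 10.1.x.x
        "matches regex": match_condition("matches", [ip], [r"10\.1\.\d{1,3}\.\d{1,3}"]),
    }


if __name__ == "__main__":
    # Example from the table: condition lists AD1 and IWA Connector, request carries AD1.
    print(match_condition("is one of", ["AD1"], ["AD1", "IWA Connector"]))      # True
    print(match_condition("starts with", ["Corp AD2"], ["Corp AD"]))            # True
    for addr in ("10.1.2.3", "10.10.4.5"):
        print(addr, ip_range_check(addr))
```

The "starts with 10.1" row is the one to watch: it silently admits 10.10.0.0/16 and 10.100.0.0/16 into what was meant to be a single /16, which is exactly the kind of over-broad trusted range that later turns an IP Address condition into a bypass.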
- In the Action field, select the action to perform if the condition is matched.
Action: Description
- Deny Access: The user cannot open the application.
- Allow Access: The user can open the application without additional authentication.
- Authenticate: The user must complete additional authentication before opening the application.
- If you selected Authenticate, select an Assurance Level. These options select the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods, according to your company's configuration.
- Click Save.
- (Optional) If you want to add another condition, click +ADD.
- (Optional) If you want to add another rule set, click Add a Rule Set.
- Click Save and Finish.
- (Optional) Click Publish Changes in the top menu bar if you want to activate the settings immediately. Otherwise, changes accumulate and are published during the next publish operation.
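To see how the pieces configured in the steps above combine into a decision, here is an added Python model of one rule set; it is not RSA's code and not an emulation of the product's engine. It walks the documented flow (Apply to and Any/All user selection, Allowed/Conditional/Denied access, AND/OR condition expressions, and the Deny/Allow/Authenticate actions) over constructed sample requests, and it leaves the Trusted Location list empty on purpose so the documented "True is interpreted as False" caveat shows up as a condition that can never fire. The data structures, the rule that the first matching condition decides, the fail-closed default when no condition matches (the page does not state the product's behaviour), the trusted network range, and the sample users are all assumptions.

```python
"""Worked evaluation of one access-policy rule set (added example, not RSA code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any, List, Optional, Tuple


@dataclass
class Condition:
    pairs: List[Tuple[str, Any]]       # (attribute, expected value)
    operator: str                      # "AND" or "OR" between the pairs
    action: str                        # "Deny Access" | "Allow Access" | "Authenticate"
    assurance: Optional[str] = None    # Low/Medium/High, only for "Authenticate"


@dataclass
class RuleSet:
    apply_to: str                                  # "All Users" | "Selected Users"
    user_match: str = "Any"                        # "Any" | "All"
    user_exprs: List[Tuple[str, str]] = field(default_factory=list)
    access: str = "Allowed"                        # "Allowed" | "Conditional" | "Denied"
    additional_auth: str = "Not Required"          # "Required" | "Not Required"
    assurance: Optional[str] = None
    conditions: List[Condition] = field(default_factory=list)


# Deployment lists (constructed). Trusted Locations is left empty on purpose:
# per the documentation, "Trusted Location True" is then interpreted as False.
TRUSTED_LOCATIONS: set = set()
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]   # assumed corporate range


def context_value(attr: str, request: dict) -> Any:
    """Resolve a condition attribute from the request context."""
    if attr == "Trusted Location":
        return request["location"] in TRUSTED_LOCATIONS         # empty list -> False
    if attr == "Trusted Network":
        return any(ip_address(request["ip"]) in n for n in TRUSTED_NETWORKS)
    return request.get(attr)


def selects_user(rs: RuleSet, user_attrs: dict) -> bool:
    """Apply to / Any / All logic over the user attribute expressions (equality only)."""
    if rs.apply_to == "All Users":
        return True
    hits = [user_attrs.get(a) == v for a, v in rs.user_exprs]
    return any(hits) if rs.user_match == "Any" else all(hits)


def condition_matches(cond: Condition, request: dict) -> bool:
    hits = [context_value(a, request) == v for a, v in cond.pairs]
    return all(hits) if cond.operator == "AND" else any(hits)


def evaluate(rs: RuleSet, user_attrs: dict, request: dict) -> Optional[Tuple[str, Optional[str]]]:
    """Return (outcome, assurance) or None when this rule set does not apply to the user
    (the policy would then move on to its next rule set)."""
    if not selects_user(rs, user_attrs):
        return None
    if rs.access == "Denied":
        return ("deny", None)
    if rs.access == "Allowed":
        return ("step-up", rs.assurance) if rs.additional_auth == "Required" else ("allow", None)
    for cond in rs.conditions:        # Conditional: first matching condition decides (assumption)
        if condition_matches(cond, request):
            return {"Deny Access": ("deny", None),
                    "Allow Access": ("allow", None),
                    "Authenticate": ("step-up", cond.assurance)}[cond.action]
    return ("deny", None)             # nothing matched: fail closed (assumption)


FINANCE_RULES = RuleSet(
    apply_to="Selected Users", user_match="Any",
    user_exprs=[("department", "Finance"), ("department", "Treasury")],
    access="Conditional",
    conditions=[
        Condition([("High-Risk User List", True)], "OR", "Deny Access"),
        Condition([("Trusted Location", True)], "AND", "Allow Access"),   # dead: list is empty
        Condition([("Known Browser", True), ("Trusted Network", True)], "AND", "Allow Access"),
        Condition([("Known Browser", False), ("Trusted Network", False)], "OR",
                  "Authenticate", assurance="High"),
    ],
)

# Constructed sample requests.
ON_NET_KNOWN = {"ip": "10.20.3.4", "location": "Toronto", "Known Browser": True,
                "High-Risk User List": False}
OFF_NET_NEW = {"ip": "203.0.113.7", "location": "Toronto", "Known Browser": False,
               "High-Risk User List": False}
HIGH_RISK = {**ON_NET_KNOWN, "High-Risk User List": True}

if __name__ == "__main__":
    for name, req in [("on-net, known browser", ON_NET_KNOWN),
                      ("off-net, new browser", OFF_NET_NEW), ("high-risk", HIGH_RISK)]:
        print(name, evaluate(FINANCE_RULES, {"department": "Finance"}, req))
    print("engineer", evaluate(FINANCE_RULES, {"department": "Engineering"}, ON_NET_KNOWN))
```

Two things worth noticing when you run it: the second condition never fires because the Trusted Location list is empty, so a policy that relies on it silently falls through to the later conditions; and a user outside the target population gets None rather than a decision, which is why a policy should end with a rule set whose outcome for everyone else is explicit.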