My Page Enrollment Policy
You can secure registration using an identity verification workflow to control which users have the right to access self-service enrollment. The My Page Enrollment Policy enables you to add an extra layer of security to the My Page enrollment process using an identity verification provider. It supports different identity verification providers for different user populations.
You can add rules to the My Page Enrollment Policy to determine the situations in which the policy applies, and you can customize the rules for different user groups.
Note: Enrollment is only available for users who have no registered authenticators.
Configure My Page Enrollment Policy
The My Page Enrollment Policy exists by default. You can enable and configure it, or disable it. However, unlike other access policies, this policy cannot be cloned, deleted, or used to view access usage. When you disable the policy, the current configurations are saved. Consequently, these configurations can be restored when the policy is re-enabled.
Before you begin
You must be a Super Admin in the Cloud Administration Console.
You need to configure a user verification identity provider to use it within the My Page Enrollment Policy. For more information, see Identity Verification Providers.
In the Cloud Administration Console, enable My Authenticators under Access > My Page > My Authenticators.
In the Cloud Administration Console, enable Enrollment Settings under Access > My Page > Enrollment and Recovery.
Procedure
In the Cloud Administration Console, click Access > Policies.
On the Policies page, click Enable next to the My Page Enrollment Policy.
On the Available Identity Sources page, select identity source(s) from the list to identify the target user population for this policy. Select at least one identity source.
Click Next Step.
On the Rule Sets page, do the following:
Enter the rule set name.
In the Apply to field, select All Users to allow application access to all users who authenticate or Selected Users if you want to apply this rule set only to users who match the user attribute expressions in this rule set.
Access Details: The Access setting determines how user access is managed based on the selected user population.
Allowed: Cloud Access Service (CAS) evaluates the request to determine if additional authentication is required. In the Identity Verification section, in the Method field, select one of the following methods if the Allowed option is selected:
Password + Email Verification: This method requires users to enter their password and then verify their identity by entering a code sent to their registered email address upon request.
Password + Identity Verification Providers: This method combines password authentication with an additional layer of identity verification provided by third-party services to enable access to enrollment. In the Identity Verification Provider field, select an identity verification provider. This feature is offered as an add-on. For more information, please contact your RSA Sales Representative.
Password + SMS/Voice Code: This method combines password authentication with an extra layer of security by using a one-time passcode (OTP) sent via SMS or voice call to the user's registered phone number. For information on configuring the SMS/Voice OTP validity period, see the Set Up Enrollment Settings section in Manage My Page. This feature is offered as an add-on. For more information, please contact your RSA Sales Representative.
Email Verification + SMS/Voice Code: This method combines email verification with an extra layer of security by using a one-time passcode (OTP) sent via SMS or voice call to the user's registered phone number. For information on configuring the SMS/Voice OTP validity period, see the Set Up Enrollment Settings section in Manage My Page.
Email Verification + Identity Verification Providers: This method combines email verification with an additional layer of identity verification provided by third-party services to enable access to enrollment. In the Identity Verification Provider field, select an identity verification provider.
SMS/Voice Code + Identity Verification Providers: This method combines a one-time passcode (OTP) sent via SMS or voice call to the user's registered phone number with an extra layer of identity verification provided by third-party services to enable access to enrollment. In the Identity Verification Provider field, select an identity verification provider. For information on configuring the SMS/Voice OTP validity period, see the Set Up Enrollment Settings section in Manage My Page.
Note: When selecting identity verification methods, such as "Password + Email Verification" or "Password + SMS/Voice Code", RSA strongly recommends limiting user recovery options based on conditional attributes, such as the user's country, known browser, and identity confidence. This approach minimizes security risks by applying conditional logic based on each user's specific circumstances.
Conditional: CAS evaluates the request based on specified conditions. Click Add to include a new condition for determining user access based on contextual conditions. In the Authentication Condition dialog box:
(Optional) Select an operator (OR or AND) to determine how each attribute and value pair is combined.
Select the Attribute and specify the Value. The context of the user’s request will be compared against the specified value for the chosen attribute.
Select the Action to be performed when the user's request matches the configured conditions:
Deny Access: Select this option to deny access when conditions are met.
Verify Identity: Select this option if you need to verify the user’s identity. Then, select an identity verification method from the available options in the Method field.
Click Save.
Note: Conditions are evaluated in the order they are listed. You can drag and drop to reorder them as needed. Conditions that do not match any criteria are evaluated last.
Click Save and Finish.
Click Publish Changes.
CAS enforces this access policy immediately for enrollment to My Page. This policy does not impact existing registrations.
Example
The following example describes how the My Page Enrollment Policy works for an allowed user.
The administrator adds a user verification identity provider and sets up its workflow.
The administrator enables the My Page Enrollment Policy.
The administrator creates a rule set to require sales users to complete registration with My Page using an identity proofing method and an identity verification provider.
A sales user opens the secure enrollment URL, enters the User ID, Password, and Country, and then scans their ID. The sales user can then register a new authenticator using My Page.