The Agent provides XML-based rules processing that allows your system to respond to certain requests without making calls to the RSA ClearTrust Servers. This is implemented by adding <Rule> items to the rules.xml file residing in the /conf directory of your Agent installation. If at runtime any of the rules are relevant to an access request, the Agent performs the specified actions. If the rules are not relevant, the Agent continues to process the request normally.
Each rule is composed of one or more arguments and one or more actions. If multiple arguments are specified, the rule's actions are taken only when all of the arguments match. A rule can contain multiple actions, each of a different action type; when all of the rule's arguments match, every action specified for the rule is executed.
Valid rule argument types are "URI", "Method", "Header", "Protocol", "QueryString", and "ClientIP". Every argument expression is a regular expression that is matched against the corresponding part of the user's request. See the HTTP RFC (http://www.w3.org/Protocols/rfc2616/rfc2616.html) for details on HTTP URIs, request methods, headers, protocols and query strings. Every argument has a type and an expression; a "Header" argument additionally has an argument field that names the HTTP header to inspect. See the examples below.
<argument type="URI" expression="/default.ida*"/>
<argument type="Method" expression="HEAD"/>
<argument type="Protocol" expression="[^(1\.0)]"/>
<argument type="Header" argument="host" expression="badhost.com"/>
<argument type="QueryString" expression="abc=def"/>
<argument type="ClientIP" expression="192.168.1.1"/>
The action type can be one of "HTTP" (to send an HTTP response code), "LOG" (to log the request parameters to the log file at the specified log level) or "LOCK" (to lock the client by IP address for a specified amount of time). All of the actions require an argument. The rules.xsd file also refers to a "NOTIFY" action; this feature was intended to generate SNMP traps when a request met the specified arguments. The action type was removed from the product, but the reference was not removed from the rules.xsd file.
The available response codes for the "HTTP" action are 200, 301, 302, 400, 401, 403, 404, 500, and 501. HTTP 301 and 302 also require a URI to which the user is redirected. See the examples below. "LOG" requires a ClearTrust Agent log level as its argument; the available values are documented in webagent.conf. "LOCK" requires the time period for which the requesting IP address is locked.
<action type="HTTP" argument="200"/>
<action type="HTTP" argument="302 /ct_access_denied_en.html"/>
<action type="LOG" argument="Critical"/>
<action type="LOCK" argument="10 Mins"/>
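As an added illustration (this is not the Agent's own code and is not from the original article), the following Python models the matching semantics described above: each argument is a regular expression tested against its request field, a rule fires only when all of its arguments match, and every action on a fired rule is returned. The request dictionary, the rules fragment and the <Rules> root element name are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Request fields a rule <argument> can inspect, keyed by the lower-cased argument type.
# A request is a constructed dict such as:
#   {"uri": "/x", "method": "GET", "protocol": "HTTP/1.1", "querystring": "",
#    "clientip": "10.0.0.1", "headers": {"Host": "example.com"}}
def _field(req: dict, arg_type: str, header_name: str) -> str:
    """Return the request value an <argument> of the given type inspects."""
    if arg_type.lower() == "header":
        # HTTP header names are case-insensitive; a missing header can never match.
        headers = {k.lower(): v for k, v in req["headers"].items()}
        return headers.get(header_name.lower(), "")
    return req[arg_type.lower()]  # uri, method, protocol, querystring, clientip

def evaluate(rules_xml: str, req: dict) -> list[list[tuple[str, str]]]:
    """Return the (type, argument) actions of each <Rule> whose arguments ALL match.

    Expressions are regexes: an unescaped '.' matches any character and an
    unanchored pattern matches anywhere in the value, so anchor with ^ and $."""
    matched = []
    for rule in ET.fromstring(rules_xml).iter("Rule"):
        args = rule.findall("argument")
        if args and all(re.search(a.get("expression"),
                                  _field(req, a.get("type"), a.get("argument", "")))
                        for a in args):
            matched.append([(x.get("type"), x.get("argument")) for x in rule.findall("action")])
    return matched

# Constructed rules.xml fragment; the <Rules> root element name is an assumption.
RULES = r"""<Rules>
  <Rule>
    <argument type="URI" expression="^/default\.ida"/>
    <argument type="Method" expression="^(GET|HEAD)$"/>
    <action type="HTTP" argument="404"/>
    <action type="LOG" argument="Critical"/>
  </Rule>
  <Rule>
    <argument type="Header" argument="host" expression="^badhost\.com$"/>
    <action type="LOCK" argument="10 Mins"/>
  </Rule>
</Rules>"""

# Constructed request that should fire both rules above.
PROBE = {"uri": "/default.ida", "method": "GET", "protocol": "HTTP/1.0",
         "querystring": "XXXX", "clientip": "192.168.1.1", "headers": {"Host": "badhost.com"}}

if __name__ == "__main__":
    print(evaluate(RULES, PROBE))
```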