Add, Clone, or Delete an Access Policy
Access policies determine who can complete authenticator registration, access applications, who must perform additional (step-up) authentication to use the applications, and which authentication methods must be used.
You can require additional authentication for all users who matched the rule set's user attribute expressions, or you can require it on a conditional basis, depending on the user's context. For example, a rule set can require additional authentication for users who are attempting to access the application from unknown browsers, but not for users with known browsers.
A Super Admin can perform the tasks in this topic: add, clone, and delete access policies.
Keep in mind the following:
- RADIUS clients do not support access policies that contain authentication conditions.
- Certain policies limit the configuration options. For example, the RSA Authenticate Device Registration policy only supports identity source user attributes and certain conditions at this time.
- If certain settings are disabled in My Account > Company Settings > Company Information, you cannot use the corresponding attributes in an access policy:
  - Identity Confidence Collection disabled: do not use the Identity Confidence attribute.
  - Location Collection disabled: do not use the Trusted Location or Country attributes.
  - Known Browser disabled: do not use the Known Browser attribute.
For more information, see Configure Company Information and Certificates.
Note: If your deployment is downgraded from Cloud Premier to Cloud Plus, you must examine your access policies and edit them if necessary to ensure that they comply with the Cloud Plus license. Policies that are not up-to-date can result in authentication failures.
Add an Access Policy
Before you begin
- Understand how to select your user population and define requirements for additional authentication. See these topics:
- The identity source(s) selected in this policy must be connected to the identity router.
- An identity router must be able to communicate with at least one identity source and with the Cloud Authentication Service.
- If this policy selects users based on identity source attributes, make sure the identity source is configured to select the attributes and synchronize them with the Cloud Authentication Service.
- You need LDAP user attributes to define the target population for this policy. To verify if the correct attributes are configured and available to use in access policies, click Users > Identity Sources > User Attributes. Click Refresh Attributes, select the Policies checkbox to enable the attribute, and then click Save.
Procedure
- Sign in to the Cloud Administration Console.
- Click Access > Policies.
- Click Add a Policy.
- On the Basic Information page, in the Name field, enter the name of this access policy.
- (Optional) In the Description field, enter text to describe the policy.
- Click Next Step.
- On the Identity Sources page, select the identity source(s) that this policy uses.
- Click Next Step.
- On the Rule Sets page, in the Rule Set Name field, specify a name for the first rule set in this policy. If you select All Users, a default name is used.
- The Apply to field determines who this rule set applies to. Select one option.
  - All Users: Apply this rule set to all users in the selected LDAP directory server. If no directory server is selected, the rule set applies to all users in all deployed directory servers.
  - Selected Users: Apply this rule set only to users in the selected LDAP directory server who match the user attributes.
- In the Selected users must match field, indicate how closely the user request must match the user attributes.
  - Any: The user request can match any single user attribute, but is not required to match all user attributes.
  - All: The user request must match all user attributes in the rule set.
- Click Add to add a user attribute expression that selects users.
- In the User Selection Rule dialog box, use the User Attribute, Operation, and Value fields to define the target population. The User Attribute field is case sensitive.
Note: For detailed information on operations, see Operators for Using LDAP Attributes in Access Policies.
- Click Save.
- (Optional) Click ADD to add another user attribute expression.
- In the Access field, specify whether users in the target population can access the application.
  - Allowed: All users in the target population can access the application.
  - Conditional: Users in the target population can access the application depending on whether the context of the user request matches the conditional expression, and whether the Action field allows access, denies access, or requires additional authentication.
  - Denied: Users in the target population cannot access the application.
- If you selected Allowed, determine which users in the target population must use additional authentication to open the application. In the Additional Authentication field, select one option.
  - Required: Always require additional authentication.
  - Not Required (default): Additional authentication is not required.
- If you selected Required, also select an Assurance Level. These options specify the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods. Users can select options from higher assurance levels. For example, if you select Low, users will see authentication options from the Low, Medium, and High assurance levels.
- If you selected Conditional, click ADD to add at least one condition.
A condition contains at least one attribute/value pair. Each pair forms a conditional expression. In the Perform operator between each attribute and value pair field, choose one of the following operators.
  - AND: The context of the user request must match all attribute/value pair expressions in the condition. For example, Known Browser True AND Country is Canada indicates the user must authenticate with a known browser and be located in Canada.
  - OR: The context of the request must match at least one attribute/value pair expression in the condition. For example, Known Browser False OR Country is Canada indicates the user must authenticate with an unknown browser or be located in Canada.
- In the Attribute field, select an attribute.
Select or specify a Value for each attribute, as described in the table. For more information on attributes, see Condition Attributes for Access Policies.
- Authentication Source: Identifies the identity source or identity provider (IdP) used to validate the user's identity when accessing the application. Enter the same name that the identity source or IdP was given when it was added to RSA. You can enter multiple values for this attribute. If the policy includes multiple identity sources in the same domain, either add a condition for each identity source or, if the identity sources have similar names (for example, Corp AD1 and Corp AD2), add one condition using the "starts with" operator.
- Authentication Type: The method used to sign in to the identity router. Specify one of the following values:
  - UserStore, to match users who enter an Active Directory or LDAPv3 directory server password to access the portal.
  - SAML for IWA or SAML IDP, to match users who use Integrated Windows Authentication.
- Country: Select is or is not to determine whether the user must be authenticating from the selected country in order to match the condition. For example, Country is Canada matches users who are in Canada, and Country is not Canada matches users who are not in Canada. You can select multiple countries from the drop-down list by holding down the Control key. RSA evaluates multiple selections as Country [is/is not] Country A or Country B or Country C, and so on.
- High-Risk User List: When you select True, the condition is matched if the user has been identified as high risk by a third-party program. When you select False, the condition is matched if the user has not been identified as high risk.
- Identity Confidence: Select Low if you want users with a low identity confidence score to match the condition, or High if you want users with a high score to match the condition.
- IP Address: The user's IP address as seen by the identity router. This address might be obscured by network address translation (NAT), in which case the condition matches the NAT gateway address rather than the individual client. To specify a range of addresses, use an operator such as "starts with" or "matches." You can use regular expressions. When you use "starts with," include the trailing dot (for example, 10.1. rather than 10.1); otherwise addresses such as 10.10.0.5 and 10.100.0.5 also match. Use this attribute for users who are inside your corporate network.
- Known Browser: When you select True, the condition is matched if the user successfully completed additional authentication from this browser in the past and selected Remember This Browser. When you select False, the condition is matched if the user has not successfully completed additional authentication from this browser in the past and selected Remember This Browser.
  Note: RSA does not support the Known Browser attribute when users access the application portal through IWA or an external SAML IdP.
- Trusted Location: When you select True, the condition is matched when the user's location matches a location on the Trusted Location list. If you select True and no trusted locations have been added to RSA, the value is interpreted as False. When you select False, the condition is matched when the user's location does not match a location on the Trusted Location list. Use this attribute for users who are outside your corporate network.
- Trusted Network: When you select True, the condition is matched when the user's network matches a network on the Trusted Network list. If you select True and no trusted networks have been added to RSA, the value is interpreted as False. When you select False, the condition is matched when the user's network does not match a network on the Trusted Network list. For more information, see Add or Delete a Trusted Network.
- User Agent: Identifies the user's web browser type. You can use this attribute to differentiate between mobile browser users and desktop browser users. Check the HTTP request headers for details on the user agent. This is a sample User Agent value: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
  This attribute can produce inaccurate results because the User-Agent header is supplied by the client and can be spoofed. For example, the user-agent string that identifies the browser can be mobile-ios when the user is actually using a Firefox browser. Do not rely on User Agent alone to grant access or to relax authentication.
Select an appropriate operator if you are using Authentication Source, Authentication Type, IP Address, or User Agent. The following operators determine how RSA matches user requests against the values in the condition.
  - Is one of: The user request must exactly match at least one value specified in the condition, but is not required to match all values. For example, if the condition specifies AD1, IWA Connector and the request contains AD1, the request is a match.
  - Is not: The user request must not contain any of the specified values.
  - Contains all of: The user request must match all of the specified attribute values.
  - Does not contain all of: The user request must not contain all of the specified attribute values; it may contain none, one, or more of them.
- In the Action field, select the action to perform if the condition is matched.
  - Deny Access: The user cannot open the application.
  - Allow Access: The user can open the application without additional authentication.
  - Authenticate: The user must complete additional authentication before opening the application.
- If you selected Authenticate, select an Assurance Level. These options select the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods, according to your company's configuration.
- Click Save.
- (Optional) If you want to add another condition, click +ADD.
- (Optional) If you want to add another rule set, click Add a Rule Set.
- Click Save and Finish.
- (Optional). Click Publish Changes in the top menu bar if you want to activate the settings immediately. Otherwise, changes accumulate and are published during the next publish operation.
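The procedure above describes a rule set declaratively; it is easy to misjudge how the Any/All user selection, the AND/OR condition operator, the "Is one of"/"Is not"/"Contains all of" value operators, and the empty-Trusted-List rule combine for a given request. The following Python model, added here as an illustration and not RSA's own code, evaluates a constructed rule set against constructed request contexts so you can test a policy design before publishing it. Attribute and operator names follow this page; the LDAP user-selection operators ("equals", "starts with"), the context keys, the `location` field, and the first-match ordering of conditions are assumptions.

```python
import ipaddress
import re

# Illustrative evaluator of an access-policy rule set (not RSA's implementation).
# Assumed: LDAP user-selection operators "equals"/"starts with"; conditions are
# tried in order and the first match wins.


def select_user(user_attrs, rule_set):
    """Is this user in the rule set's target population (All Users / Selected Users)?"""
    if rule_set["apply_to"] == "All Users":
        return True
    results = []
    for attribute, op, value in rule_set["user_expressions"]:
        actual = user_attrs.get(attribute)  # attribute name is case sensitive
        if actual is None:
            results.append(False)
        elif op == "equals":
            results.append(actual == value)
        elif op == "starts with":
            results.append(actual.startswith(value))
        else:
            raise ValueError(f"unsupported LDAP operator {op!r}")
    # "Selected users must match": All -> every expression, Any -> at least one
    return all(results) if rule_set["match"] == "All" else any(results)


def _as_set(v):
    return set(v) if isinstance(v, (list, set, tuple)) else {v}


def pair_matches(ctx, cfg, attribute, operator, value):
    """Evaluate one attribute/value pair of a condition against the request context."""
    if attribute == "Trusted Location":
        # True with an empty Trusted Location list is interpreted as False.
        hit = ctx.get("location") in cfg.get("trusted_locations", [])
        return hit if value else not hit
    if attribute == "Trusted Network":
        ip = ipaddress.ip_address(ctx["IP Address"])
        hit = any(ip in ipaddress.ip_network(n) for n in cfg.get("trusted_networks", []))
        return hit if value else not hit
    if attribute in ("Known Browser", "High-Risk User List"):
        return bool(ctx.get(attribute)) == value
    if attribute == "Country":
        # Several selected countries evaluate as "Country [is/is not] A or B or C".
        hit = ctx.get("Country") in _as_set(value)
        return hit if operator == "is" else not hit
    if attribute == "Identity Confidence":
        return ctx.get(attribute) == value
    # String attributes: Authentication Source, Authentication Type, IP Address, User Agent.
    actual, expected = _as_set(ctx.get(attribute, "")), _as_set(value)
    if operator == "Is one of":
        return bool(actual & expected)
    if operator == "Is not":
        return not (actual & expected)
    if operator == "Contains all of":
        return expected <= actual
    if operator == "Does not contain all of":
        return not (expected <= actual)
    if operator == "starts with":
        return any(a.startswith(e) for a in actual for e in expected)
    if operator == "matches":  # regular expression against the whole value
        return any(re.fullmatch(e, a) for a in actual for e in expected)
    raise ValueError(f"unsupported operator {operator!r}")


def condition_matches(ctx, cfg, condition):
    results = [pair_matches(ctx, cfg, *pair) for pair in condition["pairs"]]
    return all(results) if condition["operator"] == "AND" else any(results)


def evaluate_rule_set(rule_set, user_attrs, ctx, cfg):
    """Return (action, assurance_level), or None if the user is outside the population.

    The page does not say what happens when no condition matches, so that case is
    reported as ("No Match", None) for the caller to decide (assumption).
    """
    if not select_user(user_attrs, rule_set):
        return None
    access = rule_set["access"]
    if access == "Denied":
        return ("Deny Access", None)
    if access == "Allowed":
        if rule_set.get("additional_auth") == "Required":
            return ("Authenticate", rule_set["assurance"])
        return ("Allow Access", None)
    for cond in rule_set["conditions"]:  # Conditional: first matching condition wins
        if condition_matches(ctx, cfg, cond):
            return (cond["action"], cond.get("assurance"))
    return ("No Match", None)


# Constructed sample configuration, rule set, user and request contexts.
CFG = {"trusted_networks": ["10.20.0.0/16"], "trusted_locations": []}
RULE_SET = {
    "apply_to": "Selected Users", "match": "All",
    "user_expressions": [("department", "equals", "Contractors")],
    "access": "Conditional",
    "conditions": [
        {"operator": "AND", "action": "Allow Access",
         "pairs": [("Known Browser", None, True), ("Trusted Network", None, True)]},
        {"operator": "OR", "action": "Deny Access",
         "pairs": [("Country", "is not", ["Canada"]), ("High-Risk User List", None, True)]},
        {"operator": "AND", "action": "Authenticate", "assurance": "High",
         "pairs": [("Known Browser", None, False)]},
    ],
}
CONTRACTOR = {"department": "Contractors"}


def scenarios():
    """Known browser on a trusted network; unknown browser abroad; unknown browser at home."""
    on_net = {"Known Browser": True, "IP Address": "10.20.30.40", "Country": "Canada"}
    abroad = {"Known Browser": False, "IP Address": "203.0.113.5", "Country": "United States"}
    new_browser = {"Known Browser": False, "IP Address": "203.0.113.5", "Country": "Canada"}
    return [evaluate_rule_set(RULE_SET, CONTRACTOR, c, CFG) for c in (on_net, abroad, new_browser)]
```

Run `scenarios()` to see the three outcomes (allow, deny, step-up at High assurance). Note that with `trusted_locations` empty a `Trusted Location True` pair never matches, exactly as the attribute description states, so a rule set that relies on it silently falls through to the next condition.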
Clone an Access Policy
When you clone an access policy, RSA copies settings from the original policy to a new policy and names the new policy Clone of original_policy. You can edit the policy to give it a different name and modify the settings.
Procedure
- In the Cloud Administration Console, click Access > Policies.
- Find the policy you want to clone. Click the drop-down arrow, then Clone.
- When prompted, confirm that you want to clone the policy.
The new policy appears in the policy list.
Delete an Access Policy
You can delete access policies that are not needed and are not being used.
Note: If you delete an access policy that is being used to protect Authentication Manager resources, Authentication Manager will be disconnected from the Cloud Authentication Service. If you want to reconnect, select another policy and perform the registration process again in the Authentication Manager Security Console. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.
Before you begin
Verify that no applications, service providers, or RADIUS clients are using the policy you intend to delete. To view the policy usage, in the Cloud Administration Console click Access > Policies. Click the drop-down menu next to the policy and select View Usage.
Procedure
- Sign in to the Cloud Administration Console.
- Click Access > Policies.
- Find the policy you want to delete, click the Edit arrow, and select Delete from the drop-down list.
- When prompted, click Delete to confirm.
A message confirms that the delete was successful.
- (Optional). Click Publish Changes in the top menu bar if you want to activate the settings immediately. Otherwise, changes accumulate and are published during the next publish operation.
After you finish
After you delete the policy, make sure you update the client configuration (if applicable) with the changes to ensure that the client is using the correct access policy.