Add an Access PolicyAdd an Access Policy

Before you begin

Procedure

1. Sign in to the Cloud Administration Console.
2. Click Access > Policies.
3. Click Add a Policy.
4. On the Basic Information page, in the Name field, enter the name of this access policy.
5. (Optional) In the Description field, enter text to describe the policy.
6. Click Next Step.
7. On the Identity Sources page, select the identity source(s) that this policy uses.
8. Click Next Step.
9. On the Rule Sets page, in the Rule Set Name field, specify a name for the first rule set in this policy. If you select All Users, a default name is used.
10. The Apply to field determines who this rule set applies to. Select one option.

    Option	Description
    All Users	Apply this rule set to all users in the selected LDAP directory server. If no directory server is selected, the rule set applies to all users in all deployed directory servers.
    Selected Users	Apply this rule set only to users in the selected LDAP directory server who match the user attributes.

11. In the Selected users must match field, indicate how closely the user request must match the user attributes.

    Option	Result
    Any	The user request can match any single user attribute, but is not required to match all user attributes.
    All	The user request must match all user attributes in the rule set.

12. Click Add to add a user attribute expression that selects users.

    1. In the User Selection Rule dialog box, use the User Attribute, Operation, and Value fields to define the target population. The User Attribute field is case sensitive.

       Note: For detailed information on operations, see Operators for Using LDAP Attributes in Access Policies.
       

    2. Click Save.
    3. (Optional) Click ADD to add another user attribute expression.

13. In the Access field, specify whether users in the target population can access the application.

    Option	Description
    Allowed	All users in the target population can access the application.
    Conditional	Users in the target population can access the application depending on these conditions: Whether the context of the user request matches the conditional expression. Whether the Action field allows access, denies access, or requires additional authentication.
    Denied	Users in the target population cannot access the application.

14. If you selected Allowed, determine which users in the target population must use additional authentication to open the application. In the Additional Authentication field, select one option.

    Option	Description
    Required	Always require additional authentication.
    Not Required (default)	Additional authentication is not required.

15. If you selected Required, also select an Assurance Level. These options specify the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods.

    Users can select options from higher assurance levels. For example, if you select Low, users will see authentication options from the Low, Medium, and High assurance levels.

16. If you selected Conditional, click ADD to add at least one condition.

    1. A condition contains at least one attribute/value pair. Each pair forms a conditional expression. In the field Perform operator between each attribute and value pair, choose an operator described in the table.

       Operator	Meaning
       AND	The context of the user request must match all attribute/value pair expressions in the condition. For example, Known Browser True AND Country is Canada indicates the user must authenticate with a known browser and be located in Canada.
       OR	The context of the request must match only one attribute/value pair expression in the condition. For example, Known Browser False OR Country is Canada indicates the user must authenticate with an unknown browser or be located in Canada.

    2. In the Attribute field, select an attribute.

    3. Select or specify a Value for each attribute, as described in the table. For more information on attributes, see Condition Attributes for Access Policies.

       Attribute	Description and Values
       Authentication Source	Identifies the identity source or identity provider (IdP) used to validate the user's identity when accessing the application. Enter the same name that the identity source or IdP was given when it was added to RSA. You can enter multiple values for this attribute. If the policy includes multiple identity sources in the same domain, you can do one of the following: Add a condition for each identity source. If the identity sources have similar names, you can add one condition using the “starts with” operator. The names must be similar, for example, Corp AD1 or Corp AD2.
       Authentication Type	The method used to sign in to the identity router. Specify one of the following values: UserStore, to match users who enter an Active Directory or LDAPv3 directory server password to access the portal SAML for IWA or SAML IDP, to match users who use Integrated Windows Authentication.
       Country	Select is or is not to determine whether the user must be authenticating from the selected country in order to match the condition. For example, Country is Canada matches users who are in Canada, and Country is not Canada matches users who are not in Canada. You can select multiple countries from the drop-down list by holding down the Control key. RSA evaluates multiple selections as Country [is/is not] Country A or Country B or Country C, and so on.
       High-Risk User List	When you select True, the condition is matched if the user has been identified as high risk by a third-party program. When you select False, the condition is matched if the user has not been identified as high risk.
       Identity Confidence	Select Low if you want users with a low identity confidence score to match the condition, or High to if you want users with a high score to match the condition.
       IP Address	The user's IP address as seen by the identity router. This address might be obscured by network address translation (NAT). To specify a range of addresses, use an operator such as “starts with” or “matches.” You can use regular expressions. Use this attribute for users who are inside your corporate network.
       Known Browser	When you select True, the condition is matched if the user successfully completed additional authentication from this browser in the past and selected Remember This Browser. When you select False, the condition is matched if the user has not successfully completed additional authentication from this browser in the past and selectedRemember This Browser Note: RSA does not support the Known Browser attribute when users access the application portal through IWA or an external SAML IdP.
       Trusted Location	When you select True, the condition is matched when the user's location matches a location on the Trusted Location list. If you select True and no trusted locations have been added to RSA, the value is interpreted as False. When you select False, the condition is matched when the user's location does not match a location on the Trusted Location list. Use this attribute for users who are outside your corporate network.
       Trusted Network	When you select True, the condition is matched when the user's network matches a network on the Trusted Network list. If you select True and no trusted networks have been added to RSA, the value is interpreted as False. When you select False, the condition is matched when the user's network does not match a network on the Trusted Network list. For more information, see Add or Delete a Trusted Network .
       User Agent	Identifies the user's web browser type. You can use this attribute to differentiate between mobile browser users and desktop browser users. Check the HTTP request headers for details on the user agent. This is a sample User Agent value: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36 This attribute can produce inaccurate results if a user request is spoofing the browser. For example, the user-agent string that identifies the browser can be mobile-ios when the user is actually using a Firefox browser.

    Select an appropriate operator if you are using Authentication Source, authenticationType, ipAddress, or UserAgent. The following table describes how RSA matches user requests for certain operators.

    Operator	Requirements for Matching the User Request with the Condition
    Is one of	The user request must exactly match at least one value specified in the condition, but the request is not required to match all values in the condition. For example, the request is a match if the condition specifies AD1, IWA Connector and the request contains AD1.
    Is not	The user request must not contain any of the specified values.
    Contains all of	The user request must match all of the specified attribute values.
    Does not contain all of	The user request must not contain all of the specified attribute values, but it may contain none, one, or more values.

    4. In the Action field, select the action to perform if the condition is matched.

       Action	Description
       Deny Access	The user cannot open the application.
       Allow Access	The user can open the application without additional authentication.
       Authenticate	The user must complete additional authentication before opening the application.

    • If you selected Authenticate, select an Assurance Level. These options select the authentication methods to use during authentication. The assurance level (Low, Medium, or High) indicates the relative strength and security of the methods, according to your company's configuration.
    • Click Save.
17. (Optional) If you want to add another condition, click +ADD.
18. (Optional) If you want to add another rule set, click Add a Rule Set.
19. Click Save and Finish.
20. (Optional). Click Publish Changes in the top menu bar if you want to activate the settings immediately. Otherwise, changes accumulate and are published during the next publish operation.

Clone an Access PolicyClone an Access Policy

When you clone an access policy, RSA copies settings from the original policy to a new policy and names the new policy Clone oforiginal_policy. You can edit the policy to give it a different name and modify the settings.

1. In the Cloud Administration Console, click Access > Policies.
2. Find the policy you want to clone. Click the drop-down arrow, then Clone.
3. When prompted, confirm that you want to clone the policy.
   The new policy appears in the policy list.

Delete an Access PolicyDelete an Access Policy

You can delete access policies that are not needed and are not being used.

Note: If you delete an access policy that is being used to protect Authentication Manager resources, Authentication Manager will be disconnected from the Cloud Authentication Service. If you want to reconnect, select another policy and perform the registration process again in the Authentication Manager Security Console. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.

1. Sign in to the Cloud Administration Console.
2. Click Access > Policies.
3. Find the policy you want to delete, click the Edit arrow, and select Delete from the drop-down list.
4. When prompted, click Delete to confirm.
   A message confirms that the delete was successful.
5. (Optional). Click Publish Changes in the top menu bar if you want to activate the settings immediately. Otherwise, changes accumulate and are published during the next publish operation.

After you finish

After you delete the policy, make sure you update the client configuration (if applicable) with the changes to ensure that the client is using the correct access policy.