Managing Adaptive Access policy rules

You can add policy rules either when you create a policy or when you edit a policy.

About this task

The rule assessment of a policy in Verify is based on the order of evaluation. Each rule in the policy is assessed in sequence. The first rule that is successfully evaluated identifies the action that is associated with it. The order that the rules are listed is important to the outcome of the policy. You can sequence the rules to ensure that the policy and its rules can be assessed to meet specific business use cases. See 3.e.

If no rules are matched, the action that is associated with the default rule is identified.

The rule evaluation is combined with the risk assessment to determine the overall policy evaluation.

Procedure

Add a rule.

From either Add policy or by editing an existing policy, navigate to the Add rule button.
Click Add rule.
Enter the rule name.
Optional: Add a description for the rule.
Click Next.

Select the condition type, attribute, operator, and value.

Table 1. Policy options
The table lists the condition type attributes. The conditions are sorted by adaptive access, OIDC/OAuth context, custom attributes, device attributes, and user attributes.
Condition type	Operation	Condition values
Adaptive access These attributes are available if Adaptive access is selected for the policy. Note: FedRAMP does not support adaptive access. Therefore, these and any Trusteer attributes are not available for FedRAMP customers.
New device	is is not	Detected.
New geolocation	is is not	Detected.
Device status	is one of is none of	Select a condition value.
Risk level	is one of is none of	Specify a condition value.
Last MFA on device	less than greater than	Number of days since an MFA was performed on the device. The value can be 1-740 days. The default setting is 90 days.
Risky device	is is not	Detected.
Risky connection	is is not	Detected.
Country	is one of is none of	Specify a condition value.
City	is one of is none of	Specify a condition value.
Internet service provider	contains each of is one of is none of	Specify a condition value.
Network location (IP)	is one of is none of	Specify a condition value.
Behavioral anomaly	Is Is not	Detected.
OIDC/OAUTH context
acr_values	contains each of is none of is one of	Specify a condition value.
claims	contains each of is none of is one of	Specify a condition value.
client_type	contains each of is none of is one of	Specify a condition value.
code_challenge_exist	is is not	Detected.
redirect_uir_scheme	contains each of is none of is one of	Specify a condition value.
request_type	contains each of is none of is one of	Specify a condition value.
response_method	contains each of is none of is one of	Specify a condition value.
response_mode	contains each of is none of is one of	Specify a condition value.
response_type	contains each of is none of is one of	Specify a condition value.
scope	contains each of is none of is one of	Specify a condition value.
Custom attributes
`Any attributes that you added`	contains each of is none of is one of attribute starts with attribute ends with attribute is present (no value)	Specify a condition value. Note: Attribute functions can be used to extract from the full adaptive access response JSON elements that aren't included in the adaptive access pre-defined condition. They can be extracted into custom attributes that can be evaluated in policy rule conditions. See the adaptive risk section in a2_manage_rules_ve.dit Attribute functions, ../references/r_attr_functions.html#r_attr_functions__adaptive.
Device attributes
New device	Is	Detected. Note: When the device is new and MFA is not complete in the session, the rule action is overridden to MFA always.
Device platform	is one of is none of	Select one or more platforms.
Device compliance	is one of is none of	Select one or more compliance states.
User attributes
Group membership	contains each of is none of is one of	Provide a group or a comma-separated list of groups. Note: Comma-separated Active Directory group names must be wrapped in double quotation marks. For example, `“cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com”.`
realmName	contains each of is none of is one of	Provide the name of the realm.

Optional: Click Add Condition to add more condition types, attributes, operations, and values to the policy rule.
Click Next.
Select the action for the policy from the menu.
- Redirect to get additional content
- Block (Override)
- MFA (Override)
- Allow (Override)
- Block
- MFA always
- MFA per session
- Continue
- Allow
If you select an MFA action, you also need to specify the MFA method. You can select any available method or select one or more specific methods. The available selections depend on what is configured for your tenant. For example,
- Email OTP
- FIDO2
- SMS OTP
- Time-based OTP
- IBM Verify app
- Voice OTP
Click Add rule.
The rule type is added to the list of policy rules.

Edit or delete a rule.
1. Click the policy that you want to change the rules for.
2. Click Edit draft .
3. In the Policy rules section, click the icon for the rule that you want to edit.
  You can change the rule name, add a condition, change existing condition op-codes or values, or change the action for the rule.
4. Click Next.
5. Optional: From the Policy rules section, you can use the and icons to sequence the order that the rules are evaluated.
  The evaluation occurs in descending order. The default rule is always last in the sequence.
6. Optional: From the Policy rules section, you can use the Delete icon to delete a rule.
7. Click Save draft.