Creating an access policy

Set the access policy and rules that you want to apply to applications.

Procedure

  1. Select Security > Access policies.
  2. Click Add policy.
  3. Provide the policy name.
  4. Select a policy type.
    Federated sign-on policy
    These policies contain only rules that are evaluated after the user authenticates. First contact (pre-authentication) rules are not available for federated sign-on policies.
    Native web app policy
    A native web app policy has both pre-authentication and post-authentication rules, one set for each phase of authentication.

    Its first factor (pre-authentication) rules have only two result actions, Challenge or Block, and a limited set of attributes, such as IP address or location, because the user is not yet known. Its second factor and post-authentication rules offer the same attributes and actions as federated sign-on policy rules.

    Native mobile app policy
    A native mobile app policy has both pre-authentication and post-authentication rules, one set for each phase of authentication.

    Its first factor (pre-authentication) rules have only two result actions, Challenge or Block, and a limited set of attributes, such as OIDC/OAuth context or location, because the user is not yet known. Its second factor and post-authentication rules offer the same attributes and actions as federated sign-on policy rules.

    Native custom app policy
    A native custom app policy also has both pre-authentication and post-authentication rules, but unlike the native web and mobile policies it does not offer the adaptive access option.

    Its first factor (pre-authentication) rules have only two result actions, Challenge or Block, and a limited set of attributes, such as OIDC/OAuth context or location, because the user is not yet known. Its second factor and post-authentication rules offer the same attributes and actions as federated sign-on policy rules.

    Note: If you select Native custom app policy, Adaptive access is not available.
  5. Click Create policy.
    A policy draft is displayed. The Details panel lists the ID, creation date, creator, last modification date, and version.
  6. Optional: Click the Edit icon to edit the Basic settings.
    1. Change the policy name.
    2. Add a description that provides information about the policy.
    3. Click Save.
  7. For native app policies, create the first contact rules.
    For information about rules, see Managing policy rules.
    1. Click Add rule.
    2. Specify a name for the rule.
    3. Optional: Add a description.
    4. Click Next.
    5. Select the condition type, attribute, operator, and condition value.
    6. Optional: Click Add Condition to add more condition types, attributes, operators, and values to the policy rule.
    7. Click Next.
    8. Select the first contact action, either Challenge or Block.
    9. If you selected Challenge, specify the MFA method to use for the challenge.
    10. Click Add rule.
      Repeat these steps for each rule that you want to add.
  8. Select whether to enable adaptive access.
    For information about Adaptive Access, see Managing adaptive access.
    Note:
    • This option is not available for Native custom app policies.
    • FedRAMP does not support adaptive access. Therefore, this option is not available for FedRAMP customers.
    1. Select the action that is taken for each level of risk. For MFA actions, choose one or more of the following methods; which methods are offered depends on the tenant's authentication factor configuration.
      • Any available method (default)
      • Email OTP
      • FIDO2
      • SMS OTP
      • Time-based OTP
      • IBM Verify
      • Voice OTP
      • Duo Security
      • Custom provider
      Note: For users, the term passkey is used instead of FIDO to provide a more consumer-friendly experience.
    2. Select whether to send notifications to the user.
  9. Click Save.
  10. Select whether to require multi-factor reauthentication.
    1. Click the Edit icon to edit the reauthentication settings.
    2. Select the Require multi-factor reauthentication checkbox.
    3. Select how long the authentication remains valid. After that time expires, the user must authenticate again. The default is 8 hours.
    4. Optional: Specify whether the reauthentication requirement applies to each of the user's devices separately.
    5. Select the methods for reauthentication.
      For MFA methods, use any available method or choose one or more of the following; which methods are offered depends on the tenant's authentication factor configuration.
      • Any available method (default)
      • Behavioral biometrics
      • Email OTP
      • FIDO2
      • SMS OTP
      • Time-based OTP
      • IBM Verify
      • Voice OTP
      • Duo Security
      • Custom provider
    6. Click Save.
  11. Add external integrations.
    1. Click Add integration.
    2. Select one of your real-time access policy webhooks from the available integrations.
    3. Optional: If no suitable webhook exists, go to the Real-time webhooks page to create one.
    4. Click Save.
    You can edit the condition of your selected webhook in Policy rules (SSO).
  12. Set post-authentication policy rules.
    For information about rules, see Managing policy rules.
    1. Click Add rule.
    2. Specify a name for the rule.
    3. Optional: Add a description for the rule.
    4. Click Next.
    5. Select the condition type, attribute, operator, and condition value.
    6. Optional: Click Add Condition to add more condition types, attributes, operators, and values to the policy rule.
    7. Click Next.
    8. Select the action to be taken when the rule conditions are met.
      • Redirect to get additional context
      • Block (Override)
      • MFA (Override)
      • Allow (Override)
      • Block
      • MFA always
      • MFA per session
      • Continue
      • Allow
      Note: The Continue action is available only when adaptive access is enabled.
    9. If you selected an MFA option, specify the multi-factor authentication method.
      Use any available method or choose one or more of the following; which methods are offered depends on the tenant's authentication factor configuration.
      • Any available method (default)
      • Duo Security
      • Behavioral biometrics
      • Email OTP
      • FIDO2
      • SMS OTP
      • Time-based OTP
      • IBM Verify
      • Voice OTP
    10. Click Add rule.
      Repeat these steps for each rule that you want to add.
  13. Click Save draft.
  14. In the Policy rules section, use the Up arrow and Down arrow icons to set the order in which the rules are evaluated.
    Rules are evaluated from the top of the list downward. The default rule is always last in the sequence.
  15. Optional: Edit the draft to review your settings or to make any changes before you publish the draft.
  16. Click Publish.
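The rule structure that steps 7, 12 and 14 configure, modelled as an added Python example. This is constructed for this page and is not the product's own policy engine or API: it shows ordered rules with AND-ed conditions, evaluation from the top of the list downward with the default rule last, the restricted action set and attribute set of first contact rules, the difference between MFA always and MFA per session, and the reauthentication validity window. The attribute and operator names, the "proceed" outcome when no first contact rule matches, and first-match-wins semantics are assumptions made for the example.

```python
"""Model of policy-rule evaluation for an access policy (added illustration,
not the product's engine).  Assumed: attribute/operator names, first-match
semantics, and "proceed" as the outcome when no first contact rule fires."""
from dataclasses import dataclass, field
import ipaddress

# Result actions per phase, taken from the procedure's option lists.
FIRST_CONTACT_ACTIONS = {"challenge", "block"}
POST_AUTH_ACTIONS = {"block", "mfa_always", "mfa_per_session", "allow", "continue"}
# Before authentication the user is unknown, so only context attributes exist
# (assumed names standing in for IP address, location and OIDC/OAuth context).
FIRST_CONTACT_ATTRIBUTES = {"ip", "country", "oidc_client_id"}


@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str  # equals | not_equals | in_cidr | not_in_cidr (assumed set)
    value: str

    def matches(self, context: dict) -> bool:
        actual = context.get(self.attribute)
        if actual is None:
            return False  # a missing attribute never satisfies a condition
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "not_equals":
            return actual != self.value
        if self.operator in ("in_cidr", "not_in_cidr"):
            inside = ipaddress.ip_address(actual) in ipaddress.ip_network(self.value, strict=False)
            return inside if self.operator == "in_cidr" else not inside
        raise ValueError(f"unknown operator: {self.operator}")


@dataclass
class Rule:
    name: str
    action: str
    conditions: list = field(default_factory=list)  # every condition must match
    mfa_methods: tuple = ("any",)  # only meaningful for challenge / MFA actions

    def matches(self, context: dict) -> bool:
        return all(c.matches(context) for c in self.conditions)


@dataclass
class Policy:
    first_contact_rules: list
    post_auth_rules: list
    default_action: str = "allow"      # the default rule, always evaluated last
    reauth_validity_hours: float = 8   # page default for MFA reauthentication

    def __post_init__(self):
        # Enforce the per-phase restrictions the procedure describes.
        for rule in self.first_contact_rules:
            if rule.action not in FIRST_CONTACT_ACTIONS:
                raise ValueError(f"{rule.name}: first contact rules may only challenge or block")
            for cond in rule.conditions:
                if cond.attribute not in FIRST_CONTACT_ATTRIBUTES:
                    raise ValueError(f"{rule.name}: {cond.attribute!r} is unavailable before authentication")
        for rule in self.post_auth_rules:
            if rule.action not in POST_AUTH_ACTIONS:
                raise ValueError(f"{rule.name}: unknown post-authentication action")

    @staticmethod
    def _first_match(rules, context, default):
        # Top of the list downward; the first rule whose conditions all hold
        # decides, and the default catches everything else (assumed semantics).
        for rule in rules:
            if rule.matches(context):
                return rule.name, rule.action
        return "default", default

    def first_contact(self, context: dict):
        return self._first_match(self.first_contact_rules, context, "proceed")

    def post_auth(self, context: dict):
        return self._first_match(self.post_auth_rules, context, self.default_action)

    def needs_reauth(self, hours_since_mfa: float) -> bool:
        # The earlier factor stays valid only for the configured duration.
        return hours_since_mfa > self.reauth_validity_hours


def requires_mfa_prompt(action: str, session_mfa_done: bool) -> bool:
    """MFA always prompts on every evaluation; MFA per session only until done."""
    if action == "mfa_always":
        return True
    if action == "mfa_per_session":
        return not session_mfa_done
    return False


# Constructed sample policy: block a known-bad range, challenge sign-ins from
# outside the expected country, then identity-aware post-authentication rules.
SAMPLE_POLICY = Policy(
    first_contact_rules=[
        Rule("block-bad-range", "block", [Condition("ip", "in_cidr", "203.0.113.0/24")]),
        Rule("challenge-foreign", "challenge", [Condition("country", "not_equals", "US")],
             mfa_methods=("fido2", "totp")),
    ],
    post_auth_rules=[
        Rule("contractors-offnet", "block",
             [Condition("group", "equals", "contractors"), Condition("ip", "not_in_cidr", "10.0.0.0/8")]),
        Rule("admins-mfa", "mfa_per_session", [Condition("group", "equals", "admins")]),
    ],
)

if __name__ == "__main__":
    print(SAMPLE_POLICY.first_contact({"ip": "203.0.113.9", "country": "US"}))
    print(SAMPLE_POLICY.post_auth({"ip": "198.51.100.7", "group": "contractors"}))
```

Swapping the two post-authentication rules in `SAMPLE_POLICY` changes the outcome for a contractor in the admins group, which is the point of step 14: ordering is part of the policy, not cosmetic, so review it before you publish.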

What to do next

If you need to make any changes to the policy, click Edit as draft.