Editing an access policy

After creating a policy, you can review your settings and make changes before you publish your policy.

About this task

When you edit a policy, you create a draft copy of the policy where you can make your changes. This draft prevents the disruption of the active version while you are making your changes. When you publish the draft, it replaces the existing version of the policy.

Procedure

  1. Select Security > Access policies.
    A table lists the available policies. The Trash can icon indicates that the policy can be deleted. A Lock icon indicates that the policy is preset and can't be modified or deleted.
  2. Click the name of the policy that you want to edit.
    The policy is displayed and the Details panel lists the ID, creation date, creator, last modifier, last modification date, and version.
  3. Click the Edit as draft icon.
  4. Optional: Click the Edit icon to edit the Basic settings.
    1. Change the policy name.
    2. Add a description that provides information about the policy.
    3. Click Save.
  5. For native app policies, you can edit or add first contact rules.
  6. Select whether to enable or disable Adaptive access.
    For information about Adaptive access, see Managing adaptive access.
    Note: This option is not available for Native custom app policies.
    1. Select the action that is taken for each level of risk. For MFA actions, you can choose one or more of the following methods that are based on the tenant authentication factor configuration.
      • Any available method (default)
      • Duo Security
      • Email OTP
      • FIDO2
      • SMS OTP
      • Time-based OTP
      • IBM Verify
      • Voice OTP
    2. Select whether to send notifications to the user.
  7. Select whether to require multi-factor reauthentication.
    1. Click the Edit icon to edit the reauthentication settings.
    2. Select the Require multi-factor reauthentication checkbox.
    3. Select the duration that the authentication remains valid. After that time expires, the user must authenticate again. The default setting is 8 hours.
    4. You can specify whether you want reauthentication to apply to each of the user's devices.
    5. Select the methods for reauthentication.
      For MFA methods, you can use any available method or choose one or more of the following methods that are based on the tenant authentication factor configuration.
      • Any available method (default)
      • Duo Security
      • Behavioral biometrics
      • Email OTP
      • FIDO2
      • SMS OTP
      • Time-based OTP
      • IBM Verify
      • Voice OTP
    6. Click Save.
  8. Add, edit, or delete post-authentication rules.
    For information about rules, see Managing policy rules.
    1. Click Add rule.
    2. Specify a name for the rule.
    3. Optional: Add a description for the rule.
    4. Click Next.
    5. Select the condition type, attribute, operator, and value.
      Repeat these steps for each condition that you want to add.
    6. Click Next.
    7. Select the action to be taken when the rule conditions are met.
    8. Specify the multi-factor authentication method.
      Use any available method or choose one or more of the following methods that are based on the tenant authentication factor configuration.
      • Any available method (default)
      • Duo Security
      • Behavioral biometrics
      • Email OTP
      • FIDO2
      • SMS OTP
      • Time-based OTP
      • IBM Verify
      • Voice OTP
    9. Click Add rule.
  9. Optional: From the Policy rules section, use the Up arrow and Down arrow icons to set the order in which the rules are evaluated.
    The evaluation occurs in descending order. The default rule is always last in the sequence.
  10. If you do not need to make more changes, click Save draft.
    The Publish button becomes enabled.
  11. If your changes are complete, click Publish to make the policy available to be assigned to applications.