Managing access policies through APIs
An access policy is a set of rules and conditions that are evaluated to determine the access decision. You can create customized access policies. All customized access policies are displayed as options in the application configuration.
About this task
Some default access policies are provided for immediate use and cannot be modified. Tenants can add customized access policies according to their needs.
- Rules are evaluated on a first-match basis. When a match of all conditions in a rule evaluates to true, the result of the rule is returned as the evaluation decision. No further processing is completed.
- An optional parameter
alwaysRun: truecan be added to an individual rule. This parameter causes the rule to be evaluated in addition to the first-matched set of rules. The result of the first-match and thealwaysRunparameter are combined and the most restrictive action is applied as the result of the policy. MultiplealwaysRunrules can be added to a policy. - Where a policy requires a specific subscription for a condition, such as device management, and the tenant is not currently entitled for that subscription, the policy is skipped. A multi-factor authentication (MFA) decision is returned.
- Where a rule requires a specific subscription for MFA and the tenant is not currently entitled for that subscription, an evaluated MFA decision is changed to a deny. This change protects the application rather than allowing unconditional access.
The policy editor can be used to create and modify policies. See Managing access policies.
Some conditions cannot be added by using the policy editor. In those cases, the API can be used to modify existing policies or create new access policies with those conditions.
Syntax validation is performed when an access policy is created or updated.
Access policies are in the following JSON format:
Note: FedRAMP does not support adaptive access. Therefore, any
Trusteer attributes are not available for FedRAMP customers.
{
"name": "policy_name",
"description": "Description of the policy",
"schemaVersion": "urn:access:policy:4.0:schema",
"rules": [
{
"name": "allow_with_conditions",
"id": "1",
"conditions": {
"contextAttributes": {
"attributes": [
{
"name": "attrName",
"values": [
"value1",
"value2"
],
"opCode": "EQ"
}
]
},
"subjectAttributes": {
"attributes": [
{
"name": "realmName",
"values": [
"cloudIdentityRealm",
"www.ibm.com"
],
"opCode": "IN"
},
{
"name": "customAttr1",
"values": [
"val1"
],
"opCode": "NEQ"
}
]
},
"timeAttributes": {
"attributes": [
{
"name": "timezone",
"opCode": "EQ",
"values": [
"UTC Offset or GMT Offset"
]
},
{
"name": "startDate",
"opCode": "EQ",
"values": [
"YYYY-MM-DD HH:mm:ss"
]
},
{
"name": "endDate",
"opCode": "EQ",
"values": [
"YYYY-MM-DD HH:mm:ss"
]
},
{
"name": "Monday",
"opCode": "EQ",
"values": [
"hh:mm-hh:mm"
]
},
{
"name": "Tuesday",
"opCode": "EQ",
"values": [
"hh:mm-hh:mm"
]
}
]
},
"ipAddress": {
"opCode": "MATCH",
"values": [
"<ip_address>",
"<ip_address_range_start> - <ip_address_range_end>",
"<ip_address/subnet>"
]
},
"location": {
"attributes": [
{
"values": [
"3-Letter-ISO"
],
"name": "country",
"opCode": "IN"
}
]
}
"location": {
"attributes": [
{
"values": [
"<city>"
],
"name": "city",
"opCode": "IN"
}
]
}
"geoLocation": {
"enabled": "true"
},
"trusteer": {
"enabled": "true"
}
},
"result": {
"extendedAction": {
"action": "ACTION_ALLOW"
},
"authnMethods": []
}
},
{
"name": "Authentication factor validity",
"id": "2",
“alwaysRun”: true,
"conditions": {
"factorLifetimeAttributes": {
"attributes": [
{
"name": "anyFactor",
"opCode": "EQ",
"values": [
"120"
]
},
{
"name": "reauthPerDevice",
"opCode": "EQ",
"values": [
"enabled"
]
}
]
}
},
"result": {
"extendedAction": {
"action": "ACTION_MFA_OVERRIDE"
}
}
},
{
"name": "mfa_once_per_session_device_conditions",
"id": "3",
"contextAttributes": {
"attributes": [
{
"name": "devicePlatform",
"values": [
"IOS",
"ANDROID",
"OTHER_MOBILE",
"MACOS",
"WINDOWS",
"OTHER_DESKTOP"
],
"opCode": "IN"
},
{
"name": "deviceCompliance",
"values": [
"COMPLIANT",
"NONCOMPLIANT",
"UNKNOWN"
],
"opCode": "IN"
}
]
},
"result": {
"extendedAction": {
"action": "ACTION_MFA_PER_SESSION"
},
"authnMethods": [
"urn:ibm:security:authentication:asf:macotp"
]
}
},
{
"name": "deny_otherwise",
"id": "100",
"conditions": {},
"result": {
"extendedAction": {
"action": "ACTION_DENY"
},
"authnMethods": []
}
}
]
}
Note: Most of the API is already described in the swagger documentation. You can access
the swagger documentation from the administrator console .
For more information about the swagger APIs, see Verify Application programming interfaces (APIs).
The following information applies to the API rules.
- Each rule consists of these properties:
- name
- A name for the rule.
- id
- The unique ID for the rule that is used in event data and reports.
- conditions
- More than one condition can be present per rule. All conditions in the rule must evaluate to true for the rule to match and the result to be applied. The default rule contains an empty condition.
- The conditions contain the following properties:
- contextAttributes
- The attributes that are contextual to the flow in which the access policy was run. These attributes include Device management, OpenID Connect, and HTTP request attributes.
- subjectAttributes
- The login session attributes that are associated with the authenticated user subject.
- factorLifetimeAttributes
- Associate validity with a specific authentication factor or method.
- timeAttributes
- The time of the day attributes that enable time-based access control.
- ipAddress
- The IP address condition that enables individual, range, or subnet-based allow and blocklists .
- location
- The Country or City that is resolved from the user's IP address. Country must contain a
comma-separated list of the country name or three letter country codes based on the following ISO
standard. A single country or three letter country code is allowable.
City must contain a comma-separated list of the city name. A single city is allowable.
- geoLocation
- The locations where access decisions were verified. The default setting is for the previous five
verified locations. The condition property is either
enabled(true) ordisabled(false). - trusteer
- IBM Security Trusteer detects the first-time access of new devices for users.
- The attributes contain the following properties:
- name
- A name of the attribute.
- values
- The values of the attribute.
- opCode
- The operator.
- The operators for the evaluation of attribute values:
- EQ
- All of the values are present.
- NEQ
- None of the values are present.
- IN
- One or more of the values are present.
- MATCH
- The ipAddress condition opCode for matching IP addresses, ranges, or subnets.
- NOMATCH
- The ipAddress condition opCode for non-matching IP addresses, ranges, or subnets.
- The result contains the following properties:
- Action
- Specifies what action to trigger when the conditions are met. Valid values are:
- ACTION_ALLOW
- ACTION_MFA_ALWAYS - MFA every time the rule is matched during access policy evaluation.
- ACTION_MFA_PER_SESSION - MFA once per authenticated session and allow if already completed.
- ACTION_DENY.
- authnMethods
- Specifies the allowable authentication mechanisms when the action is a multi-factor
authentication (MFA). urn:ibm:security:authentication:asf:macotp - allow the
user to select any mechanism they can complete, or one or more of the following factors:
emailotp- email one-time passwordsmsotp- SMS one-time passwordtotp- Time-based one-time password (authenticator app)signatures- IBM® Verify app push notificationpasskey- passkey authenticatorvoiceotp- Verbal one-time password sent to the user's registered phone number.anyFactor– is an alias forurn:ibm:security:authentication:asf:macotp. This mechanism is used especially in thefactorLifetimecondition and represents any valid authentication mechanisms that are completed by the user.
Factor life time
This condition associates validity with a specific authentication factor or method. The validity can be associated with a user profile or with a user’s device.
This feature can be used to implement business logic like:
- For organizations that want to MFA a user only once per calendar day, you can configure reauthentication for an 18-hour period.
- For organizations that want to MFA a user once per business week, you can configure a policy
for every 6 days.Note: When the
reauthPerDeviceoption is enabled, a user is prompted for MFA for devices that aren't 'known'. For example, a user authenticates from a different browser (Chrome instead of Edge), or from a different physical device.When a private browsing mode is used, an MFA challenge is generated for the first access in each new session.
Note: Rules that contain this condition must be an “alwaysRun” rule with no other
conditions defined in that rule.
factorLifeTimeAttributes contain the
following mandatory attributes: - name
- A list of valid
authnMethodsor theanyFactorattribute. - values
- The validity interval in seconds for the
authnMethod. - opCode
- EQ.
The following attributes associates MFA validity with a user’s device if the value is
“enabled” or with user’s profile if the value is “disabled”.
- name
reauthPerDevice.- values
- Either enabled or disabled.
- opCode
- EQ.
Context attributes
Context attributes can include device management, OpenID Connect and HTTP Request attributes.
- Device management context attributes
- Device management attributes devicePlatform and deviceComplaince are defined under the
contextAttributes condition.
- devicePlatform
- The operating system and device platforms such as iOS, Android, Mac OS X. The allowed values are
IOS,ANDROID,OTHER_MOBILE,MACOS,WINDOWS,OTHER_DESKTOP. This condition requires the Device Management subscription, see Configuring conditional access. - deviceCompliance
- The compliance level of the device. The allowed values are
COMPLIANT,NONCOMPLIANT, andUNKNOWN. This condition requires the Device Management subscription, see Configuring conditional access.
- OpenID Connect context attributes
-
Most of the following context attributes that are available to OpenID Connect applications are OIDC request parameters. Those attributes that do not match 1-1 with the request parameter names are provided with an explanation. For more information, see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest and https://tools.ietf.org/html/rfc7636#section-4.3.
- scope
- An arbitrary space-separated list of scopes that this token receives. An example of a well-known
scope is
emailaddressprofileopenid. - response_type
- One or more of the following:
codetokenid_token. For the supported values, see https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/developer/explorer/#!/OpenID_Connect/handleAuthorizeGet. - acr_values
- Ties a specific
ARCto a specific authentication. - method
- A list of strings that contain the policies that were run in the format
urn:ibm:security:policy:id:<policy-id>. - claims
- A complex JSON.
- response_mode
- A string, one of
query fragment form_post. - response_method
- Specifies the method that is returned from a request to a URI.
- code_challenge_exist
- A Boolean choice in a PKCE flow that specifies whether a
code_challengewas sent in the request. - redirect_uri_scheme
- The scheme component of the redirect URI that detects a non-browser user agent and the response.
- client_type
- Specifies whether a client is a
publicorconfidentialclient. Confidential clients have a client secret. - request_type
- Identifies the endpoint that the request came from,
device_authorize,user_authorize,authorization,access_token,introspect,user_info,revoke, orclient_registration.
- HTTP request context attributes
- HTTP request headers can be evaluated in access policies. Use the HTTP request header name as
the name of the attribute in the contextAttributes and the value that
corresponds to the value of the inbound header. Transformation of values is not currently supported
and only the standard opCodes for context attributes can be used. For example,
,
"conditions": { "contextAttributes": { "attributes": [{ "name": "referer", "values": [ "https://<isv_tenant>/usc/", "https://<some_other_known_referrer>" ], "opCode": "IN" }, { "name": "user-agent", "values": [ "<specific_user_agent>" ], "opCode": "EQ" }, { "name": "x-forwarded-for", "values": [ "<x_forwarded_for_ip_address>" ], "opCode": "EQ" } ] } }
Cloud Directory subject attributes
The following subject attributes are
available for users from Cloud Directory identity source.
- displayName
- The name that is displayed for the user.
- name
- The given name followed by the surname.
- family_name
- The surname of the user.
- given_name
- The given name of the user.
- The email of the user.
- emailAddress
- The email of the user.
- groupIds
- The Group IDs.
- preferred_username
- A changeable username.
- uuid
- A unique identifier for the user.
- uniqueSecurityName
- A unique identifier for the user.
- realmName
- This value is always
cloudIdentityRealmfor non-federated Cloud Directory users. - userType
- This value is always
regularfor non-federated Cloud Directory users.
timeAttributes
Time of the day attributes.
- The attributes contain the following properties:
- name
- A name of the attribute. The name is a day of the week and optionally
timeZone, startDate, and endDate. It
can have the following values:
- Monday
- Tuesday
- Wednesday
- Thursday
- Friday
- Saturday
- Sunday
The day of the week time ranges are enabled by the range in their
{ ... "values": [ "hh:mm-hh:mm" ]}and can be optionally staged with a startDate and endDate. - timeZone
- The time zone that is associated with the region. The default is Coordinated Universal Time
(UTC). The values can be any of the following formats.
UTC<+/-><offset>- For example,UTC+10GMT<+/-><offset>- For example,GMT-5- A time zone database name - For example,
Australia/Brisbane
- startDate
- The start date and time for when the condition is active. It can be used individually to create
a block time match, staged with days of the week attributes. The startDate
takes precedence over the days of the week. Values are in the format
YYYY-MM-DD HH:mm:ss. For days of the week, the value is in the formathh:mm-hh:mm. - endDate
- The optional end date and time for when the condition is no longer active. It can be used
individually to create a block time match with a startDate or staged with days
of the week attributes. Without an endDate, the condition matches indefinitely
if a startDate or day of week exists. Values are in the format
YYYY-MM-DD HH:mm:ss.
ipAddress
The IP address-based condition that supports IPv4 and IPv6.
- The condition contains the following property:
- values
- The values of the condition. Valid values are a range of IP addresses, a comma-separated IP address list or a CIDR IP address.
- opCode
- The operator. Specific opCodes are required for the
ipAddress condition.The operators that are available:
- MATCH
- All of the values are present.
- NOMATCH
- None of the values are present.
location
The Country or City resolved from the user's IP address. Country must contain a comma-separated list of the country name or three letter country codes based on the following ISO standard. See ISO 3166-1 alpha-3. A single country or 3 letter country code is allowable. City must contain a comma-separated list of the city name. A single city is allowable.
- The condition contains the following property:
- enabled
- Whether the condition is enabled (true) or disabled (false).
- opCode
- The operator. Specific opCodes are required for the
location condition.The operators that are available:
- IN
- One or more of the values are present.
- NOT IN
- None of the values are present.
geoLocation
The locations where access decisions were verified. The default setting is for the previous five verified locations.
- The condition contains the following property:
- enabled
- Whether the condition is enabled (true) or disabled (false).
trusteer
IBM Security Trusteer detects the first-time access of new devices for users.
- The condition contains the following property:
- enabled
- Whether the condition is enabled (true) or disabled (false).