Managing access policies
You can create, modify, or delete access policies and the rules for access policies.
Procedure
-
Select
Security > Access policies.
A table lists the available policies by name and description. The icons indicate whether the policy can be edited or deleted . A lock icon indicates that the policy is preset and can't be modified or deleted.
- Add a policy.
- Select Add policy.
- Provide the policy name and a policy description.
- Select Next.
- Select a policy type.
- Federated sign-on policy
- These policies set the rules that are evaluated after user authentication is done. First contact rules are not available for federated sign-on policies. Skip step f and step g.
- Native web app policy
- A web native app policy has both pre and post-authentication rules
for the different phases of authentication.
Native web app policy first factor, pre-authentication, rules have different result actions, either challenge or block. They have a limited set of attributes like IP or location because the actual user is unknown. Native web app policy second factor and post authentication rules are the same as Federated sign-on policies rules in terms of available attributes and actions.
- Native mobile app policy
- A mobile native app policy has both pre and post-authentication rules for the different phases
of authentication.
Native mobile app policy first factor, pre-authentication, rules have different result actions, either challenge or block. They have a limited set of attributes like OIDC/OAuth context or location attributes because the actual user is unknown. Native mobile policy second factor and post authentication rules are the same as Federated sign-on policies rules in terms of available attributes and actions.
- Native custom app policy
- A native custom app policy has both pre and post-authentication rules for the different phases
of authentication. However, it differs from the native web and mobile
policies in that it does not provide the adaptive access option. Skip step
h.
Native custom app policy first factor, pre-authentication, rules have different result actions, either challenge or block. They have a limited set of attributes like OIDC/OAuth context or location attributes because the actual user is unknown. Native custom policy second factor and post authentication rules are the same as Federated sign-on policies rules in terms of available attributes and actions.
- Select Next.
- Create first contact rules for pre-authentication. This option is available for Native app policy only. You can edit the default rule, or create more pre-authentication rules. See Managing policy rules for information about creating rules.Note: Select the to change the action and MFA options of the default rule. You can use the overflow menu icon to sequence the order that the rules are evaluated.
- Select Next.
- Select whether to enable adaptive access. Note: This option is not available for Native custom app policies.You can select the action that is taken for each level of risk. For MFA actions you can choose one ore more of the following methods.
- Email OTP
- FIDO2
- SMS OTP
- Time-based OTP
- IBM Verify
- Voice OTP
- Select Next.
- Select whether to enable reauthentication. If you enable it,
- You can specify whether you want reauthentication to apply to each of the user's device.
- Select the duration that the authentication remains valid. After that time expires, the user must authenticate again. The default setting is for 8 hours.
- Select Next.
- Optional: Add a rule. See Managing policy rules. These rules are applied after user authentication.Note: Select the to change the action of the default rule. You can use the overflow menu icon to sequence the order that the rules are evaluated.
- Select Next.
-
Select Save.
The policy is added to the list of available policies and can be selected when you set the access policy for the administration console and home page.
- Edit a policy. You can add more rules, delete rules, change the default rule action, or change the sequence of rule evaluation.
- Select the policy and select the edit icon .
- Optional: Change the policy name or description.
- Optional: For federated sign-on policies, you can enable or disable Adaptive Access.
- For native app policies, you can add or edit pre-authentication rules.
- Enable or disable Reauthentication and change the validation settings.
- Optional: Add or edit rules. Note: For federated sign-on policies, you can add or edit rules that are post-user authentication only. For native app policies, you can add or edit pre-user authentication and post-user authentication rules.
- Optional: Use the overflow menu icon to sequence the order that the rules are
evaluated. The evaluation occurs in descending order. The default rule is always last in the sequence.
- Optional: Select the icon to change or delete a rule.
- Select Save.
- Select Done.
- Delete a policy. Note: A policy that is deleted cannot be restored. If the policy is needed again, you must manually re-create it.
- Select the policy and select the delete icon .
- Confirm that you want to delete the policy. The policy is removed from the list of available policies and can no longer be set as the access policy for the administration console and home page.