Managing policy rules
Use this task to manage the policy rules.
About this task
You can add policy rules either when you create a policy or when you edit a policy.
Verify evaluates the rules of a policy in the order in which they are listed. The first rule whose conditions are met is applied to the request, and no later rule is considered, so the order of the rules determines the outcome of the policy. Sequence the rules so that the policy meets your business use case. For example, a rule that blocks a denied group must be placed above a broader rule that allows a corporate network range; otherwise the allow rule matches first and the block never takes effect. See the step on sequencing rules under Edit or delete a rule.
Procedure
- Add a rule.
- From either Security > Access policies > Add policy or by editing an existing policy, navigate to the Add new rule button.
- Click Add new rule.
- Enter the rule name.
- Optional: Provide a description for the rule.
- Click Next.
- Select the condition type, attribute, operator, and value. When you select a condition type, the operations in the menu are filtered according to that condition type.
Note: For first-contact rules in native app policies, the following condition types are available:
  - Location attributes: Network location (IP), Country, City
  - OIDC/OAUTH context: client_type
Table 1. Policy options (condition type, attribute, operations, and condition values)

Adaptive access. These attributes are available only if Adaptive access is selected for the policy.
- New device: Is, Is not. Condition value: Detected.
- New geolocation: Is, Is not. Condition value: Detected.
- Risky device: Is, Is not. Condition value: Detected.
- Risky connection: Is, Is not. Condition value: Detected.
- Country: One of, None of. Specify a condition value.
- City: One of, None of. Specify a condition value.
- Internet service provider: Value or values must exist in attributes; Value or values must not exist in attributes; At least one value must exist in attributes. Specify a condition value.
- Remote IP: One of, None of. Specify a condition value.
- Behavioral anomaly: Is, Is not. Condition value: Detected.

OIDC/OAUTH context. Each of the following attributes supports the operations Value or values must exist in attributes, Value or values must not exist in attributes, and At least one value must exist in attributes. Specify a condition value.
- acr_values
- claims
- client_type
- code_challenge_exist
- redirect_uir_scheme
- request_type
- response_method
- response_mode
- response_type
- scope

Custom attributes. Any attributes that you added: Value or values must exist in attributes; Value or values must not exist in attributes; At least one value must exist in attributes; Attribute starts with; Attribute ends with; Attribute is present (no value). Specify a condition value.

Device attributes
- New device: Is. Condition value: Detected.
- Device platform: One of, None of. Select one or more platforms.
- Device compliance: One of, None of. Select one or more compliance states.

Location attributes. These attributes are not available if Adaptive access is selected for the policy.
- Network location (IP): One of, None of. Provide an IP address, a comma-separated list of IP addresses, an IP range, or an IP address with subnet.
- Location history: Is, Is not. Condition value: Verified.
- Country: One of, None of. Provide a three-letter country code or a comma-separated list of codes as defined by ISO 3166-1 alpha-3 (see https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3).
- City: One of, None of. Specify a condition value.

User attributes
- Group membership: Value or values must exist in attributes; Value or values must not exist in attributes; At least one value must exist in attributes. Provide a group or a comma-separated list of groups. Note: Because Active Directory group names are distinguished names that contain commas themselves, each comma-separated Active Directory group name must be wrapped in double quotation marks. For example, "cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com".
- realmName: Value or values must exist in attributes; Value or values must not exist in attributes; At least one value must exist in attributes. Provide the name of the realm.
- Optional: Click Add Condition to add more condition types and operations to the policy rule.
- Select the action for the policy from the menu.
- Redirect to get additional context
- Block (Override)
- MFA (Override)
- Allow (Override)
- Block and redirect
- Block
- MFA always
- MFA per session
- Continue
- Allow
Note: For native app policies, only the Block and Challenge actions are available. If you select Challenge, specify one or more authentication methods:
  - FIDO2
  - Password
  - QR code
- Click Save. The rule type is added to the list of policy rules.
- Edit or delete a rule.
- Open the policy whose rules you want to change.
- In the Policy rules section, open the rule that you want to edit. You can change the rule name, add a condition, change the operator or values of an existing condition, or change the action for the rule.
- Click Save.
- Optional: In the Policy rules section, use the overflow menu icon to change the order in which the rules are evaluated. Rules are evaluated from top to bottom, and the first rule whose conditions are met determines the action for the request. The default rule is always last in the sequence.
- Optional: In the Policy rules section, use the overflow menu icon to delete a rule.
- Click Save.
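The following Python is an added example, written for this page and not IBM Security Verify code, that models the first-match evaluation described in About this task and in the sequencing step above, together with the operations from Table 1 (One of, None of, the three "exist in attributes" operations, and Network location (IP) with an address or subnet). The evaluator, the operator keys, the request-context layout, the rule names, and the sample contexts are all constructed for the example; it also assumes that every condition in a rule must hold for the rule to match.

```python
"""Added example: first-match evaluation of access-policy rules.

Illustrative code for this page, not IBM Security Verify code. The
evaluator, operator keys, context layout and sample data are assumptions;
operation and action names follow Table 1. Assumption: all conditions in
a rule must hold for the rule to match.
"""
import ipaddress
from dataclasses import dataclass, field


# Operations from Table 1 expressed as predicates on (actual, expected).
def one_of(actual, expected):
    return actual in expected


def none_of(actual, expected):
    return actual not in expected


def all_values_exist(actual, expected):
    # "Value or values must exist in attributes": every listed value present.
    return set(expected) <= set(actual)


def no_values_exist(actual, expected):
    # "Value or values must not exist in attributes": none of them present.
    return not (set(expected) & set(actual))


def any_value_exists(actual, expected):
    # "At least one value must exist in attributes".
    return bool(set(expected) & set(actual))


def ip_one_of(actual, expected):
    # Network location (IP): a single address or an address with subnet.
    addr = ipaddress.ip_address(actual)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in expected)


def ip_none_of(actual, expected):
    return not ip_one_of(actual, expected)


OPERATORS = {
    "one_of": one_of, "none_of": none_of,
    "all_exist": all_values_exist, "none_exist": no_values_exist,
    "any_exist": any_value_exists,
    "ip_one_of": ip_one_of, "ip_none_of": ip_none_of,
}


@dataclass
class Condition:
    attribute: str
    operator: str
    values: list


@dataclass
class Rule:
    name: str
    action: str
    conditions: list = field(default_factory=list)


def condition_holds(cond, ctx):
    if cond.attribute not in ctx:
        return False  # a missing attribute never satisfies a condition
    return OPERATORS[cond.operator](ctx[cond.attribute], cond.values)


def evaluate_policy(rules, default_action, ctx):
    """Return (rule name, action) of the first rule whose conditions all hold.

    Rules are checked top to bottom; the default rule is always last.
    """
    for rule in rules:
        if all(condition_holds(c, ctx) for c in rule.conditions):
            return rule.name, rule.action
    return "default", default_action


# Constructed sample rules (names and values made up for the example).
BLOCK_DENIED_GROUP = Rule("Block denied group", "Block", [
    Condition("groups", "any_exist",
              ["cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com"]),
])
ALLOW_CORP_NET = Rule("Allow corporate network", "Allow", [
    Condition("ip", "ip_one_of", ["10.0.0.0/8", "192.0.2.10"]),
])
MFA_ABROAD = Rule("MFA outside home countries", "MFA always", [
    Condition("country", "none_of", ["USA", "CAN"]),
])
DEFAULT_ACTION = "MFA per session"

# Block rule first: a denied user is blocked even from the corporate network.
RULES_BLOCK_FIRST = [BLOCK_DENIED_GROUP, ALLOW_CORP_NET, MFA_ABROAD]
# Allow rule first: the broad network rule shadows the block rule.
RULES_ALLOW_FIRST = [ALLOW_CORP_NET, BLOCK_DENIED_GROUP, MFA_ABROAD]

# Constructed request contexts (sample data, not real users).
DENIED_INSIDER = {
    "groups": ["cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com"],
    "ip": "10.1.2.3", "country": "USA",
}
TRAVELLER = {"groups": ["cn=staff,o=example"], "ip": "203.0.113.5",
             "country": "DEU"}
HOME_USER = {"groups": ["cn=staff,o=example"], "ip": "203.0.113.5",
             "country": "USA"}

if __name__ == "__main__":
    for label, rules in (("block first", RULES_BLOCK_FIRST),
                         ("allow first", RULES_ALLOW_FIRST)):
        print(label, evaluate_policy(rules, DEFAULT_ACTION, DENIED_INSIDER))
    print("traveller", evaluate_policy(RULES_BLOCK_FIRST, DEFAULT_ACTION, TRAVELLER))
    print("home user", evaluate_policy(RULES_BLOCK_FIRST, DEFAULT_ACTION, HOME_USER))
```

Running the block shows the point of the sequencing step: with the block rule first, the denied insider on the corporate network is blocked, while moving the allow rule above it lets the same request through, because evaluation stops at the first matching rule. Requests that match no rule fall through to the default rule, which is why the default action should be the safe one.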