Managing policy rules
You can add policy rules either when you create a policy or when you edit a policy.
About this task
Verify evaluates the rules of a policy in the order in which they are listed. The first rule whose conditions are met is applied to the request, and no later rule is considered, so the order of the rules determines the outcome of the policy. Sequence the rules so that the policy produces the intended decision for each business use case; see the sequencing step under Edit or delete a rule.
Procedure
- Add a rule.
- From either Add policy or by editing an existing policy, navigate to the Add rule button.
- Click Add rule.
- Enter the rule name.
- Optional: Add a description for the rule.
- Click Next.
- Select the condition type, attribute, operator, and value. When you select a condition type, the operators in the menu are filtered according to the selected condition type.
Note: For the first contact rules of native app policies, only the following condition types are available:
- Location attributes: Network location (IP), Country, City
- OIDC/OAUTH context: client_type
Table 1. Policy options. Each entry lists the attribute, its operators, and the condition value that you provide.
Adaptive access. These attributes are available only if Adaptive access is selected for the policy.
- New device. Operators: Is, Is not. Value: Detected.
- New geolocation. Operators: Is, Is not. Value: Detected.
- Last MFA on device. Operators: Less than, Greater than. Value: the number of days since an MFA was performed on the device, from 1 to 740 days. The default is 90 days.
- Risky device. Operators: Is, Is not. Value: Detected.
- Risky connection. Operators: Is, Is not. Value: Detected.
- Country. Operators: Is one of, Is none of. Value: specify a condition value.
- City. Operators: Is one of, Is none of. Value: specify a condition value.
- Internet service provider. Operators: Contains each of, Is one of, Is none of. Value: specify a condition value.
- Remote IP. Operators: Is one of, Is none of. Value: specify a condition value.
- Behavioral anomaly. Operators: Is, Is not. Value: Detected.
OIDC/OAUTH context.
- acr_values. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- claims. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- client_type. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- code_challenge_exist. Operators: Is, Is not. Value: Detected.
- redirect_uri_scheme. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- request_type. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- response_method. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- response_mode. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- response_type. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
- scope. Operators: Contains each of, Is none of, Is one of. Value: specify a condition value.
Custom attributes.
- Any attribute that you added. Operators: Contains each of, Is none of, Is one of, Attribute starts with, Attribute ends with, Attribute is present (no value). Value: specify a condition value; Attribute is present takes no value.
Device attributes.
- Device platform. Operators: Is one of, Is none of. Value: select one or more platforms.
- Device compliance. Operators: Is one of, Is none of. Value: select one or more compliance states.
Location attributes. These attributes are not available if Adaptive access is selected for the policy.
- Network location (IP). Operators: Is one of, Is none of. Value: an IP address, a comma-separated list of IP addresses, an IP range, or an IP address with subnet.
- Location history. Operators: Is, Is not. Value: Verified.
- Country. Operators: Is one of, Is none of. Value: a country or a comma-separated list of three-letter country codes as defined by ISO 3166-1 alpha-3 (see https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3).
- City. Operators: Is one of, Is none of. Value: specify a condition value.
User attributes.
- Group membership. Operators: Contains each of, Is none of, Is one of. Value: a group or a comma-separated list of groups. Note: An Active Directory group name that itself contains commas must be wrapped in double quotation marks so that it is not split into several values, for example "cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com".
- realmName. Operators: Contains each of, Is none of, Is one of. Value: the name of the realm.
- Optional: Select Add Condition to add more condition types, attributes, operations, and values to the policy rule.
- Select Next.
- Select the action for the rule from the menu:
- Block (Override)
- MFA (Override)
- Allow (Override)
- Block
- MFA always
- MFA per session
- Allow
- For the MFA actions, select the authentication methods that can be used to complete the second factor:
- Email OTP
- FIDO2
- SMS OTP
- Time-based OTP
- IBM Verify app
- Voice OTP
- Select Add rule. The rule is added to the list of policy rules.
- Edit or delete a rule.
- Select the policy whose rules you want to change.
- Select Edit draft.
- In the Policy rules section, click the Edit icon for the rule that you want to edit. You can change the rule name, add a condition, change the operators or values of existing conditions, or change the action for the rule.
- Select Next.
- Optional: In the Policy rules section, use the move up and move down icons to sequence the order in which the rules are evaluated. Rules are evaluated from the top of the list downward, and the first rule whose conditions are met is applied. The default rule always remains last in the sequence.
- Optional: In the Policy rules section, use the Delete icon to delete a rule.
- Select Save draft.
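The following Python is an added example, written for this page and not part of IBM Verify or its documentation, that models the evaluation order this task describes: a policy is an ordered list of rules with the default rule last, and the first rule whose conditions are met decides the request. It implements the Is one of, Is none of, Contains each of, starts with, ends with and is present operators from Table 1, splits comma-separated condition values with the double-quote convention noted for Active Directory group names, and matches a Network location (IP) value given as a single address, an address with subnet, or a range. The attribute keys (network_location, group_membership, device_compliance, country), the start-end syntax for IP ranges, the sample rules and request contexts, and the rule that all conditions within one rule must hold are assumptions made for the example, not taken from the product.

```python
import csv
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

def split_values(text: str) -> List[str]:
    """Split a comma-separated condition value. A double-quoted item keeps its
    commas, so an AD group DN stays one value (the Table 1 note on quoting)."""
    return [v.strip() for v in next(csv.reader([text], skipinitialspace=True)) if v.strip()]

def ip_matches(ip: str, spec: str) -> bool:
    """spec: one address, an address/prefix subnet, or (assumed syntax) 'start-end'."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

@dataclass
class Condition:
    attribute: str  # example keys for this demo, not product identifiers
    operator: str
    value: str = ""

    def matches(self, ctx: dict) -> bool:
        actual, want, op = ctx.get(self.attribute), split_values(self.value), self.operator
        if self.attribute == "network_location":
            hit = actual is not None and any(ip_matches(actual, v) for v in want)
            return hit if op == "is one of" else not hit  # "is none of"
        # A missing attribute is an empty set, so "is none of" matches a request with no value at all.
        if actual is None:
            have = set()
        else:
            have = set(actual) if isinstance(actual, (list, set, tuple)) else {actual}
        if op == "is present":
            return bool(have)
        if op == "is one of":
            return bool(have & set(want))
        if op == "is none of":
            return not (have & set(want))
        if op == "contains each of":
            return set(want) <= have
        if op in ("starts with", "ends with"):
            fn = str.startswith if op == "starts with" else str.endswith
            return any(fn(str(h), w) for h in have for w in want)
        raise ValueError(f"unsupported operator: {op}")

@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    action: str

    def matches(self, ctx: dict) -> bool:
        return all(c.matches(ctx) for c in self.conditions)  # assumed: conditions are ANDed

@dataclass
class Policy:
    rules: List[Rule]
    default_action: str

    def evaluate(self, ctx: dict) -> Tuple[str, str]:
        """First match wins, top to bottom; the default rule is always last."""
        for rule in self.rules:
            if rule.matches(ctx):
                return rule.name, rule.action
        return "Default rule", self.default_action

    def moved(self, name: str, index: int) -> "Policy":
        """Copy with the named rule at position index (what the move icons do)."""
        rules = [r for r in self.rules if r.name != name]
        rules.insert(index, next(r for r in self.rules if r.name == name))
        return Policy(rules, self.default_action)

# Constructed sample policy; the quoted AD group DN survives the comma split.
BLOCKED_GROUPS = '"cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com", contractors'
CORP_NET = "10.0.0.0/8, 192.168.1.10-192.168.1.20"
POLICY = Policy([
    Rule("Block listed groups", [Condition("group_membership", "is one of", BLOCKED_GROUPS)], "Block"),
    Rule("Allow from corporate network", [Condition("network_location", "is one of", CORP_NET),
                                          Condition("country", "is one of", "USA, GBR")], "Allow"),
    Rule("Unmanaged device needs MFA", [Condition("device_compliance", "is none of", "compliant")], "MFA always"),
], default_action="MFA per session")

# Constructed request contexts.
BLOCKED_INSIDER = {"network_location": "10.20.30.40", "country": "USA", "device_compliance": "compliant",
                   "group_membership": ["employees", "cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com"]}
REMOTE_UNMANAGED = {"network_location": "203.0.113.7", "country": "USA", "device_compliance": "noncompliant",
                    "group_membership": ["employees"]}

if __name__ == "__main__":
    for ctx in (BLOCKED_INSIDER, REMOTE_UNMANAGED, dict(REMOTE_UNMANAGED, device_compliance="compliant")):
        print(POLICY.evaluate(ctx))
    # Moving the Allow rule above the Block rule lets the blocked insider through.
    print(POLICY.moved("Allow from corporate network", 0).evaluate(BLOCKED_INSIDER))
```

With the rules in the order shown, the member of the block-listed group is blocked even though the request comes from the corporate network; moving the Allow rule to the top reverses that decision, which is why the block rule belongs above any broad allow rule. The example also shows that an Is none of condition on an attribute that the request does not carry is treated as satisfied, so a rule built only on such a condition can fire for requests with no value for that attribute.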