RSA® Adaptive Authentication (On-Premise) 7.1 Back Office User’s Guide
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm

Trademarks
RSA, the RSA Logo, eFraudNetwork and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Contents

Preface  9
  About This Guide  9
  RSA Adaptive Authentication (On-Premise) Documentation  9
  Support and Service  10
    Before You Call Customer Support  10

Chapter 1: RSA Adaptive Authentication Back Office Applications  11
  Back Office Applications Overview  11
    Back Office Application Suite  12
    Standalone Back Office Applications  13
  Log On to a Back Office Application  14
  Log Off from a Back Office Application  15
  Password Change  15
  Change your Password  16
  Reset a Forgotten Password  16
  Localization and Internationalization of the Back Office Applications  17

Chapter 2: Managing Access to the Back Office Applications  19
  Access Management Application Overview  19
  User Management  19
    Access the Application Users Page  21
    Application Users Page  21
    View User Details  21
    Add a User  22
    Edit User Details  23
    Unlock a User  23
    Remove a User  24
  Role Management  24
    Access the Application Roles Page  25
    Role Details  25
    View Role Details  26
    Add a Role  26
    Edit a Custom Role  27
    Remove a Role  27
    Access Management Roles  28
    Case Management Role Permissions  31
    Policy Management Role Permissions  32
  Organization Management  33
    Access the Application Organizations Page  34
    View Organization Details  34
    Add an Organization  34
    Edit Organization Details  35
    View Available Organizations  35
  Group Management  36
    Access the Application Groups Page  36
    Application Group Page  36
    View Group Details  37
    Add a Group  37
    Edit Group Details  37

Chapter 3: Managing Policies  39
  Introduction to Policy Management  39
    Policies for Organizations  39
    Reference Policy  40
    Additional Configuration Elements  41
    Policy Refresh  41
  Introduction to Rules  41
    Event Types  42
    Conditions  42
    Expressions  44
    Facts  44
    Operators  44
    Actions  47
    Authentication Methods  47
    Risk Score  48
    Case Creation  49
    Rule Status  49
    Status Change  50
  Rule Management  51
    Manage Rules Table  52
    Sorting and Filtering Rules  53
    Add a Rule  53
    Comparing Policy Facts  55
    Edit a Rule  57
    Delete a Rule  58
    General Rule Parameters  58
    Request a Status Change for a Rule  60
    Cancel a Status Change Request for a Rule  60
    Approve a Status Change Request for a Rule  61
    Reject a Status Change Request for a Rule  61
    Duplicate Rules to Another Organization  62
  Policy Export and Import  63
    Export Policy Data  63
    Import Policy Data  64
  List Management  65
    Manage Lists Table  66
    Add a List  67
    Add a Single Value to a List  67
    Add a Range of IP Values to a List  68
    Import a Set of Values to a List  69
    Edit a List  70
    Delete a List  70
    Hash the Values of a User ID List  71
    General List Parameters  71
  Custom Facts Management  72
    Manage Custom Facts Table  72
    Add a New Custom Fact  73
    Edit a Custom Fact  73
    Delete a Custom Fact  74
    Custom Fact Parameters  74
  Custom Event Type Management  75
    Manage Custom Event Types Table  76
    Add a Custom Event Type  76
    Edit a Custom Event Type  76
    Custom Event Type Parameters  77
  Policy Report  78
    Sample Policy Report  79
    Generate a Policy Report  80

Chapter 4: Managing Cases  83
  Case Management Application Overview  83
  Case Management Functionality  84
    Flagged Activities  84
    Pending Activities and Cases  85
    Closed and Expired Cases  85
    Actions Resulting from Triggered Rules  86
    Terminating Open Authentication Sessions  86
    Challenge Scenarios  86
  Case Assignment  88
    Assign Manually Created Cases from the Lookup User Page  88
    Assign Manually Created Cases from the Research Activities Page  89
  Case Grouping  89
    Default Group  89
    Operator Group  89
  Lifecycle Milestones of Cases  90
  Case Workflows  90
    Case Creation Workflow  90
    Case Handling Workflow  90
  Case Management Menu  91
    Recent Account Activity Fields  94
    Detailed Activity Information Fields  95
  Case Status  99
  Case Mode  100
  Process Queue Management  101
    Case Priority  101
    Access the Process Queue Page  102
    Stop Automatic Refresh of the Process Queue  102
    Restart Automatic Refresh of the Process Queue  102
    Case Listing in the Process Queue  102
    Case Locking and Unlocking  102
  View the Queue  103
    Access the View the Queue Page  103
    Filter the Queue Using the Filter Tab  103
    Filter the Queue Using the Advanced Tab  104
    Advanced Tab Fields  105
  Look Up an End User  106
  Case Update  108
    Update a Case Using Lookup User  108
    Update a Case in the Process Queue  108
    Update Case Example  109
  Manually Set a Resolution for an Activity  109
  Case Resolution  110
  Operator Group Management  111
    Access the Manage Operator Group Page  111
    Operator Group Definition  111
    Filters for Defining Operator Groups  112
    Add an Operator Group  112
    Edit Operator Group Criteria  112
    Delete an Operator Group  113
    Operator and Operator Group Filters  113
    Set a Default Operator Group  114
    Operator Groups for a New Organization  114
  Operator Management  115
    Access the Manage Operators Page  115
    Add an Operator to an Operator Group  115
    Change the Operator Group of an Operator  115
  Research Activities  116
    Access the Research Activities Page  116
    Research Activities Filters  116
    Search for Cases Using Research Activities Filters  117
    Display a Case  118
    Edit a Case  119
    Update a Case Buttons  119
  Snooze Mode  119
    Apply Snooze Mode to a Case  119
  Top Risk Score Contributors  120
Chapter 5: Managing End-User Accounts  121
  Customer Service Application Overview  121
  Find an End User  122
  End User’s Account History  123
    End User Account History Information  123
    Activities within the Account History Information  124
  Account Locking  125
    Lock an End User’s Account  125
    Unlock an End User’s Account  125
  Terminate an End User’s Authentication Sessions  126
  Reset an End User’s Account  126
  Account Unenrollment  127
    Unenroll an End User  127
  Watch an End User’s Progress  127

Chapter 6: Viewing and Analyzing Reports  129
  Report Viewer Application Overview  129
    Reports Directory Structure for the Report Viewer  130
  View and Download Reports  130
  Report Characteristics  132
  Report Types  132
  Report Format  133
    Example of Elements Common to All Reports  133
    CSV Files  134
    Standard Header and Footer  135
    Report Naming Convention  137
  Report Content  138
    Billing Report  139
    Authentication Plug-In Billing Report  139
    Blocked Users Report  140
    Case Management and Case Management Trends Reports  141
    eFraudNetwork Report  143
    Forensic Summary Report  144
    Policy Summary and Policy Summary Trends Reports  146
    Risk Factor Report and Risk Factor Trends Reports  147
    System Usage and System Trends Reports  149

Appendix A: List of Facts  151
Appendix B: Rules in the Reference Policy  167
Appendix C: List of Event Types  175
Preface

About This Guide
This guide describes how to use the Back Office applications in RSA® Adaptive Authentication (On-Premise) 7.1. It is intended for administrators, Fraud Analysts, Customer Service Representatives, Case Management Operators, Policy Managers, and other trusted personnel. Do not make this guide available to the general user population.

RSA Adaptive Authentication (On-Premise) Documentation
For more information about RSA Adaptive Authentication (On-Premise), see the following documentation:

• Authentication Plug-In Developer’s Guide. Describes the Authentication Plug-In development process that enables external authentication providers to integrate their products with RSA Adaptive Authentication (On-Premise).
• Back Office User’s Guide. Provides an overview of the following Back Office applications: Policy Management, Case Management, Access Management, Customer Service Administration, and the Report Viewer.
• Bait Credentials Setup and Implementation Guide. Describes how to set up and implement RSA bait credentials, which help provide you with accelerated fraud detection and prevention capabilities.
• Best Practices for Challenge Questions. Describes the best practices related to challenge questions that RSA has evolved through experience at multiple deployments.
• Installation and Upgrade Guide. Describes detailed procedures on how to install, upgrade, and configure RSA Adaptive Authentication (On-Premise).
• Integration Guide. Describes how to integrate and deploy RSA Adaptive Authentication (On-Premise).
• Operations Guide. Provides information on how to administer and operate RSA Adaptive Authentication (On-Premise) after upgrade. This guide also describes how to configure Adaptive Authentication (On-Premise) within the Configuration Framework.
• Performance Guide. Provides information about performance testing and performance test results for the current release version of RSA Adaptive Authentication (On-Premise).
• Product Overview Guide. Provides a high-level overview of RSA Adaptive Authentication (On-Premise), including system architecture.
• Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. It also includes the supported platforms and work environments for platform certifications. The latest version of the Release Notes is available on RSA SecurCare® Online at https://knowledge.rsasecurity.com.
• Security Best Practices Guide. Provides recommendations for configuring your network and RSA Adaptive Authentication (On-Premise) securely.
• Web Services API Reference Guide. Describes RSA Adaptive Authentication (On-Premise) web services API methods and parameters. This guide also describes how to build your own web services clients and applications using the web services API to integrate and utilize the capabilities of Adaptive Authentication (On-Premise).
• What’s New. Highlights new features and enhancements in RSA Adaptive Authentication (On-Premise) 7.1.
• Workflows and Processes Guide. Describes the workflows and processes that allow end users to interact with your system and that allow your system to interact with RSA Adaptive Authentication (On-Premise).
Support and Service
RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads. The RSA Solution Gallery provides information about third-party hardware and software products that have been certified to work with RSA products. The gallery includes Secured by RSA Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support
Make sure that you have direct access to the computer running the Adaptive Authentication (On-Premise) software. Please have the following information available when you call:
Your RSA Customer/License ID.
Adaptive Authentication (On-Premise) software version number.
The make and model of the machine on which the problem occurs.
The name and version of the operating system under which the problem occurs.
Chapter 1: RSA Adaptive Authentication Back Office Applications

• Back Office Applications Overview
• Log On to a Back Office Application
• Log Off from a Back Office Application
• Password Change
• Change your Password
• Reset a Forgotten Password
• Localization and Internationalization of the Back Office Applications
This chapter provides an overview of the RSA Adaptive Authentication (On-Premise) Back Office applications and describes how to log on to the Back Office applications.
Back Office Applications Overview
The Back Office Applications are a set of GUI-based applications that enable users in your organization to interact with the Adaptive Authentication system. The applications in the Back Office Application Suite are connected to both the Core Database and the Back Office Database. In addition, the Case Management application is connected to the Case Management Database.
1:RSAAdaptiveAuthenticationBackOfficeApplications
Back Office Application Suite
The following table describes the applications in the Back Office Application Suite.

Administration Console
User: Administrator
Description: The Administration Console enables you to manage system configuration parameters according to your Adaptive Authentication implementation, business requirements, and system setup.
Note: Although the application is located in the Back Office Application Suite, for information about the Administration Console see the Operations Guide.
Database: Core Database, Back Office Database

Customer Service
User: Customer Service Representative
Description: The Customer Service application helps the Customer Service Representative search for and modify end-user account information as the end user interacts with the Adaptive Authentication system. In this way, a representative can assist end users with online account troubleshooting. The Customer Service application provides logs of end-user activity within the Adaptive Authentication system for monitoring by the representative. A Customer Service Representative can delete end users and lock, unlock, and reset accounts.
Database: Core Database, Back Office Database

Policy Management
User: Rule Manager
Description: The Policy Management application is used to create and manage rules, lists, custom facts, and custom event types. Together, these elements form an organizational policy, which is executed by the Policy Engine.
Database: Core Database, Back Office Database
Standalone Back Office Applications
The following table describes the Back Office applications that exist as standalone applications.

Access Management
User: System Administrator
Description: The Access Management application allows you to manage access to the Back Office applications. You can use it to create and manage users, roles, organizations, and groups for the Back Office applications.
Note: You can also use the External Identity Provider framework to manage users in an External Identity Store. For more information, see the Operations Guide.
Database: Core Database, Back Office Database

Case Management
User: Fraud Analyst, IT Administrator, Fraud Analyst Manager
Description: The Case Management application is used to review any events that have been flagged as risky by the Adaptive Authentication system and require review by a Fraud Analyst.
Database: Core Database, Back Office Database, Case Management Database

WS Credentials
User: Administrator
Description: The WS Credentials application is used to create and manage users who can access Web Services and SOAP requests.
Database: Core Database, Back Office Database

Report Viewer
User: Security Analyst
Description: With the Report Viewer application, you can view daily, weekly, and monthly reports created by the RSA Data Center. Reports from the RSA Data Center are synchronized with the Report Viewer application for accurate reading of the files.
Database: Back Office Database
Log On to a Back Office Application
To log on to a Back Office application:
1. Do one of the following:
• To log on to the Policy Management, Administration Console, or Customer Service applications, go to http:///backoffice.
Note: For more information about the Administration Console, see the Operations Guide.
• To log on to the Access Management application, go to http:///accessmanagement.
• To log on to the Case Management application, go to http:///casemanagement.
• To log on to the WS Credential application, go to http:///wscredentialmanager.
• To log on to the Report Viewer application, go to http:///reportviewer.
2. On the Logon page, enter your user name and password, and click Login.
3. From the Organization drop-down menu, select the organization that you want to view. The organizations are displayed hierarchically, with child organizations listed below parent organizations.
Log Off from a Back Office Application
To log off from a Back Office application:
Click the Logout link in the top frame of any Back Office application page.
Note: By default, Back Office applications log off users who are inactive for 30 minutes. You can configure this time period in the Administration Console. For more information, see the topic about configuring Back Office applications parameters in the chapter “Administration Console” in the Operations Guide.

Password Change
When the system administrator defines a user password, the password is automatically assigned an expiration date. This date is configurable in the Administration Console. The default value is 90 days. For more information, see the Operations Guide. If you attempt to log on to a Back Office application using an expired password, a window opens in which you can define a new password. The new password is required for the next logon attempt. An administrator may change your password for any one of several reasons, for example:
• The administrator suspects that your password was compromised.
• Your password is routinely changed for preemptive security reasons.
Change your Password
You must change your password if the password has expired or if the system administrator resets your password. You are required to enter your current password before the system will allow you to change your password. If you forget your current password, you are not allowed to redefine the password or select a new password. For more information, see Reset a Forgotten Password on page 16.
The organization can configure the password length and valid characters. The new password must meet the requirement defined on the Change Password page. The requirement often involves choosing a password with a minimum of eight characters, including at least one number, one letter, and one special character from the following character set: ( ) * & ^ % $ # @ !. The password must not resemble the logon name too closely. The specific requirements can be configured locally.
To change your password:
1. Log On to a Back Office Application.
2. Enter your logon name and original password in the appropriate fields.
3. Enter your new password.
4. In the Re-type New Password field, enter your new password to confirm the password.
5. Click Next to save your changes and return to the logon page.

Reset a Forgotten Password
If you forget your password, your system administrator can provide you with a temporary password. You must reset your password again immediately upon your next logon.
To reset your forgotten password:
1. Log on to the Back Office Application Suite using the temporary password. You are automatically directed to the Set New Password page.
2. In the New Password field, enter your new password.
3. In the Re-type New Password field, enter your new password to confirm the password.
4. Click Confirm to save your changes and continue.
Note: You cannot access the Case Management application until you set a new password.
Localization and Internationalization of the Back Office Applications
The Adaptive Authentication system is designed so that the user interface, input, display, and other features of the Back Office applications can be adapted to various languages and regions. You can use any number of languages when interacting with the Back Office applications. You can add location-specific text to meet the needs of your user demographic.
Note: The system supports localization of the Back Office applications to one language. You cannot use different languages for different users, organizations, or applications. For more information, see the Operations Guide.
2 Managing Access to the Back Office Applications
• Access Management Application Overview
• User Management
• Role Management
• Organization Management
• Group Management
This chapter provides an overview of how to manage access to the Back Office applications using the Access Management application. It explains how to use the Access Management application to manage users, roles, organizations, and groups in the RSA Adaptive Authentication (On-Premise) system.
Access Management Application Overview
The Access Management application allows you to manage access to the Back Office applications. The Access Management application allows you to create users, organizations, and groups for use within the Adaptive Authentication system. You can also use it to manage user roles and permissions, and associate users with roles and organizations.
Note: You can also use the External Identity Provider framework to manage users in an External Identity Store. For more information, see the Operations Guide.
User Management
You can manage users and their ability to access the Back Office applications by adding users, viewing user details, editing user details, unlocking users, and removing users from the system. You use the Application Users page to perform tasks related to user management. Users created in Access Management are not end-user customers, but rather belong to an organization using the Adaptive Authentication system. The following users are created by the system by default:
• admin
Note: Do not use the admin user provided by the system as a regular user. RSA recommends that you use the admin user to create additional admin users that you can assign to people within your organization. You must maintain the system admin user as a superuser.
• editor
• fraudanalyst
• reviewer
You cannot remove these users from the system or edit user details, as indicated on the UI. A newly created user can be associated with any of the following:
Role. The level of authorization for a user. A role can be associated with one or more modules. Each role can be associated with different permissions. For more information, including a definition of predefined roles in the system, see Role Management on page 24.
Important: A user with an assigned role can only access a Back Office application if the role is also associated with the corresponding module. Predefined roles are automatically associated with corresponding modules. The modules available correspond to the Back Office applications. For a list of modules associated with each role, see Access Management Roles on page 28.
Organization. An organization, along with a user name, is the unique identifier of an end user. For more information, see Organization Management on page 33. For more details about the configuration structure for organizations, see the Operations Guide.
If a new Back Office application user is created or an existing Back Office application user is updated, the permissions available for assignment to that user are the same as the permissions of the user who creates or updates the user. For example, if a user has Read/Create/Update/Delete permissions, the new or updated user can have only those permissions or a subset of them. A new user can never have a higher level of permissions than that of the person who created or updated that user.
Important: Users cannot change their own permissions using the Access Management application.
Default User Passwords
Each predefined user is populated with a password that is the same as the user name, for example, user=operator, password=operator. The system automatically prompts the user to change the password at the initial logon.
Important: If a user does not log on immediately after installation, RSA recommends that the administrator change the default password to prevent security breaches.
Access the Application Users Page
You use the Application Users page to perform tasks related to user management. The main page of the Access Management application, the Application Users page, is displayed by default when you log on to the application.
To access the Application Users page:
From the Access Management menu, select User List.

Application Users Page
The Application Users page provides information about users in the Access Management system, as described in the following table.
User Name. User’s logon name. Sortable column.
First Name. User’s first name. Sortable column.
Last Name. User’s last name. Sortable column.
Organizations. Lists all of the organizations to which the user has access.
Modules. Lists the RSA Back Office applications that the user has permission to use.
Roles. Lists the user’s current roles.
Locked. Indicates if the user account is locked. If a user attempts to log on to any Back Office application with an incorrect password too many times, the user is locked out. For more information about password configuration, see the topic that discusses configuring Back Office applications parameters in the Operations Guide.
Action. Contains links to the View, Edit, and Remove pages, depending on the user’s permissions:
• View. View all user details (read-only).
• Edit. Edit all user details.
• Remove. Remove user names from the system.
Note: Predefined user names cannot be removed.

View User Details
All roles can view user details for all users in the system.
To view user details:
On the Application Users page, in the Action column for the user, click View. The View User Details section displays the user details in read-only format.
Add a User
You add a user in the Access Management application to create a user who can access the Back Office applications.
Note: On the initial logon to the system, a new user is required to change the default password.
To add a user:
1. On the Application Users page, click Add New User. The User Details page is displayed.
2. In the Add User Details section, enter the user details. The following table describes the actions required for each of the fields in the Add User Details section.
User Name. Enter a unique name for the user. This is a required field.
Note: A user name must be unique. You cannot enter a user name that is identical to an existing user name.
Password. Enter a password for the user. This is a required field.
Note: The password must be at least 8 characters long and contain at least one character each from the following groups: digits, uppercase letters, and special characters (such as - _ . ! @ # % ^ * $).
Confirm Password. Enter the user password. This is a required field.
First Name. Enter the user’s first name.
Last Name. Enter the user’s family name (surname).
Email. Enter the user’s email address.
Phone. Enter the user’s phone number.
Locked At. Indicates lock-out details, including the lock-out time, for a user who repeatedly enters an incorrect password and exceeds the allowed number of authentication attempts.
3. In the Organizations section, from the Available list, select the organizations to which you want the user to have access, and click the right-arrow to include them in the Selected list. For more information about Organizations, see Organization Management on page 33.
4. In the Roles section, from the Available list, select the roles that you want to assign to the user, and click the right-arrow to include them in the Selected list.
5. Click Save.
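The password rules quoted for the Change Password page and the slightly different rule set given for the Add User Details page are two configurations of the same kind of complexity check. The validator below is an added example written for this guide, not RSA product code: the two policy objects encode the rules the guide states, and the numeric threshold behind "must not resemble the logon name too closely" is an assumption, since the guide gives no figure for it.

```python
"""Configurable Back Office password policy checker (added example, not RSA code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    require_digit: bool = True
    require_letter: bool = False
    require_uppercase: bool = False
    require_special: bool = True
    special_chars: str = "()*&^%$#@!"
    # Longest run of characters a password may share with the logon name.
    # The guide only says "must not resemble the logon name too closely";
    # the value 3 is an assumption made for this example.
    max_shared_run: int = 3


# Rules stated for the Change Password page: at least eight characters,
# one number, one letter, one special character from ( ) * & ^ % $ # @ !
CHANGE_PASSWORD_POLICY = PasswordPolicy(require_letter=True,
                                        special_chars="()*&^%$#@!")

# Rules stated for the Add User Details page: digits, uppercase letters,
# and special characters such as - _ . ! @ # % ^ * $
ADD_USER_POLICY = PasswordPolicy(require_uppercase=True,
                                 special_chars="-_.!@#%^*$")


def longest_shared_run(a: str, b: str) -> int:
    """Length of the longest case-insensitive substring common to a and b."""
    a, b = a.lower(), b.lower()
    best = 0
    prev = [0] * (len(b) + 1)
    for ch in a:
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if ch == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(password: str, logon_name: str, policy: PasswordPolicy) -> list:
    """Return every rule the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_letter and not any(c.isalpha() for c in password):
        problems.append("no letter")
    if policy.require_uppercase and not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if policy.require_special and not any(c in policy.special_chars for c in password):
        problems.append("no special character from " + policy.special_chars)
    if longest_shared_run(password, logon_name) > policy.max_shared_run:
        problems.append("resembles the logon name too closely")
    return problems


if __name__ == "__main__":
    # Constructed sample checks. The predefined users really do ship with
    # password == user name, which this policy rejects on three counts.
    for pwd, name, policy in [("operator", "operator", CHANGE_PASSWORD_POLICY),
                              ("Summer#2024", "jdoe", CHANGE_PASSWORD_POLICY),
                              ("summer#2024", "jdoe", ADD_USER_POLICY)]:
        print(f"{name!r:12} {pwd!r:16} -> {check_password(pwd, name, policy) or 'OK'}")
```

Because the check returns every violated rule rather than stopping at the first, the Change Password page can show the user all of the reasons at once, which is what keeps a user from cycling through one rejected password per rule.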
Edit User Details
You can edit user details to change any relevant information about an Adaptive Authentication system user. The Edit User Details section enables authorized users to edit other users’ details including first name, last name, email address, phone number, organizations, and roles. A user’s permissions relate to all users below that user’s organization in the hierarchy. For example, if a user has permission to update users in the parent organization, the same user also has permission to update users in the suborganizations within the parent organization hierarchy.
To edit user details:
1. On the Application Users page, in the Action column to the right of the user name, click Edit. The User Details page is displayed.
2. On the User Details page, in the Edit User Details section, edit the user details by modifying the user’s password, first name, last name, email address, and phone number in the relevant fields, if necessary.
Note: Completion of fields preceded by an asterisk (User Name, Password, and Confirm Password fields) is mandatory. The fields are populated with existing entries, which you can edit.
If a Back Office user’s password is changed, a change of password is requested upon the user’s next logon to a Back Office application.
3. From the Available lists, select the organizations and roles that you want to associate with that user, and click the right arrow to move the selections to the Selected lists.
4. Click Save.
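The three rules the guide states for user administration (a user reaches an application only through a role tied to that module, an administrator may grant only a subset of their own modes and only to users inside their own organization hierarchy, and nobody edits their own permissions) combine into one authorization check. The model below is an added example, not RSA product code. The organization tree, the custom `regionaladmin` role and the modes attached to the predefined roles are constructed for the example; the guide only defines modes for the Access Management application itself, and the choice to require every one of the target's organizations to sit under the actor's is an assumption.

```python
"""Access Management authorization checks (added example, not RSA code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

MODES = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class Role:
    name: str
    modes: FrozenSet[str]    # Access Management permissions (create/read/update/delete)
    modules: FrozenSet[str]  # Back Office applications the role is associated with


@dataclass(frozen=True)
class User:
    name: str
    organizations: FrozenSet[str]
    roles: Tuple[Role, ...]


# Constructed organization hierarchy: child -> parent; the root has no parent.
ORG_PARENT = {"default": None, "retail": "default",
              "retail-east": "retail", "corporate": "default"}


def ancestors(org: str):
    """Yield org itself and then each parent up to the root."""
    current: Optional[str] = org
    while current is not None:
        yield current
        current = ORG_PARENT[current]


def effective_modes(user: User) -> FrozenSet[str]:
    return frozenset().union(*(r.modes for r in user.roles))


def can_access(user: User, module: str) -> bool:
    """A role grants an application only when it is associated with that module."""
    return any(module in r.modules for r in user.roles)


def in_scope(actor: User, target: User) -> bool:
    """Actor may manage target only if every organization of target lies in, or below,
    one of actor's organizations (requiring *every* organization is an assumption)."""
    return all(any(a in actor.organizations for a in ancestors(org))
               for org in target.organizations)


def check_user_change(actor: User, target: User,
                      new_roles: Tuple[Role, ...], mode: str) -> list:
    """Reasons the change must be refused; an empty list means it is allowed."""
    reasons = []
    if mode not in effective_modes(actor):
        reasons.append(f"actor lacks the {mode} mode")
    if actor.name == target.name:
        reasons.append("users cannot change their own permissions")
    if not in_scope(actor, target):
        reasons.append("target is outside the actor's organization hierarchy")
    requested = frozenset().union(*(r.modes for r in new_roles))
    excess = requested - effective_modes(actor)
    if excess:
        reasons.append("requested modes exceed the actor's own: " + ", ".join(sorted(excess)))
    return reasons


# Constructed roles and users. The modes given to the predefined roles are assumptions.
ADMIN = Role("admin", MODES, frozenset({"accessmanagement", "casemanagement", "csr",
                                        "PolicyManagement", "scheduler", "wscredentialmanager"}))
OPERATOR = Role("operator", frozenset({"read"}), frozenset({"casemanagement"}))
REGIONAL_ADMIN = Role("regionaladmin", frozenset({"create", "read", "update"}),  # custom role
                      frozenset({"accessmanagement", "casemanagement"}))

ROOT_ADMIN = User("admin", frozenset({"default"}), (ADMIN,))
EAST_ADMIN = User("east.admin", frozenset({"retail-east"}), (REGIONAL_ADMIN,))
ANALYST = User("analyst1", frozenset({"retail-east"}), (OPERATOR,))
CORP_USER = User("corp1", frozenset({"corporate"}), (OPERATOR,))

if __name__ == "__main__":
    print(check_user_change(EAST_ADMIN, ANALYST, (ADMIN,), "update"))
    print(check_user_change(EAST_ADMIN, CORP_USER, (OPERATOR,), "update"))
    print(can_access(ANALYST, "casemanagement"), can_access(ANALYST, "PolicyManagement"))
```

The subset test is what stops privilege escalation through delegated administration: a regional administrator with create/read/update can never mint a user holding delete, no matter which roles exist in the system.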
Unlock a User
If a user attempts to log on, but access is locked, an administrator must reset the user password. Resetting the password unlocks the user immediately. If the administrator user does not change the password, the lock-out is released after a set period of time, and the user can try to log on again.
Note: The default time frame is 30 minutes, but you can configure this time in the Administration Console. For more information, see the section about configuring Back Office applications parameters in the Operations Guide.
To reset a password and unlock a user:
1. On the User Management page, in the Edit User Details section, in the Password field, enter a new password.
2. In the Confirm Password field, enter the new password to confirm the password.
3. Click Save.
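The lock-out, its timed release, the administrator reset that unlocks immediately but forces a new password, and the 90-day expiration (which does not apply to users holding only the CMAPIExtract/CMAPIUpdate roles) form a small account state machine. The walk-through below is an added example, not RSA product code; the failed-attempt threshold of 3 is an assumption (the real value is set in the Administration Console), the timestamps and account names are constructed, and passwords are held in plain text only to keep the demonstration short.

```python
"""Back Office logon state handling: lock-out, release, reset, expiry (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

MAX_FAILED_ATTEMPTS = 3                   # assumed; the real threshold is configured in the Administration Console
LOCKOUT_RELEASE = timedelta(minutes=30)   # default lock-out release period stated in the guide
PASSWORD_LIFETIME = timedelta(days=90)    # default password expiration stated in the guide
API_ONLY_ROLES = frozenset({"CMAPIExtract", "CMAPIUpdate"})  # passwords of these roles do not expire


@dataclass
class Account:
    name: str
    password: str                 # plain text only for the demonstration
    roles: FrozenSet[str]
    password_set_at: datetime
    must_change_password: bool = False
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        """A lock-out expires on its own once LOCKOUT_RELEASE has passed."""
        if self.locked_at is None:
            return False
        if now - self.locked_at >= LOCKOUT_RELEASE:
            self.locked_at = None
            self.failed_attempts = 0
            return False
        return True

    def password_expired(self, now: datetime) -> bool:
        """Users whose only roles are CMAPIExtract/CMAPIUpdate have no expiration date."""
        if self.roles and self.roles <= API_ONLY_ROLES:
            return False
        return now - self.password_set_at >= PASSWORD_LIFETIME


def attempt_logon(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'bad_password', 'change_password' or 'ok'."""
    if acct.is_locked(now):
        return "locked"
    if password != acct.password:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_at = now
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0
    if acct.must_change_password or acct.password_expired(now):
        return "change_password"   # Set New Password page before any application is reachable
    return "ok"


def admin_reset_password(acct: Account, temporary_password: str, now: datetime) -> None:
    """Administrator reset: unlocks immediately and forces a change at the next logon."""
    acct.password = temporary_password
    acct.password_set_at = now
    acct.locked_at = None
    acct.failed_attempts = 0
    acct.must_change_password = True


def set_new_password(acct: Account, new_password: str, now: datetime) -> None:
    acct.password = new_password
    acct.password_set_at = now
    acct.must_change_password = False


def run_scenario() -> List[str]:
    """Constructed walk-through of the states the guide describes."""
    t0 = datetime(2024, 1, 1, 9, 0)

    def m(n: int) -> datetime:
        return t0 + timedelta(minutes=n)

    # Predefined user: password equals the user name and must be changed at first logon.
    acct = Account("reviewer", "reviewer", frozenset({"fraudanalyst"}), t0, must_change_password=True)
    out = [attempt_logon(acct, "wrong", m(0)), attempt_logon(acct, "wrong", m(1)),
           attempt_logon(acct, "wrong", m(2)),        # third failure locks the account
           attempt_logon(acct, "reviewer", m(10)),    # correct password, but still locked
           attempt_logon(acct, "reviewer", m(32))]    # lock released; first logon forces a change
    set_new_password(acct, "Winter#2024", m(33))
    out.append(attempt_logon(acct, "Winter#2024", m(34)))
    for _ in range(MAX_FAILED_ATTEMPTS):
        attempt_logon(acct, "nope", m(60))
    out.append(attempt_logon(acct, "Winter#2024", m(61)))  # locked again
    admin_reset_password(acct, "Temp!4321", m(62))
    out.append(attempt_logon(acct, "Temp!4321", m(63)))    # unlocked at once, must change
    set_new_password(acct, "Spring#2024", m(64))
    out.append(attempt_logon(acct, "Spring#2024", t0 + timedelta(days=91)))  # expired after 90 days
    api = Account("extractor", "Extract#1", frozenset({"CMAPIExtract"}), t0)
    out.append(attempt_logon(api, "Extract#1", t0 + timedelta(days=400)))    # API-only role never expires
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two details worth noticing in the walk-through: a correct password entered while the lock-out is still running is refused without resetting the timer, and an administrator reset is the only path that clears the lock early, which is why the guide pairs "unlock" with "reset the password".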
Remove a User
If a user can be removed from the system, the Remove link is displayed in the user interface. The Remove link is not displayed for predefined users.
To remove a user:
1. On the Application Users page, in the row for the user that you want to remove, click Remove in the Action column.
2. When prompted to confirm the removal, click OK.
Role Management
Each user is assigned a role, and each role is associated with different permissions. You can manage the various Back Office user roles by adding roles, editing roles, and removing roles from the system. You use the Application Roles page to manage roles. For more information on system roles, see Access Management Roles on page 28.
For a user to access a Back Office application, you must assign the user one or more roles. Each role is associated with one or more modules. In the Access Management system, a module represents one of the Back Office applications.
Important: The Access Management application supports the creation of custom roles. However, RSA recommends applying only predefined roles to Access Management users. These roles reflect common user needs and include the appropriate permissions for each Back Office user.
A user with an assigned role can only access a Back Office application if the role is also associated with the corresponding module. By default, roles are associated with their corresponding modules. In general, a user only sees interface elements that relate to the specific permissions assigned to the user. For example, if a user has PolicyManager permissions but does not have ListManager permissions, the user sees the Manage Lists screen but does not see the buttons used for creating and deleting lists or the blue hyperlinks used to edit lists. Similarly, a user without permissions related to the Policy Management module does not see the Policy Management tab in the Back Office Application Suite.
Note: The spelling of the role names in the user interface does not include spaces. For example, the fraud analyst role is written as “fraudanalyst,” and the operator manager role is written as “operatormanager.”
Access the Application Roles Page
You use the Application Roles page to manage user roles.
To access the Application Roles page:
From the Access Management menu, select Roles. The Application Roles page is displayed.

Role Details
The Roles table displays all of the roles in the system and the related details. The following table describes the columns displayed in the Roles table.
Role Name. Name of a role in the system (both predefined and user-created roles). Sortable column.
Description. Description of the role, such as what a user with the role is allowed to do within the system.
Mode. Permissions associated with that role. Modes include create, read, update, and delete. The checkbox for a mode is selected if the mode is allowed for the role. Sortable column.
Important: The modes available are only relevant for roles used within the Access Management application.
Modules. Lists the Back Office applications that the role has permission to use.
Action.
• Custom roles contain View, Edit, and Remove links in this column.
• Predefined roles contain the View link in this column.
Note: Predefined roles cannot be removed.
View Role Details
All roles can view details for all roles in the system. Role details are read-only. For more information, see Role Details on page 25.
To view role details:
On the Application Roles page, in the row of the role that you want to view, click View. The View Role Details page includes the role name, a role description, mode permissions, and accessible modules.

Add a Role
You can create a role to associate a group of users with a given set of permissions. When you add a role in the Access Management application, you are creating a role within the Back Office applications.
To add a role:
1. On the Application Roles page, click Add New Role. The Role Details page is displayed.
2. In the Role Name field, enter a unique name for the new role.
3. (Optional) In the Description field, enter a description of the role.
4. In the Mode section, select one or more checkboxes to define the permissions for the role. The possible permissions are Create, Read, Update and Delete.
Note: The Create, Read, Update, and Delete parameters in this section only affect role permissions for the Access Management application.
5. In the Modules section, from the Available list, select one or more modules.
6. Click the right-arrow to move the modules into the Selected list.
7. Click Save.
Edit a Custom Role
You can edit custom roles by changing the modes and modules associated with a particular role. You cannot edit predefined roles.
To edit an existing role:
1. On the Application Roles page, from the Roles list, select the role that you want to edit. The Roles Details page is displayed.
2. In the Action column, click Edit.
3. Modify entries in the fields as necessary.
4. (Optional) To change your entries back to the original values, click Reset. The Edit Role Details page returns to the latest settings before you clicked Edit.
5. Click Save.

Remove a Role
You can remove a role from the system if you do not need the role anymore. After you remove a role, the role no longer appears in the Roles list. You cannot remove predefined roles from the system.
Important: Removing a role from the system may limit the ability of current users to access certain Back Office applications. If a current user is assigned a role, and then that role is deleted, the user will no longer have the permissions associated with the deleted role.
To remove a role:
1. On the Application Roles page, from the Roles list, select the role that you want to remove.
2. In the Action column, click Remove.
3. In the confirmation message, click OK.
Access Management Roles
The following table describes the predefined roles that are available in the Access Management system.
Important: A user with an assigned role can access a Back Office application only if the role is also associated with the corresponding module. By default, roles are associated with the corresponding modules.

admin
Description: An administrative role with access to all applications. A user with this role can perform most actions but does not necessarily have Update or Delete permissions in all applications. For example, in the Policy Management application, a user with the admin role can view rules and lists, but cannot create or edit rules and lists.
Note: If you used the AdminTool application in an earlier version of Adaptive Authentication, you should now use the Policy Management menu to access functions available on the Lists Administration tab.
Associated Modules: scheduler, wscredentialmanager

csr
Description: A user with this role can view and update activities in the Customer Service application, and can view the Lookup User page in the Case Management application. A user with the csr role can handle user calls, view recent activities of a user to troubleshoot the user problem, and search all users, not just those with cases. For more information on the specific permissions associated with this role, see Case Management Role Permissions on page 31.
Associated Modules: csr, casemanagement

CMAPIExtract
Description: A user with this role can retrieve and view Case Management data concerning events (activities) and cases.
Note: If either this role, CMAPIUpdate, or both are the only roles that exist for a user, the user’s password will not have an expiration date. Additionally, a user with this role does not need to change the password during the first logon.
Associated Module: casemanagementAPI
CMAPIUpdate
Description: A user with this role can retrieve, view, and update Case Management data concerning events (activities) and cases. With this particular role, a user can lock data retrieved for update purposes.
Note: If either this role, CMAPIExtract, or both are the only roles that exist for a user, the user’s password will not have an expiration date. Additionally, a user with this role does not need to change the password during the first logon.
Associated Module: casemanagementAPI

fraudanalyst
Description: A user with this role can research and analyze fraud patterns to define antifraud strategies, and verify whether cases include fraudulent activity. For more information on the specific permissions associated with this role, see Case Management Role Permissions on page 31.
Associated Module: casemanagement

ListManager
Description: A user with this role can view, edit, and delete lists. A List Manager user can view rules, custom facts, and custom event types but cannot create, edit, or delete these objects.
Note: A user with this role can only edit lists if the user has access to the default organization. For more information on the specific permissions associated with this role, see Policy Management Role Permissions on page 32.
Associated Module: PolicyManagement

operator
Description: A user with this role can review, work with, and manipulate cases in the Case Management application. A user with the operator role can search for a relevant case, update a case, and move to the next case. A user with this role might have specific expertise, such as with account takeover fraud.
Note: Before an operator is assigned cases or begins to update cases, the operator must be assigned to an operator group. For more information, see Add an Operator to an Operator Group on page 115. For more information on the specific permissions associated with this role, see Case Management Role Permissions on page 31.
Associated Module: casemanagement
operatormanager
Description: A user with this role can supervise activity in the Case Management application, and perform the following actions:
• Manage operators
• Supervise case reviews performed by operators
• Audit an operator’s work queue to increase productivity
• Override operator decisions in cases
• Define custom sorting and case filtering
• Divide operators logically rather than randomly
Note: By default, the Case Management application evenly and randomly divides the work load of cases between operators. For more information on the specific permissions associated with this role, see Case Management Role Permissions on page 31.
Associated Module: casemanagement

PolicyManager
Description: A user with this role can create, edit, and delete rules, custom facts, and custom event types. A user with the PolicyManager role can approve a status change made to a rule by another user. A user with the PolicyManager role can also view lists but cannot create, edit, or delete lists.
Note: Only a user with the PolicyManager role who has access to the default organization can create, edit, or delete custom facts or custom event types. For more information on the specific permissions associated with this role, see Policy Management Role Permissions on page 32.
Associated Module: PolicyManagement

PolicyViewer
Description: A user with this role can view rules, custom facts, custom event types, and lists. For more information on the specific permissions associated with this role, see Policy Management Role Permissions on page 32.
Associated Module: PolicyManagement
RuleManager
Description: A user with this role can create, edit, and delete rules, custom facts, and custom event types but cannot approve pending rules.
Note: Only a user with the RuleManager role who has access to the default organization can create, edit, or delete custom facts or custom event types. This user can view lists but cannot create, edit, or delete them. This user can submit a request to change the status of a rule, but a PolicyManager or SeniorPolicyManager user must approve the request before the status change occurs. For more information on the specific permissions associated with this role, see Policy Management Role Permissions on page 32.
Associated Module: PolicyManagement

SeniorPolicyManager
Description: A user with this role can create, edit, and delete rules, custom facts, and custom event types, as well as approve all pending rules. A user with this role can approve a status change made to a rule by another user, and can also perform self-approval on status changes made to a rule. This user can view lists but cannot create, edit, or delete lists.
Note: Only a user with the SeniorPolicyManager role who has access to the default organization can create, edit, or delete custom facts or custom event types. For more information on the specific permissions associated with this role, see Policy Management Role Permissions on page 32.
Associated Module: PolicyManagement
Case Management Role Permissions
The following table shows the permissions available for each role associated with the Case Management application. Case Management permissions are separated according to the various pages available in the application.
[Table: Case Management permissions by role. Columns: Permission, Admin, Operator Manager, Fraud Analyst, Operator, CSR. Rows: Process Queue, Lookup User, View the Queue, Manage Operator Group, Manage Operator, Research Activities. The per-role entries are not recoverable.]
Policy Management Role Permissions
The following table shows the permissions available for each role associated with the Policy Management application. Policy Management permissions are separated according to the various actions available in the application.
Important: Some permissions are available only to users that are granted access to the
The following conditions also apply to the Policy Management role permissions:
• A user with the SeniorPolicyManager role can also perform self-approval on status changes made to a rule.
• Only a user with access to the default organization can view the Last Modified By and Created By fields in the Manage Lists, Manage Custom Facts, and Manage Custom Event Types pages.
• Any role that is associated with the PolicyManagement module receives the same permissions as the PolicyViewer role. A user with this role can view rules, custom facts, custom event types, and lists and can also create policy reports.
Organization Management
Each organization consists of a collection of users. An organization can also have multiple groups. You can manage organizations by adding organizations, viewing organizational details, and editing organizational details. You use the Application Organizations page to display and manage all of the organizations that exist in the system.
The hierarchy of organizations in the Access Management application and in the Adaptive Authentication system is defined as follows:
• An organization identifies any user who belongs to the organization.
• A user of the Back Office applications is identified by a unique user name. This uniqueness allows a user to belong to more than one organization.
• An end user is identified by a user name and organization. Two end users with the same user name can belong to different organizations.
• Organizations can include suborganizations. The organization is the parent and each suborganization is a child in the system hierarchy.
Note: RSA supports up to four levels in the hierarchy of organizations. This means that you can create up to three levels of suborganizations under the default organization. Adding additional levels of suborganizations has a negative impact on system performance and is not recommended. The limitation of the number of organization levels in the hierarchy does not relate to the total number of organizations allowed in the system.
• An organization cannot be deleted from the system. All organizations are stored in the database.
• An organization can only be viewed by a user who has access to that organization or its parent organizations. A user with access to the default organization can view all organizations.
Access the Application Organizations Page
You use the Application Organizations page to display and manage all of the organizations that exist in the system.
To access the Application Organizations page:
From the Access Management menu, select Organizations.

View Organization Details
To view organization details:
On the Application Organizations page, in the Action column, click View in the row of the organization that you want to view. The link is only displayed if you have View permission. Details are displayed in the View Organization Details page.
Add an Organization
When you add an organization in the Access Management application, you create an organization within the Adaptive Authentication system. After an organization is created in the system, you cannot remove the organization, and you cannot change its name. Only the organization description and parent can be changed.
To add an organization:
1. On the Application Organizations page, click Add New Organization. The Organization Details page is displayed.
2. On the Organization Details page, do the following:
a. In the Organization Name field, enter a unique name for the organization. This is a mandatory field.
Note: You cannot use the characters <, >, or & (the name must match the pattern [^<>&]*). The maximum length of organization names is 50 characters.
b. In the Organization Description field, enter a description for the organization.
c. From the Organization Parent list, select a parent organization for the new organization. In the list, default is the root organization in the system and is the parent of all organizations.
3. Click Save.
Note: If you attempt to create a loop in the hierarchy, for example, an organization that is both a child and parent of the same organization, an error message appears and the organization is not saved.
Edit Organization Details
You can edit an organization to change its description or parent. You cannot edit the name of an organization; after you create an organization in the system, you cannot change the name.
To edit organization details:
1. On the Application Organizations page, in the row of the organization that you want to edit, click Edit. The Edit link is only displayed if you have Edit permission.
2. On the Edit Organization Details page, edit the organization description or change the parent of the organization.
Important: If you change the parent of the organization, it may take up to five minutes for the change to be reflected in the system.
3. Click Save.
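To make the organization-hierarchy rules above concrete (name validation, the four-level limit, no deletion or renaming, and the loop check on Add and Edit), here is an added Python model; it is example code written against this guide's description, not RSA's own code, and the class, method and organization names in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Rules taken from this page: names may not contain <, > or & (pattern [^<>&]*),
# are at most 50 characters, and the hierarchy may have at most four levels
# (the default organization plus three levels of suborganizations).
NAME_PATTERN = re.compile(r"^[^<>&]*$")
MAX_NAME_LEN = 50
MAX_DEPTH = 4


@dataclass
class Organization:
    name: str
    description: str = ""
    parent: Optional[str] = None  # None only for the root organization, "default"


class OrganizationRegistry:
    """Organizations can be added and re-parented but never renamed or deleted."""

    def __init__(self) -> None:
        self.orgs: Dict[str, Organization] = {"default": Organization("default")}

    @staticmethod
    def validate_name(name: str) -> None:
        if not name:
            raise ValueError("Organization Name is a mandatory field")
        if len(name) > MAX_NAME_LEN:
            raise ValueError("Organization Name is longer than 50 characters")
        if not NAME_PATTERN.match(name):
            raise ValueError("Organization Name may not contain <, > or &")

    def depth(self, name: str) -> int:
        """Level in the hierarchy: 1 for default, 2 for its children, and so on."""
        level = 1
        parent = self.orgs[name].parent
        while parent is not None:
            level += 1
            parent = self.orgs[parent].parent
        return level

    def _height(self, name: str) -> int:
        """Number of levels in the subtree rooted at name (1 if it has no children)."""
        children = [o.name for o in self.orgs.values() if o.parent == name]
        return 1 + max((self._height(c) for c in children), default=0)

    def _is_ancestor(self, candidate: str, of: str) -> bool:
        parent = self.orgs[of].parent
        while parent is not None:
            if parent == candidate:
                return True
            parent = self.orgs[parent].parent
        return False

    def add(self, name: str, parent: str = "default", description: str = "") -> Organization:
        """Add New Organization: unique name, existing parent, four-level limit."""
        self.validate_name(name)
        if name in self.orgs:
            raise ValueError(f"Organization {name!r} already exists")
        if parent not in self.orgs:
            raise ValueError(f"Unknown parent organization {parent!r}")
        if self.depth(parent) >= MAX_DEPTH:
            raise ValueError("Only three levels of suborganizations are supported")
        org = Organization(name, description, parent)
        self.orgs[name] = org
        return org

    def set_parent(self, name: str, new_parent: str) -> None:
        """Edit Organization Details: only the description and parent may change."""
        if name == "default":
            raise ValueError("The default organization is the root and has no parent")
        if new_parent not in self.orgs:
            raise ValueError(f"Unknown parent organization {new_parent!r}")
        # A loop (an organization that is both child and parent of the same
        # organization) is rejected, as the Note on this page describes.
        if new_parent == name or self._is_ancestor(name, of=new_parent):
            raise ValueError("Change would create a loop in the hierarchy")
        # Moving a subtree must not push its deepest member past the fourth level.
        if self.depth(new_parent) + self._height(name) > MAX_DEPTH:
            raise ValueError("Change would exceed four levels in the hierarchy")
        self.orgs[name].parent = new_parent


def rejects(action: Callable[[], object]) -> bool:
    """True if the registry refuses the action with a ValueError."""
    try:
        action()
    except ValueError:
        return True
    return False
```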
View Available Organizations
You can view organizations in the Edit User Details page. Newly added organizations are available for viewing immediately.
To view the available organizations:
Click Edit User > Organizations > Available.
Group Management
A group is a subunit of an organization. Groups provide a way of further organizing end users within organizations. You can create a hierarchy of groups, but all groups in a hierarchy must belong to the same organization. Groups in the Access Management application relate to the Adaptive Authentication system as follows:
• There is no default group.
• An end user can belong to any group within an organization.
• An end user can be moved from one group to another within an organization.
• An end user in a specific organization cannot belong to more than one group.
Any user with roles that allow read, write, or create in the Access Management application is permitted to correspondingly view, edit, or add groups.
Access the Application Groups Page
You access the Application Groups page to add a group, view group details, and edit group details. For more information, see Application Group Page on page 36.
To access the Application Groups page:
From the Access Management menu, select Groups.
Application Group Page
You can use the Application Groups page to add a group, view group details, and edit group details. The Application Groups page provides information about groups in the Access Management system, as described in the following table.
Column Name: Description
Group Name: Group name. Sortable column.
Organization Name: Name of the organization to which the group belongs. Sortable column.
Group Description: Description of the group. This description is editable, depending on the rights of the user. Sortable column.
Group Parent: The parent of the group in the group hierarchy. Sortable column.
Action: Lists the actions that the user is permitted to perform. A link for each available action is provided.
View Group Details
All roles can view group details for all groups in the system.
To view group details:
On the Application Groups page, in the table, click View. The Group Details page is displayed. Information in the View Group Details section is not editable.
Add a Group
You can add a group to organize end users within an organization. The Group Name and the Organization Name together serve as a unique key.
Before You Begin
• You must have Create permissions to add a group.
• You can only add a group to a group that you create.
To add a group:
1. At the bottom of the Application Groups page, click Add New Group.
2. On the Group Details page, in the Add Group Details section, do the following:
a. In the Group Name field, enter a name for the group.
Note: You cannot use the characters <, >, or & (the name must match the pattern [^<>&]*). The maximum length of group names is 50 characters.
b. From the Organization Name list, select an organization.
c. In the Group Description field, enter a description for the group. Make the description unique so that the group can be easily identified.
d. (Optional) From the Group Parent list, select a group parent with which to associate the new group in the group hierarchy.
e. Click Save.
Edit Group Details
You can edit only the group description and the group parent. You can create a hierarchy of groups, but all groups in a hierarchy must belong to the same organization.
Note: If you create a loop in the hierarchy, for example, if a group is both a parent and a child of the same group, an error message appears.
To edit group details:
1. On the Application Groups page, in the row of the group that you want to edit, click Edit. The Edit link is only displayed if you have Edit permission.
2. On the Group Details page, edit the group description and change the group parent as necessary. You cannot edit the name of a group.
Important: If you change the parent of the group, it may take up to five minutes for the change to be reflected in the system.
3. Click Save.
3 Managing Policies
• Introduction to Policy Management
• Introduction to Rules
• Rule Management
• Policy Export and Import
• List Management
• Custom Facts Management
• Custom Event Type Management
• Policy Report
The Policy Management application helps organizations create a risk-management policy in line with the unique security needs of the organizations. Well-defined policies help prevent harmful, fraudulent activity and keep the number of false positives to a minimum. Each policy contains a set of rules that define actions that take place in specific circumstances. For more information, see Introduction to Rules on page 41. The Policy Management application acts as an additional security layer on top of the Risk Engine, which provides the core functionality of determining the risk level of a given event. The Policy Management application uses the Risk Engine, along with other data, and allows you to define a policy based on this data. The rules that you create in your organizational policy are loaded into the Policy Engine of the Policy Management application, which then executes the policy.
Introduction to Policy Management
A policy is made up of a set of rules. You can create a policy by adding rules in the Policy Management application. Each rule is applied for at least one event type and contains one or more conditions and an action. A rule defines the actions triggered by various event types, given specific sets of conditions. The specific rules that you create depend on the security needs of your organization. For more information, see Introduction to Rules on page 41.

Policies for Organizations
Each policy reflects a set of rules relevant for a specific organization. In a multi-organization environment, each organization has a policy. When you select an organization on which you want to work, the relevant policy is displayed in the Policy Management application. For more information about selecting an organization, see Log On to a Back Office Application on page 14.
You can create an organization in the Access Management application. For more information, see Organization Management on page 33. When you create an organization, a blank policy is automatically created to correspond with the organization. You can base the policy of a newly created organization on that of an existing one by duplicating rules from another organization. For more information, see Duplicate Rules to Another Organization on page 62.
Reference Policy
The Adaptive Authentication system includes a default reference policy that you can import into the Policy Management application. You can use the reference policy as a starting point for constructing the policy for your organization. The reference policy includes a predefined set of rules that are based upon both sign-on and transaction event types. The rules in the reference policy cover a broad range of end-user event types and protect against common fraud risks. For more information about the rules that make up the reference policy, see Appendix B, Rules in the Reference Policy.
The rules in the reference policy are both risk-based and device-based. Risk-based rules rely on data taken from the Risk Engine, while device-based rules rely on device matching and data taken from end-user devices. Risk-based rules can be activated only after the necessary Risk Engine learning period. Before the learning period is over, the risk score is not consistent and may not reflect end-user behavior for the specific customer population. For more information, see Risk Score on page 48.
The rules in the reference policy have a status of Work in Progress. To activate the rules, you must change the status of the rules to either Test or Production. For more information, see Status Change on page 50.
Rules in the reference policy with an action of Challenge are assigned the following Authentication Methods, in order:
• OOB PHONE
• OOB SMS
• KBA
• QUESTION
Note: You must configure Authentication Methods before the methods are applied to end users. For more information, see the Operations Guide.
The reference policy .zip file is available in the main_directory\utils_7.1.0.0.0 folder. The .zip file contains the file Reference_Policy.xml. A checksum file, Reference_Policy.xml.md5, is also created to check for any possible corruption in the plain file. For more information on how to import policy data, see Import Policy Data on page 64.
Note: Depending on your organizational policy needs, RSA recommends that you consider importing the reference policy after product installation. The rules in the reference policy help protect against many common fraud risks. After you import the reference policy, you can add rules and edit or delete rules as you see fit.
Additional Configuration Elements
The Policy Management application enables the configuration of the following elements that you can use to construct rules:
Custom Facts. You can add facts that are not included in the default fact list. For more information, see Custom Facts Management on page 72.
Custom Event Types. You can define event types that are not included in the standard delivery. For more information, see Custom Event Type Management.
Lists. You can add lists that are not included in the standard delivery. For more information, see List Management on page 65.

Policy Refresh
The policy refresh process seamlessly implements changes made to a policy in the production environment, without the need to restart the application servers. The Adaptive Authentication system polls the Policy Management Database to check for policy revisions every sixty seconds. Types of policy revisions that trigger the policy refresh process include the creation of any rules or lists, changes made to any rules (edit, delete, or status change) or lists (edit, delete, or update values), duplication of a policy, and import of a policy. For more information on rule status changes, see Status Change on page 50.
A policy is loaded to the Policy Engine if both of the following conditions are met:
• Revisions have been made to the policy after the current version was loaded to the Policy Engine.
• The status of the revised rule is, or was, Production or Test.
For more information on the policy refresh process, see the Operations Guide.
Note: A policy refresh impacts the data that is available in a Policy Report. For more information, see Generate a Policy Report on page 80.
Introduction to Rules
A rule contains an event type, a condition or set of conditions, and an action. The action is triggered by an event when the condition or conditions are met. For example, a Deny action can be triggered for the Sign In event type, if the Risk Score is above 900. A rule also contains other details, such as the name of the rule and the status of the rule. For more information about these rule details, see General Rule Parameters on page 58.
You can assign a priority to each rule, and the rules are checked in the order of their priority. The lower the number, the higher the priority. For example, a rule with a priority of 3 is checked before a rule with a priority of 5. After one rule is found to be true, the action is triggered, and the system stops checking the rules with lower priority.
It is possible that no production rules will be activated when an end user performs a certain event. This may occur if an organization does not have any rules in its policy or if none of the existing rules are triggered. In such a case, a default, fallback rule is activated. When the fallback rule is activated, the Allow action is triggered. For more information, see Actions on page 47.
Event Types
An event type is an end-user activity that is protected by the Adaptive Authentication system. An event type triggers a rule when the conditions associated with the rule are met. For example, if the event type is Payment, the selected rule will apply when the end user makes a deposit online. The Adaptive Authentication system is shipped with a predefined list of event types. For more information, see Appendix C, List of Event Types. In addition to event types in this predefined list, you can create custom event types. For more information, see Custom Event Type Management on page 75.
Note: A single rule can be applied to multiple event types. In this situation, if any of the events occur and all the conditions are met, the rule is triggered.
Conditions
Conditions are built from the following logical elements:
• Expressions
• Facts
• Operators
A condition is a set of logically defined expressions that must be fulfilled for the action of a rule to be triggered. Each rule can contain multiple conditions, which are connected to each other by the AND operator. If all conditions are true, the rule is triggered and the defined action is performed. For more information, see Expressions on page 44.
Each condition consists of at least one expression. Multiple expressions within a condition can be logically connected to each other by the OR or AND operators. For more information, see Operators on page 44.
The following figure shows the logical workflow of a condition after an event is performed.
[Figure: Condition Logic Workflow. Swimlanes: Event, Condition, Action. Nodes: Event performed as defined in rule; Is expression within condition true?; Does another expression exist within this condition?; Check operator connecting expressions (AND operator / OR operator (default)); Condition is not met; Does another condition exist within this rule?; Action is triggered; Action is not triggered.]
The following example shows the various components that can make up a condition. The sample expression represents the number of days that have passed since the account was opened:
• Expression: IF days since end user changed the address is Equal to 5
• Category: Account Details
• Fact: # of Days Since Last Address Change (Integer)
• Operators: Equal to
• Value: 5
Expressions
An expression is the basic building block of a condition and can be thought of as the first half of an If-Then conditional statement. The action is the second half. If the expressions within a condition are true, then the action is performed. Expressions can be made up of logically connected facts, operators, and values. Several expressions can be combined with the operators OR or AND.

Facts
A fact is a core data element that the Policy Engine processes to determine if the rule is triggered. A fact might contain information about the device, the end user, or the end-user activities. Examples:
• Change from previous risk score.
• Whether or not Java is disabled.
• The city's IP city code.
The Adaptive Authentication system is shipped with a default fact list. For more information, see Appendix A, List of Facts. In addition to default facts, you can create custom facts. For more information, see Custom Facts Management on page 72.

Categories
Facts are grouped into categories for accessibility purposes. For example, the Risk Score category groups facts that relate to the risk score of the current event, such as Transaction Risk Score and Change From Previous Risk Score.

Values
A value is a quantifiable attribute of a fact that defines the situation during which a rule is triggered. Values are divided into the following categories:
Technical. For example, the contents of a predefined list.
Numeric. For example, the Risk Score.
Boolean. For example, whether the device IP is different from the event IP (a true or false value).

Operators
An operator is a logical or mathematical function that connects multiple data elements. Operators can be used to define fact values, to connect multiple expressions, and to connect multiple conditions.
Fact Operators
The following operators can be used when defining fact values.
Operator: Relevant Fact Type
Equals: Boolean, Country, Double, ENUM, Float, Integer, IP Address, Long, Risk Score, String
Not equal: Country, Double, ENUM, Float, Integer, IP Address, Long, Risk Score, String
Empty: Country, ENUM, String
Greater than: Double, Float, Integer, Long, Risk Score
Greater or Equals: Double, Long, Risk Score
Less than: Double, Float, Integer, Long, Risk Score
Less or Equals: Double, Long, Risk Score
Contains in String: String
Not Contains in String: String
Between: Double, Float, Integer, IP Address, Long, Risk Score
Note: Between specifies a range of values that includes the range boundaries. A value between x and y is greater than or equal to x and less than or equal to y.
Not Between: Double, Float, Integer, IP Address, Long, Risk Score
Note: Not Between specifies values outside an inclusive range. A value not between x and y is less than x or greater than y.
Within: String, User ID
Not within: String, User ID
Note: The relevant operators will differ from fact to fact. The Within and Not Within operators are relevant only for the List category.
Expression Operators
The following operators are available for use between expressions.
Operator: Description
AND: Connects all expressions within a condition so that the rule is triggered only if all expressions are true.
OR: Connects all expressions within a condition so that the rule is triggered if any of the expressions within a condition is true.
Condition Operator
The following operator is available for use between conditions.
Operator: Description
AND: Connects all conditions within a rule so that the rule is triggered only if all conditions are true.

Actions
An action is a predefined outcome that occurs when the condition is fulfilled and the rule is triggered. Actions are performed only if the rule status is Production. For more information, see Rule Status on page 49. Only one action can be defined for each rule. The exception to this is the Review action, which can be set to generate a case together with another action. The following table describes the different action types. To configure these parameters, see General Rule Parameters on page 58.
Action: Allow
Description: Allow the end user to access the system or to continue with the transaction.
Case Created: Manually
Action: Challenge
Description: Request that the end user authenticate by selecting one of the authentication methods. For more information, see Authentication Methods on page 47. The Rule Manager can select whether a case is created in Case Management if authentication succeeds or fails.
Case Created: Manually (when authentication fails, succeeds, or in both situations)
Action: Deny
Description: Deny the end user access to the system or deny the transaction.
Case Created: Manually
Action: Review
Description: Flag the transaction for review by creating a case in the Case Management application.
Case Created: Automatically
Authentication Methods
You can use authentication methods to challenge end users to perform an action that verifies their identity before they are allowed to continue. These methods are used in high-risk situations to prevent fraudulent activity. The particular challenge method used depends upon which rule is triggered. The end user must successfully pass the challenge to continue with the current activity. The following authentication methods are available in the Adaptive Authentication system:
Knowledge-Based Authentication (KBA). The end user is asked a series of personalized questions based on available data sources.
Email (OOBEMAIL). The end user receives an automated email with instructions to enter a confirmation code.
Phone (OOBPHONE). The end user receives an automated phone call with instructions to enter a confirmation code.
SMS (OOBSMS). The end user receives an automated text message with instructions to enter a confirmation code.
One-time password (OTP). The end user is asked to enter a password that is only valid for a single session.
Secret Questions (QUESTION). The end user is asked to provide answers to a number of security questions previously defined by the genuine user.
Note: You can configure existing authentication methods using the c-config-mcf.xml file. For more information, see the Operations Guide.
You can install additional authentication methods for use in the Adaptive Authentication system. For more information, see the Authentication Plug-in Developer’s Guide. After you install additional authentication methods, you can add these methods to the list of methods available in the Policy Management application. You can do this using the Authentication Methods parameter located in the Authentication Methods component of the Administration Console. You can also use this parameter to remove existing, built-in authentication methods from the list that appears in the Policy Management application. For more information, see the chapter “Configure Authentication Methods” in the Operations Guide.
Important: If you delete a method in the Administration Console that is currently being used in rules, any rules with this action will still be triggered, but you will not be able to assign the deleted method to new rules. To completely delete an authentication method, you must remove the method from the configuration files.
When you select the Challenge action, you can define which method is used to challenge the end user. You can select and prioritize multiple methods from the available list. The system selects the first available method relevant for the end user. The end user can only be challenged using authentication methods for which the end user is registered. For example, if SMS, email, and Phone are selected as Authentication Methods with SMS having highest priority, email second priority, and Phone lowest priority, an end user who is not registered for SMS is challenged with the email method.
Risk Score
Risk Score is one of the fact categories that you can use to create a rule in the Policy Management application. The RSA Risk Engine evaluates each online activity, tracking over one hundred indicators to detect fraudulent activity. The Risk Engine produces a unique risk score, between 0 and 1,000, for each online activity. The higher the risk score, the greater the likelihood that an activity is fraudulent.
You can use the risk score to understand the risk level of an activity in relation to all end user activities. For example, if you choose to challenge any activity with a risk score greater than 900, you can expect 0.25 percent of all activities to be reviewed. This information also helps you estimate the number of cases that operators need to process.
Risk-based rules should only be promoted to Production status after the necessary Risk Engine learning period. Until this period has finished, the risk score is not stable and may not be entirely accurate. During the learning period, you can run risk-based rules with a status of Test in order to examine the potential results of your policy.
Note: If you upgrade from a previous version of Adaptive Authentication, you can continue to use risk-based rules without waiting for the Risk Engine learning period to finish. For more information, see the section about Risk Engine Parameters in the Operations Guide.
Case Creation
You can flag a transaction for review by creating a case. When a transaction is flagged, a case is created in the Case Management application when the rule is triggered. The Create Case feature performs the same action as the Review action but can be applied in addition to the actions that you apply to a rule. Creating a case is optional and does not need to be applied. If you select the Challenge action, you can choose to create a case when the end user passes authentication, fails authentication, or in both situations. For more information, see Chapter 4, Managing Cases.

Rule Status
You can assign one of the following statuses when creating a rule:
Work in Progress. The rule does not run on production data.
Test. The rule runs on production data, but no action takes place (except for the option to create a case). Statistics are collected to analyze the effectiveness of test rules. When a rule is triggered, the activity is recorded in the database.
Production. The rule runs on production data and actions take place.
In addition, the following status can also apply to rules:
Suspended. The rule was recently running on production data (had a status of Test or Production) but was suspended for some reason.
To properly manage a policy, you can test rules before you put the rules into production. This testing allows you to view the potential results of a newly created rule without directly affecting the end-user activity. After a rule has been sufficiently tested and appears stable, you can move the rule to production, where the rule is fully implemented.
3: Managing Policies
49
RSA Adaptive Authentication (On-Premise) 7.1 Back Office User’s Guide
While a rule has a status of Test, it is still triggered if it has a higher priority than a rule with a status of Production. In such a situation, the action of the rule in production is triggered in addition to any case created by the rule.
Status Change Before the rule status can be changed, some rules require the approval of a user with PolicyManager or SeniorPolicyManager permissions. For more information on rule statuses, see Rule Status. The following figure shows the possible status changes that can be made for rules.
The following table lists all status changes that require the approval of a user with PolicyManager or SeniorPolicyManager permissions.

Current Status (Change From) | Pending Status (Change To)
Work in Progress | Test
Work in Progress | Production
Test | Production
Test | Suspended
Production | Suspended
Production | Test
Suspended | Production
Suspended | Test
If you want to change the status of a rule, you must first submit a status change request. If the status change requires approval, the pending status of the rule reflects the status that you requested. A user with sufficient permissions must approve the status change request for the current status to change. If the rule does not require approval, the current status is changed immediately. Each rule has an indication of the current and pending state of the rule, as follows:
• Current Status. The status that the rule has right now.
• Pending Status. The status that will be applied to the rule if a status change request is approved by a user with sufficient permissions.
You cannot edit or delete a rule with a status of either Test or Production, or any rule that has a pending status. To edit or delete such a rule, you must first change the status to either Suspended or Work in Progress.
Rule Management You can use the New Rule wizard to create rules. After you create and save a rule, the rule appears in the Manage Rules table. You can manage rules using the Manage Rules table.
Manage Rules Table From the Manage Rules table, you can view details of all rules in one location. The rules presented in the table belong to a policy that is defined by the user. For more information about policies, see Chapter 3, Managing Policies.
You can use the toolbar at the top of the table to perform relevant policy actions, such as adding a new rule or exporting a policy. After you create and save a rule, it appears in the Manage Rules table. After you delete a rule, the rule no longer appears in the Manage Rules table. You can also use the table to easily select and manage existing rules. After you select a rule, you can edit or delete the rule. When you select a rule from the Manage Rules table, a detailed summary of the rule appears in the section under the Manage Rules table.
Note: Only the last comment is displayed. If there are multiple comments, you can click the hyperlink to view all comments.
Note: You can use your mouse to hover over "X items found" on the toolbar to see a breakdown of the number of rules according to the current status.
Sorting and Filtering Rules When you log on, the rules in the table are automatically sorted by the Date Modified column, but you can sort the rules by other columns as well. You can sort rules alphabetically in either direction. Note: You cannot sort rules by the Event Type column.
You can filter rules by Event Type, Current Status, Pending Status, and Action, using a checkbox to select the field or fields that you would like to view. For example, you can use the filter in the Action column to view only those rules that have Deny as the action. You can rearrange the columns on the Manage Rules table by dragging and dropping a column to another location.
Add a Rule
You can add a rule to define what action the Adaptive Authentication system takes during online transactions. You can use the New Rule wizard to define and create these rules. Each rule dictates an action to be taken for a particular end-user behavior.
Before You Begin
• Select the relevant organization or group.
• You must have RuleManager, PolicyManager, or SeniorPolicyManager role permissions. For more information, see Role Management on page 24.
To add a rule:
1. Click the Manage Rules link in the Policy Management application.
2. Click New > New Rule.
3. Complete the fields on the General page. For a description of each field, see General Rule Parameters on page 58.
4. Click Next.
5. On the Conditions page, do the following:
a. From the Category drop-down list, select a category.
Note: The data in the Fact and Operator drop-down lists changes according to the category selected. The order of the two lists also varies according to the category selected; the Operator list might appear before the Fact list.
b. From the Fact drop-down list, select a fact. For more information, see Appendix A, List of Facts.
c. From the Operator drop-down list, select an operator.
d. In each Value field, enter a value.
e. (Optional) To add a new expression, click Add New Expression, and repeat steps a through d. To define how multiple expressions are connected to each other, from the Join Multiple Expressions by drop-down list, select AND or OR. The selected operator applies to all expressions within the condition.
f. (Optional) To remove an expression, click Remove expression. Each condition must contain at least one expression, so you can only remove an expression if there are at least two expressions.
g. (Optional) To duplicate an expression, click Duplicate. When you duplicate an expression, all the fields are copied except the value field or fields.
h. (Optional) To add a new condition, click Add New Condition, and repeat steps a through e.
6. Click Next.
7. On the Actions page, do the following:
a. From the Action drop-down list, select an action. For a description of the available actions, see Actions on page 47.
Note: If you select Challenge, an Authentication Method section appears. From the Available Methods list, highlight the method to use to challenge end users, and click the right arrow to move it to the Selected Method(s) list. You can add as many methods as you like. To prioritize the methods within the Selected Method(s) list, use the up and down arrows.
b. To create a case, select Create a Case.
Note: If you select Challenge, two checkboxes appear, which allow you to create a case when authentication fails or when it succeeds. Select the appropriate checkbox.
8. Click Next.
9. Review the rule details on the Summary page. To edit any part of the rule, click Edit at the top right of the section that you want to change.
10. Click Finish.
Comparing Policy Facts The Policy Management application allows you to compare between any two facts, regardless of the fact type (custom, built-in or calculated), as long as the two facts are of the same data type.
Fact Comparison Operators
The following table lists the operators which you can use to compare facts.

Operator | Compatible with Data Type | Fact Types
Equal to Fact | All data types | Boolean, ENUM, String, Numeric, IP Address, User ID, Country
Not Equal to Fact | All data types | Boolean, ENUM, String, Numeric, IP Address, User ID, Country
Greater than Fact | Numeric data types | Numeric
Greater than or Equal to Fact | Numeric data types | Numeric
Less than Fact | Numeric data types | Numeric
Less than or Equal to Fact | Numeric data types | Numeric
Contains String Fact | String data types | String
Not Contains String Fact | String data types | String
The following operators are not supported by the Comparison of Policy Facts enhancement:
• Between
• Not Between
• Within
• Not Within
• Is Empty
Compare Facts
You can use the Rule wizard to compare facts within rules that you create.
Before You Begin
• Select the relevant organization or group.
• You must have RuleManager, PolicyManager, or SeniorPolicyManager role permissions. For more information, see Role Management on page 24.
• Perform the Add a Rule procedure, as described in Add a Rule on page 53, until the step to define the rule expression on the Conditions page.
To compare facts:
1. Select a source category from the Category drop-down list.
2. Select the source fact from the Fact drop-down list.
3. Select a fact comparison operator from the Operator drop-down list.
Note: This selection determines that the purpose of the rule is to compare facts. The Rule wizard utility adjusts the user interface accordingly.
4. Choose a target category, considering the following:
• The default selection for the target category is the same as the source category.
• The target Category drop-down list includes all categories.
5. Choose a target fact, considering the following:
• The default selection for the target fact is empty.
• The target Fact drop-down list includes only the facts with the same data type as the source fact.
6. The Rule wizard utility adjusts the user interface if the following changes are made:
• If a target category other than the source category is selected, the target fact field is reset.
• If the fact comparison operator is changed to a non-fact comparison operator, the target category and fact are reset to a non-fact comparison expression target format.
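The two constraints the operator table and the Compare Facts procedure describe (both facts must share a data type, and each operator only accepts the data types listed for it) are easy to get wrong when a policy is reviewed outside the wizard. The following is an added example, not code from RSA or from the product, that models those constraints in Python: `Fact`, `compatible_targets`, `compare_facts` and `rejects` are names chosen here, the sample facts are constructed, and "Contains String Fact" is assumed to test whether the source fact contains the target fact's string (the guide does not say which side is the container).

```python
# Added model of the fact comparison constraints described in the guide.
# Not the product's code: the data type and operator names are the guide's,
# the Fact records and helper names are constructed for this example.
from dataclasses import dataclass
from typing import Any, Dict, List

ALL_TYPES = {"Boolean", "ENUM", "String", "Numeric", "IP Address", "User ID", "Country"}
NUMERIC_TYPES = {"Numeric"}
STRING_TYPES = {"String"}

# operator -> (data types it accepts, predicate over (source value, target value))
FACT_OPERATORS = {
    "Equal to Fact":                 (ALL_TYPES,     lambda a, b: a == b),
    "Not Equal to Fact":             (ALL_TYPES,     lambda a, b: a != b),
    "Greater than Fact":             (NUMERIC_TYPES, lambda a, b: a > b),
    "Greater than or Equal to Fact": (NUMERIC_TYPES, lambda a, b: a >= b),
    "Less than Fact":                (NUMERIC_TYPES, lambda a, b: a < b),
    "Less than or Equal to Fact":    (NUMERIC_TYPES, lambda a, b: a <= b),
    # Assumption: the source fact is the container, the target fact the substring.
    "Contains String Fact":          (STRING_TYPES,  lambda a, b: b in a),
    "Not Contains String Fact":      (STRING_TYPES,  lambda a, b: b not in a),
}

# Operators that exist for literal values but are not available for fact comparison.
UNSUPPORTED_FOR_FACTS = {"Between", "Not Between", "Within", "Not Within", "Is Empty"}


@dataclass(frozen=True)
class Fact:
    name: str
    data_type: str
    value: Any


def compatible_targets(source: Fact, facts: List[Fact]) -> List[str]:
    """Names the target Fact list would offer: same data type as the source, excluding the source itself."""
    return [f.name for f in facts if f.data_type == source.data_type and f.name != source.name]


def compare_facts(operator: str, source: Fact, target: Fact) -> bool:
    """Evaluate a fact-to-fact expression, rejecting combinations the wizard would not allow."""
    if operator in UNSUPPORTED_FOR_FACTS:
        raise ValueError(f"{operator} is not supported for fact comparison")
    if operator not in FACT_OPERATORS:
        raise ValueError(f"unknown operator {operator}")
    if source.data_type != target.data_type:
        raise TypeError(f"{source.name} ({source.data_type}) and {target.name} "
                        f"({target.data_type}) differ in data type")
    allowed, predicate = FACT_OPERATORS[operator]
    if source.data_type not in allowed:
        raise TypeError(f"{operator} does not accept {source.data_type} facts")
    return predicate(source.value, target.value)


def rejects(operator: str, source: Fact, target: Fact) -> str:
    """Name of the exception compare_facts raises for this expression, or '' if it evaluates."""
    try:
        compare_facts(operator, source, target)
        return ""
    except (TypeError, ValueError) as exc:
        return type(exc).__name__


def demo() -> Dict[str, Any]:
    """Constructed facts: a transaction amount against a 30-day average, IP vs profile country, and a UA substring."""
    facts = [
        Fact("amount", "Numeric", 5000),
        Fact("avg_amount_30d", "Numeric", 1200),
        Fact("ip_country", "Country", "FR"),
        Fact("profile_country", "Country", "DE"),
        Fact("user_agent", "String", "Mozilla/5.0 (X11; Linux)"),
        Fact("ua_fragment", "String", "Linux"),
    ]
    by = {f.name: f for f in facts}
    return {
        "targets_for_amount": compatible_targets(by["amount"], facts),
        "amount_exceeds_average": compare_facts("Greater than Fact", by["amount"], by["avg_amount_30d"]),
        "country_mismatch": compare_facts("Not Equal to Fact", by["ip_country"], by["profile_country"]),
        "ua_contains": compare_facts("Contains String Fact", by["user_agent"], by["ua_fragment"]),
    }


if __name__ == "__main__":
    print(demo())
```

The type check comes before the operator check on purpose: a mismatched pair is rejected regardless of operator, which mirrors the wizard only offering same-type facts in the target list.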
Edit a Rule
You can edit a rule to change any of the details. All rule fields are available for editing. To edit a rule with a status of Test or Production, you must first change the status to Work in Progress or Suspended. For more information, see Status Change on page 50.
To edit a rule:
1. Click the Manage Rules link in the Policy Management application.
2. In the Manage Rules table, click the Rule Name of the rule that you want to edit. The Summary page is displayed.
3. Click Edit at the top right of the section that you want to change.
4. Change the section as necessary. Use the Next and Back buttons to navigate between sections, or click the section links at the top of the screen (General, Conditions, Actions, and Summary).
5. Click Save & Exit to save your changes and return to the Manage Rules table.
Delete a Rule You can delete a rule to remove the rule from the system and prevent the rule from functioning. When you delete a rule, the rule is no longer available in the Manage Rules table. To delete a rule:
1. Click the Manage Rules link in the Policy Management application. 2. Select the checkbox of the rule or rules you want to delete. 3. Click Delete.
General Rule Parameters
The following table describes the general rule parameters, available on the General page of the New Rule wizard.

Rule Name (Required: Yes)
Unique name that you assign to the rule. The rule name is unique per policy. An informative name, for example, Challenge Forbidden IP Address, can help you quickly locate the rule and understand its purpose. The maximum length of rule names is 80 characters. You can use special characters in the rule name.

Description (Required: No)
An explanatory note describing the purpose or function of the rule. The maximum length of the description is 500 characters.

Status (Required: Yes)
The current status for this rule. The following options are available:
• Work In Progress. The rule can be edited but is not running on production data.
• Test. The rule is running on production data, and cases can be created, but no action takes place.
• Production. The rule is running on production data, and all actions take place.
Any rule assigned a status of Test or Production is initially saved with a status of Work In Progress. After a user with PolicyManager or SeniorPolicyManager permissions approves the status change, the rule reflects the originally assigned status.

Comment (Required: No)
A free-text field that can be used to explain changes or additions made to the rule. You can add several comments to a rule, which are displayed one after another. The maximum length of a comment is 500 characters. You can view all comments associated with a rule by clicking the View Previous Comments link in the Summary section on the Manage Rules screen. A new window displays a list of comments with the date and time each comment was added and the name of the person who added each comment. The table is sorted according to the most recently added comments. You can edit only the current comment. Previous comments are displayed as read-only.

Event Type (Required: Yes)
The type of end-user activity that triggers a rule when all rule conditions are met. In addition to predefined event types, custom event types appear in this list, marked with an icon. You can select one event type or several event types.

Order (Required: Yes)
The priority assigned to a rule, indicating the order in which the rule is triggered. A lower number represents a higher priority and a higher number represents a lower priority. When a production rule is triggered, all rules with a lower priority will not be triggered. The default value for this field is one position lower than the lowest-ordered existing rule. For example, if the lowest-ordered existing rule is 8, the default value is 9. To add a rule as last in line, leave the default value that is displayed in the field. If you choose a value currently assigned to an existing rule, the existing rule and all lower-ordered rules are moved one priority level lower. For example, if you assign a priority of 5 to a rule, the existing rule with a priority of 5 is assigned a lower priority of 6, and similarly with all other rules. The Available Range values represent the possible values that you can assign to the rule. The highest value in the range of values is automatically assigned as the order of the rule. The Policy Engine receives and evaluates only rules with a status of Test or Production. A rule with a status of Work in Progress is not sent to the Policy Engine. In such a case, the Policy Engine checks the relative order of the remaining rules. For example, if there are three rules in the system, and the rule with an order of 2 has a status of Work in Progress, the Policy Engine receives only the rules with orders of 1 and 3 and assigns the latter rule a lower priority.
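The Order and Status parameters together decide which rules the Policy Engine sees and in what sequence, and the earlier note that a Test rule is still triggered ahead of a lower-priority Production rule (recording the activity and creating a case, while the Production rule supplies the action) is easy to misread. The following is an added example, not RSA's Policy Engine code, that models those semantics in Python: `Rule`, `insert_rule`, `engine_view` and `evaluate` are names chosen here, the matching predicate stands in for the rule's conditions, and the sample rules, event and country code are constructed. The pass/fail case options of the Challenge action are not modeled.

```python
# Added illustration of the Order / Status semantics described above.
# Not RSA's Policy Engine code; the Rule record, the matching predicate and
# the sample policy are constructed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    order: int                        # lower number = higher priority
    status: str                       # Work in Progress / Test / Production / Suspended
    action: str                       # e.g. Allow, Deny, Challenge, Review
    matches: Callable[[Event], bool]  # stand-in for the rule's conditions
    create_case: bool = False


def default_order(rules: List[Rule]) -> int:
    """Default for a new rule: one position below the lowest-ordered existing rule."""
    return max((r.order for r in rules), default=0) + 1


def insert_rule(rules: List[Rule], new: Rule) -> List[Rule]:
    """Place a rule at its requested order.

    If that order is already taken, the existing rule and every rule ordered
    below it move one priority level lower (5 becomes 6, and so on). Existing
    Rule objects are updated in place; the returned list is sorted by order.
    """
    if any(r.order == new.order for r in rules):
        for r in rules:
            if r.order >= new.order:
                r.order += 1
    return sorted(rules + [new], key=lambda r: r.order)


def engine_view(rules: List[Rule]) -> List[Rule]:
    """Only Test and Production rules are sent to the Policy Engine, which then
    works from the relative order of those remaining rules."""
    return sorted((r for r in rules if r.status in ("Test", "Production")),
                  key=lambda r: r.order)


def evaluate(rules: List[Rule], event: Event) -> dict:
    """Evaluate one event against the engine's view of the rules.

    A matching Test rule is recorded (and may create a case) but takes no
    action and does not stop evaluation. The first matching Production rule
    supplies the action, and rules of lower priority are not triggered.
    """
    triggered: List[str] = []
    cases: List[str] = []
    action: Optional[str] = None
    for r in engine_view(rules):
        if not r.matches(event):
            continue
        triggered.append(r.name)
        if r.create_case:
            cases.append(r.name)
        if r.status == "Production":
            action = r.action
            break
    return {"action": action, "triggered": triggered, "cases": cases}


def sample_rules() -> List[Rule]:
    """Constructed policy: one Test rule, one Work in Progress rule, two Production rules."""
    return [
        Rule("high-amount-test", 1, "Test", "Review",
             lambda e: e.get("amount", 0) > 1000, create_case=True),
        Rule("draft-rule", 2, "Work in Progress", "Deny", lambda e: True),
        Rule("deny-forbidden-country", 3, "Production", "Deny",
             lambda e: e.get("country") == "ZZ"),   # "ZZ" is a constructed placeholder
        Rule("allow-rest", 4, "Production", "Allow", lambda e: True),
    ]


def demo() -> dict:
    """Run the sample policy against a constructed event, then insert a rule at
    an occupied order and report how the other orders shift."""
    rules = sample_rules()
    result = evaluate(rules, {"amount": 5000, "country": "ZZ"})
    rules = insert_rule(rules, Rule("new-at-3", 3, "Production", "Challenge",
                                    lambda e: False))
    orders = {r.name: r.order for r in rules}
    return {"result": result, "orders": orders, "next_default": default_order(rules)}


if __name__ == "__main__":
    print(demo())
```

Note that `draft-rule` never reaches the engine even though its order (2) sits between two live rules, which is exactly why a Work in Progress rule cannot be relied on to block anything.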
Request a Status Change for a Rule
You can request a status change for a rule to redefine the purpose of a rule within your organizational policy. For example, you can change the status of a rule from Production to Suspended if you see that the rule is not furthering the security goals of your organization. Depending on the status change request that you make, the new status that you choose may initially appear as a pending status. If so, a user with sufficient permissions must approve the status change request for the status to change from pending status to current status. For more information, see Status Change on page 50.
To change the status of a rule:
1. Click the Manage Rules link in the Policy Management application.
2. From the Manage Rules table, select the rule for which you want to change the status.
3. From the Status drop-down list, select Request Status Change.
4. In the Request Status Change dialog box, select a new status from the New Status drop-down list.
5. (Optional) In the Comment field, enter a description related to the current status change. This comment will appear when a user with PolicyManager or SeniorPolicyManager permissions reviews the status change. The description should help the reviewer understand why the status was changed.
6. Click Set Status.
Cancel a Status Change Request for a Rule You can cancel a status change request to retract a previously sent request to change the status of a rule. When you cancel a status change request, the pending status is removed and the status of the rule remains the current status. You can cancel a status change request only if you are the user who made the request. You can only cancel a status change request of a rule with a pending status. To cancel a status change request for a rule:
1. Click the Manage Rules link in the Policy Management application. 2. From the Manage Rules table, select the rule for which you want to cancel the status change request. 3. From the Status drop-down list, select Cancel Request. 4. Click Yes. Note: You can cancel only one status change request at a time.
Approve a Status Change Request for a Rule
You can approve a status change request for a rule to confirm a status change. You can only approve the status of a rule with a pending status. A pending status indicates that the status of the rule has been changed and requires approval before the new status takes effect. You can approve the status of only one rule at a time.
Before You Begin
You must have PolicyManager or SeniorPolicyManager role permissions to approve the status of a rule. For more information, see Role Management on page 24.
Note: A user with PolicyManager permissions can approve the status of a rule only if the request was made by another user. A SeniorPolicyManager can approve all status change requests.
To approve the status of a rule:
1. Click the Manage Rules link in the Policy Management application.
2. From the Manage Rules table, select the rule for which you want to approve the status.
3. From the Status drop-down list, select Approve Status.
4. In the Approve Status dialog box, review the rule status details. If you approve the status change, the status listed in the Pending Status field will become the Current Status. The Pending Status field will then be empty.
5. (Optional) In the Comments field, enter a description related to the status approval.
6. Click Approve.
Reject a Status Change Request for a Rule
You can reject the status of a rule to deny a status change and keep the rule status as is. You can only reject the status of a rule with a pending status. A pending status indicates that the rule’s status has been changed and requires review before the new status can take effect. You can reject the status of only one rule at a time.
Before You Begin
You must have PolicyManager or SeniorPolicyManager role permissions to reject the status of a rule. For more information, see Role Management on page 24.
Note: A user with PolicyManager permissions can reject the status of a rule only if the request was made by another user. A SeniorPolicyManager can reject all status change requests.
To reject the status of a rule:
1. Click the Manage Rules link in the Policy Management application. 2. From the Manage Rules table, select the rule for which you want to reject the status. 3. From the Status drop-down list, select Reject Status. 4. In the Reject Status dialog box, review the rule status details. If you reject the status change, the status listed in the Pending Status field will be removed, and the Current Status will remain as it is. 5. (Optional) In the Comments field, enter a description related to the status rejection. 6. Click Reject.
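The status workflow described in Status Change and in the request, cancel, approve and reject procedures above amounts to a small state machine with a separation-of-duties rule: the listed transitions need approval, a PolicyManager may not approve or reject a request they raised themselves, and a SeniorPolicyManager may review any request. The following is an added example, not the product's code, that models that workflow in Python. The status and role names and the approval table are the guide's; `Rule`, `User`, `request_status`, `approve`, `reject`, `cancel` and the users in `demo()` are constructed for this example.

```python
# Added model of the rule status workflow: approval table, pending status,
# and the PolicyManager / SeniorPolicyManager review rules. Not the
# product's code; users and the rule below are constructed.
from dataclasses import dataclass
from typing import Optional

WIP, TEST, PROD, SUSP = "Work in Progress", "Test", "Production", "Suspended"

# (current status, requested status) pairs that need PolicyManager or
# SeniorPolicyManager approval; every other change applies immediately.
REQUIRES_APPROVAL = {
    (WIP, TEST), (WIP, PROD),
    (TEST, PROD), (TEST, SUSP),
    (PROD, SUSP), (PROD, TEST),
    (SUSP, PROD), (SUSP, TEST),
}


@dataclass
class User:
    name: str
    role: str  # RuleManager, PolicyManager or SeniorPolicyManager


@dataclass
class Rule:
    name: str
    current: str = WIP
    pending: Optional[str] = None
    requested_by: Optional[str] = None


def can_edit(rule: Rule) -> bool:
    """Rules in Test or Production, or with a pending status, cannot be edited or deleted."""
    return rule.pending is None and rule.current in (WIP, SUSP)


def request_status(rule: Rule, new_status: str, user: User) -> Rule:
    """Approval-bound changes become the pending status; other changes apply at once."""
    if rule.pending is not None:
        raise ValueError(f"{rule.name} already has a pending status")
    if (rule.current, new_status) in REQUIRES_APPROVAL:
        rule.pending, rule.requested_by = new_status, user.name
    else:
        rule.current = new_status
    return rule


def _check_reviewer(rule: Rule, reviewer: User) -> None:
    """SeniorPolicyManager reviews anything; PolicyManager only someone else's request."""
    if rule.pending is None:
        raise ValueError(f"{rule.name} has no pending status to review")
    if reviewer.role == "SeniorPolicyManager":
        return
    if reviewer.role == "PolicyManager" and reviewer.name != rule.requested_by:
        return
    raise PermissionError(f"{reviewer.name} ({reviewer.role}) may not review this request")


def approve(rule: Rule, reviewer: User) -> Rule:
    """The pending status becomes the current status and the pending field is cleared."""
    _check_reviewer(rule, reviewer)
    rule.current, rule.pending, rule.requested_by = rule.pending, None, None
    return rule


def reject(rule: Rule, reviewer: User) -> Rule:
    """The pending status is removed; the current status stays as it is."""
    _check_reviewer(rule, reviewer)
    rule.pending, rule.requested_by = None, None
    return rule


def cancel(rule: Rule, user: User) -> Rule:
    """Only the user who made the request can retract it."""
    if rule.pending is None or user.name != rule.requested_by:
        raise PermissionError(f"{user.name} cannot cancel this request")
    rule.pending, rule.requested_by = None, None
    return rule


def demo() -> dict:
    """Walk one constructed rule through the workflow with constructed users."""
    alice = User("alice", "RuleManager")
    bob = User("bob", "PolicyManager")
    carol = User("carol", "SeniorPolicyManager")
    rule = Rule("challenge-high-risk")
    trace = {}
    request_status(rule, TEST, alice)
    trace["requested_test"] = (rule.current, rule.pending, can_edit(rule))
    approve(rule, bob)
    trace["approved_test"] = (rule.current, rule.pending)
    request_status(rule, WIP, alice)            # not in the table: applies immediately
    trace["back_to_wip"] = (rule.current, rule.pending, can_edit(rule))
    request_status(rule, PROD, bob)
    try:
        approve(rule, bob)                      # PolicyManager reviewing own request
        trace["self_approval_refused"] = False
    except PermissionError:
        trace["self_approval_refused"] = True
    approve(rule, carol)
    trace["senior_approved"] = (rule.current, rule.pending)
    request_status(rule, SUSP, bob)
    reject(rule, carol)
    trace["rejected"] = (rule.current, rule.pending)
    return trace
```

The self-approval check is the part worth keeping in mind when staffing the roles: a single PolicyManager cannot move their own rule into Production, so a second reviewer or a SeniorPolicyManager is always involved.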
Duplicate Rules to Another Organization
You can duplicate all rules to copy all rule data from one organization to another organization or from one organization to multiple organizations. You can then make changes or adjustments to the new policy as necessary. When you duplicate all rules to an organization, you replace all existing rules for that organization. This includes all rules with a status of Work in Progress and Suspended, in addition to those with a status of Test and Production. The rules are copied as is, with the same rule details, conditions, and actions. You must be logged on to an organization to duplicate the rules to another organization. When you duplicate rules, the last modified date is changed for the rules in the target organization.
Important: Do not make any changes to the policy while you perform the duplicate action.
Before You Begin
Ensure that you have PolicyManager or SeniorPolicyManager role permissions. You must also have these permissions for the organization to which you want to duplicate the rules. For more information, see Role Management on page 24.
To duplicate all rules to another organization:
1. Click the Manage Rules link in the Policy Management application.
2. Click New > Duplicate All Rules.
3. Select one or more target organizations.
4. Click Duplicate.
Note: After the completion of the duplicate process, a policy refresh occurs. The duplicated rules are immediately activated in the target organization, and the rule status of all rules remains the same. Policy data that existed before the duplicate action is removed from the database and will not appear on a Policy Report. For more information, see Policy Refresh on page 41.
Policy Export and Import
You can export all policy management data to duplicate all organizational policies in order to create parallel environments for both testing and production purposes. Additionally, you can export policy data to save a backup of your policy. When you export or import policy data, you transfer data from all organizational policies. This data includes rules, lists and their values, custom facts and custom event types.
The system saves the exported file on the server as an XML file. An MD5 checksum file is also created during the export process so that any corruption of the XML file can be detected; the checksum is verified during the import operation to confirm the integrity of the exported file. Only users with permission to access the default organization can perform the export and import policy actions.
When you export the policy data, the file is saved on the server and not locally. This is done for security reasons, in order to reduce the risk of unauthorized access to the file. You can configure the file location in the Administration Console. For more information, see the Operations Guide.
To duplicate all policies from the source environment to the target environment, you must perform the following actions.
1. Export policy data from the source environment.
2. Copy the exported files to the target environment.
3. Import policy data on the target environment.
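Step 2 of the procedure above moves the exported XML and its MD5 checksum file between environments by hand, so checking the pair before the import is the cheap way to catch a truncated or damaged copy early. The following is an added example, not the product's tooling, that does that check in Python. It assumes the checksum file holds the hexadecimal MD5 digest of the XML file as its first whitespace-separated token (the guide does not describe the checksum file's layout), and the sample export and checksum written in `demo()` are constructed in a temporary directory; the file name used there is a placeholder, not the product's naming scheme.

```python
# Added example: verify an exported policy XML file against its MD5 checksum
# file before copying it to, or importing it on, the target environment.
# Not the product's tooling. Assumes the checksum file's first token is the
# hex MD5 digest of the XML file; sample files below are constructed.
import hashlib
import os
import tempfile


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 64 * 1024) -> str:
    """Stream the file so a large policy export does not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def read_expected_md5(path: str) -> str:
    """Parse the sidecar checksum file (assumed layout: '<hex digest> [filename]')."""
    with open(path, "r", encoding="ascii") as fh:
        tokens = fh.read().split()
    if not tokens:
        raise ValueError(f"{path} is empty")
    token = tokens[0].lower()
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError(f"{path} does not start with a 32-character hex MD5 digest")
    return token


def verify_export(xml_path: str, md5_path: str) -> bool:
    """True only if the XML file's digest matches the one recorded at export time."""
    return md5_of_file(xml_path) == read_expected_md5(md5_path)


def demo() -> dict:
    """Constructed export: the intact copy verifies, a copy with one flipped byte does not."""
    xml = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<policyExport>\n'
           b'  <rule name="Challenge Forbidden IP Address" status="Test"/>\n'
           b'</policyExport>\n')
    with tempfile.TemporaryDirectory() as tmp:
        xml_path = os.path.join(tmp, "policy_export_example.xml")   # placeholder name
        md5_path = xml_path + ".md5"
        with open(xml_path, "wb") as fh:
            fh.write(xml)
        with open(md5_path, "w", encoding="ascii") as fh:
            fh.write(f"{md5_of_bytes(xml)}  {os.path.basename(xml_path)}\n")
        intact = verify_export(xml_path, md5_path)

        damaged_xml = bytearray(xml)
        damaged_xml[-10] ^= 0x01          # simulate a single corrupted byte in transfer
        with open(xml_path, "wb") as fh:
            fh.write(bytes(damaged_xml))
        damaged = verify_export(xml_path, md5_path)
    return {"intact": intact, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

The check detects accidental corruption only: anyone who can modify the XML in the export directory can regenerate the checksum file alongside it, so the directory permissions the guide recommends, not the MD5 file, are what protect the export from tampering.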
Export Policy Data
You can export all policy data to duplicate all organizational policies in order to create parallel environments for both testing and production purposes. Additionally, you can export policy data to save a backup of your policy. When you export all policy data, you export data from all organizational policies. Exported data includes rules, lists and their values, custom facts, and custom event types.
Before You Begin
You must have permission to access the default organization in order to perform the export policy action.
To export a policy:
1. Click the Manage Rules link in the Policy Management application. 2. Click Export Policy. The Export Policy dialog box displays the location of the export directory. The name of the exported file is aaboPolicyExportFile_