Policy scenarios
Several commonly used policy scenarios are provided as examples to help you author policies.
- Deny access based on a set of conditions
  A common policy scenario is to deny access based on a set of conditions.
- Deny access based on a set of conditions with an OR clause
  A common policy scenario is to use multiple conditions in a single rule and to join those conditions with And or Or. In this scenario, access is denied if either of the policy conditions that are joined by Or are true.
- Permitting access based on a set of conditions with an AND clause
  A common policy scenario is to use multiple conditions in a single rule and to join those conditions with And or Or. In this scenario, access is permitted if both of the policy conditions that are joined by And are true.
- Permitting access after one-time password authentication
  Security Verify Access can prompt users for one-time passwords when they request access to protected resources. We can use a policy to permit access to users who authenticated with a one-time password. Or, we can prompt them for the password and then permit access when they provide it.
- Enforce an authentication policy for every access per session
  We can enforce an authentication policy once per session or every time a user accesses a protected resource. In this scenario, the authentication service relies on the authenticationTypes credential attribute to determine which authentication policies the user successfully completed during the authentication session.
- Enforce an authentication mechanism once per session
  We can enforce an authentication mechanism once per session or every time a user accesses a protected resource. In this scenario, the authentication service relies on the authenticationMechanismTypes credential attributes to determine which authentication mechanisms the user successfully completed during the authentication session.
- Registering a device after user consent
  Device registration is the process that stores the device fingerprint of the user in the risk-based access database. The rules specified in a policy determine whether a device is registered silently or only after the user consents to the registration.