Rule conditions
Rules within a security policy can carry two types of user authentication and authorization conditions: Access Requests and MFA. When a resource has multiple rules with both Access Requests and MFA enabled, users can access the resource as long as they meet all the conditions of at least one of those rules.
Consider a scenario where a security admin sets up a policy containing several rules that include Access Requests, privilege sets, and Gateway conditions. In this case, users are presented with multiple connection options. In the following example, the policy contains five rules with various conditions, which results in five connection options for the user to select. If the user fulfills all the requirements of any one rule, they're granted access to the resource.
If the user's Access Request was approved 35 minutes ago and they then complete the MFA challenge within 10 minutes, the user is granted access, because the conditions of Rule 2 are satisfied. However, if the user's Access Request was approved 28 minutes ago and they complete the MFA challenge after 70 minutes, the user isn't granted access, because none of the rule conditions are satisfied.
Rule 1
- Access Requests: Manager approval with 30-minute validity
- MFA: Phishing resistant with re-authentication frequency of 15 minutes
Rule 2
- Access Requests: Manager approval with 45-minute validity
- MFA: Phishing resistant with re-authentication frequency of 10 minutes
Rule 3
- Access Requests: Director approval with 60-minute validity
- MFA: Phishing resistant with re-authentication frequency of 8 minutes
Rule 4
- Access Requests: Director approval with 15-minute validity
Rule 5
- MFA: Phishing resistant with re-authentication frequency of 5 minutes
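The following evaluator is an added illustration of the rule logic above, not the product's own code. It models each of the five rules as a set of time-window conditions and grants access when every condition of at least one rule is met. It assumes that an approval must come from exactly the role the rule names (no implied hierarchy between Manager and Director), and that the two scenarios in the text involve a Manager-approved request; both assumptions are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a rule: an optional Access Request condition (approver role plus
# validity window, in minutes) and an optional MFA condition (re-authentication frequency,
# in minutes). This is an illustrative data model, not the product's own.

@dataclass(frozen=True)
class Rule:
    name: str
    approver: Optional[str] = None               # role that must have approved the request
    approval_validity_min: Optional[int] = None  # minutes the approval stays valid
    mfa_reauth_min: Optional[int] = None         # max minutes since the last MFA challenge


@dataclass(frozen=True)
class UserState:
    approver: Optional[str] = None         # who approved the user's Access Request, if any
    approval_age_min: Optional[int] = None  # minutes since that approval
    mfa_age_min: Optional[int] = None       # minutes since the last phishing-resistant MFA


def rule_satisfied(rule: Rule, user: UserState) -> bool:
    """True only if every condition the rule defines is met by the user's current state.

    Assumption: the approver role must match exactly (Director does not satisfy Manager).
    """
    if rule.approval_validity_min is not None:
        if user.approval_age_min is None or user.approver != rule.approver:
            return False
        if user.approval_age_min > rule.approval_validity_min:
            return False  # approval has expired
    if rule.mfa_reauth_min is not None:
        if user.mfa_age_min is None or user.mfa_age_min > rule.mfa_reauth_min:
            return False  # MFA challenge too old (or never completed)
    return True


# The five rules from the example above, encoded as data.
RULES = [
    Rule("Rule 1", approver="Manager", approval_validity_min=30, mfa_reauth_min=15),
    Rule("Rule 2", approver="Manager", approval_validity_min=45, mfa_reauth_min=10),
    Rule("Rule 3", approver="Director", approval_validity_min=60, mfa_reauth_min=8),
    Rule("Rule 4", approver="Director", approval_validity_min=15),
    Rule("Rule 5", mfa_reauth_min=5),
]


def matching_rules(rules: List[Rule], user: UserState) -> List[str]:
    """Names of every rule whose conditions the user currently satisfies."""
    return [r.name for r in rules if rule_satisfied(r, user)]


def is_granted(rules: List[Rule], user: UserState) -> bool:
    """Access is granted when at least one rule is fully satisfied."""
    return bool(matching_rules(rules, user))


if __name__ == "__main__":
    # Scenario 1 from the text: approved 35 minutes ago, MFA completed within 10 minutes.
    granted = UserState(approver="Manager", approval_age_min=35, mfa_age_min=10)
    # Scenario 2 from the text: approved 28 minutes ago, MFA completed after 70 minutes.
    denied = UserState(approver="Manager", approval_age_min=28, mfa_age_min=70)
    print(matching_rules(RULES, granted))  # ['Rule 2']
    print(matching_rules(RULES, denied))   # []
```

Only Rule 2 matches the first scenario: Rule 1's 30-minute approval window has already passed, Rule 3 and Rule 5 need fresher MFA, and Rule 4 needs a Director approval within 15 minutes. In the second scenario the approval is still inside the windows of Rules 1 to 3, but a 70-minute-old MFA challenge fails every MFA condition, so no rule is satisfied.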
Rules for secrets hierarchical structure
When rules are defined at different levels of a hierarchy, the rules that are linked closer to the target resource take precedence. This means that if rules are defined on the target resource itself, those rules would override any rules linked to parent folders in the hierarchy. If there are no rules defined on the target resource, the nearest parent folder with matching rules is used instead.
For example, consider the following secret folder structure: A → B → C. If a user tries to access resource C, any rules linked to C with matching permissions apply. If there are no rules defined on C but rules are defined on both A and B, the rules on B apply, because B is the nearest parent; if only A has matching rules, the rules on A apply.
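As an added example (not the product's own code), the resolver below walks the A → B → C hierarchy from the target upwards and returns the rules of the first node that has a rule matching the requested permission. The folder names follow the example above; the rule names, their permission sets, and the reading of "matching" as "grants the requested permission" are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed hierarchy from the example: A is the root, B is under A, C is under B.
PARENT: Dict[str, Optional[str]] = {"A": None, "B": "A", "C": "B"}


@dataclass(frozen=True)
class LinkedRule:
    name: str
    permissions: frozenset  # permissions this rule grants (constructed labels)


# Constructed rule links: A carries a read/write rule, B carries a read-only rule,
# and C has no rules of its own.
RULES_BY_NODE: Dict[str, List[LinkedRule]] = {
    "A": [LinkedRule("root-admins", frozenset({"read", "write"}))],
    "B": [LinkedRule("team-readers", frozenset({"read"}))],
    "C": [],
}


def effective_rules(
    target: str,
    permission: str,
    rules_by_node: Dict[str, List[LinkedRule]] = RULES_BY_NODE,
    parent: Dict[str, Optional[str]] = PARENT,
) -> Tuple[Optional[str], List[str]]:
    """Return (node, rule names) for the nearest node, starting at the target, that has
    at least one rule granting the permission. Rules closer to the target override any
    rules further up the hierarchy; (None, []) means nothing in the chain matched."""
    current: Optional[str] = target
    while current is not None:
        matching = [
            r.name for r in rules_by_node.get(current, []) if permission in r.permissions
        ]
        if matching:
            return current, matching
        current = parent.get(current)  # move one level up the hierarchy
    return None, []


if __name__ == "__main__":
    print(effective_rules("C", "read"))   # ('B', ['team-readers'])
    print(effective_rules("C", "write"))  # ('A', ['root-admins'])
    # If C gets its own read rule, it takes precedence over B's.
    with_c = {**RULES_BY_NODE, "C": [LinkedRule("c-owners", frozenset({"read"}))]}
    print(effective_rules("C", "read", with_c))  # ('C', ['c-owners'])
```

For a read of C the walk stops at B, the nearest parent with a matching rule; for a write it continues to A, since B's rule does not grant write. Once a matching rule is linked directly to C, the parents are never consulted.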