22.2 Allowing Employees to Access the Human Resources Portal Outside the Corporate Network

Inside the corporate network and within business hours, all employees can access the Human Resources (HR) portal using their password.

You want to secure the HR portal when it is accessed beyond business hours and from an external network.

To meet this requirement, you need to perform the following tasks:

  1. Configure a risk policy with IP Address Rule and User Time of Login Rule.

  2. Configure chains for low risk and medium risk levels.

  3. Configure or modify an event for the HR portal and map the risk policy and chains to this event.

    NOTE: If you do not configure a chain for the high risk level, the user is not prompted with any chain in high-risk scenarios, and access is denied.

Configure a risk policy

  1. Click Risk Settings > Create a Risk Policy icon.

  2. Specify the following details:

    • Policy Name: Specify the name. For example, Risk-Service-Employees-Access.

    • Description: Specify the purpose of this policy.

  3. Configure the IP Address Rule and the User Time of Login Rule in the following order. The rules are executed from top to bottom.

    Rule: IP Address Rule

    Configuration steps:

    1. Click Add Rule.

    2. Specify the rule name and the description.

    3. Select IP Address Rule from Choose a Rule Type.

    4. Select Is from Allow if IP address in the list.

    5. Select IP address range in Manually enter the Data source.

    6. Specify the range of the IP address.

      For example, 10.0.0.0 to 10.255.255.255

    7. Click Save.

    Rule: User Time of Login Rule

    Configuration steps:

    1. Click Add Rule.

    2. Specify the rule name and the description.

    3. Select User Time of Login Rule from Choose a Rule Type.

    4. Select Is from User time of login.

    5. Select the date range from Monday to Friday.

    6. Select the time range from 9:00 AM to 6:00 PM.

    7. Click Save.

  4. Set up the risk levels:

    • Move the blue slider to 1 to indicate that if one rule fails, the risk is medium.

    • Move the green slider to 0 to indicate that if no rules fail, the risk is low.

    • If both rules fail, then the risk is high.

  5. Click Save.

Configure chains

  1. Create the following chains:

    Chain: For the low risk level

    Steps:

    1. Click Chains > Add.

    2. Specify a name for the chain in Name. For example, LowRisk.

    3. Specify a Short name.

    4. Set Is enabled to ON to enable the chain.

    5. Select Methods you want to add to the chain. For example, Password.

    6. Specify the groups that will use the authentication chain in Roles and Groups.

    7. Expand Risk Settings by clicking +.

    8. In Minimum Risk Level, select Low.

    9. Click Save.

    Chain: For the medium risk level

    Steps:

    1. Click Chains > Add.

    2. Specify a name for the chain in Name. For example, MediumRisk.

    3. Specify a Short name.

    4. Set Is enabled to ON to enable the chain.

    5. Select Methods you want to add to the chain. For example, Password and SMS OTP.

    6. Specify the groups that will use the authentication chain in Roles and Groups.

    7. Expand Risk Settings by clicking +.

    8. In Minimum Risk Level, select Medium.

    9. Click Save.

    For more information about chains, see Section 10.0, Creating a Chain.

  2. Click Save.

Configure or modify an event for the HR portal

  1. To create a new event:

    1. Click Events > Add.

    2. Specify a name for the event.

    3. Set Is enabled to ON.

    4. Select the type in Event type. For example, Generic.

    5. Select MediumRisk and LowRisk chains that you created in Configure chains.

    6. In Risk Policy, select the Risk-Service-Employees-Access policy.

    7. Click Save.

  2. To modify an existing event:

    1. Click the edit icon against the event that you want to edit.

    2. Select MediumRisk and LowRisk chains that you created in Configure chains.

    3. In Risk Policy, select the Risk-Service-Employees-Access policy.

For more information about creating and editing an event, see Section 11.0, Configuring Events.

After you configure and implement this risk policy, the following are possible scenarios:

| Scenario | Number of Failed Rules | Risk | Result |
|---|---|---|---|
| An employee accesses the HR portal during business hours from the corporate network. | Zero | Low | The user can authenticate using the LowRisk or MediumRisk chain. |
| An employee accesses the HR portal after business hours from the corporate network. | One (User Time of Login Rule) | Medium | The user is required to authenticate using the MediumRisk chain. |
| An employee accesses the HR portal during business hours but from an external network. | One (IP Address Rule) | Medium | The user is required to authenticate using the MediumRisk chain. |
| An employee accesses the HR portal after business hours from an external network. | Two (IP Address Rule and User Time of Login Rule) | High | Access is denied. |
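
The decision logic that this configuration produces can be checked offline before rollout. The following Python model is an added example, not product code or a product API; the function names, the exclusive 6:00 PM boundary, the use of server-local time, the handling of IPv6 clients, and the sample logins are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address

# Values taken from the walkthrough above.
CORP_FIRST, CORP_LAST = ip_address("10.0.0.0"), ip_address("10.255.255.255")
WORK_DAYS = range(0, 5)           # Monday (0) to Friday (4)
OPEN_HOUR, CLOSE_HOUR = 9, 18     # 9:00 AM to 6:00 PM
GREEN_SLIDER, BLUE_SLIDER = 0, 1  # max failed rules for low / medium risk
LEVELS = ["low", "medium", "high"]
# Chain name -> (Minimum Risk Level, methods), as set in "Configure chains".
CHAINS = {"LowRisk": ("low", ["Password"]),
          "MediumRisk": ("medium", ["Password", "SMS OTP"])}

def failed_rules(client_ip: str, login_time: datetime) -> list:
    """Return the names of the rules that fail, in policy order."""
    failed, addr = [], ip_address(client_ip)
    # Assumption: an IPv6 client can never match the IPv4 range, so it fails.
    if addr.version != 4 or not (CORP_FIRST <= addr <= CORP_LAST):
        failed.append("IP Address Rule")
    # Assumptions: login_time is server-local; 18:00 itself is outside hours.
    in_hours = (login_time.weekday() in WORK_DAYS
                and OPEN_HOUR <= login_time.hour < CLOSE_HOUR)
    if not in_hours:
        failed.append("User Time of Login Rule")
    return failed

def risk_level(failed_count: int) -> str:
    if failed_count <= GREEN_SLIDER:
        return "low"
    if failed_count <= BLUE_SLIDER:
        return "medium"
    return "high"

def evaluate(client_ip: str, login_time: datetime) -> dict:
    failed = failed_rules(client_ip, login_time)
    risk = risk_level(len(failed))
    # A chain is offered when its Minimum Risk Level is at or above the risk.
    offered = [name for name, (minimum, _) in CHAINS.items()
               if LEVELS.index(minimum) >= LEVELS.index(risk)]
    return {"failed": failed, "risk": risk, "chains": offered,
            "result": "authenticate" if offered else "deny"}

if __name__ == "__main__":
    # Constructed sample logins (203.0.113.0/24 is a documentation range).
    for ip, ts in [("10.20.30.40", "2024-03-13 10:15"),
                   ("10.20.30.40", "2024-03-13 22:40"),
                   ("203.0.113.7", "2024-03-13 10:15"),
                   ("203.0.113.7", "2024-03-16 23:05")]:
        print(ip, ts, evaluate(ip, datetime.strptime(ts, "%Y-%m-%d %H:%M")))
```

The four sample logins correspond to the four scenarios listed above; the last one has no eligible chain because no chain is configured for the high risk level.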