Inside the corporate network and within business hours, all employees can access the Human Resources (HR) portal using their password.
You want to secure the HR portal when it is accessed beyond business hours and from an external network.
To meet this requirement, you need to perform the following tasks:
Configure a risk policy with IP Address Rule and User Time of Login Rule.
Configure chains for low risk and medium risk levels.
Configure or modify an event for the HR portal and map the risk policy and chains to this event.
NOTE: If you do not configure a chain for the high risk level, no chain is offered to the user for authentication in high-risk scenarios, and access is denied.
Configure a risk policy
Click Risk Settings > Create a Risk Policy icon.
Specify the following details:
Policy Name: Specify the name. For example, Risk-Service-Employees-Access.
Description: Specify the purpose of this policy.
Configure IP Address Rule and User Time of Login Rule in the following sequence. The rules are executed from top to bottom.
Rule | Configuration Steps |
---|---|
IP Address Rule | |
User Time of Login Rule | |
Set up the risk levels:
Move the blue slider to 1 to indicate that if one rule fails, the risk is medium.
Move the green slider to 0 to indicate that if no rules fail, the risk is low.
If both rules fail, then the risk is high.
Click Save.
Configure chains
Create the following chains:
Chain | Steps |
---|---|
For the low risk level | |
For the medium risk level | |
For more information about chains, see Section 10.0, Creating a Chain.
Click Save.
Configure or modify an event for the HR portal
To create a new event:
Click Events > Add.
Specify a name for the event.
Set Is enabled to ON.
Select the type in Event type. For example, Generic.
Select the MediumRisk and LowRisk chains that you created in Configure chains.
In Risk Policy, select the Risk-Service-Employees-Access policy.
Click Save.
To modify an existing event:
Click the edit icon next to the event that you want to edit.
Select the MediumRisk and LowRisk chains that you created in Configure chains.
In Risk Policy, select the Risk-Service-Employees-Access policy.
For more information about creating and editing an event, see Section 11.0, Configuring Events.
After you configure and implement this risk policy, the following are possible scenarios:
Scenario | Number of Failed Rules | Risk | Result |
---|---|---|---|
An employee accesses the HR portal during business hours from the corporate network. | Zero | Low | The user can authenticate using the LowRisk or MediumRisk chain. |
An employee accesses the HR portal after business hours from the corporate network. | One (User Time of Login Rule) | Medium | The user is required to authenticate using the MediumRisk chain. |
An employee accesses the HR portal during business hours but from an external network. | One (IP Address Rule) | Medium | The user is required to authenticate using the MediumRisk chain. |
An employee accesses the HR portal after business hours from an external network. | Two (IP Address Rule and User Time of Login Rule) | High | Access is denied. |
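
To check a planned configuration against the scenarios above before deploying it, the decision logic can be modeled offline. The following Python model is an added example, not code from the product: the corporate range `10.0.0.0/8`, the 09:00 to 18:00 Monday to Friday business hours, and the function names are assumptions, and the rule that chains for the current and higher risk levels are offered is inferred from the scenario table.

```python
import ipaddress
from datetime import datetime, time

# Assumed values (not from the page): corporate range and business hours.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)
BUSINESS_DAYS = range(0, 5)  # Monday..Friday

# Slider positions from the page: 0 failed rules -> low, 1 -> medium, more -> high.
LOW_MAX_FAILS, MEDIUM_MAX_FAILS = 0, 1
LEVELS = ["low", "medium", "high"]
# Chains mapped to the event; no chain is configured for the high level.
CHAINS = {"low": "LowRisk", "medium": "MediumRisk"}


def ip_address_rule(client_ip: str) -> bool:
    """Pass when the client address is inside a corporate network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable address counts as a failed rule
    return any(addr in net for net in CORPORATE_NETS)


def time_of_login_rule(when: datetime) -> bool:
    """Pass when the login falls inside business hours on a business day."""
    in_hours = BUSINESS_START <= when.time() < BUSINESS_END
    return when.weekday() in BUSINESS_DAYS and in_hours


def evaluate(client_ip: str, when: datetime) -> dict:
    # Rules run top to bottom, in the order configured in the policy.
    results = [("IP Address Rule", ip_address_rule(client_ip)),
               ("User Time of Login Rule", time_of_login_rule(when))]
    failed = [name for name, passed in results if not passed]
    if len(failed) <= LOW_MAX_FAILS:
        risk = "low"
    elif len(failed) <= MEDIUM_MAX_FAILS:
        risk = "medium"
    else:
        risk = "high"
    # Chains for the current level and any higher level are offered;
    # with no chain available, access is denied.
    start = LEVELS.index(risk)
    offered = [CHAINS[lvl] for lvl in LEVELS[start:] if lvl in CHAINS]
    return {"failed": failed, "risk": risk,
            "chains": offered, "denied": not offered}
```

Adding a `"high"` entry to `CHAINS` shows how configuring a chain for the high risk level turns the fourth scenario from a denial into a step-up prompt.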