The most powerful way to set up access controls is to use Condition-based access. Conditions contain claims-based access criteria expressions that must evaluate to true for the Action(s) specified in the Entitlement to be allowed. For example: access may only be allowed if the user is working from an office-based IP address. When the criteria evaluate to false, the Entitlement is not allowed (the block rule applies). If a user interaction has been configured in a Condition, it is triggered when the access criteria evaluate to false. User interactions give the user an alternative way to unblock access: by updating claims or providing new claims that now meet the access criteria. For example: completing multi-factor authentication could be an alternative method for gaining access when the user is not working from an office-based IP address.
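The evaluation flow described above (criteria evaluated against claims, block on false, a user interaction that supplies new claims followed by re-evaluation), modelled as an added Python example. This is illustrative code written for this page, not the product's own expression language or API; the office network range, the claim names `source_ip` and `mfa_verified`, and the MFA outcome functions are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: the address ranges that count as "office-based".
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def from_office_ip(claims: Dict) -> bool:
    """Access criterion: the source_ip claim lies inside an office network."""
    try:
        ip = ipaddress.ip_address(claims.get("source_ip", ""))
    except ValueError:
        return False  # a missing or malformed claim never satisfies the criteria
    return any(ip in net for net in OFFICE_NETWORKS)


def office_ip_or_mfa(claims: Dict) -> bool:
    """Access criterion with MFA as the alternative to an office IP address."""
    return from_office_ip(claims) or claims.get("mfa_verified") is True


@dataclass
class Condition:
    name: str
    criteria: Callable[[Dict], bool]
    # Optional user interaction (hypothetical hook): returns the claims the user supplied.
    interaction: Optional[Callable[[Dict], Dict]] = None


def evaluate(cond: Condition, claims: Dict) -> Tuple[bool, Dict]:
    """Return (allowed, claims). False criteria block access; if an interaction
    is configured it runs once and the criteria are re-evaluated on the new claims."""
    if cond.criteria(claims):
        return True, claims
    if cond.interaction is None:
        return False, claims
    updated = {**claims, **cond.interaction(claims)}
    return cond.criteria(updated), updated


# Constructed stand-ins for the outcome reported by an MFA provider.
def mfa_passed(claims: Dict) -> Dict:
    return {"mfa_verified": True}


def mfa_failed(claims: Dict) -> Dict:
    return {"mfa_verified": False}


OFFICE_ONLY = Condition("office-only", from_office_ip)
OFFICE_OR_MFA = Condition("office-or-mfa", office_ip_or_mfa, interaction=mfa_passed)
```

Calling `evaluate` again with a changed claim set (for example a new `source_ip` with no `mfa_verified` claim) is the re-evaluation step: the result follows the current claims, not the earlier decision.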
Before you start
Pre-configure the following elements:
MFA Provider for multi-factor user interactions, refer to MFA Providers
Identity Provider for password user interactions, refer to Identity Providers
Customized claims: to use customized claims, refer to User Claims and Device Claims
Background information:
For more detail about Conditions, refer to access control
About Claims, definitions and values, refer to Claims in Detail
Learn more about user interactions
For MFA providers used by user interactions, refer to Setting up MFA Providers
For tips on the real-time capabilities of the system to control access based on Conditions, refer to Real-time (re)evaluations
Use the Conditions form for:
Creating Conditions, which can then be used to control when access will be allowed by the Gateway
Setting claims-based access criteria which define the exact circumstances under which the Condition will evaluate to 'true'
Adding user interactions for when the access criteria are not met, such as entering a valid multi-factor authentication code, or simply displaying a message that tells the user why the Condition evaluated to 'false'
Scheduling Condition re-evaluations to ensure the Gateway responds in a timely way to any change in the access criteria
Testing the access criteria to validate their behavior
For details on completing the form, refer to configure Conditions
Action Buttons
Action buttons are accessed by clicking the three dots to the right of each line item in the table, or from the <Actions> button within the item. They are contextual, changing depending on the type of item and its state.
View linked Entitlements. This analyzes the system configuration and determines all the Entitlements that use this Condition.