Prerequisites and background information for creating Conditions

The most powerful way to set up access controls is to use Condition based access. Conditions contain claims-based access criteria expressions that must equate to true for the action(s) specified in the Entitlement to be allowed. For example, access may only be allowed if the user is working from an office-based IP address. When the criteria equate to false, the Entitlement will not be allowed (block rule applies).

If a user interaction has been configured in a Condition, this will be triggered when the access criteria equate to false. User interactions provide an alternative way for a user to unblock access by updating claims or providing new claims that will now meet the access criteria. For example, providing multi-factor authentication could be an alternative method for gaining access if a user isn’t working from an office-based IP address.

Before you start

Pre-configure the following elements:

MFA Provider. For multi-factor user interactions, refer to MFA Providers.
Identity Provider. For password user interactions, refer to Identity Providers.
Customized claims. To use customized claims, refer to User Claims and Device claims.

Background information:

For more detail about Conditions, refer to access control.
For more information about Claims, definitions, and values, refer to Claims in Detail.
Learn more about user interactions.
See MFA Providers for information about using them for user interactions.
For tips on the real-time capabilities of the system to control access based on Conditions, refer to Real-time (re)evaluations.

Use the Conditions page for:

Creating Conditions used for controlling when Entitlements are allowed by the Gateway.
Setting claims-based access criteria that define the circumstances under which the Condition will evaluate to true.
Adding user interactions when the access criteria are not met, such as entering a valid multi-factor authentication or displaying a message to provide feedback to the user as to why the Condition evaluated to false.
Scheduling Condition re-evaluations to ensure the Gateway responds in a timely way to any change in access criteria.
Testing access criteria to validate its behavior.

When you are ready to start configuring Conditions, see the Configure Conditions section.

Action Buttons

Action buttons are accessed by clicking the three dots icon ( Three circular shapes stacked vertically on a dark background, selected to access a menu. ) to the right of each line item in the table or from the <Actions> button within the item. They are contextual, changing depending on the type of item and the state of the item. The action button for Conditions displays the following option:

View linked Entitlements. This analyzes the system configuration and determines all the Entitlements that use this Condition.