Provides a way to map user risk scores to the sensitivity of Entitlements. You may wish to review the Before you start section first. When you're ready to configure the Risk Model, complete the fields in the form.
Risk Model
User Risk Source
Select the source of the user risk score to be used in the risk model. The Risk Model is designed for use with ZTP; however, an externally computed claim value (Claims.user.agScripted.risk.score) can also be used. See Access Control modes for more details.
User Claim Script
Uses the User Claim Script result (claims.user.agScripted.risk.score) as the risk score.
Rule Defined in ZTP
Select the ZTP configured rule to be used for calculating the risk score.
Configure Risk Matrix
Click each of the nine cells to select one of the three outcomes: <DENY>, <USER ACTION> or <ALLOW>. Only one type of user action (pushed to the user's device) can be specified for the matrix. The outcome is derived from just two inputs: sensitivity and user risk. Each cell can have its own outcome, but typically <DENY> is used for high sensitivity hosts being accessed by high risk users, and <ALLOW> for low sensitivity hosts accessed by low risk users.
Sensitivity
Sensitivity is set in Entitlements > Access Controls. When Risk Based Access is selected, the outcome for each level of sensitivity (based on user risk) is defined by this matrix.
User Risk
The user risk claim value selects the outcome defined in one of the three columns: High (3), Medium (2) and Low (1).
Matrix settings
Allow
Permits use of the Entitlement(s).
Deny
Denies use of the Entitlement(s).
User Action
Requires the user to complete a 'Require MFA' or 'Password' action before use of the Entitlement(s) is permitted. The action uses a pre-configured IdP or MFA provider.
User Action Settings
Only one type of pre-configured provider can be used for User Actions when using the Risk Model. Under the covers, this works in a similar way to the user interactions defined within Conditions. When the access criteria are set in a Condition, a time period is set to define how long the user response claim remains valid. This is also the case for the Risk Model, but to simplify configuration the time period is preset to 240 minutes (4 hours). So a typical user will be asked to enter their OTP in the morning and again in the afternoon.
Password
Select the identity provider to be used for the User Action.
Require MFA
Select the MFA provider to be used for the User Action.
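The following is an added example, not code from the product, that models how the matrix above and the preset 240-minute validity window combine for one access attempt. The matrix contents, the claim layout (nested dicts mirroring claims.user.agScripted.risk.score), and the fail-closed handling of a missing score are this example's assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional

# Outcomes exactly as the matrix cells name them.
DENY, USER_ACTION, ALLOW = "DENY", "USER ACTION", "ALLOW"

# Preset validity window for a user's MFA/password response (240 minutes).
USER_ACTION_VALIDITY = timedelta(minutes=240)

# User risk claim value -> matrix column: High (3), Medium (2), Low (1).
RISK_COLUMNS = {3: "High", 2: "Medium", 1: "Low"}

# Constructed example matrix: rows are Entitlement sensitivity (from Access
# Controls), columns are user risk. It follows the typical shape described
# above: DENY for high sensitivity / high risk, ALLOW for low / low.
RISK_MATRIX = {
    "Low":    {"Low": ALLOW,       "Medium": ALLOW,       "High": USER_ACTION},
    "Medium": {"Low": ALLOW,       "Medium": USER_ACTION, "High": DENY},
    "High":   {"Low": USER_ACTION, "Medium": DENY,        "High": DENY},
}


def risk_column(claims: dict) -> str:
    """Map claims.user.agScripted.risk.score to a matrix column.

    Assumption (not stated on the page): a missing or unrecognised score
    fails closed and is treated as High risk.
    """
    score = claims.get("user", {}).get("agScripted", {}).get("risk", {}).get("score")
    return RISK_COLUMNS.get(score, "High")


def evaluate(sensitivity: str, claims: dict,
             last_user_action: Optional[datetime], now: datetime) -> str:
    """Return the outcome for one Entitlement access attempt.

    last_user_action is when the user last completed the configured MFA or
    password action. A USER ACTION cell is satisfied (becomes ALLOW) while
    that response is still inside the 240-minute window; afterwards the
    user is prompted again.
    """
    outcome = RISK_MATRIX[sensitivity][risk_column(claims)]
    if (outcome == USER_ACTION and last_user_action is not None
            and now - last_user_action < USER_ACTION_VALIDITY):
        return ALLOW
    return outcome


if __name__ == "__main__":
    claims = {"user": {"agScripted": {"risk": {"score": 2}}}}  # constructed claim
    t0 = datetime(2024, 1, 1, 9, 0)
    print(evaluate("Medium", claims, None, t0))                     # USER ACTION
    print(evaluate("Medium", claims, t0, t0 + timedelta(hours=3)))  # ALLOW
    print(evaluate("Medium", claims, t0, t0 + timedelta(hours=5)))  # USER ACTION
```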
User Messages
Messages to be displayed to users for <USER ACTION> and <DENY> outcomes. Two separate message fields are provided, one for each outcome.