NOTE
The Risk Model has been deprecated. However, risk scores can still be used for access control.
The Risk Model provides a way to map user risk scores to the sensitivity of Entitlements. Review the Before you start section before configuring. When you're ready to Configure the Risk Model, complete the following fields:
User Risk Source. Select the source of the user risk score to be used in the risk model. The Risk Model is designed for use with ZTP; however, an externally computed claim value (claims.user.agScripted.risk.score) can also be used. See Access Control modes for more details.
User Claim Script. Uses the User Claim Script result (claims.user.agScripted.risk.score) as the risk score.
Rule Defined in ZTP. Select the ZTP configured rule to be used for calculating the risk score.
Configure Risk Matrix. Click on each of the nine cells to select one of the three outcomes <DENY>, <USER ACTION> or <ALLOW>. Only one type of user action (pushed to the user's device) can be specified for the whole matrix. The outcome is derived from just two inputs: sensitivity and user risk. Each cell can have its own outcome, but typically <DENY> is used for high sensitivity hosts being accessed by high risk users, and <ALLOW> for low sensitivity hosts being accessed by low risk users.
Sensitivity. Sensitivity is set in Entitlements > Access Controls. When Risk Based Access is selected, the outcome for each level of sensitivity (based on user risk) is defined by this matrix.
User Risk. The user risk claim value selects the outcome defined in one of the three columns: High (3), Medium (2) and Low (1).
Matrix settings:
Allow. Permits use of the Entitlement(s).
Deny. Denies use of the Entitlement(s).
User Action. Requires the user to complete a 'Require MFA' or 'Password' challenge before use of the Entitlement(s) is permitted. The challenge uses a pre-configured IdP or MFA provider.
User Action Settings. Only one type of pre-configured provider can be used for User Actions in the Risk Model. Under the covers, this works in a similar way to the user interactions defined within Conditions: when the access criteria are set in a Condition, a time period is also set to define how long the user's response claim remains valid. The same applies to the Risk Model, but to simplify configuration the time period is preset to 240 minutes (4 hours). So a typical user will be asked to enter their OTP in the morning and again in the afternoon.
Password. Select the identity provider to be used for the User Action.
Require MFA. Select the MFA provider to be used for the User Action.
User Messages. Messages to be displayed to users for <USER ACTION> and <DENY> outcomes. Two separate message fields are provided, one for each outcome.
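The following is an added, illustrative evaluator for the matrix described above (sensitivity x user risk, three outcomes, a single user-action type, and the preset 240-minute validity window for a completed user action). It is not the product's own code, and it makes several assumptions that the page does not state: the claim path claims.user.agScripted.risk.score is represented here as a nested dict, a missing or non-integer score is treated as high risk (fail closed), scores outside 1..3 are clamped, and the sample matrix layout is a constructed example rather than a recommended policy.

```python
"""Illustrative 3x3 risk matrix evaluator (added example, not product code).

Assumptions (not stated on the documentation page):
  - the risk score claim is a nested dict: claims["user"]["agScripted"]["risk"]["score"]
  - a missing or malformed score is treated as High (3): fail closed
  - out-of-range scores are clamped to 1..3
"""
from typing import Dict, Optional, Tuple

ALLOW, DENY, USER_ACTION = "ALLOW", "DENY", "USER ACTION"

# Preset validity window for a completed user action, per the page: 240 minutes.
USER_ACTION_TTL_MINUTES = 240

# Only one type of user action can be configured for the whole matrix.
USER_ACTION_PROVIDER = "Require MFA"  # or "Password"

# Constructed example matrix: rows = sensitivity (1 Low .. 3 High),
# columns = user risk (1 Low .. 3 High). Deny the high/high cell,
# allow low/low, step up everything in between.
MATRIX: Dict[int, Dict[int, str]] = {
    1: {1: ALLOW, 2: ALLOW, 3: USER_ACTION},
    2: {1: ALLOW, 2: USER_ACTION, 3: USER_ACTION},
    3: {1: USER_ACTION, 2: USER_ACTION, 3: DENY},
}


def validate_matrix(matrix: Dict[int, Dict[int, str]]) -> bool:
    """Every one of the nine cells must exist and hold a known outcome."""
    return all(
        matrix.get(s, {}).get(r) in (ALLOW, DENY, USER_ACTION)
        for s in (1, 2, 3)
        for r in (1, 2, 3)
    )


def risk_level(claims: dict) -> int:
    """Read claims.user.agScripted.risk.score and normalise it to 1..3.

    Fail closed: anything missing or unparsable counts as High (3).
    """
    try:
        score = int(claims["user"]["agScripted"]["risk"]["score"])
    except (KeyError, TypeError, ValueError):
        return 3
    return min(3, max(1, score))


def matrix_outcome(sensitivity: int, risk: int,
                   matrix: Dict[int, Dict[int, str]] = MATRIX) -> str:
    """Look up the configured outcome for a sensitivity/risk pair."""
    if sensitivity not in (1, 2, 3) or risk not in (1, 2, 3):
        raise ValueError("sensitivity and risk must be 1 (Low), 2 (Medium) or 3 (High)")
    return matrix[sensitivity][risk]


def evaluate(sensitivity: int, claims: dict,
             minutes_since_user_action: Optional[float] = None,
             matrix: Dict[int, Dict[int, str]] = MATRIX) -> Tuple[str, Optional[str]]:
    """Return (decision, prompt) for an access attempt.

    decision is ALLOW or DENY once resolved, or USER_ACTION when the user
    must complete a challenge first; prompt names the provider to push.
    A user action completed within the 240-minute window satisfies a
    USER_ACTION cell without a new prompt; a DENY cell is never satisfied
    by an earlier challenge.
    """
    outcome = matrix_outcome(sensitivity, risk_level(claims), matrix)
    if outcome != USER_ACTION:
        return outcome, None
    if (minutes_since_user_action is not None
            and 0 <= minutes_since_user_action < USER_ACTION_TTL_MINUTES):
        return ALLOW, None
    return USER_ACTION, USER_ACTION_PROVIDER


if __name__ == "__main__":
    # Constructed sample claim: medium-risk user hitting a high-sensitivity Entitlement.
    sample = {"user": {"agScripted": {"risk": {"score": 2}}}}
    print(evaluate(3, sample))              # first attempt: challenge pushed
    print(evaluate(3, sample, 30))          # 30 min after OTP: allowed
    print(evaluate(3, sample, 300))         # 5 h after OTP: challenged again
```

The evaluator keeps the decision a pure function of the three things the page says matter (the cell, the risk claim and the age of the last user response), so a matrix change or a risk score change takes effect on the next evaluation without touching the cached challenge.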