Managing policy rules

You can add policy rules either when you create a policy or when you edit a policy.

About this task

Verify evaluates the rules of a policy in order. The first rule whose conditions are successfully evaluated is the rule that is applied to the request, so the order in which the rules are listed determines the outcome of the policy. You can sequence the rules so that the policy and its rules are assessed to meet specific business use cases. See step 2.5.

Procedure

  1. Add a rule.
    1. From Add policy, or while editing an existing policy, go to the Add rule button.
    2. Click Add rule.
    3. Enter the rule name.
    4. Optional: Add a description for the rule.
    5. Click Next.
    6. Select the condition type, attribute, operator, and value.
      When you select a condition type, the operators in the menu are filtered according to the selected condition type.
      Note: For first contact rules in native app policies, only the following condition types are available.
      • Location attributes
        • Network location (IP)
        • Country
        • City
      • OIDC/OAUTH context
        • client_type
      Table 1. Policy options
      Each entry lists the attribute, the operators that are available for it, and the condition value to provide.

      Adaptive access
      These attributes are available if Adaptive access is selected for the policy.
        New device: Is, Is not. Value: Detected.
        New geolocation: Is, Is not. Value: Detected.
        Last MFA on device: Less than, Greater than. Value: the number of days since an MFA was performed on the device. The value can be 1-740 days; the default setting is 90 days.
        Risky device: Is, Is not. Value: Detected.
        Risky connection: Is, Is not. Value: Detected.
        Country: Is one of, Is none of. Value: specify a condition value.
        City: Is one of, Is none of. Value: specify a condition value.
        Internet service provider: Contains each of, Is one of, Is none of. Value: specify a condition value.
        Remote IP: Is one of, Is none of. Value: specify a condition value.
        Behavioral anomaly: Is, Is not. Value: Detected.

      OIDC/OAUTH context
        acr_values: Contains each of, Is none of, Is one of. Value: specify a condition value.
        claims: Contains each of, Is none of, Is one of. Value: specify a condition value.
        client_type: Contains each of, Is none of, Is one of. Value: specify a condition value.
        code_challenge_exist: Is, Is not. Value: Detected.
        redirect_uri_scheme: Contains each of, Is none of, Is one of. Value: specify a condition value.
        request_type: Contains each of, Is none of, Is one of. Value: specify a condition value.
        response_method: Contains each of, Is none of, Is one of. Value: specify a condition value.
        response_mode: Contains each of, Is none of, Is one of. Value: specify a condition value.
        response_type: Contains each of, Is none of, Is one of. Value: specify a condition value.
        scope: Contains each of, Is none of, Is one of. Value: specify a condition value.

      Custom attributes
        Any attribute that you added: Contains each of, Is none of, Is one of, Attribute starts with, Attribute ends with, Attribute is present (no value). Value: specify a condition value.

      Device attributes
        Device platform: Is one of, Is none of. Value: select one or more platforms.
        Device compliance: Is one of, Is none of. Value: select one or more compliance states.

      Location attributes
      These attributes are not available if Adaptive access is selected for the policy.
        Network location (IP): Is one of, Is none of. Value: an IP address or a comma-separated list of IP addresses, an IP range, or an IP address with subnet.
        Location history: Is, Is not. Value: Verified.
        Country: Is one of, Is none of. Value: a country or a comma-separated list of three-letter country codes as defined by ISO 3166-1 alpha-3. See https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3.
        City: Is one of, Is none of. Value: specify a condition value.

      User attributes
        Group membership: Contains each of, Is none of, Is one of. Value: a group or a comma-separated list of groups.
        Note: Comma-separated Active Directory group names must be wrapped in double quotation marks. For example, “cn=w3id-block-list,ou=memberlist,ou=ibmgroups,o=ibm.com”.
        realmName: Contains each of, Is none of, Is one of. Value: the name of the realm.
    7. Optional: Select Add Condition to add more condition types, attributes, operations, and values to the policy rule.
    8. Select Next.
    9. Select the action for the policy from the menu.
      • Block (Override)
      • MFA (Override)
      • Allow (Override)
      • Block
      • MFA always
      • MFA per session
      • Allow
      If you select an MFA action, you also need to specify the MFA method. You can select any available method or select one or more specific methods. The available selections depend on what is configured for your tenant. For example,
      • Email OTP
      • FIDO2
      • SMS OTP
      • Time-based OTP
      • IBM Verify app
      • Voice OTP
    10. Select Add rule.
      The rule is added to the list of policy rules.
  2. Edit or delete a rule.
    1. Select the policy that you want to change the rules for.
    2. Select Edit draft.
    3. In the Policy rules section, click the Edit icon for the rule that you want to edit.
      You can change the rule name, add a condition, change existing condition operators or values, or change the action for the rule.
    4. Select Next.
    5. Optional: From the Policy rules section, use the Up arrow and Down arrow icons to change the order in which the rules are evaluated.
      The rules are evaluated from the top of the list downward. The default rule is always last in the sequence.
    6. Optional: From the Policy rules section, use the Delete icon (trash can) to delete a rule.
    7. Select Save draft.
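The following is an added example, not IBM Verify code, that models the first-match evaluation described in About this task and the operators listed in Table 1: the rule set, the request attributes, and the single-IP/CIDR handling for Network location (IP) are constructed assumptions. Swapping the order of the two sample rules changes the outcome for an administrator on the trusted network, which is why step 2.5 matters.

```python
import ipaddress

def _in_network(ip, nets):
    # "Network location (IP)": a single IP or an IP with subnet (CIDR), or a
    # list of them; dash-separated IP ranges are not handled in this example.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def condition_matches(req, cond):
    attr, op, val = cond["attribute"], cond["operator"], cond.get("value")
    actual = req.get(attr)
    if attr == "Network location (IP)" and op in ("Is one of", "Is none of"):
        hit = actual is not None and _in_network(actual, val)
        return hit if op == "Is one of" else not hit
    if op == "Is one of":
        return actual in val
    if op == "Is none of":
        return actual not in val
    if op == "Contains each of":          # every listed value must be present
        return set(val) <= set(actual or [])
    if op == "Is":                        # "Detected." / "Verified." style flags
        return bool(actual)
    if op == "Is not":
        return not actual
    if op == "Attribute starts with":
        return str(actual or "").startswith(val)
    if op == "Attribute ends with":
        return str(actual or "").endswith(val)
    if op == "Attribute is present (no value)":
        return attr in req
    raise ValueError(f"unsupported operator: {op!r}")

def evaluate(rules, default_action, req):
    """First-match evaluation: the first rule whose conditions all hold wins.
    The default rule is always last, so default_action applies only otherwise."""
    for rule in rules:
        if all(condition_matches(req, c) for c in rule["conditions"]):
            return rule["action"]
    return default_action

# Constructed sample rules; attribute and operator names follow Table 1.
RULES = [
    {"name": "Trusted network", "action": "Allow", "conditions": [
        {"attribute": "Network location (IP)", "operator": "Is one of",
         "value": ["10.0.0.0/8", "192.0.2.7"]}]},
    {"name": "Admins always MFA", "action": "MFA always", "conditions": [
        {"attribute": "Group membership", "operator": "Contains each of",
         "value": ["admins"]}]},
]
```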