In the Search Results table, click the name of the rule. The Rule Details page

10-40 Oracle Fusion Middleware Administrators Guide for Oracle Adaptive Access Manager

10.31 Changing the Order of Conditions in a Rule

Conditions in the rule are evaluated sequentially. Subsequent conditions are evaluated only if the current one was evaluated to be true. In other words, the evaluation stops when a condition is evaluated to be false. To change the order of a condition in a rule:

1. In the Navigation tree, select Rules. The Rules Search page is displayed.

2. Search for the rule which you want to edit.

3. Click the rule name in the Search Results table to open its Rule Details page in a new tab. The Rule Details page provides the Summary, Preconditions, Conditions, and Results tabs.

4. In the Rule Details page, click the Conditions tab.

5. In the Conditions tab, select the condition in the top subtab.

6. Use the Reorder buttons to move the condition to its new position.

7. Click Save to save your changes.

A confirmation dialog displays the status of the operation.

8. Click OK to dismiss the confirmation dialog.

9. Click Apply. The modified rule details are saved.

10.32 Deleting Conditions

To delete conditions:

1. In the Navigation tree, select Conditions. The Conditions Search page is displayed.

2. Enter the search criteria for the conditions you are interested in and click Search.

3. Select the conditions in the Search Results table and click Delete.

10.33 Deleting Conditions from a Rule

To delete a condition from a rule:

1. In the Navigation tree, select Rules. The Rules Search page is displayed.

2. Search for the rule that contains the conditions you want to delete.

3. Click the rule name in the Search Results table to open its Rule Details page.

4. In the Rule Details page, click the Conditions tab.

5. Select the condition of interest and click Delete.

The Delete button is enabled only when a row is selected and the rule has at least two conditions. You cannot delete multiple conditions at a time in a given rule; select and delete one condition at a time. You can delete more than one condition this way, but not all of them: a rule must keep at least one condition.

Note: If rules are using the condition, deleting it affects the rules and policies that use it.

When the Delete button is clicked, the deletion is performed immediately. You do not receive a message asking if you are sure you want to delete. The change is permanent.

10.34 Use Cases

This section describes example use cases for policies and rules.

10.34.1 Use Case: Rule Exception Group

Jeff, a Security Administrator, must create an exception user group to be used as a rule precondition. Jeff is creating a blacklisted country rule and realizes he should have an exception group, so he creates a new user group named BLC: exception users. In the description he enters a note that CSR managers can add users who need to be permanently allowed access from a blacklisted country. When created, the user group is added as the precondition. After the rule is in production, a CSR manager assists a user who has moved to a blacklisted country. He manually adds the user's User ID to the group so that the user has an exception to the rule, and adds a note in the case to this effect.

1. Create a new user group named BLC: exception users.

Group name: BLC: exception users

Group type: User ID

In the description, enter a note to tell investigators: Add users that need to be permanently allowed access from a blacklisted country.

2. Select existing User IDs to add to the BLC: exception users group.

For information on creating user groups and then adding members, refer to Section 12.13, Searching for and Adding Existing Elements or Creating and Adding a New Element.

3. Create a rule in a post-authentication blacklisted country policy.

■ For rule condition, choose Location: IP in group.

■ In Pre-condition, select BLC: exception users as the exception group.

4. After the rule is in production, an investigator assists a user who has moved to a blacklisted country. He manually adds the user's User ID to the group so that the user has an exception to that rule, and adds a note in the case to this effect.
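The evaluation model behind these procedures, the precondition from this use case (a member of the exception group is never evaluated by the rule), the sequential short-circuit evaluation of conditions from Section 10.31, and the rule from Section 10.33 that a rule cannot be left with no conditions, modeled together as an added Python example. This is illustrative code written for this page, not OAAM's own implementation; the Rule class, the login context fields (user_id, country, device_id, known_devices), the condition names, the group membership and the sample login are all constructed for the example.

```python
"""Model of an OAAM-style rule: exception-group precondition, ordered conditions
with short-circuit evaluation, reorder, and delete-one-at-a-time.
Added illustration for this page, not OAAM code; all names and data are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# A condition is a predicate over the login context (constructed fields, see SAMPLE_LOGIN).
Condition = Callable[[dict], bool]


@dataclass
class Rule:
    name: str
    # Precondition: a user in the exception group is never evaluated by this rule.
    exception_group: set = field(default_factory=set)
    # Conditions are evaluated in list order; evaluation stops at the first False.
    conditions: list = field(default_factory=list)  # [(condition_name, predicate), ...]

    def evaluate(self, ctx: dict) -> tuple:
        """Return (triggered, names of the conditions that actually ran)."""
        if ctx["user_id"] in self.exception_group:
            return False, []  # precondition short-circuits the whole rule
        ran = []
        for cond_name, predicate in self.conditions:
            ran.append(cond_name)
            if not predicate(ctx):
                return False, ran  # later conditions are never evaluated
        return True, ran  # every condition was true: the rule triggers

    def reorder(self, cond_name: str, new_index: int) -> None:
        """Move one condition to a new position (the Reorder buttons in the Conditions tab)."""
        idx = next(i for i, (n, _) in enumerate(self.conditions) if n == cond_name)
        self.conditions.insert(new_index, self.conditions.pop(idx))

    def delete(self, cond_name: str) -> None:
        """Delete one condition at a time; a rule must keep at least one condition."""
        if len(self.conditions) <= 1:
            raise ValueError(f"{self.name}: cannot delete the last condition")
        self.conditions = [(n, p) for n, p in self.conditions if n != cond_name]


# Constructed data for the example: two made-up blacklisted country codes.
BLACKLISTED_COUNTRIES = {"XX", "YY"}


def ip_in_blacklisted_country(ctx: dict) -> bool:
    return ctx["country"] in BLACKLISTED_COUNTRIES


def device_is_new(ctx: dict) -> bool:
    return ctx["device_id"] not in ctx["known_devices"]


def build_blacklisted_country_rule() -> Rule:
    """The rule from the use case: the exception group as precondition, then the
    country check, then a hypothetical new-device check (assumed second condition)."""
    rule = Rule("Blacklisted country", exception_group={"alice"})  # alice is in BLC: exception users
    rule.conditions = [
        ("Location: IP in group", ip_in_blacklisted_country),
        ("Device: new device", device_is_new),
    ]
    return rule


# Constructed sample login: bob, from a blacklisted country, on a device not seen before.
SAMPLE_LOGIN = {"user_id": "bob", "country": "XX", "device_id": "d2", "known_devices": {"d1"}}

if __name__ == "__main__":
    rule = build_blacklisted_country_rule()
    print(rule.evaluate(SAMPLE_LOGIN))                          # (True, ['Location: IP in group', 'Device: new device'])
    print(rule.evaluate({**SAMPLE_LOGIN, "user_id": "alice"}))  # (False, [])  exception group member
    print(rule.evaluate({**SAMPLE_LOGIN, "country": "US"}))     # (False, ['Location: IP in group'])
    rule.reorder("Device: new device", 0)
    print(rule.evaluate({**SAMPLE_LOGIN, "country": "US"}))     # (False, ['Device: new device', 'Location: IP in group'])
```

The trace returned by evaluate is the practical reason ordering matters: after the reorder, a login from an allowed country still pays for the device check before the country check rejects it, so conditions that are cheap and most often false belong first, and a condition with a costly lookup belongs last.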

10.34.2 Use Case: Import Policy

You are Jennifer, a member of the security team at Acme Corp. You must configure Oracle Adaptive Access Manager to accomplish one of the use cases the team came up with, focusing on high risk countries. Chuck, another team member, configured a pre-authentication policy in the Oracle Adaptive Access Manager offline environment to block login requests from high risk countries before authentication. You know this policy can work for your purposes. Chuck already exported the policy and now you must import it into production.

Directions: Import the ZIP file that contains Chuck's configured policies. He has named the file PreAuth_Block_policy.zip.

To import a policy:

1. Log in to OAAM Admin as an administrator.

2. In the Navigation tree, select Policies. The Policies Search page is displayed.


3. Click Import Policy in the Policies Search page. The Import Policy screen is displayed.

4. Click Browse and search for PreAuth_Block_policy.zip.

5. Click OK to upload PreAuth_Block_policy.zip.

A confirmation dialog displays the status of the operation. A list also appears showing the Number of Policies Added, Number of Policies Updated, Number of Policies Not Updated, and Number of Policies Deleted. The imported policy is listed in the Imported List section. The policy is added to the system or it overwrites (updates) an existing policy, depending on whether a policy with the same name already exists. If the name already exists, the existing policy is updated. If the name does not exist, the imported policy is added to the system. Because a name match replaces the existing policy without further prompting, confirm where the ZIP file came from and which policy names it contains before importing it into production. An error is displayed if you try to import files in an invalid format or an empty ZIP file.

6. Click OK to dismiss the confirmation dialog.

7. In the Policy Search page, verify that the policy appears in the Search Results table.

10.34.3 Use Case: Create a Policy

You must configure a login use case that can result in a KBA challenge. It is usually best practice to use KBA challenges only after successful authentication by the primary method. A post-authentication KBA challenge policy does not already exist, so you must create a new one. The security team wants this policy to be applied to all users in the deployment.

Directions: Create a new post-authentication KBA challenge policy that applies to all users. Name the policy KBA Challenge.

To create a policy:

1. Log in to OAAM Admin as an administrator.

2. In the Navigation tree, double-click Policies.

3. In the Policies Search page, click the New Policy button.

The New Policy page appears. In the Summary tab, the default values for the new policy are displayed as follows:

■ Policy Status: Active

■ Checkpoint: Pre-Authentication

■ Scoring Engine: Average

■ Weight: 100

4. Create a new post-authentication security policy.

a. For Policy Name, enter KBA Challenge.

b. For Description, enter a description for the KBA Challenge policy.

c. For Checkpoint, select Post-Authentication.

For information on checkpoints, see Section 10.1.4, Checkpoints.

d. Modify the policy status, scoring engine, and weight according to your requirements. By default, the policy status is Active. A policy that is disabled is not enforced at the checkpoint. For more information on the Scoring Engine, see Chapter 14, Using the Scoring Engine.

e. Click Apply.

A confirmation dialog displays the status of the operation. If you click Apply and the required fields are not filled in an error message is displayed.

f. Click OK to dismiss the confirmation dialog.

5. Configure the policy to run for all users.

a. Click the Group Linking tab.

b. For Run Mode, select All Users.

Since All Users is selected for the run mode, the policy is executed for all users. Specifying a run mode is a mandatory step for the policy to execute; it determines whether the policy runs for a set of users or for all users. For information, see Section 10.9, Linking Policy to All Users or a User ID Group.

c. Click Apply.

A confirmation dialog displays the status of the operation.

d. Click OK to dismiss the confirmation dialog.

If the KBA Challenge policy was created successfully, it is listed in the Search Results table of the Policies Search page. Although not covered in this use case, for the policy to function you must add a rule to the policy, either by creating a new rule within the policy (Section 10.12, Adding a New Rule) or by copying an existing rule to the policy (Section 10.15, Copying a Rule to a Policy).

10.34.4 Use Case: Add New Rule

After you have created a security policy (see Section 10.34.3, Use Case: Create a Policy), you are ready to create a new rule to perform the risk evaluation in your use case. The use case requires an evaluation of the physical distance between the location a user is logging in from now versus the last location he came from. This rule calculates the velocity (speed) required to travel between the two locations in the time elapsed. The security team has determined that if the user appears to travel faster than 500 miles per hour between locations and the device used is different, then the user should be given a KBA challenge.

Directions: Create a new rule, User Velocity, and use the out-of-the-box condition, User: Velocity from last successful login.

To add a new rule:

1. Log in to OAAM Admin as an administrator.

2. In the Navigation tree, double-click Policies. The Policies Search page is displayed.

3. Search for KBA Challenge.
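The risk evaluation this use case asks for (velocity between the last successful login and the current one, combined with a device mismatch, producing a KBA challenge above 500 miles per hour), worked through as an added Python example. This is illustrative code written for this page, not OAAM's implementation of the User: Velocity from last successful login condition; the great-circle distance formula, the login record fields (lat, lon, time, device_id), the handling of a missing baseline or a zero time gap, and the sample logins are all constructed for the example.

```python
"""Impossible-travel velocity check in the spirit of the User Velocity rule.
Added illustration for this page, not OAAM code; field names and sample data are constructed."""
import math
from datetime import datetime, timezone

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 500.0  # the security team's threshold from the use case


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def velocity_mph(prev, cur):
    """Speed needed to get from the last successful login to the current attempt."""
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
    distance = haversine_miles(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if hours <= 0:
        # Same timestamp or clock skew: a non-zero distance in no time is treated
        # as infinitely fast rather than raising ZeroDivisionError; no distance is 0.
        return math.inf if distance > 0 else 0.0
    return distance / hours


def user_velocity_rule(prev, cur, threshold_mph=MAX_PLAUSIBLE_MPH):
    """Return 'KBA_CHALLENGE' when velocity exceeds the threshold AND the device differs,
    otherwise 'ALLOW'. A user with no previous successful login has no baseline, so
    the rule cannot trigger (assumed behaviour for the example)."""
    if prev is None:
        return "ALLOW"
    too_fast = velocity_mph(prev, cur) > threshold_mph
    different_device = cur["device_id"] != prev["device_id"]
    return "KBA_CHALLENGE" if too_fast and different_device else "ALLOW"


def _utc(stamp):
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed samples: last successful login from San Francisco, current attempts from New York
# (about 2,570 miles apart) two or six hours later, on the same or a different device.
LAST_LOGIN = {"lat": 37.7749, "lon": -122.4194, "time": _utc("2024-03-01T08:00:00"), "device_id": "dev-1"}
NOW_2H_NEW_DEVICE = {"lat": 40.7128, "lon": -74.0060, "time": _utc("2024-03-01T10:00:00"), "device_id": "dev-2"}
NOW_2H_SAME_DEVICE = {**NOW_2H_NEW_DEVICE, "device_id": "dev-1"}
NOW_6H_NEW_DEVICE = {**NOW_2H_NEW_DEVICE, "time": _utc("2024-03-01T14:00:00")}

if __name__ == "__main__":
    print(round(velocity_mph(LAST_LOGIN, NOW_2H_NEW_DEVICE)), "mph")
    print(user_velocity_rule(LAST_LOGIN, NOW_2H_NEW_DEVICE))   # KBA_CHALLENGE
    print(user_velocity_rule(LAST_LOGIN, NOW_2H_SAME_DEVICE))  # ALLOW: same device
    print(user_velocity_rule(LAST_LOGIN, NOW_6H_NEW_DEVICE))   # ALLOW: under 500 mph
```

Both conditions must hold, exactly as the use case states: the two-hour trip on the same device is not challenged even though the speed is far above 500 miles per hour, and the six-hour trip on a new device is not challenged because the speed is plausible. The threshold should be tuned against real login data, since the geolocation of an IP address is itself approximate.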