Add Risk Evaluation

Risk evaluation calculates the risk result and sets the access based on low, medium, and high risk. All risk factors are connected to the Risk Evaluation node. The Risk Evaluation must include an access result to set authentication requirements to allow or deny access.

The following example shows a risk evaluation that requires second-factor authentication only if the risk is low, password and second-factor authentication for medium risk, and deny access for high risk.

Configure the risk evaluation and save the resource rule

1. Click or hover over the Risk Evaluation node. The node displays three dots as shown in the following figure.

2. Click each for low risk (the green dot) and add an Authentication Flow or select Allow or Deny.

3. Repeat this step to add risk evaluation for medium and high risk.

4. Update the required Authentication Flow, as follows:

a. Click the low risk Authentication Flow node. The Authentication Flow settings appear.

b. Click Select Authentication Flow. A list of available authentication flows appears.

c. Select the Authentication Flow required for the risk level.

You can optionally click Create Authentication Flow if the one required does not appear in the list. See Create authentication flows.

d. Repeat these steps for medium and high risk, as required.

5. Add Risk Weights. Risk Weights set the impact of each failed risk factor on the total risk score. The higher the percentage (%), the greater the risk factor influences the final risk calculation.

a. Click the Risk Evaluation node.

b. Click the Risk Weights slider. The Risk Weight slider appears.

See an example.

c. Click and drag the slider to set the risk weight percentage for each risk factor in the resource rule.

6. Click the Risk Levels tab. Risk Levels set the thresholds that evaluate users into high, medium, or low risk based on their total risk score. The Risk Level determines the authentication required to access the protected resource.

See an example.

a. Click and drag the slider to set the risk level percentage (%) to set the Risk Level assessment to determine whether a user is evaluated as high, medium, or low risk.

7. Optional. use the Risk Simulation to simulate different access scenarios. The simulation helps you see the total risk score based on risk weight and risk thresholds.

See an example.

a. Click the Risk Simulation tab.

b. Toggle the risk factors on or off to see the total risk score based on the weights and thresholds for different simulations.

c. If required after using the simulator, adjust the Risk Weights and Risk Levels.

8. You can now save the resource rule. To do so,

a. Click anywhere in the Canvas to display the General Settings.

b. Click Save.

Note: If Save is not available, there is an error in the resource rule graph. Check the error messages in the Task bar. See Error messages for more information.