Update a resource rule
PUT/api/web/v2/resourcerules/:id
Update the specified resource rule. Caller requires the CONTEXTRULES:EDIT permission.
Request
Path Parameters
The UUID of the resource rule to be modified.
- application/json
Body
required
Array [
]
Array [
Array [
]
]
Array [
]
Array [
Array [
]
]
Array [
Array [
]
]
dateTimeContext
object
The DateTimeContext context specifies an allowed or disallowed date or time range. Only a date range or a time range can be specified. Risk is applied to the authentication if the current time is outside an allowed range or inside a disallowed range. A date range specifies a start and end date. For example 2019/01/01 to 2019/03/01. A time range species a start and end time and days of the week. For example Monday to Friday, 8am to 5pm.
If true, the startDateTime and endDateTime define the allowed range. If false, the startDateTime and endDateTime define the denied range.
If true, the startTime and endTime define the allowed time range. If false, the startTime and endTime define the denied time range.
If true, the resource rule evaluating the context will return Access Denied.
If specifying a date range, the end date of the range.
If specifying a time range, the end time of the range. The value should be of the form hh:mm:ss
Possible values: <= 100
The number of risk points that apply if this context applies.
If specifying a date range, the start date of the range.
If specifying a time range, the start time of the range. The value should be of the form hh:mm:ss
Possible values: [Mon
, Tue
, Wed
, Thu
, Fri
, Sat
, Sun
]
If specifying a time range, the days of the week to which the time range will apply.
zoneId
object
The timezone offset in which dates and times are considered. For example, a value like -05:00 to specify EST. Set the timezone value if you want to allow times 8am to 5pm in the customer's time zone and not the time zone of the service. If not specified, the default is Z for UTC.
rules
object
transitionRules
object[]
Possible values: [MONDAY
, TUESDAY
, WEDNESDAY
, THURSDAY
, FRIDAY
, SATURDAY
, SUNDAY
]
Possible values: [JANUARY
, FEBRUARY
, MARCH
, APRIL
, MAY
, JUNE
, JULY
, AUGUST
, SEPTEMBER
, OCTOBER
, NOVEMBER
, DECEMBER
]
offsetAfter
object
offsetBefore
object
standardOffset
object
Possible values: [UTC
, WALL
, STANDARD
]
transitions
object[]
duration
object
units
object[]
offsetAfter
object
offsetBefore
object
The description of the resource rule.
deviceCertificateContext
object
Device Certificate checks to see if the user presented a trusted device certificate that's valid. If not found, risk is applied.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
A flag indicating if single-sign on is disabled for this resource rule.
A flag indicating if this resource rule is enabled or not. Only enabled resource rules are considered during authentication.
The UUIDs of groups associated with this resource rule. The resource rule will only apply to users in one of the specified groups. When creating a resource rule, if no groupsIds are specified, the resource rule will apply to all users.
groups
object[]
deprecated
The groups associated with this resource rule. The resource rule only applies to users in one of the specified groups. If no groups are specified, the resource rule applies to all users. This attribute is ignored if the groupIds attribute is specified. The groupIds attribute should be used instead.
When the group was created.
The externalId of this group.
The UUID of this group. This value is generated when the group is created.
When the group was last modified.
The name of this group.
Possible values: [LDAP_AD
, MGMT_UI
]
The type of group indicating if this group was synchronized from a directory (LDAP_AD) or was created in Identity as a Service (MGMT_UI).
The UUID of the authentication flow to use when the risk score is High. Required with v2 APIs.
A flag indicating if Smart Login is enabled for High risk.This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE
, EXTERNAL
, PASSWORD
, KBA
, OTP
, TOKEN
, TOKENPUSH
, SMARTCREDENTIALPUSH
, IDP
, PASSKEY
, SMART_LOGIN
, USER_CERTIFICATE
, FACE
, DENY
]
The authenticator type to use in the first step of a two-step authentication scenario when the risk score is High. Only the values NONE, EXTERNAL, PASSWORD or DENY should be used for highRiskFirstStep. Other values are defined for backwards compatibility. Some values are not supported by all application types.This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE
, KBA
, TEMP_ACCESS_CODE
, OTP
, GRID
, TOKEN
, TOKENPUSH
, FIDO
, USER_CERTIFICATE
, SMARTCREDENTIALPUSH
, FACE
]
The authenticator type to use during in the second step of a two-step authentication scenario when the risk score is High. Some values are not supported by all application types.This parameter is deprecated, use the highRiskAuthenticationFlow attribute with v2 APIs.
ipContext
object
The IP context specifies allowed or denied IP address ranges or lists. Risk is applied to the authentication if the current IP address does not match an allowed IP address range/list or does match a denied IP address range/list.
The UUID of an existing IP List that defines IPs that can access the resource. Risk applies if the given IP address is not found in the IP List. If specified, the allowed IP List takes precedence over the denied IP List.
List of IP Address ranges (in CIDR notation) that are allowed access the resource. Risk applies if the given IP address is not in one of the allowed IP ranges. If specified, the allowed IP values take precedence over the denied IP values.
The UUID of an existing IP List that defines IPs that cannot access the resource. Risk applies if the given IP address is found in the IP List. The denied IP List is ignored if an allowed IP List is specified.
List of IP Address ranges (in CIDR notation) that cannot access the resource. Risk applies if the given IP address is in one of the denied IP ranges. The denied IP values are ignored if allowed IP ranges are specified.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
Possible values: [CUSTOM
, IPLIST
]
The type of IpContext. If not specified, this value defaults to CUSTOM.
kbaContext
object
The KBA context allows the settings for knowledge-based authentication to be overridden for a particular resource rule. For example, a different challenge size can be specified.
Number of questions that the user must answer. If not provided, the default QA challenge size in the KBA settings is used.
If true, the resource rule evaluating the context will return Access Denied.
Number of questions that the user could answer incorrectly and still be considered a valid response. If not provided, the default wrong answers allowed in the KBA settings is used.
locationContext
object
The location context specifies allowed or denied country codes. Risk is applied to the authentication if the location of the current IP address does not match an allowed country or matches a disallowed country.
If true, the list of countries defines allowed countries. If false, the list of countries defines denied countries.
If true, then allows anonymous/TOR IP addresses. If false, then denies anonymous/TOR IP addresses.
List of country codes (ISO alpha-2) that can access(allowed=true) or not access (allowed=false).
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
locationHistoryContext
object
Location history checks to see if the location of the current IP address matches a location from a previous authentication. If the current location does not match history, risk is applied.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
The UUID of the authentication flow to use when the risk score is Low. Required with v2 APIs.
A flag indicating if Smart Login is enabled for Low risk.This parameter is deprecated, use the lowhRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE
, EXTERNAL
, PASSWORD
, KBA
, OTP
, TOKEN
, TOKENPUSH
, SMARTCREDENTIALPUSH
, IDP
, PASSKEY
, SMART_LOGIN
, USER_CERTIFICATE
, FACE
, DENY
]
The authenticator type to use in the first step of a two-step authentication scenario when the risk score is Low. Only the values NONE, EXTERNAL, PASSWORD should be used for lowRiskFirstStep. The value DENY can only be specified for low risk authentication when using Smart Login, otherwise DENY can only be specified for medium or high risk values. Other values are defined for backwards compatibility. Some values are not supported by all application types. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE
, KBA
, TEMP_ACCESS_CODE
, OTP
, GRID
, TOKEN
, TOKENPUSH
, FIDO
, USER_CERTIFICATE
, SMARTCREDENTIALPUSH
, FACE
]
The authenticator type to use during in the second step of a two-step authentication scenario when the risk score is Low. Some values are not supported by all application types. This parameter is deprecated, use the lowRiskAuthenticationFlow attribute with v2 APIs.
Possible values: <= 100
Risk scores below this value are considered Low risk.
machineContext
object
Represents a Machine Authenticator authentication context. When defined, a Machine Authentication authenticator is expected in the authentication request. Risk will apply if the machine authentication authenticator is not present or if the risk for the machine authentication authentication is greater than the risk limit define for the Machine context.
If true, the resource rule evaluating the context will return Access Denied.
The risk points apply if the machine authenticator risk is below or equal to this value.
Possible values: <= 100
The number of risk points that apply if this context applies.
The UUID of the authentication flow to use when the risk score is Medium. Required with v2 APIs.
A flag indicating if Smart Login is enabled for Medium risk.This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE
, EXTERNAL
, PASSWORD
, KBA
, OTP
, TOKEN
, TOKENPUSH
, SMARTCREDENTIALPUSH
, IDP
, PASSKEY
, SMART_LOGIN
, USER_CERTIFICATE
, FACE
, DENY
]
The authenticator type to use in the first step of a two-step authentication scenario when the risk score is Medium. Only the values NONE, EXTERNAL, PASSWORD or DENY should be used for mediumRiskFirstStep. Other values are defined for backwards compatibility. Some values are not supported by all application types. This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.
Possible values: [NONE
, KBA
, TEMP_ACCESS_CODE
, OTP
, GRID
, TOKEN
, TOKENPUSH
, FIDO
, USER_CERTIFICATE
, SMARTCREDENTIALPUSH
, FACE
]
The authenticator type to use during in the second step of a two-step authentication scenario when the risk score is Medium. Some values are not supported by all application types.This parameter is deprecated, use the mediumRiskAuthenticationFlow attribute with v2 APIs.
Possible values: <= 100
Risk scores below this value are considered Medium risk. Risk scores equal or greater than this value are considered High risk.
The name of the resource rule.
When updating a resource rule, if removeDateTimeContext is set to true, the existing date time context is removed. This attribute is ignored when creating a resource rule.
When updating a resource rule, if removeDeviceCertificateContext is set to true, the existing device certificate context is removed. This attribute is ignored when creating a resource rule.
When updating a resource rule, if removeIPContext is set to true, the existing IP context is removed. This attribute is ignored when creating a resource rule.
When updating a resource rule, if removeKBAContext is set to true, the existing KBA context is removed. This attribute is ignored when creating a resource rule.
When updating a resource rule, if removeLocationContext is set to true, the existing location context is removed. This attribute is ignored when creating a resource rule.
When updating a resource rule, if removeLocationHistoryContext is set to true, the existing location history context is removed. This attribute is ignored when creating a resource rule.
When updating a resource rule, if removeMachineContext is set to true, the existing machine context is removed. This attribute is ignored when creating a resource rule.
When updating a resource rule, if removeTravelVelocityContext is set to true, the existing travel velocity context is removed. This attribute is ignored when creating a resource rule.
The UUID of the resource to which this resource rule is assigned. This value is only used when creating a resource rule.
riskEngineContexts
object[]
If risk engine rules are defined, the transaction contexts specify the level at which risk is applied to the authentication request if the corresponding risk engine rules trigger risk. If set to null, no changes are made. If set to an empty set, transaction contexts are removed.
If true, the resource rule evaluating the context will return Access Denied.
The name of this transaction context.
The risk points apply if the accumulated risk of each configured transaction rule is above this value.
Possible values: <= 100
The number of risk points that apply if this context applies.
transactionRuleRisks
object[]
required
The transaction rules associated with this context.
Possible values: >= 1
and <= 100
The risk score that applies if this transaction rule is triggered.
The id of the transaction rule associated with this risk definition.
A flag indicating if second factor will be skipped if user doesn't exist when the first factor was EXTERNAL.
A flag indicating if this resource rule enforces strict access. Strict access means that if this rule denies access, the user is denied access even if other resource rules allow access.
transactionContexts
object[]
If transaction details are specified during an authentication request, the transaction contexts specify the level at which risk is applied to the authentication request if the corresponding transaction rules trigger risk. A maximum of two are allowed. If set to null, no changes are made. If set to an empty set, transaction contexts are removed.
If true, the resource rule evaluating the context will return Access Denied.
The name of this transaction context.
The risk points apply if the accumulated risk of each configured transaction rule is above this value.
Possible values: <= 100
The number of risk points that apply if this context applies.
transactionRuleRisks
object[]
required
The transaction rules associated with this context.
Possible values: >= 1
and <= 100
The risk score that applies if this transaction rule is triggered.
The id of the transaction rule associated with this risk definition.
travelVelocityContext
object
Travel velocity checks to see if the time between authentications at different locations means the user has traveled faster than a given velocity. If the velocity is exceeded, risk applies.
If true, the resource rule evaluating the context will return Access Denied.
Possible values: <= 100
The number of risk points that apply if this context applies.
Responses
- 200
- 400
- 401
- 403
- 404
- 409
Successful
Bad Request
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Access denied
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Forbidden
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Not Found
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}
Conflict
- application/json
- Schema
- Example (from schema)
Schema
Error Codes specific to cause of failure.
Additional Error Message describing the error.
Optional additional error information.
{
"errorCode": "invalid_user_response",
"errorMessage": "Application id cannot be null",
"parameters": [
{}
]
}