Manage Resource Rules
Resource rules protect access to applications by setting access restrictions. In an Instant ID as a Service account, the Administration Portal and User Portal Edit applications are available. When a user attempts to authenticate to the application, and/or edit their profile (if enabled), the resource rule determines how a user must authenticate to gain access. For example,
You must configure First Factor and Second Factors. These settings allow administrators to clearly define the authenticators users are prompted to use when they authenticate to Instant ID as a Service.
You might set multiple resource rules to access the application. For example:
- Resource rule 1 allows some groups to access the application and some not
- Resource rule 2 forces some groups of users to have different authentication
You must configure First Factor and Second Factors settings. These settings define the authenticators users are prompted to use when they authenticate to an application.
- The selected First Factor authenticator determines whether a user must authenticate using their password or whether they skip directly to second factor authentication. If the first factor is set to Skip Password, a user must respond to a Second Factor authenticator.
Note: Before setting Password as the first factor authenticator, ensure that the administrator user has a password configured. For instructions, refer to Enable Password Authenticator.
- The Second Factors list is ordered by preference from top to bottom.
- Only selected authenticators in that list can be used to complete a second factor authentication challenge.
- During authentication, the resource rule prompts the user to complete the First Factor authentication.
- Once the user completes the first factor challenge, the user is prompted with the most preferred second-factor authentication challenge. If a user does not have a specific authenticator, they are prompted to log in using the next-most preferred authenticator on the list.
For example, if Entrust Soft Token appears at the top of the list of second factor authenticators, the user is prompted to authenticate using Entrust Soft Token. If the user does not have an Entrust Soft Token, the user is prompted to authenticate using the next second factor authenticator in the list, and so on.
Consider these examples:
- Example 1: First Factor is set to Skip Password. Second Factors are set to Entrust Soft Token and One Time Password, in that order. The user logs in to Instant ID as a Service using Entrust Soft Token Push. If the user does not have Entrust Soft Token push, the user selects Use an alternative authenticator on the log in screen, and selects OTP from the list.
- Example 2: First Factor is set to Password. Second Factors is set to Temporary Access Code. The user logs in to Instant ID as a Service using their Instant ID as a Service password. If the user does not have Entrust Soft Token push, the user selects Use an alternative authenticator on the log in screen, and selects OTP from the list.
- Example 3: You want to create multiple resource rules for different users of your account. For example,
  - Resource rule A for Group A is set to Skip First Factor and second factor set to OTP and Entrust ST.
  - Resource rule B for Group B is set to First Factor Password with no second factors selected. Users authenticate using password only.
  - Resource rule C for Group C is set to Skip First Factor and Second Factor set to all four options (For example, some users only have Temporary Access Code. When logging in, they select Alternate Authentication on the second factor authentication page to be able to authenticate using their Temporary Access Code).
  - Resource rule for no group selected (all groups) is set to Skip First Factor and second factor OTP. Users must authenticate by OTP. There are no other options.
If an application has multiple resource rules, Instant ID as a Service selects the resource rule to be used as follows:
- Ignores the resource rules for which the user’s group does not match
- Selects from the remaining resource rules alphabetically based on name
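The rule selection and second-factor fallback described above, modelled in Python as an added example (this is not Entrust code or an Entrust API). The `ResourceRule` class, the function names and the rule names are hypothetical; the model assumes that "alphabetically" means the first matching name in case-insensitive order wins and that a rule with no group selected matches every user.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourceRule:               # hypothetical model, not an Entrust object
    name: str
    groups: frozenset             # empty set = no group selected (all groups)
    first_factor: str             # "Password" or "Skip Password"
    second_factors: tuple         # ordered by preference, top first

def select_rule(rules, user_groups):
    """Drop rules whose groups do not match, then take the first by name."""
    matching = [r for r in rules if not r.groups or r.groups & set(user_groups)]
    # Assumption: alphabetical selection is case-insensitive, first name wins.
    return min(matching, key=lambda r: r.name.lower(), default=None)

def login_plan(rules, user_groups, user_authenticators):
    """Return (rule name, ordered challenges) for one login attempt."""
    rule = select_rule(rules, user_groups)
    if rule is None:
        return None
    steps = ["Password"] if rule.first_factor == "Password" else []
    if rule.second_factors:
        # Most preferred second factor the user actually has. None means the
        # user holds none of the allowed authenticators (outcome not stated on the page).
        usable = [a for a in rule.second_factors if a in user_authenticators]
        steps.append(usable[0] if usable else None)
    return rule.name, steps

# Constructed rules modelled on Example 3; the names are made up.
RULES = [
    ResourceRule("Rule A", frozenset({"Group A"}), "Skip Password",
                 ("OTP", "Entrust Soft Token")),
    ResourceRule("Rule B", frozenset({"Group B"}), "Password", ()),
    # The page says "all four options" but names only these three.
    ResourceRule("Rule C", frozenset({"Group C"}), "Skip Password",
                 ("Entrust Soft Token", "OTP", "Temporary Access Code")),
    ResourceRule("Rule Z - all groups", frozenset(), "Skip Password", ("OTP",)),
]

def rename(rules, old, new):
    """Copy of the rule list with one rule renamed, to audit ordering effects."""
    return [ResourceRule(new, r.groups, r.first_factor, r.second_factors)
            if r.name == old else r for r in rules]

if __name__ == "__main__":
    print(login_plan(RULES, {"Group B"}, {"OTP"}))
    renamed = rename(RULES, "Rule Z - all groups", "All groups")
    print(login_plan(renamed, {"Group B"}, {"OTP"}))
```

In this model, renaming the catch-all rule so that it sorts first changes the challenge a Group B user receives from Password to OTP, so rule names are worth reviewing whenever several rules can match the same user.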