13 Managing the Policy Set

This chapter explains the management and use of the policy set in Oracle Adaptive Access Manager.

13.1 Introduction and Concepts

This section introduces the concept of the policy set and how it is used in Oracle Adaptive Access Manager.

13.1.1 Policy Set

The policy set is a level of evaluation logic above the individual policies. The policy set logic is a collection of functionality that executes after all the policies have executed for a checkpoint. This functionality includes the calculation of the final risk score and any overrides.

The policy set can be used to create action-based or score-based overrides. The overrides allow an administrator to account for special circumstances where the actions or score generated by the policies may have an undesired effect. For example, to prevent a call center from being swamped by calls if a rule is configured too conservatively, an administrator can create an action override to convert a "Block" action if there is an extremely high number of blocks in a short period of time.

The policy set has a few key features:

  • The scoring engine used to combine the scores generated by the individual policies into the final risk score is configured here.

  • It can be used to create an action or a score override.

13.1.2 Action and Score Overrides

Action and score overrides can be used to change the outcomes of a checkpoint.

When you create an Action Override, you specify an action to replace the action triggered by an individual rule. For example, an action override, which is based on "time" and "action," can be used to limit the number of blocks or to control the number of registrations within a specified time frame.

When you create a Score Override, you specify an action group, or an alert group, or both to be triggered when the final risk score for a checkpoint falls within the specified range. For example, if you set the score range to 500 - 1000 and specify an alert group, the alerts are generated if the checkpoint risk score falls between 500 and 1000.

13.1.3 Before You Begin

Oracle Adaptive Access Manager is shipped with action overrides disabled (default). If you want this feature enabled, set the following property to "true."

vcrypt.tracker.rules.allowControlledActions

13.2 Navigating to the Policy Set Details Page

Only one policy set is available.

To access the Policy Set Details page:

  1. Expand the Navigation tree.

  2. From the Navigation tree, select Policy Set.

Policy Set Details is displayed.

Alternatively, you can open the Policy Set Details page by:

  • Right-clicking Policy Set in the Navigation tree and selecting Open Policy Set from the context menu.

  • Selecting Policy Set in the Navigation tree and then choosing Open Policy Set from the Actions menu.

  • Clicking the Open Policy Set button in the Navigation tree toolbar.

13.3 Viewing Policy Set Details

The Policy Set Details page enables you to view and edit the details of a policy set.

It provides the following four tabs:

  • Summary - Shows general details of the policy set and enables you to edit the details and select a scoring engine.

  • Score Overrides - Enables you to set a score override.

  • Action Overrides - Enables you to set an action override.

13.4 Adding or Editing a Score Override

To add or edit a score override:

  1. Navigate to the Policy Set Details page.

  2. Click the Score Overrides tab.

    A list of existing score overrides appears.

  3. To add a score override, click Add.

    To edit a score override, select the override and click Edit.

    The Add Score Override or Edit Score Override dialog appears.

  4. Select the checkpoint you want this override to be applied to.

  5. Enter the minimum and maximum scores.

    The override triggers if the score falls between the minimum and maximum scores.

  6. Select the action that you want triggered in an override.

  7. Select the alert that you want triggered in an override.

  8. Click Apply.

13.5 Adding or Editing an Action Override

To add or edit an action override:

Note:

If a user/device/IP has already been presented with the action in the given duration, it continues with the same action and the override is not applied.

  1. Navigate to the Policy Set Details page.

  2. Click the Action Overrides tab.

    A list of existing action overrides appears.

  3. To add an action override, click Add.

    To edit an action override, select the override and click Edit.

    The Add Action Override or Edit Action Override dialog appears.

  4. Select the checkpoint you want this override to be applied to.

  5. In the From Action field, select the action that you want replaced.

    For example, you might select Block so that you can convert the block to a challenge question.

    Specifying the To Action is optional. The From Action and To Action can be the same.

  6. In the To Action field, select the action you want to use for the replacement.

    For example, you might select Challenge to convert a block to a challenge.

  7. From the Alert Group list, select the alert you want generated when this event occurs.

    Alerts are indicators (messages) to personnel (CSR, Investigators, and so on). An alert group contains graded messages that can be triggered by a rule.

    Alert groups are used as results within rules so that when a rule is triggered all of the alerts within the groups are activated.

  8. For Duration, enter the number of minutes within which you want the To Action to be triggered.

    For example, you might enter the number "30" so that if within 30 minutes there are more than 100 blocks, the system stops blocking people and starts challenging those people who would have been blocked.

  9. For Count, enter the number of events generated by the From Action.

    For example, you might enter "100" to indicate more than ten blocks.

    The count of the actions is incremented only if the action is from a different user, IP, and device.

    The count is updated only when the user, IP, and device are all unique. For example, if these are not unique and if a device is blocked, the device continues to be blocked in the specified duration instead of being challenged.

  10. Click Apply.
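
The counting behaviour described in steps 8 and 9 and in the note above, as an added example (not Oracle code and not an OAAM API): a simplified Python model of one action override evaluated over a stream of rule outcomes. The class, the sample events, and the two assumptions marked in the comments (how "already presented with the action" is matched, and that replaced requests are not counted) are illustrative.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ActionOverride:
    """Simplified model of one action override (hypothetical, not an OAAM API)."""
    from_action: str
    to_action: str
    duration_min: int   # Duration field, in minutes
    count: int          # Count field
    _counted: deque = field(default_factory=deque, repr=False)

    def apply(self, minute, user, ip, device, action):
        """Return the action presented once the override has been considered."""
        if action != self.from_action:
            return action
        # Forget counted events that have fallen out of the duration window.
        while self._counted and minute - self._counted[0][0] >= self.duration_min:
            self._counted.popleft()
        # Assumption: a match on user, IP or device means "already presented
        # with the action", so it keeps the From Action and is not recounted.
        for _, u, i, d in self._counted:
            if user == u or ip == i or device == d:
                return self.from_action
        # More than `count` unique From Actions in the window: replace it.
        # Assumption: replaced requests are not added to the count.
        if len(self._counted) >= self.count:
            return self.to_action
        self._counted.append((minute, user, ip, device))
        return self.from_action


def replay(override, events):
    """Feed (minute, user, ip, device, action) tuples through the override."""
    return [override.apply(*event) for event in events]


# Constructed sample events (minute, user, IP, device, action from the rules).
SAMPLE = [
    (0, "alice", "192.0.2.1", "dev-a", "Block"),
    (1, "bob", "192.0.2.2", "dev-b", "Block"),
    (2, "carol", "192.0.2.3", "dev-c", "Block"),
    (3, "dave", "192.0.2.4", "dev-d", "Block"),    # fourth unique block
    (4, "alice", "192.0.2.9", "dev-z", "Block"),   # alice was already blocked
    (5, "erin", "192.0.2.5", "dev-e", "Allow"),    # not the From Action
    (40, "frank", "192.0.2.6", "dev-f", "Block"),  # earlier blocks expired
]
```

Replaying SAMPLE through ActionOverride("Block", "Challenge", duration_min=30, count=3) shows the fourth unique block converted to a challenge, the repeat user staying blocked, and blocking resuming once the window has emptied.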

13.6 Editing a Policy Set

To edit a policy set:

  1. Navigate to the Policy Set Details page.

  2. To edit the policy set's general information, make the changes you want in the Summary tab and then click Apply.

    You can change the Policy Set's scoring engine and description.

    For information on Scoring Engines, see Chapter 14, "Using the Scoring Engine." OAAM Admin uses the scoring engine to calculate the numeric score applied when calculating risk level.

    If the changes are successful, a confirmation that the policy set details have been updated successfully appears.

  3. To add or edit the score overrides, follow the instructions in Section 13.4, "Adding or Editing a Score Override."

  4. To edit the action overrides, follow the instructions in Section 13.5, "Adding or Editing an Action Override."

13.7 Use Cases

This section describes example use cases for the policy set.

13.7.1 Use Case: Policy Set - Overrides

William is a Security Administrator and he must set the score and action overrides such that when the score is between 500 and 700 for Pre-Authentication, a special alert is triggered for immediate attention by the fraud investigators and the users are "blocked" instead of being "challenged."

  1. Edit Score Override

    When you create a Score Override, you specify an action group, or an alert group, or an action and an alert group you want to be triggered when a score falls within a specific range. For example, if you have set a minimum score of 500, you can specify an action or alert group that you want to be triggered when the score reaches 501.

    1. Checkpoint: Pre-Authentication

    2. Minimum score: 500

      500 is the minimum score allowed before the score override is triggered.

    3. Maximum score: 700

      700 is the maximum score allowed before the score override is triggered.

    4. Alert Group: new alert

      Alerts are indicators (messages) to personnel (CSR, Investigators, and so on). An alert group contains graded messages that can be triggered by a rule.

      Alert groups are used as results within rules so that when a rule is triggered all of the alerts within the groups are activated.

    5. Action Group: Block

      Oracle Adaptive Access Manager does not allow the user to access the system if he is blocked.

  2. Edit Action Override

    When you create an Action Override, you specify an action to replace the action triggered by an individual rule. For example, an action override, which is based on "time" and "action," can be used to limit the number of blocks or to control the number of registrations within a specified time frame.

    1. Checkpoint: Pre-Authentication

    2. From Action: Challenge

    3. To Action: Block

    4. Alert Group: new alert

13.7.2 Policy Set - Overrides (Order of Evaluation)

William is a Security Administrator and he must set the score and action overrides such that when the score is between 500 and 700 for Pre-Authentication, a special alert is triggered for immediate attention by the fraud investigators and the users are "blocked" instead of being "challenged." However, there are about 10 training users who have been given temporary allows for the next 1 week. How do the action and score overrides affect these users?

  1. Edit Score Override

    When you create a Score Override, you specify an action or alert group, or an action and an alert group you want to be triggered when a score falls within a specific range. For example, if you have set a minimum score of 500, you can specify an action or alert group that you want to be triggered when the score reaches 501.

    1. Checkpoint: Pre-Authentication

    2. Minimum score: 500

      500 is the minimum score allowed before the score override is triggered.

    3. Maximum score: 700

      700 is the maximum score allowed before the score override is triggered.

    4. Alert Group: new alert

      Alerts are indicators (messages) to personnel (CSR, Investigators, and so on). An alert group contains graded messages that can be triggered by a rule.

      Alert groups are used as results within rules so that when a rule is triggered all of the alerts within the groups are activated.

    5. Action Group: Block

      Oracle Adaptive Access Manager does not allow the user to access the system if he is blocked.

  2. Edit Action Override

    When you create an Action Override, you specify an action to replace the action triggered by an individual rule. For example, an action override, which is based on "time" and "action," can be used to limit the number of blocks or to control the number of registrations within a specified time frame.

    1. Checkpoint: Pre-Authentication

    2. From Action: Challenge

    3. To Action: Block

    4. Alert Group: new alert

  3. Create the Training Folks group.

  4. Select the group in the Exclude group of the Pre-conditions of all Challenge rules.

13.8 Best Practices for the Policy Set

This section outlines some best practices for using policy sets.

  • Before you import a policy set into a production system, be aware that you are about to replace the entire system configuration in the production system. Export the current policy set before the actual import so that you do not lose the current configuration if the import fails or if there are any other issues that you did not anticipate. After you have imported the policy set, there is no way for you to perform an undo. When you have a backup available, you can import that configuration into your system immediately if the import fails.

  • Import the policy set from the offline system into the online system only when an export is successful.

  • When configurable actions are exported with a policy set, copy the Java classes to the specified directory after the import so that the configurable actions are not broken when they are imported back into a system.