Risk policies enable you to customize the risk evaluations to your specific needs. Risk policies are containers for specific risk logic. You can define multiple risk policies and deploy them to initiate different authentication flow actions based on the calculated risk. By default, every PingOne environment has an associated system-level default risk policy set.
For more information about the default risk policies, see the example response in Read Risk Policy Sets. Each risk policy set contains a list of risk policies. The maximum number of policy sets per environment is 100; the maximum number of policies per policy set is 100.
Risk policies have the components:
Condition
A Boolean predicate that defines when the policy element is evaluated to true and when it is evaluated to false.
Result
Defines the final result of the risk evaluation when the condition is evaluated to true.
Value comparison conditions compare a placeholder to a value. For example:
{
"value": "${some.placeholder}",
"equals": "some value"
}
The value is the outcome of one of the risk predictors.
IP range conditions designate IP addresses for whitelisting and blacklisting.
{
"ipRange": ["1.1.1.1/16", "2.2.2.2/24"],
"contains": "${transaction.ip}"
}
Override policies are the ones with the highest priority. They should be listed at the beginning of the riskPolicies
array. They can have value comparison condition rules or IP range condition rules. The risk policy array can have no override policies or multiple override policies.
There are two methods of combining the predictors - Weights and Scores. When you use the Weights approach, you are determining relative weights that should be used when calculating the individual risk score for each predictor. When you use the Scores approach, you can exercise more control over the overall calculation because you can specify an exact numerical score that should be assigned when PingOne Protect determines that there is a medium or high risk level for a predictor.
Weighted policies allow you to combine results from multiple predictors.
Weighted policies determine risk based on aggregated weighted risk score. These policies must be listed in the riskPolicies
array after all override policies are specified. An aggregated risk score involves two weighted policies, and these policies must be the last policies in the riskPolicies
array.
The weighted policies that determine the aggregated risk score complement each other and are subject to these restrictions:
The first weighted policy should have result.level=MEDIUM
and the second should have result.level=HIGH
.
The value for the condition.aggregatedWeights
attribute for both policies must be the same.
The value for the condition.between.maxScore
attribute for the HIGH
weighted policy must be 100.
The value of the condition.between
attribute for the two policies must be complementary. For example, if the HIGH
policy has condition.between.minScore = 70
, the MEDIUM
policy should have condition.between.maxScore = 70
.
condition.type
should be set to AGGREGATED_WEIGHTS.
Choose the weight
value assigned to each predictor outcome according to its significance. The following example shows the weight
for two predictors: ipAddressReputation
at 9 and the weight
for geoVelocity
at 4. The maximum and minimum scores are set at 60 and 90, respectively:
{
"aggregatedWeights": [
{
"value": "${details.aggregatedWeights.ipAddressReputation}",
"weight": 9
},
{
"value": "${details.aggregatedWeights.geoVelocity}",
"weight": 4
}
],
"between": {
"minScore": 60,
"maxScore": 90
}
}
The value of value
consists of the identifier for a specific predictor, and it takes the form ${details.aggregatedWeights.geoVelocity}
, where the string after aggregatedWeights
is the compact name of the relevant predictor.
The JSON content below shows an example of a policy set that uses the Scores approach to risk calculation.
Details to note about the use of score policies:
If you are including overrides in the policy set, they must precede the score policies.
The policy set must include two score policies - one that includes the score range that should be translated into MEDIUM risk, and one that includes the score range that should be translated into HIGH risk.
In terms of order, the MEDIUM policy must precede the HIGH policy.
Use condition.between.minScore
and condition.between.maxScore
to define the ranges for MEDIUM risk and HIGH risk. The maxScore
for MEDIUM risk should always equal the minScore
for HIGH risk.
condition.type
should be set to AGGREGATED_SCORES.
The condition
object should contain an aggregatedScores
object that consists of an array of value
/score
pairs. The value of value
consists of the identifier for a specific predictor, and it takes the form ${details.userLocationAnomaly.level}
, where the string between details
and level
is the compact name of the relevant predictor. The value of score
is the score you want to assign to that predictor when it is determined that there is a high risk for the predictor. If it is determined that there is medium risk, the predictor will automatically be assigned a score equal to half of the value you specified for high risk.
The array in condition.aggregatedScores
must be identical in the MEDIUM policy that you define and the HIGH policy that you define.
{
"id": "944fa7b4-e280-4932-80e7-01853ac9ce6d",
"name": "aa",
"default": false,
"defaultResult": {
"level": "Low"
},
"riskPolicies": [
{
"name": "ANONYMOUS_NETWORK_DETECTION",
"result": {
"level": "HIGH"
},
"condition": {
"value": "${details.anonymousNetworkDetected}",
"equals": true
}
},
{
"name": "GEOVELOCITY_ANOMALY",
"result": {
"level": "MEDIUM"
},
"condition": {
"value": "${details.impossibleTravel}",
"equals": true
}
},
{
"name": "Medium score policy",
"result": {
"level": "MEDIUM"
},
"condition": {
"type" : "AGGREGATED_SCORES",
"aggregatedScores": [
{
"value": "${details.userLocationAnomaly.level}",
"score": 40
},
{
"value": "${details.anonymousNetwork.level}",
"score": 60
},
{
"value": "${details.ipRisk.level}",
"score": 40
}
],
"between": {
"minScore": 700,
"maxScore": 900
}
}
},
{
"name": "High score policy",
"result": {
"level": "HIGH"
},
"condition": {
"type" : "AGGREGATED_SCORES",
"aggregatedScores": [
{
"value": "${details.userLocationAnomaly.level}",
"score": 40
},
{
"value": "${details.anonymousNetwork.level}",
"score": 60
},
{
"value": "${details.ipRisk.level}",
"score": 40
}
],
"between": {
"minScore": 900,
"maxScore": 1000
}
}
}
]
}
The condition.type
field indicates the type of policy you are defining. It can take any of the following values:
Risk staging policy allows you to test a policy set in parallel with another policy set. You link an existing policy set to the test policy set with a triggers
object in the existing policy set, which points to the test policy set in its triggers.policySet
object. Every time the existing policy set runs, it triggers the test policy set to also run. While in staging, the test policy set runs but only records its evaluation. A trigger expires 3 months from when it is set. Use Update Risk Policy Set to add the triggers
object to an existing policy set.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
createdAt |
Date | Required | Immutable | The date and time the resource was created (format ISO-8061). |
default |
Boolean | Optional | Mutable | Indicates whether this risk policy set is the environment’s default risk policy set. This is used whenever an explicit policySet ID is not specified in the risk evaluation request. If this property is not specified when you create or update a risk policy, the value defaults to false , and this risk policy set is not regarded as the default risk policy set for the environment. If you set this property to true , the default property of all other risk policies in the environment is set to false . |
defaultResult |
Object | Optional | Mutable | Contains the default result returned if none of the conditions in the policy are evaluated to true. At this time, the defaultResult.level value must be LOW . |
description |
String | Optional | Mutable | A description for this policy set. Valid characters consist of any Unicode letter, mark (for example, accent, umlaut), numeric character, punctuation character, or space. Maximum size is 1024 characters. |
environment.id |
String | Required | Immutable | The environment resource’s unique identifier. |
evaluatedPredictors |
String array | Optional | Mutable | The IDs for the predictors to evaluate in this policy set. In POST and PUT requests, if this property is null, all of the licensed predictors are used. |
id |
String | Required | Immutable | The resource’s unique identifier. |
name |
String | Required | Mutable | The name for this policy set. Valid characters consist of any Unicode letter, mark (such as, accent, umlaut), # (numeric), / (forward slash), . (period), ’ (apostrophe), _ (underscore), space, or - (hyphen). Maximum size is 256 characters. |
riskPolicies |
String array | Required | Mutable | The conditions associated with this policy set. See also [Risk policies data model]{#risk-policies-data-model} below. |
triggers |
Object[] | Optional | Mutable | Array that contains trigger definitions for staging mode. |
triggers.type |
String | Required | Immutable | Trigger type; must be POLICY_SET_STAGING . |
triggers.policySet |
Object | Required | Immutable | Contains the policy set identifier to trigger. |
triggers.policySet.id |
String | Required | Immutable | UUID of the policy set to trigger in staging mode. |
triggers.expiresAt |
String | Required | Immutable | Date and time at which the trigger expires. |
updatedAt |
Date | Required | Immutable | The date and time the resource was last updated (format ISO-8061). |
This table lists the fields and objects that can be included in each of the elements in the riskPolicies
array.
Property | Type | Required? | Mutable? | Description |
---|---|---|---|---|
condition |
Object | Required | Mutable | Contains the condition logic that determines when a policy is evaluated to true and when it is evaluated to false. |
condition.aggregatedScores |
Array | Required/Optional | Mutable | Required for score-based policies. The elements in the array are value -score pairs, representing the score that should be assigned to a specific predictor when it is determined that there is a high risk for the predictor. |
condition.aggregatedScores.value |
String | Required | Mutable | Text that identifies a specific risk predictor in the environment. It uses the form ${details.xxxxxxx.level} , where the string between details and level is the compact name of the relevant predictor. |
condition.aggregatedScores.score |
Integer | Required | Mutable | The score you want to assign to the predictor when it is determined that there is a high risk for the predictor. Value should be between 0 and 100. If it is determined that there is medium risk, the predictor will automatically be assigned a score equal to half of the value you specified for high risk. |
condition.type |
String | Required | Mutable | Indicates the type of policy you are defining. Can be one of the following values: AGGREGATED_SCORES, AGGREGATED_WEIGHTS, VALUE_COMPARISON, and IP_RANGE (for override policies or custom predictors). |
condition.between.minScore |
Integer | Required/Optional | Mutable | Required for policies of type AGGREGATED_SCORES or AGGREGATED_WEIGHTS. The beginning of the risk score range that will be translated into the specified risk level (MEDIUM or HIGH). Must be between 0 and 1000. |
condition.between.maxScore |
Integer | Required/Optional | Mutable | Required for policies of type AGGREGATED_SCORES or AGGREGATED_WEIGHTS. The end of the risk score range that will be translated into the specified risk level (MEDIUM or HIGH). Must be between 0 and 1000. |
createdAt |
Date | Required | Immutable | The date and time the resource was first created (format ISO-8061). |
description |
String | Optional | Mutable | A description for this risk policy. Valid characters consist of any Unicode letter, mark (for example, accent, umlaut), # (numeric), / (forward slash), . (period), ’ (apostrophe), _ (underscore), space, or - (hyphen). Maximum size is 1024 characters. |
environment.id |
String | Required | Immutable | The environment resource’s unique identifier. |
id |
String | Required | Immutable | The resource’s unique identifier. |
name |
String | Required | Mutable | A name for the risk policy. Valid characters consist of any Unicode letter, mark (for example, accent, umlaut), # (numeric), / (forward slash), . (period), ’ (apostrophe), _ (underscore), space, or - (hyphen). Maximum size is 256 characters. |
priority |
Integer | Required | Mutable | The index of the element in the riskPolicies array. |
result.level |
String | Required | Mutable | Contains the result returned if the condition is evaluated as true. If several policies are evaluated as true, the result related to the lowest priority condition is returned. For more information, see the Result attribute data model in Risk Evaluations. |
updatedAt |
Date | Required | Immutable | The date and time the resource was last updated (format ISO-8061). |
To see the effects of these events for an API call, see the event types in the Audit Report, Audit Activities API, or Webhook stream.
Service | Event |
---|---|
risk_admin | POLICY_SET.CREATED |
risk_admin | POLICY_SET.UPDATED |
risk_admin | POLICY_SET.DELETED |