Policy objects are the individually configurable components of a policy, such as network locations. You configure policy objects and then add them to authentication policies.
You can configure these kinds of policy objects:
- Network location policy objects enable you to specify a list of IP addresses. You can then configure authentication policies that only apply when users authenticate from the IP addresses in the specified network location.
- Time schedule policy objects enable you to specify the dates and times when authentication policies apply to user authentications. When you add a time schedule to an authentication policy, the policy only applies when a user authenticates during the specified time schedule.
- Geofence policy objects enable you to specify a list of countries. You can then configure authentication policies that only apply when users authenticate from those countries. You might do this if you want to enforce different MFA requirements for different locations, or if you want to block authentication from specific countries.
- Geokinetics policy objects compare the location of the user's current authentication with the location of their last valid authentication. AuthPoint automatically denies an authentication from a location the user could not have travelled to since their previous authentication, based on the distance and time between the two authentications.
When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location.
We recommend that you create a second policy for the same groups and resources without the policy object. Users who only have a policy that includes a policy object do not get access to the resource when the conditions of the policy object do not apply to the authentication (access is not granted because no policy applies to the authentication, not because the authentication is denied).
- Users who only have a policy that includes a network location do not get access to the resource when they authenticate outside of that network location.
- Users who only have a policy that includes a time schedule do not get access when they authenticate outside the hours of that time schedule.
- Users who only have a policy to allow access that includes a geofence do not get access to the resource when they authenticate outside of the specified countries.
If you have two policies (one with a policy object and one without), assign a higher priority to the policy with the policy object. For more information, see About Policy Precedence.
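The precedence and fallback behavior described above, as an added illustration that is not AuthPoint's own code: a constructed model in which policies are tried in priority order and the first one whose group, resource and every attached policy object match is selected. When the only policy has a network location or time schedule that does not match, no policy applies and the user gets no access; adding the lower-priority fallback policy without objects restores access. The policy, object and authentication structures are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

# Constructed model of AuthPoint-style policy selection (not AuthPoint's code):
# policies are tried in priority order and the first one whose group, resource
# and every attached policy object match is used.

@dataclass
class NetworkLocation:
    networks: list                     # CIDR strings, e.g. ["10.0.0.0/8"]
    def matches(self, auth):
        ip = ipaddress.ip_address(auth["ip"])
        return any(ip in ipaddress.ip_network(n) for n in self.networks)

@dataclass
class TimeSchedule:
    weekdays: set                      # 0 = Monday ... 6 = Sunday
    start_hour: int
    end_hour: int                      # exclusive
    def matches(self, auth):
        t = auth["time"]
        return t.weekday() in self.weekdays and self.start_hour <= t.hour < self.end_hour

@dataclass
class Policy:
    name: str
    priority: int                      # lower number = evaluated first
    groups: set
    resources: set
    objects: list = field(default_factory=list)
    def applies_to(self, auth):
        return (auth["group"] in self.groups and auth["resource"] in self.resources
                and all(obj.matches(auth) for obj in self.objects))

def select_policy(policies, auth):
    """Name of the first matching policy, or None when no policy applies: the user
    simply gets no access because nothing applied, not because access was denied."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.applies_to(auth):
            return policy.name
    return None

# Constructed sample: an office policy with objects, plus the recommended fallback.
OFFICE = Policy("Office", 1, {"Staff"}, {"VPN"},
                [NetworkLocation(["10.0.0.0/8"]), TimeSchedule({0, 1, 2, 3, 4}, 8, 18)])
FALLBACK = Policy("Anywhere-MFA", 2, {"Staff"}, {"VPN"})

def auth_from(ip, when):                # when: ISO timestamp, e.g. "2024-03-05T09:30"
    return {"group": "Staff", "resource": "VPN", "ip": ip, "time": datetime.fromisoformat(when)}
```

Calling `select_policy([OFFICE], auth_from("203.0.113.7", "2024-03-05T09:30"))` returns `None`, which is the "no policy applies" case the recommendation above guards against.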
Geokinetics policy objects work differently than other policy objects because they apply after an authentication is complete. Geokinetics do not affect the conditions of an authentication, so when you add a geokinetics policy object to an authentication policy, you do not have to create a second policy without the geokinetics policy object.