Manage policies

As an admin, you constantly have to balance protecting your organization's resources against the need to empower your users rather than hinder their productivity. With Akamai MFA policies, you can reconcile those conflicting objectives and flexibly apply access controls that ensure compliance with corporate security requirements.

All Akamai MFA policies contain the following basic elements, also referred to as subpolicies:

  • Unenrolled User. Defines the policy that you want to apply to unenrolled users attempting to access protected applications. This subpolicy also lets you take action in the event that an unprovisioned user attempts to access a service that requires multi-factor authentication. See Configure policy for an unenrolled and enrolled user to learn more.

  • Enrolled User. Defines the policy that you want to apply to the users who exist in the Akamai MFA service and have at least one authentication device assigned to their account. See Configure policy for an unenrolled and enrolled user to learn more.

  • Smart Device. Lets you define conditions that devices registered in Akamai MFA must meet before they can be used for authentication purposes. See Configure your device posture policy to learn more.

  • Device Location. Lets you control access based on the geolocation of the user's access device. See Configure your device posture policy to learn more.

  • Network Locations. Lets you control access based on the network location of the user's access device. See Configure your device posture policy to learn more.

  • Authentication Factors. Provides you with a list of supported authentication methods that you can enable for users. See Allowed authentication methods.

  • Browser. Lets you indicate the allowed and denied browsers used to access the protected applications. See Configure your device posture policy to learn more.

  • OS. Lets you indicate allowed and denied operating systems running on devices used to access the protected applications and receive push notifications. See Configure your device posture policy to learn more.

  • Lockout. Lets you define the allowed number of failed login attempts. If the user exceeds this number, their account is automatically locked out for the period of time that you specify in the Lockout duration field. See Configure your lockout policy to learn more.

You can edit settings of the above subpolicies for the following policy types:

  • Global policy. This is a high-level policy that contains the default and recommended security rules. This policy is assigned to your organization during onboarding and is applied globally across your environment. It affects all users across all integrations. You cannot delete the global policy, but you can edit its settings. You can also create a custom policy with more specific rules that override the global policy.

  • Custom policies. These are more granular, configurable access control rules that let you selectively apply criteria belonging to a given subpolicy. With custom policies, you can configure security restrictions that differ from the global policy, and apply them to a selected resource. For example, you can designate that only devices with device attestation or biometric lock enabled can access a particularly sensitive application. You can also assign less restrictive authentication requirements to a group of users working with less sensitive resources.

In Akamai MFA you can assign your custom policies to one or multiple integrations, groups, or users.

When you're configuring your policy system, remember that Akamai MFA policies are evaluated in order from most specific (that is, a policy that refers to individual users) to most general (that is, the policy that refers to the entire organization). This means that the following rules apply to Akamai MFA policies:

  • The user policy overrides all other policies.

  • The group policy overrides the integration and global policies.

  • The integration policy overrides the global policy.

If two policies are equally specific (for example, both are group policies) and they contain conflicting settings, the most restrictive subpolicies are applied.
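
The precedence and tie-breaking rules above, modeled as an added example (not Akamai's code or API). It assumes every policy sets both settings shown, that the most specific matching tier wins outright, and that "most restrictive" means the lowest failed-login limit and the intersection of allowed factors; all field names and sample values are hypothetical.

```python
from dataclasses import dataclass

# Most specific first, as the page states: user > group > integration > global.
SCOPES = ("user", "group", "integration", "global")

@dataclass(frozen=True)
class Policy:
    name: str
    scope: str               # one of SCOPES
    target: str              # user, group or integration name; "*" for global
    max_failed_logins: int   # Lockout subpolicy (hypothetical field name)
    factors: frozenset       # Authentication Factors subpolicy (hypothetical)

def matching_tiers(policies, user, groups, integration):
    """Yield (scope, merged settings, policy names) from most to least specific."""
    targets = {"user": {user}, "group": set(groups),
               "integration": {integration}, "global": {"*"}}
    for scope in SCOPES:
        tier = [p for p in policies if p.scope == scope and p.target in targets[scope]]
        if tier:
            # Equally specific policies: assume "most restrictive" means the
            # lowest attempt limit and only the factors every policy allows.
            merged = {"max_failed_logins": min(p.max_failed_logins for p in tier),
                      "factors": frozenset.intersection(*(p.factors for p in tier))}
            yield scope, merged, sorted(p.name for p in tier)

def effective_policy(policies, user, groups, integration):
    """The first (most specific) matching tier wins outright."""
    return next(matching_tiers(policies, user, groups, integration))

def relaxed_by_override(policies, user, groups, integration):
    """Audit helper: overridden tiers that were stricter than the effective one."""
    tiers = list(matching_tiers(policies, user, groups, integration))
    _, eff, _ = tiers[0]
    return [names for _, s, names in tiers[1:]
            if s["max_failed_logins"] < eff["max_failed_logins"]
            or not eff["factors"] <= s["factors"]]

# Constructed sample data; names, limits and factor labels are made up.
POLICIES = [
    Policy("global", "global", "*", 10, frozenset({"push", "totp", "sms", "key"})),
    Policy("vpn", "integration", "vpn", 5, frozenset({"push", "totp", "key"})),
    Policy("finance", "group", "finance", 5, frozenset({"push", "key"})),
    Policy("admins", "group", "admins", 3, frozenset({"totp", "key"})),
    Policy("dana-exception", "user", "dana", 8, frozenset({"sms", "totp"})),
]
```

For the sample user `dana`, `relaxed_by_override` reports the `admins` and `vpn` policies, because the user-level exception loosens both. Overrides of this kind are the ones to review when you audit custom policies.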

The Policies page lets you view all configured policies in your organization. Policies are displayed in a table, which gives you immediate insight into the affected resources and the applied restrictions.

On the Policies page, you can also:

  • Clone existing policies by clicking Clone policy. See Configure custom policies.

  • Create new policies by clicking Add policy.

  • Display the policy's settings by clicking its name. See Edit the global policy.

  • Update the list of integrations, groups, and users that are assigned to each of the configured policies by clicking the Associate (clip) icon in the Assigned To column. See Configure custom policies.