The Administering Access Manager for Mobile topics explain
how to administer context-based access.
Overview of context-based access
Context-based access provides access decision and enforcement that is based on a dynamic
risk assessment or confidence level of a transaction. Context-based access uses behavioral and
contextual data analytics to calculate risk.
Risk management overview
Context-based access policy decisions can be based on the risk score. The risk score is
calculated from the attributes of the active risk profile that are retrieved for the user.
Attributes
Attributes specify the context of a request that you want
to be evaluated as part of an access decision. For example, an attribute
might be information in a request, such as a user name, or information
in an external source, such as a user's age in a user registry or
an information type in a database.
Attribute collection service
The attribute collection service is a Representational State Transfer (REST) service. It
can collect web browser and location information from the user for calculating the risk
score.
Attribute matchers
An attribute matcher compares the values of a specified
attribute in the incoming device fingerprint with the existing device
fingerprint of the user. Context-based access uses the information
that is returned by the attribute matchers to calculate the risk score.
Obligations
Obligations are used in policies to inform the enforcement point that more actions are
required before access is granted or denied to a protected resource.
Authentication policies
Authentication policies are workflows that dictate the authentication mechanisms that are
required so that the user can access a resource.
Risk profiles
The risk engine uses the active risk profile to calculate
risk scores for incoming requests. The administrator can create risk
profiles or use the predefined risk profiles that are provided with IBM® Security Access Manager for
Mobile.
Access control policies
An access control policy is a set of conditions that, after
they have been evaluated, determine access decisions.
Device fingerprints
Device registration is the process that stores the device
fingerprint of the user in the context-based access database.
Runtime database
The runtime database stores user data such as session attributes
and device fingerprints.
Policy information points
Policy information points gather information from the request
or other sources, such as databases.
Extensions
Use extensions to implement your own obligation
handlers and authentication mechanisms.
Deploying pending changes
Some configuration and administration changes require an
extra deployment step.
Template files
Template files are HTML pages that are presented to your
users during the authentication process. The pages
prompt users for authentication information, such
as user names and passwords, or present information to users, such
as one-time passwords, status, or errors.
User self-administration tasks
Administrators can configure context-based access to enable
users to perform certain self-management tasks.
Access Control
Access Control links include Policies, Resources, Attributes,
and Obligations.
Attributes
Attributes links include Risk Profile, Attributes, and
Matchers.
Authentication
Authentication links include Policies, Mechanisms, and
Advanced.
Obligations
Obligations links include Policies, Resources, Attributes,
and Obligations.
Risk Profile
Risk Profile links include Attributes and Matchers.