Approval Policy adds an extra layer of protection to approval requests. Based on the following conditions, you can require approvers to complete MFA before they can approve or reject requests submitted to them:
- User's IP address
- Device platform
- Risk level
By default, all approvers can approve or reject requests without receiving MFA prompts.
Create an Approval Policy
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Firewall > Policy > Approval and click + Approval Policy.
- Enter the following information:
- Policy Name: Enter a name for the policy.
- Description: Enter a description for the policy.
- Validity Period: Specify the validity period of the policy.
- Always: The policy is always effective unless you disable it.
- Specified time range: The policy is only effective within the specified time range. Tick the "Based on users' time zones" checkbox to ensure the time range reflects users' time zones.
- Recurring schedule: The policy is effective based on the recurring schedule.
- Applied Forms: Click Add Forms to Policy, select forms that this policy will apply to, and click Done.
- Click Save.
- Verify your account with an MFA method.
- You can continue to create an approval policy rule or create it later.
Create an Approval Policy Rule
- Do either of the following:
- Create a new policy and rule: You'll be prompted to create a rule after a policy is created.
- Create a rule in an existing policy: Go to Security > Identity Firewall > Policy > Approval, click an existing policy, go to Rules, and click Create.
- Enter the Rule Name and tick "Enable this rule" to enable it.
- Go to Exclude Users (Optional) and click the "+" icon to select the users you want to exclude from this rule. No user is selected by default.
- Go to Who does this rule apply to and select the users to whom the rule applies.
- Go to Conditions and set the following:
- If the user's IP is: Specify the network zone to which this rule applies.
- Anywhere: The action is triggered no matter what the user's IP is. This is selected by default.
- Inside Zone: The action takes effect when the user's IP is within the set network zone range.
- Outside Zone: The action takes effect when the user's IP is outside of the network zone range.
- And if their device platform is: Specify the device this rule applies to.
- Default is set to “Any Device”.
- Device types:
- Mobile: iOS, Android, and other mobile devices (e.g., BlackBerry).
- Desktop: macOS, Windows, and other desktops (e.g., Linux).
- And if their client is: Specify the client this rule applies to.
- Default is set to “Any client”.
- Client types:
- Identity Enterprise desktop app: macOS and Windows
- Identity Enterprise mobile app: iOS and Android
- Identity Enterprise Manager
- Identity Enterprise Portal
- Identity Enterprise app on UniFi Talk
- And if their behavior is: Specify the behavior this rule applies to. Note: This condition is not available in the Identity Enterprise Basic Plan.
- Select the default behavior rule or the one you have created.
- If multiple behaviors are selected, the condition is satisfied as soon as any one of the selected behaviors matches.
- The behavior condition is evaluated together with the other conditions in the rule. Only when all of them are satisfied is the action configured under Actions applied, that is, whether the approver must complete MFA before approving or rejecting the request.
- If the rule includes an IP address or network zone condition and also a behavior that itself specifies an IP address, both the IP condition and the behavior's IP criterion must be met for the rule to be enforced.
- And if their risk level is: Define the risk level for triggering the action. Risk scoring is calculated using past activities. Note: This condition is not available in the Identity Enterprise Basic Plan.
- Go to Actions and specify whether MFA is required for approving or rejecting an approval request. If a policy specifies a particular MFA method, you cannot remove that MFA method until it is removed from all policies that require it.
- Not Required: Users can approve or reject an approval request without verifying their account.
- Any Factor: Users can verify their identity using any MFA method.
- When to Prompt for MFA:
- Every sign-on: MFA is required every time a user attempts to approve or reject an approval request.
- When signing in with a new device: When users tick "Do not ask me again" on the identity authentication window while approving or rejecting a request from a new device, a device cookie recording the completed MFA is stored on that device after the successful approval or rejection. They are not prompted for MFA again on that device for as long as the cookie remains valid. Note that the exemption is tied to the cookie, not to the user, so anyone with access to that browser profile inherits it while it is valid.
- Select "Don't prompt me again for MFA" by default: If this checkbox is ticked, the Don't prompt me again for MFA checkbox will be automatically selected by default on the user's identity authentication window.
- After MFA lifetime for device cookie expires: When users tick "Do not ask me again for the next [Number] minutes/hours/days" on the identity authentication window, a device cookie recording the completed MFA is stored on that device after the successful approval or rejection. They are not prompted for MFA again on that device for as long as the cookie remains valid. Once the MFA lifetime for the device cookie expires, users must complete MFA again.
- MFA Lifetime: Set the MFA lifetime to a specific number of minutes, hours, or days.
- Factor Sequence: Specify the factors required for user identity authentication. You can configure multiple factors to request users to complete a two-step authentication process. Once configured, users must authenticate using both the primary MFA and secondary MFA.
- Primary MFA (Required): This option only appears when "Factor Sequence" is selected. Click Add Secondary MFA if needed.
- Specific Factor: Select a factor for user identity authentication. Once configured, users must authenticate every time they attempt to approve or reject an approval request.
- MFA Settings: Click it to go to Security > MFA and configure MFA methods.
- Click Add Rule.
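The following Python is an added illustration of how the rule semantics described above combine; it is not Identity Enterprise code and does not reflect any API the product exposes. It models one rule: exclusions and "who does this rule apply to", the Inside/Outside Zone IP check, device platform and client filters, behaviors (OR-ed with each other, AND-ed with everything else), risk level, and the three "When to Prompt for MFA" modes with a device cookie lifetime. The Rule and Request shapes, the behavior-as-callable convention, and all names and IP addresses are assumptions constructed for the example.

```python
# Toy evaluator for a single approval-policy rule. Added example, not
# Identity Enterprise code; data shapes and sample values are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Request:
    """One attempt to approve or reject a request (constructed input)."""
    user: str
    ip: str
    platform: str                 # "mobile" or "desktop"
    client: str                   # "manager", "portal", "desktop_app", ...
    risk: str                     # "low", "medium" or "high"
    now: datetime
    cookie_issued_at: Optional[datetime] = None   # MFA device cookie, if any


@dataclass
class Rule:
    name: str
    applies_to: set
    enabled: bool = True
    excluded: set = field(default_factory=set)
    ip_mode: str = "anywhere"     # "anywhere" | "inside" | "outside"
    zone: list = field(default_factory=list)       # network zone CIDRs
    platforms: set = field(default_factory=set)    # empty = any device
    clients: set = field(default_factory=set)      # empty = any client
    behaviors: list = field(default_factory=list)  # callables, OR-ed
    risk_levels: set = field(default_factory=set)  # empty = any risk level
    action: str = "not_required"  # | "any_factor" | "factor_sequence" | "specific_factor"
    factors: list = field(default_factory=list)    # e.g. ["push", "totp"]
    prompt: str = "every"         # "every" | "new_device" | "lifetime"
    lifetime: Optional[timedelta] = None


def ip_condition_met(rule, req):
    if rule.ip_mode == "anywhere":
        return True
    addr = ip_address(req.ip)
    inside = any(addr in ip_network(c) for c in rule.zone)
    return inside if rule.ip_mode == "inside" else not inside


def rule_matches(rule, req):
    """Every condition must hold; inside 'behaviors' any one match suffices."""
    if not rule.enabled or req.user in rule.excluded or req.user not in rule.applies_to:
        return False
    if not ip_condition_met(rule, req):
        return False
    if rule.platforms and req.platform not in rule.platforms:
        return False
    if rule.clients and req.client not in rule.clients:
        return False
    if rule.behaviors and not any(b(req) for b in rule.behaviors):
        return False
    if rule.risk_levels and req.risk not in rule.risk_levels:
        return False
    return True


def cookie_still_valid(rule, req):
    """A stored device cookie suppresses the prompt only in the two cookie modes."""
    if req.cookie_issued_at is None or rule.prompt == "every":
        return False
    if rule.prompt == "new_device":
        return True                       # trusted until the cookie is cleared
    return req.now - req.cookie_issued_at < rule.lifetime   # "lifetime"


def decide(rule, req):
    """Return (mfa_required, factors) for this approval attempt."""
    if not rule_matches(rule, req) or rule.action == "not_required":
        return (False, [])
    if cookie_still_valid(rule, req):
        return (False, [])
    if rule.action == "any_factor":
        return (True, ["any"])
    return (True, list(rule.factors))     # factor_sequence or specific_factor


# Constructed sample: approvers outside the office zone, on desktop, whose IP
# has not been seen before (a behavior that itself looks at the IP, so both
# the zone check and the behavior must hold); push then TOTP, 8-hour cookie.
KNOWN_IPS = {"203.0.113.10"}
RULE = Rule(
    name="Off-network approvals", applies_to={"alice", "bob"}, excluded={"bob"},
    ip_mode="outside", zone=["192.0.2.0/24"], platforms={"desktop"},
    behaviors=[lambda r: r.ip not in KNOWN_IPS],
    action="factor_sequence", factors=["push", "totp"],
    prompt="lifetime", lifetime=timedelta(hours=8),
)
T0 = datetime(2024, 1, 1, 9, 0)


def attempt(user="alice", ip="198.51.100.7", platform="desktop", cookie_age_hours=None):
    issued = T0 - timedelta(hours=cookie_age_hours) if cookie_age_hours is not None else None
    return Request(user, ip, platform, "manager", "low", T0, issued)


if __name__ == "__main__":
    print(decide(RULE, attempt()))                       # (True, ['push', 'totp'])
    print(decide(RULE, attempt(ip="192.0.2.5")))         # inside zone: (False, [])
    print(decide(RULE, attempt(cookie_age_hours=9)))     # cookie expired: prompt again
```

Run it as a script to see the decisions for a first-time approval, an approval from inside the zone, and one whose device cookie has outlived its lifetime. The two things the page states that are easiest to get wrong are visible here: conditions are AND-ed across categories but OR-ed within the behavior list, and in the cookie modes the exemption follows the cookie rather than the approver.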