RSA Adaptive Authentication

(On-Premise) 7.1
Back Office Users Guide
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo, eFraudNetwork and EMC are either registered trademarks or trademarks of EMC Corporation in the
United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of
RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Copyright 20132014 EMC Corporation. All Rights Reserved. Published in the USA.
July 2013
Revised: March 2014
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Contents
Preface................................................................................................................................... 9
About This Guide................................................................................................................ 9
RSA Adaptive Authentication (On-Premise) Documentation ............................................ 9
Support and Service .......................................................................................................... 10
Before You Call Customer Support........................................................................... 10

Chapter 1: RSA Adaptive Authentication Back Office

Applications .....................................................................................................................11
Back Office Applications Overview ..................................................................................11
Back Office Application Suite ................................................................................... 12
Standalone Back Office Applications........................................................................ 13
Log On to a Back Office Application ............................................................................... 14
Log Off from a Back Office Application.......................................................................... 15
Password Change .............................................................................................................. 15
Change your Password...................................................................................................... 16
Reset a Forgotten Password .............................................................................................. 16
Localization and Internationalization of the Back Office Applications ........................... 17

Chapter 2: Managing Access to the Back Office Applications ........ 19

Access Management Application Overview..................................................................... 19
User Management ............................................................................................................. 19
Access the Application Users Page ........................................................................... 21
Application Users Page.............................................................................................. 21
View User Details ...................................................................................................... 21
Add a User ................................................................................................................. 22
Edit User Details ........................................................................................................ 23
Unlock a User ............................................................................................................ 23
Remove a User........................................................................................................... 24
Role Management ............................................................................................................. 24
Access the Application Roles Page ........................................................................... 25
Role Details................................................................................................................ 25
View Role Details ...................................................................................................... 26
Add a Role ................................................................................................................. 26
Edit a Custom Role .................................................................................................... 27
Remove a Role........................................................................................................... 27
Access Management Roles ........................................................................................ 28
Case Management Role Permissions ......................................................................... 31
Policy Management Role Permissions ...................................................................... 32
Organization Management ................................................................................................ 33
Access the Application Organizations Page .............................................................. 34
View Organization Details......................................................................................... 34
Add an Organization .................................................................................................. 34
Edit Organization Details........................................................................................... 35

Contents 3
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

View Available Organizations................................................................................... 35

Group Management........................................................................................................... 36
Access the Application Groups Page......................................................................... 36
Application Group Page............................................................................................. 36
View Group Details ................................................................................................... 37
Add a Group............................................................................................................... 37
Edit Group Details ..................................................................................................... 37

Chapter 3: Managing Policies ............................................................................... 39

Introduction to Policy Management.................................................................................. 39
Policies for Organizations.......................................................................................... 39
Reference Policy ........................................................................................................ 40
Additional Configuration Elements ........................................................................... 41
Policy Refresh............................................................................................................ 41
Introduction to Rules......................................................................................................... 41
Event Types ............................................................................................................... 42
Conditions .................................................................................................................. 42
Expressions ................................................................................................................ 44
Facts ........................................................................................................................... 44
Operators.................................................................................................................... 44
Actions ....................................................................................................................... 47
Authentication Methods............................................................................................. 47
Risk Score .................................................................................................................. 48
Case Creation ............................................................................................................. 49
Rule Status ................................................................................................................. 49
Status Change ............................................................................................................ 50
Rule Management ............................................................................................................. 51
Manage Rules Table .................................................................................................. 52
Sorting and Filtering Rules ........................................................................................ 53
Add a Rule ................................................................................................................. 53
Comparing Policy Facts............................................................................................. 55
Edit a Rule ................................................................................................................. 57
Delete a Rule.............................................................................................................. 58
General Rule Parameters ........................................................................................... 58
Request a Status Change for a Rule........................................................................... 60
Cancel a Status Change Request for a Rule............................................................... 60
Approve a Status Change Request for a Rule............................................................ 61
Reject a Status Change Request for a Rule................................................................ 61
Duplicate Rules to Another Organization.................................................................. 62
Policy Export and Import.................................................................................................. 63
Export Policy Data..................................................................................................... 63
Import Policy Data..................................................................................................... 64
List Management............................................................................................................... 65
Manage Lists Table.................................................................................................... 66
Add a List................................................................................................................... 67

4 Contents
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Add a Single Value to a List ...................................................................................... 67

Add a Range of IP Values to a List ........................................................................... 68
Import a Set of Values to a List ................................................................................. 69
Edit a List................................................................................................................... 70
Delete a List ............................................................................................................... 70
Hash the Values of a User ID List ............................................................................. 71
General List Parameters............................................................................................. 71
Custom Facts Management............................................................................................... 72
Manage Custom Facts Table...................................................................................... 72
Add a New Custom Fact ............................................................................................ 73
Edit a Custom Fact..................................................................................................... 73
Delete a Custom Fact ................................................................................................. 74
Custom Fact Parameters ............................................................................................ 74
Custom Event Type Management..................................................................................... 75
Manage Custom Event Types Table .......................................................................... 76
Add a Custom Event Type......................................................................................... 76
Edit a Custom Event Type ......................................................................................... 76
Custom Event Type Parameters................................................................................. 77
Policy Report..................................................................................................................... 78
Sample Policy Report ................................................................................................ 79
Generate a Policy Report ........................................................................................... 80

Chapter 4: Managing Cases ................................................................................... 83

Case Management Application Overview ........................................................................ 83
Case Management Functionality....................................................................................... 84
Flagged Activities ...................................................................................................... 84
Pending Activities and Cases..................................................................................... 85
Closed and Expired Cases.......................................................................................... 85
Actions Resulting from Triggered Rules ................................................................... 86
Terminating Open Authentication Sessions .............................................................. 86
Challenge Scenarios................................................................................................... 86
Case Assignment............................................................................................................... 88
Assign Manually Created Cases from the Lookup User Page................................... 88
Assign Manually Created Cases from the Research Activities Page......................... 89
Case Grouping................................................................................................................... 89
Default Group ............................................................................................................ 89
Operator Group .......................................................................................................... 89
Lifecycle Milestones of Cases .......................................................................................... 90
Case Workflows................................................................................................................ 90
Case Creation Workflow ........................................................................................... 90
Case Handling Workflow .......................................................................................... 90
Case Management Menu................................................................................................... 91
Recent Account Activity Fields ................................................................................. 94
Detailed Activity Information Fields ......................................................................... 95
Case Status ........................................................................................................................ 99

Contents 5
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Case Mode....................................................................................................................... 100

Process Queue Management ........................................................................................... 101
Case Priority ............................................................................................................ 101
Access the Process Queue Page............................................................................... 102
Stop Automatic Refresh of the Process Queue ........................................................ 102
Restart Automatic Refresh of the Process Queue .................................................... 102
Case Listing in the Process Queue........................................................................... 102
Case Locking and Unlocking................................................................................... 102
View the Queue............................................................................................................... 103
Access the View the Queue Page ............................................................................ 103
Filter the Queue Using the Filter Tab ...................................................................... 103
Filter the Queue Using the Advanced Tab............................................................... 104
Advanced Tab Fields ............................................................................................... 105
Look Up an End User...................................................................................................... 106
Case Update .................................................................................................................... 108
Update a Case Using Lookup User.......................................................................... 108
Update a Case in the Process Queue........................................................................ 108
Update Case Example .............................................................................................. 109
Manually Set a Resolution for an Activity...................................................................... 109
Case Resolution ........................................................................................................110
Operator Group Management ..........................................................................................111
Access the Manage Operator Group Page ................................................................111
Operator Group Definition........................................................................................111
Filters for Defining Operator Groups .......................................................................112
Add an Operator Group ............................................................................................112
Edit Operator Group Criteria ....................................................................................112
Delete an Operator Group.........................................................................................113
Operator and Operator Group Filters........................................................................113
Set a Default Operator Group ...................................................................................114
Operator Groups for a New Organization.................................................................114
Operator Management......................................................................................................115
Access the Manage Operators Page..........................................................................115
Add an Operator to an Operator Group ....................................................................115
Change the Operator Group of an Operator..............................................................115
Research Activities ..........................................................................................................116
Access the Research Activities Page ........................................................................116
Research Activities Filters ........................................................................................116
Search for Cases Using Research Activities Filters..................................................117
Display a Case ..........................................................................................................118
Edit a Case ................................................................................................................119
Update a Case Buttons ..............................................................................................119
Snooze Mode....................................................................................................................119
Apply Snooze Mode to a Case..................................................................................119
Top Risk Score Contributors........................................................................................... 120

6 Contents
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Custom Facts................................................................................................................... 120

Chapter 5: Managing End-User Accounts................................................... 121

Customer Service Application Overview ....................................................................... 121
Find an End User............................................................................................................. 122
End Users Account History ........................................................................................... 123
End User Account History Information................................................................... 123
Activities within the Account History Information ................................................. 124
Account Locking............................................................................................................. 125
Lock an End Users Account ................................................................................... 125
Unlock an End Users Account ............................................................................... 125
Terminate an End Users Authentication Sessions ......................................................... 126
Reset an End Users Account.......................................................................................... 126
Account Unenrollment .................................................................................................... 127
Unenroll an End User .............................................................................................. 127
Watch an End Users Progress........................................................................................ 127

Chapter 6: Viewing and Analyzing Reports ............................................... 129

Report Viewer Application Overview ............................................................................ 129
Reports Directory Structure for the Report Viewer................................................. 130
View and Download Reports .......................................................................................... 130
Report Characteristics ..................................................................................................... 132
Report Types ................................................................................................................... 132
Report Format ................................................................................................................. 133
Example of Elements Common to All Reports ....................................................... 133
CSV Files................................................................................................................. 134
Standard Header and Footer .................................................................................... 135
Report Naming Convention ..................................................................................... 137
Report Content ................................................................................................................ 138
Billing Report .......................................................................................................... 139
Authentication Plug-In Billing Report..................................................................... 139
Blocked Users Report .............................................................................................. 140
Case Management and Case Management Trends Reports..................................... 141
eFraudNetwork Report ............................................................................................ 143
Forensic Summary Report ....................................................................................... 144
Policy Summary and Policy Summary Trends Reports........................................... 146
Risk Factor Report and Risk Factor Trends Reports ............................................... 147
System Usage and System Trends Reports.............................................................. 149

Appendix A: List of Facts ...................................................................................... 151

Appendix B: Rules in the Reference Policy ............................................... 167
Appendix C: List of Event Types ...................................................................... 175

Contents 7
RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Preface

About This Guide

This guide describes how to use the Back Office applications in
RSA Adaptive Authentication (On-Premise) 7.1. It is intended for administrators,
Fraud Analysts, Customer Service Representatives, Case Management Operators,
Policy Managers, and other trusted personnel. Do not make this guide available to the
general user population.

RSA Adaptive Authentication (On-Premise) Documentation

For more information about RSA Adaptive Authentication (On-Premise), see the
following documentation:
Authentication Plug-In Developers Guide. Describes the Authentication Plug-In
development process that enables external authentication providers to integrate
their products with RSA Adaptive Authentication (On-Premise).
Back Office Users Guide. Provides an overview of the following Back Office
applications: Policy Management, Case Management, Access Management,
Customer Service Administration, and the Report Viewer.
Bait Credentials Setup and Implementation Guide. Describes how to set up and
implement RSA bait credentials, which help provide you with accelerated fraud
detection and prevention capabilities.
Best Practices for Challenge Questions. Describes the best practices related to
challenge questions that RSA has evolved through experience at multiple
deployments.
Installation and Upgrade Guide. Describes detailed procedures on how to install,
upgrade, and configure RSA Adaptive Authentication (On-Premise).
Integration Guide. Describes how to integrate and deploy
RSA Adaptive Authentication (On-Premise).
Operations Guide. Provides information on how to administer and operate
RSA Adaptive Authentication (On-Premise) after upgrade. This guide also
describes how to configure Adaptive Authentication (On-Premise) within the
Configuration Framework.
Performance Guide. Provides information about performance testing and
performance test results for the current release version of
RSA Adaptive Authentication (On-Premise).
Product Overview Guide. Provides a high-level overview of
RSA Adaptive Authentication (On-Premise), including system architecture.

Preface 9
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Release Notes. Provides information about what is new and changed in this
release, as well as workarounds for known issues. It also includes the supported
platforms and work environments for platform certifications. The latest version of
the Release Notes is available on RSA SecurCare Online at
https://knowledge.rsasecurity.com.
Security Best Practices Guide. Provides recommendations for configuring your
network and RSA Adaptive Authentication (On-Premise) securely.
Web Services API Reference Guide. Describes RSA Adaptive Authentication
(On-Premise) web services API methods and parameters. This guide also
describes how to build your own web services clients and applications using web
services API to integrate and utilize the capabilities of Adaptive Authentication
(On-Premise).
Whats New. Highlights new features and enhancements in
RSA Adaptive Authentication (On-Premise) 7.1.
Workflows and Processes Guide. Describes the workflows and processes that
allow end users to interact with your system and that allow your system to interact
with RSA Adaptive Authentication (On-Premise).

Support and Service

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.emc.com/support/rsa/index.htm

RSA Solution Gallery https://gallery.emc.com/community/marketplace/rsa?

view=overview

RSA SecurCare Online offers a knowledgebase that contains answers to common

questions and solutions to known problems. It also offers information on new releases,
important technical news, and software downloads.
The RSA Solution Gallery provides information about third-party hardware and
software products that have been certified to work with RSA products. The gallery
includes Secured by RSA Implementation Guides with step-by-step instructions and
other information about interoperation of RSA products with these third-party
products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the Adaptive
Authentication (On-Premise) software.
Please have the following information available when you call:
Your RSA Customer/License ID.
Adaptive Authentication (On-Premise) software version number.
The make and model of the machine on which the problem occurs.
The name and version of the operating system under which the problem occurs.

10 Preface
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

1 RSA Adaptive Authentication Back Office

Applications
Back Office Applications Overview
Log On to a Back Office Application
Log Off from a Back Office Application
Password Change
Change your Password
Reset a Forgotten Password
Localization and Internationalization of the Back Office Applications
This chapter provides an overview of the RSA Adaptive Authentication (On-Premise)
Back Office applications and describes how to log on to the Back Office applications.

Back Office Applications Overview

The Back Office Applications are a set of GUI-based applications that enable users in
your organization to interact with the Adaptive Authentication system.
The applications in the Back Office Application Suite are connected to both the Core
Database and the Back Office Database. In addition, the Case Management
application is connected to the Case Management Database.

1: RSA Adaptive Authentication Back Office Applications 11

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Back Office Application Suite

The following table describes the applications in the Back Office Application Suite.

Back Office Application Description User Database

Administration Console The Administration Console Administrator Core Database

enables you to manage Back Office
system configuration Database
parameters according to your
Adaptive Authentication
implementation, business
requirements, and system
setup.

Note: Although the

application is located in the
Back Office Application
Suite, for information about
the Administration Console
see the Operations Guide.

Customer Service The Customer Service Customer Service Core Database

application helps the Representative Back Office
Customer Service Database
Representative search for and
modify end-user account
information as the end user
interacts with the Adaptive
Authentication system. In
this way, a representative can
assist end users with online
account troubleshooting. The
Customer Service application
provides logs of end-user
activity within the Adaptive
Authentication system for
monitoring by the
representative. A Customer
Service Representative can
delete end users and lock,
unlock and reset accounts.

12 1: RSA Adaptive Authentication Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Back Office Application Description User Database

Policy Management The Policy Management Rule Manager Core Database

application is used to create Back Office
and manage rules, lists, Database
custom facts, and custom
event types. Together, these
elements form an
organizational policy, which
is executed by the Policy
Engine.

Standalone Back Office Applications

The following table describes the Back Office applications that exist as standalone
applications.

Back Office Application Description User Database

Access Management The Access Management System Administrator Core Database

application allows you to Back Office
manage access to the Back Database
Office applications. You can
use it to create and manage
users, roles, organizations,
and groups for the Back
Office applications.

Note: You can also use the

External Identity Provider
framework to manage users
in an External Identity Store.
For more information, see the
Operations Guide.

Case Management The Case Management Fraud Analyst, IT Core Database

application is used to review Administrator, Fraud Back Office
any events that have been Analyst Manager Database
flagged as risky by the Case
Adaptive Authentication Management
system and require review by Database
a Fraud Analyst.

WS Credentials The WS Credentials Administrator Core Database

application is used to create Back Office
and manage users who can Database
access Web Services and
SOAP requests.

1: RSA Adaptive Authentication Back Office Applications 13

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Back Office Application Description User Database

Report Viewer With the Report Viewer Security Analyst Back Office
application, you can view Database
daily, weekly, and monthly
reports created by the RSA
Data Center. Reports from
the RSA Data center are
synchronized with the Report
Viewer application for
accurate reading of the files.

Log On to a Back Office Application

To log on to a Back Office application:
1. Do one of the following:
To log on to the Policy Management, Administration Console, or Customer
Service applications, go to http://<servername:port>/backoffice.

Note: Fore more information about the Administration Console, see the
Operations Guide.

To log on to the Access Management application, go to

http://<servername:port>/accessmanagement.
To log on to the Case Management application, go to
http://<servername:port>/casemanagement.
To log on to the WS Credential application, go to
http://<servername:port>/wscredentialmanager.
To log on to the Report Viewer application, go to
http://<servername:port>/reportviewer.
2. On the Logon page, enter your user name and password, and click Login.

14 1: RSA Adaptive Authentication Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

3. From the Organization drop-down menu, select the organization that you want to
view.
The organizations are displayed hierarchically, with child organizations listed
below parent organizations.

Log Off from a Back Office Application

To log off from a Back Office application:
Click the Logout link in the top frame of any Back Office application page.

Note: By default, Back Office applications log off users who are inactive for 30
minutes. You can configure this time period in the Administration Console. For more
information, see the topic about configuring Back Office applications parameters in
the chapter Administration Console in the Operations Guide.

Password Change
When the system administrator defines a user password, the password is automatically
assigned an expiration date. This date is configurable in the Administration Console.
The default value is 90 days. For more information, see the Operations Guide. If you
attempt to log on to a Back Office application using an expired password, a window
opens in which you can define a new password. The new password is required for the
next logon attempt.
An administrator may change your password for any one of several reasons, for
example:
The administrator suspects that your password was compromised.
Your password is routinely changed for preemptive security reasons.

1: RSA Adaptive Authentication Back Office Applications 15

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Change your Password

You must change your password if the password has expired or if the system
administrator resets your password.
You are required to enter your current password before the system will allow you to
change your password. If you forget your current password, you are not allowed to
redefine the password or select a new password. For more information, see Reset a
Forgotten Password on page 16.
The organization can configure the password length and valid characters.
The new password must meet the requirement defined on the Change Password page.
The requirement often involves choosing a password with a minimum of eight
characters, including at least one number, one letter, and one special character from
the following character set: ( ) * & ^ % $ # @ !. The password must not resemble the
logon name too closely. The specific requirements can be configured locally.

To change your password:

1. Log On to a Back Office Application.
2. Enter your logon name and original password in the appropriate fields.
3. Enter your new password.
4. In the Re-type New Password field, enter your new password to confirm the
password.
5. Click Next to save your changes and return to the logon page.

Reset a Forgotten Password

If you forget your password, your system administrator can provide you with a
temporary password. You must reset your password again immediately upon your next
logon.

To reset your forgotten password:

1. Log on to the Back Office Application Suite using the temporary password.
You are automatically directed to the Set New Password page.
2. In the New Password field, enter your new password.
3. In the Re-type New Password field, enter your new password to confirm the
password.
4. Click Confirm to save your changes and continue.

Note: You cannot access the Case Management application until you set a new
password.

16 1: RSA Adaptive Authentication Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Localization and Internationalization of the Back Office Applications

The Adaptive Authentication system is designed so that the user interface, input,
display, and other features of the Back Office applications can be adapted to various
languages and regions. You can use any number of languages when interacting with
the Back Office applications. You can add location-specific text to meet the needs of
your user demographic.

Note: The system supports localization of the Back Office applications to one
language. You cannot use different languages for different users, organizations, or
applications.

For more information, see the Operations Guide.

1: RSA Adaptive Authentication Back Office Applications 17

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

2 Managing Access to the Back Office

Applications
Access Management Application Overview
User Management
Role Management
Organization Management
Group Management
This chapter provides an overview of how to manage access to the Back Office
applications using the Access Management application. It explains how to use the
Access Management application to manage users, roles, organizations, and groups in
the RSA Adaptive Authentication (On-Premise) system.

Access Management Application Overview

The Access Management application allows you to manage access to the Back Office
applications. The Access Management application allows you to create users,
organizations, and groups for use within the Adaptive Authentication system. You can
also use it to manage user roles and permissions, and associate users with roles and
organizations.

Note: You can also use the External Identity Provider framework to manage users in
an External Identity Store. For more information, see the Operations Guide.

User Management
You can manage users and their ability to access the Back Office applications by
adding users, viewing user details, editing user details, unlocking users, and removing
users from the system. You use the Application Users page to perform tasks related to
user management. Users created in Access Management are not end-user customers,
but rather belong to an organization using the Adaptive Authentication system.
The following users are created by the system by default:
admin

Note: Do not use the admin user provided by the system as a regular user. RSA
recommends that you use the admin user to create additional admin users that you
can assign to people within your organization. You must maintain the system
admin user as a superuser.

2: Managing Access to the Back Office Applications 19

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

editor
fraudanalyst
reviewer
You cannot remove these users from the system or edit user details, as indicated on the
UI.
A newly created user can be associated with any of the following:
Role. The level of authorization for a user. A role can be associated with one or
more module. Each role can be associated with different permissions. For more
information, including a definition of predefined roles in the system, see Role
Management on page 24.

Important: A user with an assigned role can only access a Back Office application
if the role is also associated with the corresponding module. Predefined roles are
automatically associated with corresponding modules. The modules available
correspond to the Back Office applications. For a list of modules associated with
each role, see Access Management Roles on page 28.

Organization. An organization, along with a user name, is the unique identifier of

an end user.
For more information, see Organization Management on page 33. For more
details about the configuration structure for organizations, see the Operations
Guide.
If a new Back Office application user is created or an existing Back Office application
users permissions are updated, the permissions available for assignment to that user
are the same as the permissions of the user who creates or updates the user. For
example, if a user has Read/Create/Update/Delete permissions, the new or updated
user can have only those permissions or a subset of them. A new user can never have a
higher level of permissions than that of the person who created or updated that user.

Important: Users cannot change their own permissions using the Access Management
application.

Default User Passwords

Each predefined user is populated with a password that is the same as the user name,
for example, user=operator, password=operator. The system automatically prompts
the user to change the password at the initial logon.

Important: If a user does not log on immediately after installation, RSA recommends
that the administrator change the default password to prevent security breaches.

20 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Access the Application Users Page

You use the Application Users page to perform tasks related to user management. The
main page of the Access Management application, the Application Users page, is
displayed by default when you log on to the application.

To access the Application Users page:

From the Access Management menu, select User List.

Application Users Page

The Application Users page provides information about users in the Access
Management system, as described in the following table.

Column Name Description

User Name Users logon name. Sortable column.

First Name Users first name. Sortable column.

Last Name Users last name. Sortable column.

Organizations Lists all of the organizations to which the user has access.

Modules Lists the RSA Back Office applications that the user has permission to
use.

Roles Lists the users current roles.

Locked Indicates if the user account is locked. If a user attempts to log on to

any Back Office application with an incorrect password too many
times, the user is locked out.
For more information about password configuration, see the topic that
discusses configuring Back Office applications parameters in the
Operations Guide.

Action Contains links to the View, Edit, and Remove pages, depending on the
users permissions:
View. View all user details (read-only).
Edit. Edit all user details.
Remove. Remove user names from the system.

Note: Predefined user names cannot be removed.

View User Details

All roles can view user details for all users in the system.

To view user details:

On the Application Users page, in the Action column for the user, click View.
The View User Details section displays the user details in read-only format.

2: Managing Access to the Back Office Applications 21

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Add a User
You add a user in the Access Management application to create a user who can access
the Back Office applications.

Note: On the initial logon to the system, a new user is required to change the default
password.

To add a user:
1. On the Application Users page, click Add New User.
The User Details page is displayed.
2. In the Add User Details section, enter the user details.
The following table describes the actions required for each of the fields in the Add
User Details section.

Field Name Action

User Name Enter a unique name for the user. This is a required field.

Note: A user name must be unique. You cannot enter a user name
that is identical to an existing user name.

Password Enter a password for the user. This is a required field.

Note: The password must be at least 8 characters long and contain

at least one character from each of the following groups: uppercase
letters, digits, special characters such as - _ . ! @ # % ^ * $).

Confirm Enter the user password. This is a required field.

Password

First Name Enter the users first name.

Last Name Enter the users family name (surname).

Email Enter the users email address.

Phone Enter the users phone number.

Locked At Indicates lock out details, including the lock-out time, for a user
who repeatedly enters an incorrect password and exceeds the
allowed number of authentication attempts.

3. In the Organizations section, from the Available list, select the organizations to
which you want the user to have access, and click the right-arrow to include them
in the Selected list.
For more information about Organizations, see Organization Management on
page 33.

22 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

4. In the Roles section, from the Available list, select the roles that you want to
assign to the user, and click the right-arrow to include them in the Selected list.
5. Click Save.

Edit User Details

You can edit user details to change any relevant information about an Adaptive
Authentication system user. The Edit User Details section enables authorized users to
edit other users details including first name, last name, email address, phone number,
organizations, and roles.
A users permissions relate to all users below that users organization in the hierarchy.
For example, if a user has permission to update users in the parent organization, the
same user also has permission to update users in the suborganizations within the
parent organization hierarchy.

To edit user details:

1. On the Application Users page, in the Action column to the right of the user
name, click Edit.
The User Details page is displayed.
2. On the User Details page, in the Edit User Details section, edit the user details by
modifying the users password, first name, last name, email address, and phone
number in the relative fields, if necessary.

Note: Completion of fields preceded by an asterisk (User Name, Password, and

Confirm Password fields) is mandatory. The fields are populated with existing
entries, which you can edit.
If a Back Office users password is changed, a change of password is requested
upon the users next logon to a Back Office application.

3. From the Available lists, select the organizations and roles that you want to
associate with that user, and click the right arrow to move the selections to the
Selected lists.
4. Click Save.

Unlock a User
If a user attempts to log on, but access is locked, an administrator must reset the user
password. Resetting the password unlocks the user immediately. If the administrator
user does not change the password, the lock-out is released after a set period of time,
and the user can try to log on again.

Note: The default time frame is 30 minutes, but you can configure this time in the
Administration Console. For more information, see the section about configuring
Back Office applications parameters in the Operation Guide.

2: Managing Access to the Back Office Applications 23

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To reset a password and unlock a user:

1. On the User Management page, in the Edit User Details section, in the Password
field, enter a new password.
2. In the Confirm Password field, enter the new password to confirm the password.
3. Click Save.

Remove a User
If a user can be removed from the system, the Remove link is displayed in the user
interface. The Remove link is not displayed for predefined users.

To remove a user:
1. On the Application Users page, in the row for the user that you want to remove,
click Remove in the Action column.
2. When prompted to confirm the removal, click OK.

Role Management
Each user is assigned a role, and each role is associated with different permissions.
You can manage the various Back Office user roles by adding roles, editing roles, and
removing roles from the system. You use the Application Roles page to manage roles.
For more information on system roles, see Access Management Roles on page 28.
For a user to access a Back Office application, you must assign the user one or more
roles. Each role is associated with one or more modules. In the Access Management
system, a module represents one of the Back Office applications.

Important: The Access Management application supports the creation of custom

roles. However, RSA recommends applying only predefined roles to Access
Management users. These roles reflect common user needs and include the
appropriate permissions for each Back Office user.

A user with an assigned role can only access a Back Office application if the role is
also associated with the corresponding module. By default, roles are associated with
their corresponding modules.
In general, a user only sees interface elements that relate to the specific permissions
assigned to the user. For example, if a user has PolicyManager permissions but does
not have ListManager permissions, the user sees the Manage Lists screen but does not
see the buttons used for creating and deleting lists or the blue hyperlinks used to edit
lists. Similarly, a user without permissions related to the Policy Management module
does not see the Policy Management tab in the Back Office Application Suite.

Note: The spelling of the role names in the user interface do not include spaces. For
example, the fraud analyst role is written as fraudanalyst, and the operator manager
role is written as operatormanager.

24 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Access the Application Roles Page

You use the Application Roles page to manage user roles.

To access the Application Roles page:

From the Access Management menu, select Roles.
The Application Roles page is displayed.

Role Details
The Roles table displays all of the roles in the system and the related details. The
following table describes the columns displayed in the Roles table.

Column Name Description

Role Name Name of a role in the system (both predefined and user-created roles).
Sortable column.

Description Description of the role, such as what a user with the role is allowed to
do within the system.

Mode Permissions associated with that role. Modes include create, read,
update, and delete. The checkbox for a mode is selected if the mode is
allowed for the role. Sortable column.

Important: The modes available are only relevant for roles used within
the Access Management application.

Modules Lists the Back Office applications that the role has permission to use.

2: Managing Access to the Back Office Applications 25

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Column Name Description

Action Custom roles contain View, Edit, and Remove links in this column.
Predefined roles contain the View link in this column.

Note: Predefined roles cannot be removed.

View Role Details

All roles can view details for all roles in the system. Role details are read-only. For
more information, see Role Details on page 25.

To view role details:

On the Application Roles page, in the row of the role that you want to view, click
View.
The View Role Details page includes the role name, a role description, mode
permissions, and accessible modules.

Add a Role
You can create a role to associate a group of users with a given set of permissions.
When you add a role in the Access Management application, you are creating a role
within the Back Office applications.

To add a role:
1. On the Applications Roles page, click Add New Role.
The Role Details page is displayed.
2. In the Role Name field, enter a unique name for the new role.
3. (Optional) In the Description field, enter a description of the role.
4. In the Mode section, select one or more checkboxes to define the permissions for
the role. The possible permissions are Create, Read, Update and Delete.

Note: The Create, Read, Update, and Delete parameters in this section only affect
role permissions for the Access Management application.

5. In the Modules section, from the Available list, select one or more modules.
6. Click the right-arrow to move the modules into the Selected list.
7. Click Save.

26 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Edit a Custom Role

You can edit custom roles by changing the modes and modules associated with a
particular role. You cannot edit predefined roles.

To edit an existing role:

1. On the Application Roles page, from the Roles list, select the role that you want to
edit.
The Roles Details page is displayed.
2. In the Action column, click Edit.
3. Modify entries in the fields as necessary.
4. (Optional) To change your entries back to the original values, click Reset.
The Edit Role Details page returns to the latest settings before you clicked Edit.
5. Click Save.

Remove a Role
You can remove a role from the system if you do not need the role anymore. After you
remove a role, the role no longer appears in the Roles list. You cannot remove
predefined roles from the system.

Important: Removing a role from the system may limit the ability of current users to
access certain Back Office applications. If a current user is assigned a role, and then
that role is deleted, the user will no longer have the permissions associated with the
deleted role.

To remove a role:
1. On the Application Roles page, from the Roles list, select the role that you want to
remove.
2. In the Action column, click Remove.
3. In the confirmation message, click OK.

2: Managing Access to the Back Office Applications 27

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Access Management Roles

The following table describes the predefined roles that are available in the Access
Management system.

Important: A user with an assigned role can access a Back Office application only if
the role is also associated with the corresponding module. By default, roles are
associated with the corresponding modules.

Role Name Description Associated Module

admin An administrative role with access to all applications. A user accessmanagement

with this role can perform most actions but does not necessarily administration
have Update or Delete permissions in all applications. For casemanagement
example, in the Policy Management application, a user with the
csr
admin role can view rules and lists, but cannot create or edit
rules and lists. PolicyManagement
reports
Note: If you used the AdminTool application in an earlier scheduler
version of Adaptive Authentication, you should now use the wscredentialmanager
Policy Management menu to access functions available on the
Lists Administration tab.

csr A user with this role can view and update activities in the csr
(Customer Customer Service application, and can view the Lookup User casemanagement
Support page in the Case Management application. A user with the csr
Representative) role can handle user calls, view recent activities of a user to
troubleshoot the user problem, and search all users, not just
those with cases.
For more information on the specific permissions associated
with this rule, see Case Management Role Permissions on
page 31.

CMAPIExtract A user with this role can retrieve and view Case Management casemanagementAPI
data concerning events (activities) and cases.

Note: If either this role, CMAPIUpdate, or both are the only

roles that exist for a user, the users password will not have an
expiration date. Additionally, a user with this role does not need
to change the password during the first logon.

28 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Role Name Description Associated Module

CMAPIUpdate A user with this role can retrieve, view, and update Case casemanagementAPI
Management data concerning events (activities) and cases. With
this particular role, a user can lock data retrieved for update
purposes.

Note: If either this role, CMAPIExtract, or both are the only

roles that exist for a user, the users password will not have an
expiration date. Additionally, a user with this role does not need
to change the password during the first logon.

fraudanalyst A user with this role can research and analyze fraud patterns to casemanagement
define antifraud strategies, and verify whether cases include
fraudulent activity.
For more information on the specific permissions associated
with this rule, see Case Management Role Permissions on
page 31.

ListManager A user with this role can view, edit, and delete lists. A List PolicyManagement
Manager user can view rules, custom facts, and custom event
types but cannot create, edit, or delete these objects.

Note: A user with this role can only edit lists if the user has
access to the default organization.

For more information on the specific permissions associated

with this rule, see Policy Management Role Permissions on
page 32.

operator A user with this role can review, work with, and manipulate casemanagement
cases in the Case Management application. A user with the
operator role can search for a relevant case, update a case, and
move to the next case. A user with this role might have specific
expertise, such as with account takeover fraud.

Note: Before an operator is assigned cases or begins to update

cases, the operator must be assigned to an operator group. For
more information, see Add an Operator to an Operator Group on
page 115.

For more information on the specific permissions associated

with this rule, see Case Management Role Permissions on
page 31.

2: Managing Access to the Back Office Applications 29

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Role Name Description Associated Module

operatormanager A user with this role can supervise activity in the Case casemanagement
Management application, and perform the following actions:
Manage operators
Supervise case reviews performed by operators
Audit an operators work queue to increase productivity
Override operator decisions in cases
Define custom sorting and case filtering
Divide operators logically rather than randomly

Note: By default, the Case Management application evenly and

randomly divides the work load of cases between operators.

For more information on the specific permissions associated

with this rule, see Case Management Role Permissions on
page 31.

PolicyManager A user with this role can create, edit, and delete rules, custom PolicyManagement
facts, and custom event types. A user with the PolicyManager
role can approve a status change made to a rule by another user.
A user with the PolicyManager role can also view lists but
cannot create, edit, or delete lists.

Note: Only a user with the PolicyManager role who has access
to the default organization can create, edit, or delete custom facts
or custom event types.

For more information on the specific permissions associated

with this rule, see Policy Management Role Permissions on
page 32

PolicyViewer A user with this role can view rules, custom facts, custom event PolicyManagement
types, and lists.
For more information on the specific permissions associated
with this rule, see Policy Management Role Permissions on
page 32

30 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Role Name Description Associated Module

RuleManager A user with this role can create, edit, and delete rules, custom PolicyManagement
facts, and custom event types but cannot approve pending rules.

Note: Only a user with the RuleManager role who has access to
the default organization can create, edit, or delete custom facts
or custom event types.

This user can view lists but cannot create, edit, or delete them.
This user can submit a request to change the status of a rule, but
a PolicyManager or SeniorPolicyManager user must approve
the request before the status change occurs.
For more information on the specific permissions associated
with this rule, see Policy Management Role Permissions on
page 32.

SeniorPolicy A user with this role can create, edit, and delete rules, custom PolicyManagement
Manager facts, and custom event types, as well as approve all pending
rules. A user with this role can approve a status change made to
a rule by another user, and can also perform self-approval on
status changes made to a rule. This user can view lists but
cannot create, edit, or delete lists.

Note: Only a user with the SeniorPolicyManager role who has

access to the default organization can create, edit, or delete
custom facts or custom event types.

For more information on the specific permissions associated

with this rule, see Policy Management Role Permissions on
page 32

Case Management Role Permissions

The following table shows the permissions available for each role associated with the
Case Management application. Case Management permissions are separated
according to the various pages available in the application.

Operator Fraud
Permission Admin Operator CSR
Manager Analyst

Process X X X X
Queue

Lookup User X X X X X

View the X X X
Queue

2: Managing Access to the Back Office Applications 31

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Operator Fraud
Permission Admin Operator CSR
Manager Analyst

Manage X X
Operator
Group

Manage X X
Operator

Research X X X X
Activities

Policy Management Role Permissions

The following table shows the permissions available for each role associated with the
Policy Management application. Policy Management permissions are separated
according to the various actions available in the application.

Important: Some permissions are available only to users that are granted access to the
default organization.

Policy
Policy Manager /
Policy Rule List
Manager / Senior
Policy Viewer Rule Manager List Manager
Permission Senior Policy
Viewer (Default Manager (Default Manager (Default
Policy Manager
Org) Org) Org)
Manager (Default
Org)

View Rule X X X X X X X X

Edit Rule / X X X X
Request
Status Change

Approve X X
Status Change
(for Others)

View Custom X X X X X X X X
Fact

Edit Custom X X
Fact

View Custom X X X X X X X X
Event Type

Edit Custom X X
Event Type

32 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Policy
Policy Manager /
Policy Rule List
Manager / Senior
Policy Viewer Rule Manager List Manager
Permission Senior Policy
Viewer (Default Manager (Default Manager (Default
Policy Manager
Org) Org) Org)
Manager (Default
Org)

View List X X X X X X X X

View List X X X X
Content

Edit List X

Import / X
Export

Create Policy X X X X X X X X
Report

Duplicate X X
Rule

The following conditions also apply to the Policy Management role permissions:
A user with the SeniorPolicyManager role can also perform self-approval on
status changes made to a rule.
Only a user with access to the default organization can view the
Last Modified By and Created By fields in the Manage Lists, Manage Custom
Facts, and Manage Custom Event Types pages.
Any role that is associated with the PolicyManagement module receives the same
permissions as the PolicyViewer role. A user with this role can view rules, custom
facts, custom event types, and lists and can also create policy reports.

Organization Management
Each organization consists of a collection of users. An organization can also have
multiple groups. You can manage organizations by adding organizations, viewing
organizational details, and editing organizational details. You use the Application
Organizations page to display and manage all of the organizations that exist in the
system.
The hierarchy of organizations in the Access Management application and in the
Adaptive Authentication system is defined as follows:
An organization identifies any user who belongs to the organization.
A user of the Back Office applications is identified by a unique user name. This
uniqueness allows a user to belong to more than one organization.

2: Managing Access to the Back Office Applications 33

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

An end user is identified by a user name and organization. Two end users with the
same user name can belong to different organizations.
Organizations can include suborganizations. The organization is the parent and
each sub-organization is a child in the system hierarchy.

Note: RSA supports up to four levels in the hierarchy of organizations. This

means that you can create up to three levels of suborganizations under the default
organization. Adding additional levels of suborganizations has a negative impact
on system performance and is not recommended. The limitation of the number of
organization levels in the hierarchy does not relate to the total number of
organizations allowed in the system.

An organization cannot be deleted from the system. All organizations are stored in
the database.
An organization can only be viewed by a user who has access to that organization
or its parent organizations. A user with access to the default organization, can
view all organizations.

Access the Application Organizations Page

You use the Application Organizations page to display and manage all of the
organizations that exist in the system.

To access the Application Organizations page:

From the Access Management menu, select Organizations.

View Organization Details

To view organization details:
On the Application Organizations page, in the Action column, click View in the row
of the organization that you want to view.
The link is only displayed if you have View permission. Details are displayed in the
View Organization Details page.

Add an Organization
When you add an organization in the Access Management application, you create a
organization within the Adaptive Authentication system. After an organization is
created in the system, you cannot remove the organization. You cannot edit the name
of an organization. After you create an organization in the system, you cannot change
the name. Only the organization description and parent can be changed.

To add an organization:
1. On the Application Organizations page, click Add New Organization.
The Organization Details page is displayed.

34 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

2. On the Organization Details page, do the following:

a. In the Organization Name field, enter a unique name for the organization.
This is a mandatory field.

Note: You cannot use the following characters:

[^<>&]*.
The maximum length of organization names is 50 characters.

b. In the Organization Description field, enter a description for the

organization.
c. From the Organization Parent list, select a parent organization for the new
organization. In the list, default is the root organization in the system and is
the parent of all organizations.
3. Click Save.

Note: If you attempt to create a loop in the hierarchy, for example, an organization
is both a child and parent of the same organization, an error message appears and
the organization is not saved.

Edit Organization Details

You can edit a rule to change any of the details. You cannot edit the name of an
organization. After you create an organization in the system, you cannot change the
name.

To edit organization details:

1. On the Application Organizations page, in the row of the organization that you
want to edit, click Edit.
The Edit link is only displayed if you have Edit permission.
2. On the Edit Organization Details page, edit the organization description or change
the parent of the organization.

Important: If you change the parent of the organization, it may take up to five
minutes for the change to be reflected in the system.

3. Click Save.

View Available Organizations

You can view organizations in the Edit User Details page. Newly added organizations
are available for viewing immediately.

To view the available organizations:

Click Edit User > Organizations > Available.

2: Managing Access to the Back Office Applications 35

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Group Management
A group is a subunit of an organization. Groups provide a way of further organizing
end users within organizations. You can create a hierarchy of groups, but all groups in
a hierarchy must belong to the same organization.
Groups in the Access Management application relate to the Adaptive Authentication
system as follows:
There is no default group.
An end user can belong to any group within an organization.
An end user can be moved from one group to another within an organization.
An end user in a specific organization cannot belong to more than one group.
Any user with roles that allow read, write, or create in the Access Management
application is permitted to correspondingly view, edit, or add groups.

Access the Application Groups Page

You access the Application Groups page to add a group, view group details, and edit
group details. For more information, see Application Group Page on page 36.

To access the Application Groups page:

From the Access Management menu, select Groups.

Application Group Page

You can use the Applications Groups Page to add a group, view group details, and edit
group details.
The Application Groups page provides information about groups in the Access
Management system, as described in the following table.

Column Name Description

Group Name Group name. Sortable column.

Organization Name of the organization to which the group belongs. Sortable column.
Name

Group Description of the group. This description is editable, depending on the

Description rights of the user. Sortable column.

Group Parent The parent of the group in the group hierarchy. Sortable column.

Action Lists the actions that the user is permitted to perform. A link for each
available action is provided.

36 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

View Group Details

All roles can view group details for all groups in the system.

To view group details:

On the Groups Application page, in the table, click View.
The Group Details page is displayed. Information in View Group Details section is
not editable.

Add a Group
You can add a group to organize end users within an organization. The Group Name
and the Organization Name together serve as a unique key.

Before You Begin

You must have Create permissions to add a group.
You can only add a group to a group that you create.

To add a group:
1. At the bottom of the Application Groups page, click Add New Group.
2. On the Group Details page, in the Add Group Details section, do the following:
a. In the Group Name field, enter a name for the group.

Note: You cannot use the following characters:

[^<>&]*.
The maximum length of group names is 50 characters.

b. From the Organization Name list, select an organization.

c. In the Group Description field, enter a description for the group.
Make the description unique so that the group can be easily identified.
d. (Optional) From the Group Parent list, select a group parent with which to
associate the new group in the group hierarchy.
e. Click Save.

Edit Group Details

You can edit only the group description and the group parent. You can create a
hierarchy of groups, but all groups in a hierarchy must belong to the same
organization.

Note: If you create a loop in the hierarchy, for example, if a group is both a parent and
a child of the same group, an error message appears.

2: Managing Access to the Back Office Applications 37

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To edit group details:

1. On the Application Groups page, in the row of the group that you want to edit,
click Edit.
The Edit link is only displayed if you have Edit permission.
2. On the Group Details page, edit the group description and change the group parent
as necessary.
You cannot edit the name of a group.

Important: If you change the parent of the group, it may take up to five minutes
for the change to be reflected in the system.

3. Click Save.

38 2: Managing Access to the Back Office Applications

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

3 Managing Policies
Introduction to Policy Management
Introduction to Rules
Rule Management
Policy Export and Import
List Management
Custom Facts Management
Custom Event Type Management
Policy Report
The Policy Management application helps organizations create a risk-management
policy in line with the unique security needs of the organizations. Well-defined
policies help prevent harmful, fraudulent activity and keep the number of false
positives to a minimum. Each policy contains a set of rules that define actions that
take place in specific circumstances. For more information, see Introduction to Rules
on page 41.
The Policy Management application acts as an additional security layer on top of the
Risk Engine, which provides the core functionality of determining the risk level of a
given event. The Policy Management application uses the Risk Engine, along with
other data, and allows you to define a policy based on this data. The rules that you
create in your organizational policy are loaded into the Policy Engine of the Policy
Management application, which then executes the policy.

Introduction to Policy Management

A policy is made up of a set of rules. You can create a policy by adding rules in the
Policy Management application. Each rule is applied for at least one event type and
contains one or more conditions and an action. A rule defines the actions triggered by
various event types, given specific sets of conditions. The specific rules that you
create depend on the security needs of your organization.
For more information, see Introduction to Rules on page 41.

Policies for Organizations

Each policy reflects a set of rules relevant for a specific organization. In a
multi-organization environment, each organization has a policy. When you select an
organization on which you want to work, the relevant policy is displayed in the Policy
Management application. For more information about selecting an organization, see
Log On to a Back Office Application on page 14.

3: Managing Policies 39
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

You can create an organization in the Access Management application. For more
information, see Organization Management on page 33. When you create an
organization, a blank policy is automatically created to correspond with the
organization. You can base the policy of a newly created organization on that of an
existing one by duplicating rules from another organization. For more information, see
Duplicate Rules to Another Organization on page 62.

Reference Policy
The Adaptive Authentication system includes a default reference policy that you can
import into the Policy Management application. You can use the reference policy as a
starting point for constructing the policy for your organization.
The reference policy includes a predefined set of rules that are based upon both
sign-on and transaction event types. The rules in the reference policy cover a broad
range of end-user event types and protect against common fraud risks. For more
information about the rules that make up the reference policy, see Appendix B, Rules
in the Reference Policy.
The rules in the reference policy are both risk-based and device-based. Risk-based
rules rely on data taken from the Risk Engine, while device-based rules rely on device
matching and data taken from end-user devices. Risk-based rules can be activated
only after the necessary Risk Engine learning period. Before the learning period is
over, the risk score is not consistent and may not reflect end-user behavior for the
specific customer population. For more information, see Risk Score on page 48.
The rules in the reference policy have a status of Work in Progress. To activate the
rules, you must change the status of the rules to either Test or Production. For more
information, see Status Change on page 50.
Rules in the reference policy with an action of Challenge are assigned the following
Authentication Methods, in order:
OOB PHONE
OOB SMS
KBA
QUESTION

Note: You must configure Authentication Methods before the methods are applied to
end users. For more information, see the Operations Guide.

The reference policy .zip file is available in the main_directory\utils_7.1.0.0.0 folder.

The .zip file contains the file Reference_Policy.xml. A checksum file,
Reference_Policy.xml.md5, is also created to check for any possible corruption in the
plain file. For more information on how to import policy data, see Import Policy Data
on page 64.

Note: Depending on your organizational policy needs, RSA recommends that you
consider importing the reference policy after product installation. The rules in the
reference policy help protect against many common fraud risks. After you import the
reference policy, you can add rules and edit or delete rules as you see fit.

40 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Additional Configuration Elements

The Policy Management application enables the configuration of the following
elements that you can use to construct rules:
Custom Facts. You can add facts that are not included in the default fact list. For
more information, see Custom Facts Management on page 72.
Custom Event Types. You can define event types that are not included in the
standard delivery. For more information, see Custom Event Type Management.
Lists. You can add lists that are not included in the standard delivery. For more
information, see List Management on page 65.

Policy Refresh
The policy refresh process seamlessly implements changes made to a policy in the
production environment, without the need to restart the application servers. The
Adaptive Authentication system polls the Policy Management Database to check for
policy revisions every sixty seconds.
Types of policy revisions that trigger the policy refresh process include the creation of
any rules or lists, changes made to any rules (edit, delete, or status change) or lists
(edit, delete, or update values), duplication of a policy, and import of a policy. For
more information on rule status changes, see Status Change on page 50.
A policy is loaded to the Policy Engine if both of the following conditions are met:
Revisions have been made to the policy after the current version was loaded to the
Policy Engine.
The status of the revised rule is, or was, Production or Test.
For more information on the policy refresh process, see the Operations Guide.

Note: A policy refresh impacts the data that is available in a Policy Report. For more
information, see Generate a Policy Report on page 80.

Introduction to Rules
A rule contains an event type, a condition or set of conditions, and an action. The
action is triggered by an event when the condition or conditions are met. For example,
a Deny action can be triggered for the Sign In event type, if the Risk Score is above
900.
A rule also contains other details, such as the name of the rule and the status of the
rule. For more information about these rule details, see General Rule Parameters on
page 58.
You can assign a priority to each rule, and the rules are checked in the order of their
priority. The lower the number, the higher the priority. For example, a rule with a
priority of 3 is checked before a rule with a priority of 5. After one rule is found to be
true, the action is triggered, and the system stops checking the rules with lower
priority.

3: Managing Policies 41
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

It is possible that no production rules will be activated when an end user performs a
certain event. This may occur if an organization does not have any rules in its policy
or if none of the existing rules are triggered. In such a case, a default, fallback rule is
activated. When the fallback rule is activated, the Allow action is triggered. For more
information, see Actions on page 47.

Event Types
An event type is an end-user activity that is protected by the Adaptive Authentication
system. An event type triggers a rule when the conditions associated with the rule are
met. For example, if the event type is Payment, the selected rule will apply when the
end user makes a deposit online.
The Adaptive Authentication system is shipped with a predefined list of event types.
For more information, see Appendix C, List of Event Types. In addition to event types
in this predefined list, you can create custom event types. For more information, see
Custom Event Type Management on page 75.

Note: A single rule can be applied to multiple event types. In this situation, if any of
the events occur and all the conditions are met, the rule is triggered.

Conditions
Conditions are built from the following logical elements:
Expressions
Facts
Operators
A condition is a set of logically defined expressions that must be fulfilled for the
action of a rule to be triggered. Each rule can contain multiple conditions, which are
connected to each other by the AND operator. If all conditions are true, the rule is
triggered and the defined action is performed. For more information, see Expressions
on page 44.
Each condition consists of at least one expression. Multiple expressions within a
condition can be logically connected to each other by the OR or AND operators. For
more information, see Operators on page 44.

42 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The following figure shows the logical workflow of a condition after an event is
performed.

Condition Logic Workflow

Event
Event performed as
defined in rule

Is expression within
Yes No
condition true?

Does another Does another

expression exist within expression exist within
this condition? this condition?
Yes Yes

Check Operator Check Operator

connecting connecting
expressions expressions

No
Condition

OR OR
AND AND
operator No operator
operator operator
(default) (default)

Condition is Condition is
not met not met

Does another
condition exist within
this rule?

No
Action

Action is triggered Action is not triggered

The following example shows the various components that can make up a condition.
The sample expression represents the number of days that have passed since the
account was opened:
Expression: IF days since end user changed the address is Equal to 5
Category: Account Details
Fact: # of Days Since Last Address Change (Integer)

3: Managing Policies 43
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Operators: Equal to
Value: 5

Expressions
An expression is the basic building block of a condition and can be thought of as the
first half of an If-Then conditional statement. The action is the second half. If the
expressions within a condition are true, then the action is performed.
Expressions can be made up of logically connected facts, operators, and values.
Several expressions can be combined with the operators OR or AND.

Facts
A fact is a core data element that the Policy Engine processes to determine if the rule
is triggered. A fact might contain information about the device, the end user, or the
end-user activities.
Examples:
Change from previous risk score.
Whether or not Java is disabled.
The city's IP city code.
The Adaptive Authentication system is shipped with a default fact list. For more
information, see Appendix A, List of Facts. In addition to default facts, you can create
custom facts. For more information, see Custom Facts Management on page 72.

Categories
Facts are grouped into categories for accessibility purposes. For example, the Risk
Score category groups facts that relate to the risk score of the current event, such as
Transaction Risk Score and Change From Previous Risk Score.

Values
A value is a quantifiable attribute of a fact that defines the situation during which a
rule is triggered. Values are divided into the following categories:
Technical. For example, the contents of a predefined list.
Numeric. For example, the Risk Score.
Boolean. For example, whether the device IP is different from the event IP (A true
or false value).

Operators
An operator is a logical or mathematical function that connects multiple data
elements. Operators can be used to define fact values, to connect multiple expressions,
and to connect multiple conditions.

44 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Fact Operators
The following operators can be used when defining fact values.

Operator Relevant Fact Type

Equals Boolean
Country
Double
ENUM
Float
Integer
IP Address
Long
Risk Score
String

Not equal Country

Double
ENUM
Float
Integer
IP Address
Long
Risk Score
String

Empty Country
ENUM
String

Greater than Double

Float
Integer
Long
Risk Score

Greater or Equals Double

Long
Risk Score

Less than Double

Float
Integer
Long
Risk Score

3: Managing Policies 45
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Operator Relevant Fact Type

Less or Equals Double

Long
Risk Score

Contains in String String

Not Contains in String String

Between Double
Float
Note: Between specifies a
Integer
range of values that includes
the range boundaries. A value IP Address
between x and y is greater Long
than or equal to x and less Risk Score
than or equal to y.

Not Between Double

Float
Note: Not Between specifies
Integer
values outside an inclusive
range. A value not between x IP Address
and y is less than x or greater Long
than y. Risk Score

Within String
User ID

Not within String

User ID

Note: The relevant operators will differ from fact to fact. The Within and Not Within
operators are relevant only for the List category.

Expression Operators
The following operators are available for use between expressions.

Operator Description

AND Connects all expressions within a condition so that the rule is

triggered only if all expressions are true.

OR Connects all expressions within a condition so that the rule is

triggered if any of the expressions within a condition is true.

46 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Condition Operator
The following operator is available for use between conditions.

Operator Description

AND Connects all conditions within a rule so that the rule is

triggered only if all conditions are true.

Actions
An action is a predefined outcome that occurs when the condition is fulfilled and the
rule is triggered. Actions are performed only if the rule status is Production. For more
information, see Rule Status on page 49.
Only one action can be defined for each rule. The exception to this is the Review
action, which can be set to generate a case together with another action.
The following table describes the different action types. To configure these
parameters, see General Rule Parameters on page 58.

Action Description Case Created

Allow Allow the end user to access the system or to Manually

continue with the transaction.

Challenge Request that the end user authenticate by selecting Manually (When
one of the authentication methods. authentication fails,
For more information, see Authentication Methods succeeds, or in both
on page 47. situations)
The Rule Manager can select whether a case is
created in Case Management if authentication
succeeds or fails.

Deny Deny the end user access to the system or deny the Manually
transaction.

Review Flag the transaction for review by creating a case in Automatically

the Case Management application.

Authentication Methods
You can use authentication methods to challenge end users to perform an action that
verifies their identity before they are allowed to continue. These methods are used in
high-risk situations to prevent fraudulent activity. The particular challenge method
used depends upon which rule is triggered. The end user must successfully pass the
challenge to continue with the current activity.
The following authentication methods are available in the Adaptive Authentication
system:
Knowledge-Based Authentication (KBA). The end user is asked a series of
personalized questions based on available data sources.

3: Managing Policies 47
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Email (OOBEMAIL). The end user receives an automated email with

instructions to enter a confirmation code.
Phone (OOBPHONE). The end user receives an automated phone call with
instructions to enter a confirmation code.
SMS (OOBSMS). The end user receives an automated text message with
instructions to enter a confirmation code.
One-time password (OTP). The end user is asked to enter a password that is only
valid for a single session.
Secret Questions (QUESTION). The end user is asked to provide answers to a
number of security questions previously defined by the genuine user.

Note: You can configure existing authentication methods using the c-config-mcf.xml
file. For more information, see the Operations Guide.

You can install additional authentication methods for use in the Adaptive
Authentication system. For more information, see the Authentication Plug-in
Developers Guide.
After you install additional authentication methods, you can add these methods to the
list of methods available in the Policy Management application. You can do this using
the Authentication Methods parameter located in the Authentication Methods
component of the Administration Console. You can also use this parameter to remove
existing, built-in authentication methods from the list that appears in the Policy
Management application. For more information, see the chapter Configure
Authentication Methods in the Operations Guide.

Important: If you delete a method in the Administration Console that is currently

being used in rules, any rules with this action will still be triggered, but you will not be
able to assign the deleted method to new rules. To completely delete an authentication
method, you must remove the method from the configuration files.

When you select the Challenge action, you can define which method is used to
challenge the end user. You can select and prioritize multiple methods from the
available list. The system selects the first available method relevant for the end user.
The end user can only be challenged using authentication methods for which the end
user is registered.
For example, if SMS, email, and Phone are selected as Authentication Methods with
SMS having highest priority, email second priority, and Phone lowest priority, an end
user who is not registered for SMS is challenged with the email method.

Risk Score
Risk Score is one of the fact categories that you can use to create a rule in the Policy
Management application. The RSA Risk Engine evaluates each online activity,
tracking over one hundred indicators to detect fraudulent activity. The Risk Engine
produces a unique risk score, between 0 and 1,000, for each online activity. The higher
the risk score, the greater the likelihood that an activity is fraudulent.

48 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

You can use the risk score to understand the risk level of an activity in relation to all
end user activities. For example, if you choose to challenge any activity with a risk
score greater than 900, you can expect 0.25 percent of all activities to be reviewed.
This information also helps you estimate the number of cases that operators need to
process.
Risk-based rules should only be promoted to Production status after the necessary
Risk Engine learning period. Until this period has finished, the risk score is not stable
and may not be entirely accurate. During the learning period, you can run risk-based
rules with a status of Test in order to examine the potential results of your policy.

Note: If you upgrade from a previous version of Adaptive Authentication, you can
continue to use risk-based rules without waiting for the Risk Engine learning period to
finish.

For more information, see the section about Risk Engine Parameters in the Operation
Guide.

Case Creation
You can flag a transaction for review by creating a case. When a transaction is
flagged, a case is created in the Case Management application when the rule is
triggered.
The Create Case feature performs the same action as the Review action but can be
applied in addition to the actions that you apply to a rule. Creating a case is optional
and does not need to be applied.
If you select the Challenge action, you can choose to create a case when the end user
passes authentication, fails authentication, or in both situations.
For more information, see Chapter 4, Managing Cases.

Rule Status
You can assign one of the following statuses when creating a rule:
Work in Progress. The rule does not run on production data.
Test. The rule runs on production data, but no action takes place (except for the
option to create a case). Statistics are collected to analyze the effectiveness of test
rules. When a rule is triggered, the activity is recorded in the database.
Production. The rule runs on production data and actions take place.
In addition, the following status can also apply to rules:
Suspended. The rule was recently running on production data (had a status of Test
or Production) but was suspended for some reason.
To properly manage a policy, you can test rules before you put the rules into
production. This testing allows you to view the potential results of a newly created
rule without directly affecting the end-user activity. After a rule has been sufficiently
tested and appears stable, you can move the rule to production, where the rule is fully
implemented.

3: Managing Policies 49
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

While a rule has a status of Test, it is still triggered if it has a higher priority than a rule
with a status of Production. In such a situation, the action of the rule in production is
triggered in addition to any case created by the rule.

Status Change
Before the rule status can be changed, some rules require the approval of a user with
PolicyManager or SeniorPolicyManager permissions. For more information on rule
statuses, see Rule Status.
The following figure shows the possible status changes that can be made for rules.

The following table lists all status changes that require the approval of a user with
PolicyManager or SeniorPolicyManager permissions.

Current Status (Change From) Pending Status (Change To)

Work in Progress Test

Work in Progress Production

Test Production

Test Suspended

Production Suspended

Production Test

50 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Current Status (Change From) Pending Status (Change To)

Suspended Production

Suspended Test

If you want to change the status of a rule, you must first submit a status change
request. If the status change requires approval, the pending status of the rule reflects
the status that you requested. A user with sufficient permissions must approve the
status change request for the current status to change. If the rule does not require
approval, the current status is changed immediately.
Each rule has an indication of the current and pending state of the rule, as follows:
Current Status. The status that the rule has right now.
Pending Status. The status that will be applied to the rule if a status change
request is approved by a user with sufficient permissions.
You cannot edit or delete a rule with a status of either or Production, or any rule that
has a pending status. To edit or delete such a rule, you must first change the status to
either Suspended or Work in Progress.

Rule Management
You can use the New Rule wizard to create rules. After you create and save a rule, the
rule appears in the Manage Rules table. You can manage rules using the Manage Rules
table.

3: Managing Policies 51
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Manage Rules Table

From the Manage Rules table, you can view details of all rules in one location. The
rules presented in the table belong to a policy that is defined by the user. For more
information about policies, see Chapter 3, Managing Policies.

You can use the toolbar at the top of the table to perform relevant policy actions, such
as adding a new rule or exporting a policy. After you create and save a rule, it appears
in the Manage Rules table. After you delete a rule, the rule no longer appears in the
Manage Rules table.
You can also use the table to easily select and manage existing rules. After you select a
rule, you can edit or delete the rule. When you select a rule from the Manage Rules
tables, a detailed summary of the rule appears in the section under the Manage Rules
table.

Note: Only the last comment is displayed. If there are multiple comments, you can
click the hyperlink to view all comments.

Note: You can use your mouse to hover over X items found on the toolbar to see a
breakdown of the number of rules according to the current status.

52 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Sorting and Filtering Rules

When you log on, the rules in the table are automatically sorted by the Date Modified
column, but you can sort the rules by other columns as well. You can sort rules
alphabetically in either direction.

Note: You cannot sort rules by the Event Type column.

You can filter rules by Event Type, Current Status, Pending Status, and Action, using a
checkbox to select the field or fields that you would like to view. For example, you can
use the filter in the Action column to view only those rules that have Deny as the
action.
You can rearrange the columns on the Manage Rules table by dragging and dropping a
column to another location.

Add a Rule
You can add a rule to define what action the Adaptive Authentication system takes
during online transactions. You can use the New Rule wizard to define and create
these rules. Each rule dictates an action to be taken for a particular end-user behavior.

Before You Begin

Select the relevant organization or group.
You must have Rule Manager, PolicyManager, or SeniorPolicyManager role
permissions. For more information, see Role Management on page 24.

To add a rule:
1. Click the Manage Rules link in the Policy Management application.
2. Click New > New Rule.
3. Complete the fields on the General page. For a description of each field, see
General Rule Parameters on page 58.
4. Click Next.
5. On the Conditions page, do the following:
a. From the Category drop-down list, select a category.

Note: The data in the Fact and Operator drop-down lists changes according
to the category selected. The order of the two lists varies according to the
category selected. The Operator list might appear before the Fact list.

b. From the Fact drop-down list, select a fact.

For more information, see Appendix A, List of Facts.
c. From the Operator drop-down list, select an operator.
d. In each Value field, enter a value.

3: Managing Policies 53
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

e. (Optional) To add a new expression, click Add New Expression, and repeat
steps a through d.
To define how multiple expressions are connected to each other, from the Join
Multiple Expressions by drop-down list, select AND or OR. The selected
operator will apply to all expressions within the condition.
f. (Optional) To remove an expression, click Remove expression.
Each condition must contain at least one expression. You can only remove an
expression if there are at least two expressions.
g. (Optional) To duplicate an expression, click Duplicate.
When you duplicate an expression, all the fields are copied except the value
field or fields.
h. (Optional) To add a new condition, click Add New Condition, and repeat
steps a through e.

6. Click Next.
7. On the Actions page, do the following:
a. From the Action drop-down list, select an action.
For a description of the available actions, see Actions on page 47.

Note: If you select Challenge, an Authentication Method section appears.

From the Available Methods list, highlight the method to use to challenge
end users, and click the right arrow to move it to the Selected Method(s) list.
You can add as many methods as you like. To prioritize the methods within
the Selected Method(s) list, use the up and down arrows.

54 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

b. To create a case, select Create a Case.

Note: If you select Challenge, two checkboxes appear, which allow you to
create a case when authentication fails or when it succeeds. Select the
appropriate checkbox.

8. Click Next.
9. Review the rule details on the Summary page. To edit any part of the rule, click
Edit at the top right of the section that you want to change.
10. Click Finish.

Comparing Policy Facts

The Policy Management application allows you to compare between any two facts,
regardless of the fact type (custom, built-in or calculated), as long as the two facts are
of the same data type.

Fact Comparison Operators

The following table lists the operators which you can use to compare facts.

Operator Compatible with Data Type Fact Types

Equal to Fact All data types Boolean

ENUM
String
Numeric
IP Address
User ID
Country

Not Equal to Fact All data types Boolean

ENUM
String
Numeric
IP Address
User ID
Country

Greater than Fact Numeric data types Numeric

Greater than or Equal to Fact Numeric data types Numeric

Less than Fact Numeric data types Numeric

Less than or Equal to Fact Numeric data types Numeric

Contains String Fact String data types String

3: Managing Policies 55
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Operator Compatible with Data Type Fact Types

Not Contains String Fact String data types String

The following operators are not supported by the Comparison of Policy Facts
enhancement:
Between
Not Between
Within
Not Within
Is Empty

Compare Facts
You can use the Rule wizard to compare facts within rules that you create.

Before You Begin

Select the relevant organization or group.
You must have RuleManager, PolicyManager, or SeniorPolicyManager role
permissions. For more information, see Role Management on page 24.
Perform the Add a Rule procedure, as described in Add a Rule on page 53, until
the step to define the rule expression on the Conditions page.

To compare facts:
1. Select a source category from the Category drop-down list.
2. Select the source fact from the Fact drop-down list.
3. Select a fact comparison operator from the Operator drop-down list.

Note: This selection determines if the purpose of the rule is to compare facts. The
Rule wizard utility adjusts the user-interface accordingly.

4. Choose a target category, considering the following:

The default selection for the target category is the same as the source category.
The target Category drop-down list includes all categories.
5. Choose a target fact, considering the following:
The default selection for the Target fact is empty.
The target Fact drop-down list includes only the facts with the same data type
as the source fact.
6. The Rule wizard utility makes adjustments to the user-interface, if the following
changes are made:
If a target category other than the source category is selected, the target fact
field is reset.

56 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

If the fact comparison operator is changed to a non-fact comparison operator,

the target category and fact are reset to a non-fact comparison expression
target format.

Edit a Rule
You can edit a rule to change any of the details. All rule fields are available for editing.
To edit a rule with a status of or Production, you must first change the status to Work
in Progress or Suspended. For more information, see Status Change on page 50.

To edit a rule:
1. Click the Manage Rules link in the Policy Management application.
2. In the Manage Rules table, click the Rule Name of the rule that you want to edit.
The Summary page is displayed.

3. Click Edit at the top right of the section that you want to change.
4. Change the section as necessary.
Use the Next and Back buttons to navigate between sections, or click the section
links at the top of the screen (General, Conditions, Actions, and Summary).
5. Click Save & Exit to save your changes and return to the Manage Rules table.

3: Managing Policies 57
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Delete a Rule
You can delete a rule to remove the rule from the system and prevent the rule from
functioning. When you delete a rule, the rule is no longer available in the Manage
Rules table.

To delete a rule:
1. Click the Manage Rules link in the Policy Management application.
2. Select the checkbox of the rule or rules you want to delete.
3. Click Delete.

General Rule Parameters

The following table describes the general rule parameters, available on the General
page of the New Rule wizard.

Parameter Description Required

Rule Name Unique name that you assign to the rule. The rule name is unique Yes
per policy. An informative name, for example, Challenge
Forbidden IP Address, can help to quickly locate the rule and
understand the purpose of the rule.
The maximum length of rule names is 80 characters. You can use
special characters in the rule name.

Description An explanatory note describing the purpose or function of the No

rule.
The maximum length of the description is 500 characters.

Status The current status for this rule. The following options are Yes
available:
Work In Progress. The rule can be edited but is not running
on production data.
Test. The rule is running on production data, and cases can be
created, but no action takes place.
Production. The rule is running on production data, and all
actions take place.
Any rule assigned a status of Test or Production is initially saved
with a status of Work In Progress. After a user with
PolicyManager or SeniorPolicyManager permissions approve
the status change, the rule will reflect the originally assigned
status.

58 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Parameter Description Required

Comment A free-text field that can be used to explain changes or additions No

made to the rule.You can add several comments to a rule, which
are displayed one after another.
The maximum length of a comment is 500 characters.
You can view all comments associated with a rule by clicking the
View Previous Comments link in the Summary section on the
Manage Rules screen. A new window displays a list of
comments with the date and time each comment was added and
the name of the person who added each comment. The table is
sorted according to the most recently added comments. You can
edit only the current comment. Previous comments are displayed
as read-only.

Event Type The type of end-user activity that triggers a rule when all rule Yes
conditions are met.
In addition to predefined event types, custom event types appear
in this list, marked with an icon.
You can select one event type or several event types.

Order The priority assigned to a rule, indicating the order in which the Yes
rule is triggered. A lower number represents a higher priority and
a higher number represents a lower priority. When a production
rule is triggered, all rules with a lower priority will not be
triggered.
The default value for this field is one position lower than the
lowest-ordered existing rule. For example, if the lowest-ordered
existing rule is 8, the default value is 9. To add a rule as last in
line, leave the default value that is displayed in the field. If you
choose a value currently assigned to an existing rule, the existing
rule and all lower-ordered rules are moved one priority level
lower. For example, if you assign a priority of 5 to a rule, the
existing rule with a priority of 5 is assigned a lower priority of 6,
and similarly with all other rules.
The Available Range values represent the possible values that
you can assign to the rule. The highest value in the range of
values is automatically assigned as the order of the rule.
The Policy Engine receives and evaluates only rules with a status
of or Production. A rule with a status of Work in Progress is not
sent to the Policy Engine. In such a case, the Policy Engine
checks the relative order of the remaining rules. For example, if
there are three rules in the system, and the rule with an order of 2
has a status of Work in Progress, the Policy Engine receives only
the rules with orders of 1 and 3 and will assign the latter rule a
lower priority.

3: Managing Policies 59
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Request a Status Change for a Rule

You can request a status change for a rule to redefine the purpose of a rule within your
organizational policy. For example, you can change the status of a rule from
Production to Suspended if you see that the rule is not furthering the security goals of
your organization.
Depending on the status change request that you make, the new status that you choose
may initially appear as a pending status. If so, a user with sufficient permissions must
approve the status change request for the status to change from pending status to
current status. For more information, see Status Change on page 50.

To change the status of a rule:

1. Click the Manage Rules link in the Policy Management application.
2. From the Manage Rules table, select the rule for which you want to change the
status.
3. From the Status drop-down list, select Request Status Change.
4. In the Request Status Change dialog box, select a new status from the New Status
drop-down list.
5. (Optional) In the Comment field, enter a description related to the current status
change.
This comment will appear when a user with PolicyManager or
SeniorPolicyManager permissions reviews the status change. The description
should help the reviewer understand why the status was changed.
6. Click Set Status.

Cancel a Status Change Request for a Rule

You can cancel a status change request to retract a previously sent request to change
the status of a rule. When you cancel a status change request, the pending status is
removed and the status of the rule remains the current status.
You can cancel a status change request only if you are the user who made the request.
You can only cancel a status change request of a rule with a pending status.

To cancel a status change request for a rule:

1. Click the Manage Rules link in the Policy Management application.
2. From the Manage Rules table, select the rule for which you want to cancel the
status change request.
3. From the Status drop-down list, select Cancel Request.
4. Click Yes.

Note: You can cancel only one status change request at a time.

60 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Approve a Status Change Request for a Rule

You can approve a status change request for a rule to confirm a status change. You can
only approve the status of a rule with a pending status. A pending status indicates that
the status of the rule has been changed and requires approval before the new status
takes effect. You can approve the status of only one rule at a time.

Before You Begin

You must have PolicyManager or SeniorPolicyManager role permissions to approve
the status of a rule. For more information, see Role Management on page 24.

Note: A user with PolicyManager permissions can approve the status of a rule only if
the request was made by another user. A SeniorPolicyManager can approve all status
change requests.

To approve the status of a rule:

1. Click the Manage Rules link in the Policy Management application.
2. From the Manage Rules table, select the rule for which you want to approve the
status.
3. From the Status drop-down list, select Approve Status.
4. In the Approve Status dialog box, review the rule status details.
If you approve the status change, the status listed in the Pending Status field will
become the Current Status. The Pending Status field will then be empty.
5. (Optional) In the Comments field, enter a description related to the status
approval.
6. Click Approve.

Reject a Status Change Request for a Rule

You can reject the status of a rule to deny a status change and keep the rule status as is.
You can only reject the status of a rule with a pending status. A pending status
indicates that the rules status has been changed and requires review before the new
status can take effect. You can reject the status of only one rule at a time.

Before You Begin

You must have PolicyManager or SeniorPolicyManager role permissions to reject the
status of a rule. For more information, see Role Management on page 24.

Note: A user with PolicyManager permissions can reject the status of a rule only if the
request was made by another user. A SeniorPolicyManager can reject all status change
requests.

3: Managing Policies 61
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To reject the status of a rule:

1. Click the Manage Rules link in the Policy Management application.
2. From the Manage Rules table, select the rule for which you want to reject the
status.
3. From the Status drop-down list, select Reject Status.
4. In the Reject Status dialog box, review the rule status details.
If you reject the status change, the status listed in the Pending Status field will be
removed, and the Current Status will remain as it is.
5. (Optional) In the Comments field, enter a description related to the status
rejection.
6. Click Reject.

Duplicate Rules to Another Organization

You can duplicate all rules to copy all rule data from one organization to another
organization or from one organization to multiple organizations. You can then make
changes or adjustments to the new policy as necessary.
When you duplicate all rules to an organization, you replace all existing rules for that
organization. This includes all rules with a status of Work in Progress and Suspended,
in addition to those with a status of and Production. The rules are copied as is, with the
same rule details, conditions, and actions. You must be logged on to an organization to
duplicate the rules to another organization. When you duplicate rules, the last
modified date is changed for the rules in the target organization.

Important: Do not make any changes to the policy while you perform the duplicate
action.

Before You Begin

Ensure that you have PolicyManager or SeniorPolicyManager role permissions. You
must also have these permissions for the organization to which you want to duplicate
the rules. For more information, see Role Management on page 24.

To duplicate all rules to another organization:

1. Click the Manage Rules link in the Policy Management application.
2. Click New > Duplicate All Rules.
3. Select one or more target organizations.
4. Click Duplicate.

Note: After the completion of the duplicate process, a policy refresh occurs. The
duplicated rules are immediately activated in the target organization, and the rule
status of all rules remains the same. Policy data that existed before the duplicate
action is removed from the database and will not appear on a Policy Report. For
more information, see Policy Refresh on page 41.

62 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Policy Export and Import

You can export all policy management data to duplicate all organizational policies in
order to create parallel environments for both testing and production purposes.
Additionally, you can export policy data to save a backup of your policy.
When you export or import policy data, you transfer data from all organizational
policies. This data includes rules, lists and their values, custom facts and custom event
types.
The system saves the exported file on the server as an XML file. An MD5 checksum
file is also created during the export process to check for any possible corruption in the
XML file. This ensures the integrity of the exported file during the import
operation.Only users with permission to access the default organization can perform
the export and import policy actions.
When you export the policy data, the file is saved on the server and not locally. This is
done for security reasons, in order to reduce the risk of unauthorized access to the file.
You can configure the file location in the Administration Console. For more
information, see the Operations Guide.
To duplicate all policies from the source environment to the target environment, you
must perform the following actions.
1. Export policy data from the source environment.
2. Copy the exported files to the target environment.
3. Import policy data on the target environment.

Export Policy Data

You can export all policy data to duplicate all organizational policies in order to create
parallel environments for both testing and production purposes. Additionally, you can
export policy data to save a backup of your policy.
When you export all policy data, you export data from all organizational policies.
Exported data includes rules, lists and their values, custom facts, and custom event
types.

Before You Begin

You must have permission to access the default organization in order to perform the
import policy action.

3: Managing Policies 63
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To export a policy:
1. Click the Manage Rules link in the Policy Management application.
2. Click Export Policy.
The Export Policy dialog box displays the location of the export directory.
The name of the exported file is aaboPolicyExportFile_<time>.xml, where
<time> is the date and time that you performed the export.
A checksum file is also created during the export process, named
aaboPolicyExportFile_<time>.xml.md5, to ensure the integrity of the exported
file during the import operation.

Note: The values contained in any hashed lists remain hashed. Otherwise, the
exported file is a readable XML file.

3. Click Export.

Import Policy Data

You can import all policy data to duplicate all organizational policies and create
parallel environments for both testing and production purposes. After you export your
policy data to the server as an XML file and copy the exported files to the target
environment, you can import the policy data on the target environment.
When you import all policy data, you import data from all organizational policies.
Imported data includes rules, lists and their values, custom facts, and custom event
types.

Important: To access the imported data, the new environment must contain the same
organizations that existed in the original environment. If an organization does not
exist, you cannot access the policy data of that organization. When you import all
policy data, a policy refresh occurs. Policy data that existed in the new environment
before the import is removed from the database and will not appear on a Policy
Report. For more information, see Policy Refresh on page 41.

Before You Begin

Export your existing policy. This exported policy serves as a backup in the case of
any mistake or emergency. This is important, since the import action cannot be
undone.
You must have permission to access the default organization in order to perform
the import policy action.

To import a policy:
1. Click the Manage Rules link in the Policy Management application.
2. Click New > Import Policy.
3. In the Import Policy dialog box, enter the filename that you want to import.

64 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Important: When you import all policy data, you replace the existing policy data
for all organizations.

The exported filename is aaboPolicyExportFile_<time>.xml, where <time> is

the date and time that you performed the export.
You should verify that the encoding and characters of the MD5 checksum file
created during the export operation do not change when copying the file between
different platforms.
4. Click Import.

List Management
A list is a fact category that groups together facts of a specific type. You can use lists
to define which countries, IP addresses, end users, and strings are considered
malicious, safe, or suspicious. After you create lists, you can use the lists to build
conditions in the New Rule wizard. You can either use the predefined lists or create
custom lists.
When you create a new lists in the system, the list will be available to all
organizations, and not only for the organization that it was created for. If you add or
delete a list, or change values in a list, it will affect all organizations that have rules
which use that list.
All facts in a list must have the same type of value, known as a List Type. For
example, all facts in the IP on VIP List must have a List Type of IP Address. This
means that all fact values in this list must be in the form of a valid IP address.
The following List Types are available:
Country
IP Address
String
User ID
After you create and save a list, the list appears in the Manage Lists table. You can
manage lists using the Manage Lists table. For more information, see Manage Lists
Table on page 66.

3: Managing Policies 65
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Manage Lists Table

From the Manage Lists table, you can view the details of all lists in one location. After
you create and save a list, the list appears in the Manage Lists table. After you delete a
list, the list will no longer appear in the Manage Lists table.

You can use the menu items at the top of the table to perform relevant policy actions,
such as adding a list. You can also use the table to edit lists. You can perform the
following actions from the Manage Lists table:
Add a List
Edit a List
Delete a List

Sorting and Filtering Lists

When you log on, the lists in the table are automatically sorted by the Date Modified
column, but you can sort them by the List Name, List Type, and Status columns as
well. You can sort lists alphabetically in either direction.
You can filter lists by List Type or Status, using a checkbox to select the field that you
want to view. For example, you can use the filter in the List Type column to view only
those lists that have Country as the list type.
You can rearrange the columns on the Manage Lists table by dragging and dropping a
column to another location.

List Summary
When you select a list from the Manage Lists table, a detailed summary of the list
appears in the section below the Manage Lists table. The summary section contains
the list name, the creator of the list, and the date modified, along with the information
described in the following table.

66 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Note: The information you see in the summary section depends on your role
permissions. For more information, see Role Management on page 24.

Element Description

List Details Last Modified By

List Content A table that lists all the values in the list.
Value
Organization (User ID only)
Last Modified By
Date Modified

Related Rules A table that lists all the active rules that use the list in one of the
conditions.

Add a List
You add a list to categorize a group of fact values together. You can then create rules
based on these lists.

To add a new list:

1. Click the Manage Lists page in the Policy Management application.
2. From the Manage Lists table menu, click New.
3. Complete the fields on the New List page. For a description of each field, see
General List Parameters on page 71.
4. Do one of the following:
Add a Single Value to a List.
Add a Range of IP Values to a List.
Import a Set of Values to a List.
5. Click Save.

Add a Single Value to a List

You can add a single value to an existing list to define the fact values that are
categorized together in the list. The type of values that you can add depends on the list
type that you select when you create the list.

Before You Begin

Do one of the following:
Access the New List page. See Add a List on page 67.
Access the Edit List page. See Edit a List on page 70.

3: Managing Policies 67
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To add a single value to a list:

1. In the List Content section, from the Add Value drop-down list, select Add
Value Manually.
2. In the Add Value Manually dialog box, enter the value, and click Add.
If the List Type is User ID, you must also enter the organization name associated
with the end user. If the List ID Masking parameter in the Administration Console
is selected, you must first apply SHA1 hashing (to the end user name only) before
you enter the value. For more information, see Hash the Values of a User ID List
on page 71.
3. Repeat these steps for any additional values.

Note: When entering values in a list of countries, use the two-letter code specified by
the ISO 3166 standard. These values are case-sensitive, and need to be capitalized.

Add a Range of IP Values to a List

You can add a range of IP values to an existing list to define the fact values that are
categorized together in the list. You can only add a range of values if you selected IP
Address as the List Type.

Before You Begin

Do one of the following:
Access the New List page. See Add a List on page 67.
Access the Edit List page. See Edit a List on page 70.

To add a range of IP values to a list:

1. In the List Content section, from the Add Value drop-down list, select Add
Range of Values Manually.
2. In the Add Range of Values Manually dialog box, enter the IP address range, and
click Add.
You can use either IPv4 or IPv6 values, but both the From and To values must be
the same version.
3. Repeat these steps for any additional value ranges.
4. (Optional) To delete values, select the checkboxes of the values that you want to
delete, and click Delete.
5. Click Save.

68 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Import a Set of Values to a List

You can import a set of values to an existing list from a CSV file to add multiple
values to a list. The type of values that you can add depends on the List Type that you
select when you create the list.
Be aware of the following factors when you import a set of values:
Each value must be separated by a new line. All data in the same line is imported
as a single value.
For most lists, you must enter all data in the first column. All other columns are
ignored.
If the List Type is User ID, you must also enter the organization name associated
with the end user. Use the first column for the end user name, and the second
column for the organization. If the List ID Masking parameter in the
Administration Console is selected, you must first apply SHA1 hashing (to the
end user name only) before you enter the value. For more information, see Hash
the Values of a User ID List on page 71.
Any file containing non-Latin or non-numeric characters must use UTF-8
encoding.
The import action might take longer than expected if the number of values in the
file is too high. The values must match the List Type selected. For example, if the
List Type is IP Address, 171.16.0.0 is a valid value.
IP address files can contain single IPv4 or IPv6 values, IPv4 ranges, and IPv6
ranges. When importing IP address ranges, use a dash to separate values, for
example, 10.0.0.0 - 10.255.255.255.
When entering values in a list of countries, use the two-letter code specified by the
ISO 3166 standard. These values are case-sensitive, and need to be capitalized.

Before You Begin

Do one of the following:
Access the New List page. See Add a List on page 67.
Access the Edit List page. See Edit a List on page 70.

To import a set of values to a list:

1. In the List Content section, from the Add Value drop-down list, select Import
Values to List.
2. Click Browse to select the CSV file containing the values to import.

Important: You can choose to either add the imported values to the existing list
values or replace all existing content with the imported values.

3. Click Import.
4. (Optional) To delete values, select the checkboxes of the values that you want to
delete, and click Delete.
5. Click Save.

3: Managing Policies 69
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Edit a List
You can edit a list to change list details and revise or add new content. All list fields
are enabled for editing except for the List Type field. While you are editing a list, the
list is locked for editing, and no other user can edit the list.

To edit a list:
1. Click the Manage Lists page in the Policy Management application.
2. From the Manage Lists table, in the List Name column, click the list that you want
to edit.
3. In the List Details section, edit the details as necessary.
For a description of each field, see General List Parameters on page 71.
4. In the List Content section, do one of the following:
Edit a single value or range of IP values:
a. In the Value column, click the value or range of values that you want to
edit.
b. In the Edit Value dialog box, enter the new value or values, and click
Update.
If you are editing a range of IP values, you can use either IPv4 or IPv6
values. However, both the From and To values must be the same IP
version.
c. Repeat these steps for any additional values.
(Optional) Add a Single Value to a List.
(Optional) Add a Range of IP Values to a List.
(Optional) Import a Set of Values to a List.
(Optional) To delete values, select the checkboxes of the values that you want
to delete, and click Delete.
5. Click Save.

Delete a List
You can delete a list to completely remove the list from the Manage Lists table. A
deleted list is not available when you are using the New Rule wizard or editing a rule.
You cannot restore a list that is deleted from the system.
You cannot delete a list that is currently being used in a rule. You cannot delete
multiple lists if any of the lists marked for deletion are currently being used in a rule.
You must either remove those lists from any rules or delete the other lists separately.

To delete a list:
1. Click the Manage Lists page in the Policy Management application.
2. Select the checkboxes of the lists that you want to delete.
3. Click Delete.
4. When prompted to confirm the deletion, click Yes.

70 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Hash the Values of a User ID List

You can hash the values of a list with a List Type of User ID to hide the identities of
the end user names in the Policy Management Database.

To hash the values of a User ID list:

1. Configure the List ID Masking parameter in the Administration Console.

Important: You must select the checkbox for the user names to be recognized as
hashed. However, selecting the checkbox does not automatically hash the values.
If you select the checkbox, you must manually enter hashed values to the list. If
you clear the checkbox, you need to manually enter plain values to the list. You
must manually reenter the appropriate values each time you select or clear the
checkbox. For more information, see the Operations Guide.

2. Manually hash the user name values that you want to add to the User ID list using
SHA1 hexadecimal encoding.
3. For each User ID, add the hashed user name and organization name (not hashed)
to the User ID list.

Note: The hashed user names are not case sensitive. The organization names are
case sensitive.

For more information about adding values to lists, see Add a Single Value to a List
on page 67 and Import a Set of Values to a List on page 69.

General List Parameters

The following table describes the general list parameters, available on the Add New
List and Edit List pages.

List Attribute Description Required

List Name Unique name assigned to the list. Yes

The maximum length of a list name is 50 characters.
You can use special characters.

List Type The List Type designates the type of values contained Yes
in the list.

Note: You must select a List Type before you begin to

add values to the list.

The following predefined List Types are available:

IP Address (or range of IP Addresses)
User ID
Country
String

3: Managing Policies 71
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

List Attribute Description Required

Status The current status for this list. The following options Yes
are available:
Enabled (default). The list is available for use when
creating new rules, appears in the Manage Lists
table, and appears in existing rules.
Disabled. The list is not available for use when
creating new rules, but still appears in the Manage
Lists table, and still appears in existing rules.

Description An explanatory note describing the purpose or function No

of the list.
The maximum length of the description is 500
characters.

Custom Facts Management

The Adaptive Authentication system is shipped with a predefined fact list. A fact is a
core data element that the Policy Engine processes to determine if the rule is triggered.
For more information, see Facts on page 44. In addition to facts in this predefined list,
you can create custom facts.
After you create and save a custom fact, you can build rules with the fact in the
Conditions stage of the New Rule wizard. You can add up to 20 different custom facts
to the system. You can manage custom facts using the Manage Custom Facts table.
For more information, see Manage Custom Facts Table on page 72.

Manage Custom Facts Table

From the Manage Custom Facts table, you can view details of all custom facts in one
location. After you create and save a new custom fact, the fact appears in the Manage
Custom Facts table.
You can use the menu items at the top of the table to add or delete custom facts. You
can also use the fact name links in the table to edit existing facts.

Custom Fact Summary

When you select a custom fact from the Manage Custom Facts table, a detailed
summary of the custom fact appears in the section below the table. The summary
section contains information regarding the following elements.

72 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Note: The information you see in the summary section depends on your role
permissions. For more information, see Role Management on page 24.

Element Description

Custom Fact Details Additional list details.

Last Modified By
Description

Related Rules A table that lists all the active rules for the organization that use
the custom fact in one of the conditions.

Add a New Custom Fact

You can add a new custom fact to define a data element that can be used to create a
rule.

Note: You can add up to 20 different custom facts per SOAP API request. By default,
the application is configured for up to 1000 total custom facts for the Back Office
application. Contact RSA to configure the maximum number of custom facts for the
Back Office application.

To add a new custom fact:

1. Click the Manage Custom Facts page in the Policy Management application.
2. From the Manage Custom Facts table menu, click New.
3. Complete the fields on the New Fact page. For a description of each field, see
Custom Fact Parameters on page 74.

Important: The maximum length of a value for a custom fact, using the UTF-8
character set, is 90 bytes.

4. Click Save.

Edit a Custom Fact

You can edit a custom fact to change the details of the fact. The Fact Name and Fact
Type fields are not available for editing.

To edit a custom fact:

1. Click the Manage Custom Facts page in the Policy Management application.
2. From the Manage Custom Facts table, in the Custom Fact Name column, click on
the fact that you want to edit.
3. On the Edit Fact page, edit the details as necessary.
For a description of each field, see Custom Fact Parameters on page 74.
4. Click Save.

3: Managing Policies 73
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Delete a Custom Fact

You can delete a custom fact to completely remove the fact from the Manage Custom
Facts table. A deleted custom fact is not available when you are using the New Rule
wizard or editing a rule. You cannot restore a custom fact that is deleted from the
system.
You cannot delete a custom fact that is currently being used in a rule. You cannot
delete multiple custom facts if any of the custom facts marked for deletion are
currently being used in a rule. You must either remove those custom facts from any
rules or delete the other custom facts separately.

To delete a custom fact:

1. Click the Manage Custom Facts page in the Policy Management application.
2. Select the checkbox of the fact you want to delete.
3. Click Delete.
4. When prompted to confirm the deletion, click Yes.

Custom Fact Parameters

The following table describes the custom fact parameters, available on the Add
Custom Fact page.

Custom Fact
Description Required
Attribute

Category The category name is Custom Facts. N/A

This is a predefined field which is not editable.

Fact Name Unique name assigned to the Fact. Yes

The maximum length of a fact name is 50 characters.
You can use special characters.

Fact Type The fact type designates the type of value contained in Yes
the fact.
The following predefined fact types are available:
Boolean
Double
Float
Integer
IP Address
String

74 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Custom Fact
Description Required
Attribute

Status The current status for this fact. The following options Yes
are available:
Enabled (default). The fact is available for use when
creating new rules, appears in the Manage Custom
Facts table, and appears in existing rules.
Disabled. The fact is not available for use when
creating new rules, but still appears in the Manage
Custom Facts table, and still appears in existing
rules.

Description An explanatory note describing the purpose or function No

of the fact.
The maximum length of a description is 500
characters.

Custom Event Type Management

An event type is an end-user activity that triggers a rule when the conditions
associated with the rule are met. A predefined list of event types is available within the
Policy Management application. For more information, see Event Types on page 42.
You can create custom event types and then create new rules based on these event
types.

Important: To trigger rules that are based on custom event types, you must add the
appropriate custom event type to the online banking API and send the event type via
the SOAP API to the Adaptive Authentication system. For more information, see the
section that discusses Web Services API Data Elements in the Web Services API
Reference Guide.

You can create two kinds of custom event types:

A new event type that does not exist in the list of predefined event types shipped
with the Adaptive Authentication system.
A sub-event type that is linked to a predefined event type.
For example, you can create a custom event type, International, and link it to the
predefined event type, Payment. The new custom event type is named
Payment - International.
You can manage custom event types using the Manage Custom Event Types table. For
more information, see Manage Custom Event Types Table on page 76.
After you create custom event types, the event types are available in the Event Type
field in the General page of the New Rule wizard. Custom event types are marked
with an icon to distinguish them from predefined event types.

3: Managing Policies 75
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Manage Custom Event Types Table

From the Manage Custom Event Types table, you can view details of all custom event
types in one location. After you create and save a new custom event type, the custom
event type appears in the Manage Custom Event Types table.
Use the menu items at the top of the table to add or delete custom event types. Click
on the event type name links in the table to edit event types.

Custom Event Type Summary

When you select a custom event type from the Manage Custom Event Types table, a
detailed summary of the custom event type appears in the section below the table. The
summary section contains information regarding the following elements.

Note: The information you see in the summary section depends on your role
permissions. For more information, see Role Management on page 24.

Element Description

Custom Event Type Details Additional list details.

Last Modified By
Description

Related Rules A table that lists each active rule that uses the custom event
type in one of the conditions of the rule.

Add a Custom Event Type

You can add a custom event type to define a customer activity that triggers a rule when
the conditions associated with the rule are met.

To add a new custom event type:

1. From the Policy Management drop-down list, select Manage Custom Event
Types.
2. From the Manage Custom Event Types table menu, click New.
3. Complete the fields on the New Custom Event Type page. For a description of
each field, see Custom Event Type Parameters on page 77.
4. Click Save.

Edit a Custom Event Type

You can edit a custom event type to change the details. While you are editing a custom
event type, the event type is locked for editing and no other user can edit the event
type.

Note: The Custom Event Type Name and Predefined Event Type fields are not
available for editing.

76 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To edit a custom event type:

1. From the Policy Management drop-down list, select Manage Custom Event
Types.
2. From the Manage Custom Event Types table, in the Custom Event Type Name
column, click on the event type that you want to edit.
3. On the Edit Custom Event Type page, edit the details as necessary.
For a description of each field, see Custom Event Type Parameters on page 77.

Note: You can only edit the Status and Description fields.

4. Click Save.

Custom Event Type Parameters

The following table describes the custom event type parameters, available on the Add
Custom Event Type page and the Edit Custom Event Type page.

Custom Event
Description Required
Type Attribute

Custom Event Unique name assigned to the event type. This name Yes
Type Name cannot be the same as any other event type in the system.
The maximum length of an event type name is 50
characters.

Note: Special characters are not permitted in the event

type name.

Predefined Event A list of all event types that are predefined in the system. No
Type You can select an event type from the list to link a newly
created custom event type to a predefined event type.
For example, you can create a custom event type,
International, and link it to the predefined event type,
Payment. The new custom event type is named
Payment - International.

Status The current status for this event type. The following Yes
options are available:
Enabled (default). The event type is available for use
when creating new rules, is included in the Manage
Custom Event Types table, and is included in existing
rules.
Disabled. The event type is not available for use when
creating new rules, but is included in the Manage
Custom Event Types table, and is included in existing
rules.

3: Managing Policies 77
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Custom Event
Description Required
Type Attribute

Description An explanatory note describing the purpose or function No

of the event type.
The maximum length of the description is 500
characters.

Policy Report
The policy of an organization contains rules that can trigger a wide variety of actions.
To get a broad picture of the results of your organizational policy, you can generate a
Policy Report. For example, by analyzing the Policy Report, you can make more
informed decisions about whether or not to promote a test rule to production, whether
to remove a rule from production entirely, or whether to add or remove event types
from a rule. A Policy Report displays all rules that are running in a production
environment (rules with a status of or production) for a given organization.
For each rule, the Policy Report displays the following information:
Rule Order. The priority assigned to a rule, indicating the order in which the rule
is triggered. A lower number represents a higher priority and a higher number
represents a lower priority. After a production rule is triggered, all production
rules with a lower priority will not be triggered. All rules with a higher priority
than the triggered production rule are also triggered.

Note: Rules that are not running in a production environment are not displayed.
As a result, there may be gaps in the rule order.

Rule Name. The unique name that you assigned to the rule.
Associated Event Type(s). The type of end-user activity that triggers the rule
when all rule conditions are met. Multiple event types can be assigned to a single
rule. In the report, each row represents a different event type. Any rule may,
therefore, be represented by multiple rows in the report.
Status. The current status for this rule. Only rules with a status of Test or
Production are evaluated by the Policy Engine and appear in the Policy Report.
Rule Action. The predefined outcome that occurs when the condition is fulfilled
and the rule is triggered.
Number of times rule triggered. The number of times that the rule is triggered,
irrespective of whether the rule status is or Production.

78 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Allow, Challenge, Deny, and Review. These four columns list the number of
times each respective action is applied to end users when this rule is triggered.
When a rule is triggered, no action is applied to the end user, but one or more rules
can be triggered at the same time that a production rule is triggered. When this
production rule is triggered, an action is applied to the end user. These parameters,
therefore, indicate the number of times a production rule results in an action for
any given rule, whether the production rule itself or a rule that is triggered along
with the production rule. You can use this number to evaluate the potential result
of a rule if the status was changed to Production.
For more information on these parameters, see General Rule Parameters on page 58.

Note: If no production rules are triggered during a transaction, a fallback rule is

triggered. When triggered, the fallback rule appears in the Policy Report. For more
information on the fallback rule, see Introduction to Policy Management on page 39.

You can use the data provided in the Policy Report to analyze and adjust the state of
your policy. For example, you may see that your policy triggers too many instances of
step-up authentication (challenge action). In other words, your policy may be
consistently applying the challenge action to a large number of end users who pose no
threat to the system. This can potentially cause unnecessary inconvenience for the end
user and can create a preventable financial burden for your company.
Using the Policy Report as a diagnostic tool, you can fine-tune your policy to improve
the end-user experience. For example, you may have a rule that challenges any end
user with a risk score of more than 800. After viewing the Policy Report, you may
decide to raise the threshold of that rule to 850.
Additionally, you may find that your policy results in the creation of too many cases in
the Case Management application. Your organization may be unable or unwilling to
handle the quantity of cases created by your current policy. Using the Policy Report,
you can analyze the foreseeable case load and adjust your policy accordingly.

Sample Policy Report

The table below shows a sample Policy Report based on the following scenario.
Your policy contains the following three rules:
Rule A. A test rule that is triggered if the end user performs the Add_Payee
activity and receives a Risk Score of more than 800. If this condition is met, the
action is Allow.
Rule B. A test rule that is triggered if the end user performs the Add_Payee
activity and receives a Risk Score of more than 850. If this condition is met, the
action is Allow.
Rule C. A production rule that is triggered if the end user performs the
Add_Payee activity and receives a Risk Score of less than 900. The action is
Challenge.

3: Managing Policies 79
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

If the end user performed the Add_Payee transaction one time and received a risk
score of 899, the Policy Report would look as follows.

Number
Rule Rule Event Rule of times
Status Allow Challenge Deny Review
Order Name Type Action rule
triggered

1 Rule A Add_Payee Test Allow 1 1

2 Rule B Add_Payee Test Allow 1 1

3 Rule C Add_Payee Production Challenge 1 1

This Policy Report shows that each of the three rules was triggered once since the last
policy refresh. The Challenge column indicates that, for each triggered rule, the
Challenge action was applied once. You can use this information to analyze how the
rules would perform if promoted to production. In this case, both Rule A (test) and
Rule B (test) were triggered at the same time that the Challenge action was applied by
Rule C (production). If either rule had been a production rule, the rule would have
resulted in the associated rule action.

Generate a Policy Report

You can generate a Policy Report to analyze the effects of your policy on end users. A
Policy Report relates to the policy of a single organization. The Policy Report is
generated to a CSV file.
The Policy Report displays all policy information from the last policy refresh until
11:59 p.m. of the previous day. If you generate a report immediately after a policy
refresh, the report does not accurately reflect the state of your policy. A policy refresh
occurs when you create or edit a rule or when you import or export a policy. For more
information, see Policy Refresh on page 41.

Note: You may want to generate and save your report before a policy refresh. You can
then compare this data with newer data.

Before You Begin

To populate the report with rule details from the database, the Policy Report scheduled
task must be enabled. This is performed using the Scheduled Tasks function in the
Administration Console. The Policy Report scheduled task is enabled by default but
can be manually disabled. If this task is disabled, the Policy Report will not contain
rule data. The Policy Report scheduled task must be executed exactly one time each
day. For more information, see the chapter on configuring scheduled tasks in the
Operations Guide.

To generate a Policy Report:

1. Click the Manage Rules link in the Policy Management application.
2. Select the organization for which you want to create the Policy Report.
The Policy Report is specific to this individual organization.

80 3: Managing Policies
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

3. Click Policy Report.

4. Click Download Report.

3: Managing Policies 81
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

4 Managing Cases
Case Management Application Overview
Case Management Functionality
Case Assignment
Case Grouping
Lifecycle Milestones of Cases
Case Workflows
Case Management Menu
Case Status
Case Mode
Process Queue Management
View the Queue
Look Up an End User
Case Update
Manually Set a Resolution for an Activity
Operator Group Management
Operator Management
Research Activities
Snooze Mode
Top Risk Score Contributors
Custom Facts
This chapter describes how to use the Case Management application.

Case Management Application Overview

The Case Management application enables organizations to track and investigate
end-user activity. Activities are end-user actions that are logged in the system.
The application provides an environment for the research and analysis of activities,
trends, and patterns and for case management, in order to identify suspected or
confirmed fraud. The application provides feedback to the RSA Risk Engine. With
the Case Management application, an organization can take action to help prevent
fraud and make informed decisions regarding the fraudulent activities.

4: Managing Cases 83
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The Case Management application reflects a multi-organizational structure. A user

can select which organizations data to view in the application. For more information,
see Organization Management on page 33.

Case Management Functionality

A case includes all of the activities of a specific end user within the time frame of the
case. End user information, case information, and case history are available in a case.
Cases are created automatically by the system or manually by the operator, depending
on the following:
If the rule that is triggered is configured to create a case, a case is created
automatically.
If an operator manually flags a suspicious activity for an end user with no flagged
activity, a case is created.
A new case is not created if an end user already has a case.
On the Research Activities page, you can choose several suspicious activities
associated with different end users and create cases for the end users. For each
selected activity, if the end user does not have an active case, a case is created. If
the end user has an active case, the event is flagged.
The Event Puller component of the Scheduler web application creates cases in the
RSA Adaptive Authentication (On-Premise) system based on the policy of an
organization. The Event Puller periodically checks the Event Notification table and
retrieves the relevant entries from the Event Log table. If the end user already has an
open case, the event is added to the case. Otherwise, a case is opened for the end user.
If the Scheduler becomes unavailable, cases are not created automatically and do not
appear in the Case Management application. For more information, see the Operations
Guide.

Flagged Activities
Flagging of activities is done based on the following:
An activity flag is triggered automatically by the system in the following
situations:
An end user is asked for additional authentication and fails to pass the
challenge.
A triggered policy rule results in a system flag if the Create Case option is
selected in the Policy Management application. For information about policy
rules, see Chapter 3, Managing Policies.
System flags are read-only. The following system flags are used.
System Flag Icon
Flagged by production rule

84 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

System Flag Icon

Flagged by test rule

Flagged by both production

and test rules

Not flagged

Note: There is no feedback sent to the Risk Engine for cases that are only
flagged by test rules and do not have any event resolution.

If the system flags an activity for an end user who already has an open case, the
newly flagged activity is added to the existing case for that end user.
Each end user with one or more flagged activities has only one case.
An operator can manually set a resolution for an activity in the Recent Activities
section of Research Activities or in Case Management > Lookup User. This
resolution overrides any flagging performed automatically by the system for case
resolution and Risk Engine purposes only.
For more information, see Manually Set a Resolution for an Activity on page 109.

Pending Activities and Cases

If an activity requires additional authentication and the user did not choose to create a
case upon successful authentication in the Policy Management application, the
activity does not create a case until the results of the authentication are received.
If the session time-out has passed without successful authentication, the activity is no
longer pending and the activity either triggers the creation of a new case, is added to
an existing case, or is added as a new activity. If the authentication is successful, the
case creation request is deleted.

Closed and Expired Cases

Note the following about closed and expired cases:
A flagged activity cannot be added to an expired case.
A flagged activity will reopen a closed case but not an expired case. An operator
can reopen a closed case and change the status.

Note: A case expires after the logical end time of the case has passed. This parameter
is defined by the date of the event that created the case + Y days forward. The default
is 10 days. You can configure this, using the Case Management Logical End Time
Offset parameter in the Back Office Applications section in the Administration
Console.

4: Managing Cases 85
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Actions Resulting from Triggered Rules

When a rule is triggered, a case enters the Case Management system if the case
creation checkbox in the Actions stage of the Add New Rule wizard is selected.
For some actions, such as Challenge, the case enters Case Management after a
configurable time period. This time period is configurable by changing the Queue
Visibility Time Offset parameter in the Case Management section of the
Administration Console. For more information on how to configure this parameter,
see the Operations Guide.
When a user creates a rule using the Add New Rule wizard in the Policy Management
application, the option to create or not to create a case is available in the Policy
Management application.
If the user selects the Challenge action, an option to create a case based on
authentication success or failure is also available.

Terminating Open Authentication Sessions

To facilitate optimal online performance, you can manage abandoned open
authentication sessions, by terminating all open authentication sessions for a specific
user, as needed.
The notification type Session Reset is provided in the Case Management application.
If the authentication method component parameter Open Case for Events on Session
Termination in the Administration Console is set to True, a case is opened by the
Event Puller for the following scenarios:
The Adaptive Authentication Administration ResetOpenSessions API method is
called. For more information, see the Web Services API Reference Guide.
A customer service representative initiates the termination of all open
authentication sessions for a user. For more information, see Chapter 5, Managing
End-User Accounts.
For more information about Administration Console parameters, see the Operations
Guide.

Challenge Scenarios
This topic describes various scenarios related to the Action type of Challenge and
explains how and when a case enters Case Management for each scenario.
In these scenarios, the Policy Management user selects the Create Case (when
authentication fails) checkbox, and the end user then performs an activity that triggers
a rule with an action of Challenge.
The end user is allowed a certain amount of time to successfully complete
authentication, during which the case has a status of Pending and is only visible on the
Research Activities page. This time period is configurable by changing the Queue
Visibility Time Offset parameter in the Case Management section of the Back Office
Applications component of the Administration Console. For more information, see the
Operations Guide.

86 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

End User Skips Authentication

If the end user skips authentication, by closing the browser or performing no activity,
the case enters Case Management at the end of the allowed time period.

End User Fails Authentication

Irrespective of the exact time of the authentication failure, the case enters Case
Management at the end of the allowed time period.

End User Fails and Then Completes Authentication within Allowed Time
If the end user fails authentication within the allowed time period but then retries and
completes authentication successfully within the same allowed time period, no case is
created at the end of this time period.
The workflow, assuming a default time period of 30 minutes, is as follows:
1. Authentication (challenge) leads to a 30-minute window.
2. End user fails authentication.
3. End user reauthenticates and succeeds within the 30-minute time frame.
4. No case is created for the end user activities.
The following figure describes this scenario.

Note: In cases where both a production rule and a test rule are triggered for the same
transaction, the production rule has a higher priority. For example, if a Challenge
production rule is fired together with a Decline test rule for a transaction and the end
user passes authentication, no case is created in the Case Management application.

End User Fails and Then Completes Authentication After Allowed Time
If the end user does not complete authentication successfully, opens a new browser or
tries to perform the same activity, and passes authentication, a case still enters the
Case Management application. The case includes the activity for which the end user
failed authentication, even though the end user successfully passed authentication
later for that same activity. A row listing the activity and the successful authentication
result is displayed on the Case Details page, enabling the operator to see that the end
user passed authentication for an activity after initial failure.

4: Managing Cases 87
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Case Assignment
A case is assigned to an operator in an organization. If each organization has an
operator, all cases are eventually assigned. Cases are assigned based on the following
criteria:
The system first attempts to assign a case to an operator according to a group
filter. The default group filter is used if:
The case does not match any of the group filters.
The case matches one of the group filters but there are no operators associated
with that group.
A case that matches a non-default group filter is assigned to any operator
associated with that group filter if the operator has access to the user organization
for the group.
A case that does not match any of the non-default filters is assigned to an operator
from the default group if the operator has access to the user organization.
An unassigned case is assigned to an operator from the organization of the case. If
there is no operator for the organization, the case is assigned to an operator from
the default organization.
A case that is manually created from events can be automatically assigned from
either the Lookup User page or from the Research Activities page.

Assign Manually Created Cases from the Lookup User Page

You can create a case manually and then assign it to a Case Management user to
review the case. You can assign these cases either to the user who created the case or
to the next available Case Management user.

To assign a manually created case from the Lookup User page:

1. From the Case Management menu, select Lookup User.
2. Do one of the following:
To assign the case to the Case Management user who created the case, at the
bottom of the page, click Me.

Note: RSA recommends that you use this option if you want a case to be
handled promptly.

To create a case and add the case to the queue for assignment to an available
Case Management user, click Queue.

The new case is automatically added to the queue.

88 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Assign Manually Created Cases from the Research Activities Page

You can create a case manually and then assign it to a Case Management user to
review the case. You can assign these cases either to the user who created the case or
to the next available Case Management user.

To assign a manually created case from the Research Activities page:

1. From the Case Management menu, select Research Activities.
2. Do one of the following:
To assign the case to the Case Management user who created the case, at the
bottom of the page, click Me.
To create a case and add the case to the queue for assignment to an available
Case Management user, click Queue.
The queue refreshes automatically and includes the newly opened case.

Case Grouping
Each case is assigned to a group for case management purposes.

Default Group
A case is assigned to the default group (DEFAULT_GROUP) if there are no other
groups or if the case does not match the parameters specified for the existing group.
The default group includes cases that do not fit into any other operator-created groups.
The initial default group is system generated, but you can designate a new group as the
default group. You must assign at least one operator to the default group. If you are
working in a multi-organization environment, RSA recommends that at least one
operator from each sub-organization is associated with the default group.

Operator Group
Cases can be grouped according to case properties. You can filter the queue for cases
with specific parameters. For more information, see Operator Group Management on
page 111.
RSA recommends that you create several operator groups with filters.

4: Managing Cases 89
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Lifecycle Milestones of Cases

Cases within the Case Management application can reach different states or
milestones. The following table describes the lifecycle milestones for cases in the
Adaptive Authentication system.

Case Milestone Case Milestone Possible Case Milestone

Case Milestone
Definition Properties Combinations

Open Case has no Can add new events Open and Active. A case that has no
resolution. to the case (for resolution and has not expired.
active cases only). Open and Expired. A case with no
resolution that has expired.

Expired Logical end time for a Cannot add new Open and Expired. A case with no
case has passed. events to the case. resolution that has expired.
Need to create a Closed and Expired. A closed case
new case, and add that has expired.
the events to the
new case.

Closed Case has a resolution, Can reopen a case to Closed and Active. A closed case that
either fraud or add events to it (for has not expired.
genuine. active cases only). Closed and Expired. A closed case
that has expired.

Case Workflows
There are system workflows in place that are related to case creation and to case
handling.

Case Creation Workflow

When new activities are flagged, the case creation workflow determines if a new case
should be created or if the flagged activity can be added to an existing case. The
process determines whether there is an existing case for the end user and, if there is,
the status of that case (open, closed, or expired). If there is no active case (open or
closed), a new case is created through this workflow.

Case Handling Workflow

Cases are handled in the following order:
1. A new flagged activity causes a new case to be created. The status of the activity
in Case Management is New. Before case investigation starts or during the case
investigation process, more flagged activities can be added to the case.
2. An operator assigned to the case begins to investigate the case on the Process
Queue page or Lookup User page. In the course of the investigation, the operator
can perform any of the following tasks:

90 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Choose resolutions for one or more of the events in the case.

Reassign the case to another operator or operator group.
Resolve the case and change the case status to Closed.
Mark the case for follow-up and set the status to Could not Contact User, and
try to contact the end user later.
Try to contact the end user and set the status to In Progress. When the end user
responds, the operator reviews the case on the Lookup User page.

Case Management Menu

In the Case Management application, you can access pages of the application using
the Case Management menu. The Case Management menu includes the following
items. The permissions that you have determine which menu items are available to
you.

The following table describes the Case Management menu and submenu items and
the type of activities that you can perform in that area of the application.

Menu Item Submenu Item Activities

Process Queue Review cases in the queue, investigate cases, and update cases in
the system
Add reported fraudulent events to an existing case

Lookup User Find cases and end user data for a specific end user
Create a new case
Add reported fraudulent events to an existing case

View the Queue View cases in the queue

Search for specific cases within the queue based on search
parameters

4: Managing Cases 91
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Menu Item Submenu Item Activities

Manage Operator Groups Create a new group

Choose and update a specific group

Operators Add users as operators

Assign operators to a group
View the list of available operators and the associated groups

Research Activities Search for activities using filters for case attributes
Create a new case
Add reported fraudulent events to an existing case

92 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The Recent Account Activity section displays all end user activities that exist within
the time range of the case. The time range of the case is defined by logical start time
and logical end time. These times are defined when the case is created based on the
date of the event that created the case. The following figure shows the Recent
Account Activity section and the Detailed Activity Information section that appear
on the Lookup User, Process Queue, and Research Activities pages.

4: Managing Cases 93
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Recent Account Activity Fields

The following table describes the fields in the Recent Account Activity section.

Field Description

View details Displays detailed account information.

Date/Time The date or time that the event occurred.

Activity type The event type.

Client-defined activity type The client-defined activity type if provided.

Event Description The event description if provided.

System Flag An icon indicating what type of rule triggered the creation of
a case or the marking of an event as suspicious.

Resolution An icon indicating the Case Management resolution chosen

by the user.

Risk Score The risk score that this event received from the Risk Engine.

IP Address The IP address from which this event was sent.

IP Country The country connected to the IP address from which this

event was sent.

Rule ID The name of the rule that was triggered.

Policy Action The action that the event received.

ATM Account The account number of the card used during the ATM
transaction.

Challenge Successful If the policy action was Challenge, this field displays N if the
challenge was not successful or Y if the challenge was
successful. If the policy action was not Challenge, the field
displays N/A.

Accumulated User-Payee This field is mapped to the WSDL data element in event
Payments in USD details that represent the accumulation of payments in USD
made to the payee account.

IP Region This field is mapped to the GeoIP Region Code of the

original IP address.

94 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Detailed Activity Information Fields

The following table describes the fields in the Detailed Activity Information section.

Section Field Description

Risk Score Contributors Contributor Name The top four factors that contributed to
the risk score.

Contribution Impact of the contributor that can raise

or lower the risk score.

Account Details Login ID The end users logon name.

User Account Number The end users account number.

Account Open Date The date that the last account was
opened.
This field is mapped to the WSDL data
element user Data/last Account Open
Date.

Online Enrollment Date The date that the end user enrolled in the
service. Potential fraud predictor: cross
channel fraud, new account fraud.
This field is mapped to the WSDL data
element user Data/online Service
Enroll Date.

Address Change Date The date that the end users address
record was last changed or created.

Password Change Date The date the end users password record
was last changed or created. Potential
fraud predictor: cross channel fraud,
account takeover fraud.

Account Number The end users account number in

standard format.

Note: This field is only displayed if the

Channel Indicator is ATM.

Card Age (days) The age, in days, of the end users debit
or credit card.

Note: This field is only displayed if the

Channel Indicator is ATM.

4: Managing Cases 95
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Section Field Description

Card PIN Change Date The date when the card PIN was last
changed.

Note: This field is only displayed if the

Channel Indicator is ATM.

Activity Details Client Transaction ID The clients transaction ID value.

Original Transaction The amount of the transaction in cents.

Amount (The Currency is specified)

Transaction Schedule How soon or how often the payee will

receive payment. Possible values are:
IMMEDIATEFor immediate
execution
SCHEDULEDScheduled for a
future date
RECURRINGA recurring transfer

Transaction Due Date The scheduled date for a transaction.

Transaction Speed This sets how soon the transaction needs

to take place. Possible values are:
SEVERAL_DAYS
OVER_NIGHT
FEW_HOURS
REAL_TIME

Withdraw Amount The amount withdrawn in a withdraw

transaction or the amount transferred in
a money transfer.

Note: This field is only displayed if the

Channel Indicator is ATM.

Payee Account Number The account number of the party that

(IBAN) will receive a certain amount of money
through a payment or transfer.

Note: This field is only displayed if the

Channel Indicator is ATM.

Payee/Other Account External Account The routing code of the payee or other
Routing Code account.

External Account The payee or other accounts account

Number number.

96 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Section Field Description

External Account Type The payee or other account's type.

Possible values are:
BROKERAGEThe account is a
brokerage account.
CDThe account is a certificate of
deposit account (CD).
CHECKINGThe account is a
checking account.
CHECKING_WITH_OVERDRAFT
The account is a checking account
with overdraft protection.
CREDIT_CARDThe account is for
a credit card.
DEBIT_CARDThe account is for a
debit card.
LINE_OF_CREDITThe account is
for a line of credit.
MORTGAGEThe account is for a
mortgage.
RETIREMENTThe account is a
retirement account.
SAVINGSThe account is a savings
account.
USER_DEFINEDThe account has
been specifically defined by your
company.

External Account The account name of the payee or other

Owner Name account.

Location Details IP City The city of the IP address from the end
users device.

IP Owner The owner of the IP address from where

the activity was made.

IP Connection Type The connection type of the request.

Could be cable, DSL, or TDM
(Received from MaxMind).

IP ISP The ISP ID from which the request

came.

ATM ID The unique identifier of the ATM.

Note: This field is only displayed if the

Channel Indicator is ATM.

4: Managing Cases 97
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Section Field Description

ATM Owner This specifies if the owner of the ATM

device is an RSA customer who is
implementing the Adaptive
Authentication ATM Protection
Module.
The two values for this field are:
FI - the financial institution that owns
the ATM device and is implementing
the Adaptive Authentication ATM
Protection Module.
Other - the financial institution that
owns the ATM device and is not
implementing the Adaptive
Authentication ATM Protection
Module

Note: This field is only displayed if the

Channel Indicator is ATM.

Country The country where the ATM is located.

The value is a country code of up to
three letters, depending on the value you
send.

Note: This field is only displayed if the

Channel Indicator is ATM.

State The state where the ATM is located.

Note: This field is only displayed if the

Channel Indicator is ATM.

City The city where the ATM is located.

Note: This field is only displayed if the

Channel Indicator is ATM.

Zip Code The ZIP code where the ATM is located.

Note: This field is only displayed if the

Channel Indicator is ATM.

98 4: Managing Cases
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Section Field Description

Location Type The type of location where the ATM is

deployed. Some location types are more
or less risky than others. Possible values
are:
BRANCH
PETROL_STATION
PUBLIC_TRANSPORT
STREET
CONVENIENCE_STORE
SUPERMARKET
LEISURE_FACILITY
DRIVE_THRU
ENTERTAINMENT VENUE
TRANSPORT TERMINAL
POST OFFICE
RETAIL OUTLET
CASINO
GOVERNMENT OFFICE
OTHER (specified in free text)

Note: This field is only displayed if the

Channel Indicator is ATM.

Device Details Channel Indicator Indication of the device type.

Case Status
When a case is closed and assigned a resolution status, the information is updated to
the Adaptive Authentication system using a web service call. The RSA Risk Engine is
updated with case resolution information about closed cases. The following table
describes the status of a case and its life cycle.

Status Description

Open Case
New
When: Default, after creating, before processing.
Next step: Start processing.

Couldnt contact user When: After processing started, tried to reach end user
with no success.
Next step: Contact again later (end user might call back).

4: Managing Cases 99
 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Status Description

In Progress When: Case is being investigated but cannot be closed yet.

Reasons case cannot be closed could include waiting
internally to research, waiting for an answer, or other
activity.

Closed When: A user closes a case after resolving it. The case
resolution is automatically chosen, and the event and case
resolution are sent to the Risk Engine.
Next step: One of the following actions occurs:
The operator manually selects an event resolution from
the drop-down list.
The case is automatically closed because the case was
open for a number of days beyond that allowed for the
maximum case duration. If the case is automatically
closed, the default event resolution is Suspected
Fraudulent. For more information, see Case Resolution
on page 110.

Note: You configure the maximum case duration in the

Administration Console. For more information, see the
Operations Guide.

Expired When: The logical end time of the case has expired.

Note: This parameter is defined by the date of the event

that created the case plus a specified number of days
forward. The default is 10 days. You can configure this
period using the Case Management Logical End Time
Offset parameter in the Back Office Applications section in
the Administration Console. For more information, see the
Operations Guide.

Case Mode
The mode identifies the status of the triggered rule from the Policy Management
application that created the case in the Case Management application. A case can have
a mode of either Test or Production. For more information, see Rule Status on
page 49.
You should be aware of the following issues regarding case modes:
There is no feedback sent to the Risk Engine for cases that are only flagged by test
rules and do not have any event resolution.
A mode can automatically change from Test to Production if the same event that
originally triggered the case for a particular end user is triggered again by a
production rule or if you manually change the event resolution for the case.

100 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

If a Test case becomes a Production case, there is no automatic reassignment of

the case to a different operator group. You must manually reassign the case to a
different operator group.
It may be beneficial to use operator groups to assign cases with a mode of either
Test or Production to specific operators. For more information, see Operator
Group Management on page 111.
Cases with a mode of Test are prioritized below cases with a mode of Production.
As a result, the highest priority Test case is listed below the lowest priority
Production case.

Process Queue Management

In the Process Queue tab, you can view and update all cases in the system. Cases are
automatically filtered and prioritized in the Process Queue.
When you log on, the cases that are assigned to you appear in the Process Queue.
When a case is in snooze mode, the case does not appear in the queue until the snooze
duration has passed. You can configure the snooze period in the Administration
Console.
When a case is assigned to an operator, the system first attempts to use the group
filters. If none of the filters match, the default group is used.
If you have no cases assigned to you in the Process Queue, the page refreshes
automatically until a case is assigned to you. You can manually refresh the queue to
check for new cases.

Case Priority
In the View the Queue and Process Queue pages, the list of cases is organized by the
time that the case must be reviewed, not by the risk associated with the case. This
order is determined by an algorithm that analyzes the proximity of the case to the
following two times:
Review Deadline. Parameter that is defined for a case when the case is created.
This value is taken from the parameter defined in the Administration Console. For
more information, see the chapter Administration Console in the Operations
Guide.
Next Contact. Parameter chosen if an operator updates the case status to Could
not contact user.
In general, the closer a case is to the times defined in these two parameters, the higher
it will appear on the queue menu. Closed cases are not returned to either queue.

Note: Cases with a mode of Test are prioritized below cases with a mode of
Production. As a result, the highest priority Test case is listed below the lowest priority
Production case.

4: Managing Cases 101

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Access the Process Queue Page

You access the Process Queue page to view and update cases in the system.

To access the Process Queue page:

From the Case Management menu, select Process Queue.
Cases assigned to you are displayed.

Stop Automatic Refresh of the Process Queue

In the Refresh Progress section of the page, a progress bar indicates the refresh rate
for the display of cases assigned to you. You can stop the refresh of the Process Queue
page so that the queue does not refresh automatically.

To stop automatic refresh of the Process Queue:

Click Stop automatic refresh.

Restart Automatic Refresh of the Process Queue

In the Refresh Progress section of the page, a progress bar indicates the refresh rate
for the display of cases assigned to you. You can restart the refresh of the Process
Queue so that the queue refreshes automatically.

To restart automatic refresh of the Process Queue:

Click Refresh queue now.

Case Listing in the Process Queue

The Process Queue processes cases that are not in snooze mode and are unlocked.
When you finish with a case and go to the next case in the list, the queue skips any
locked or in-progress cases and continues to the next available case.
If the queue is empty, the application displays a message indicating that there are no
cases currently in the queue, with instructions to refresh the Process Queue for any
new cases.
To prevent a situation in which a case remains at the top of the list, RSA provides a
snooze mechanism. After a case is processed, regardless of whether the case was
updated or not, the case is removed from the queue for 30 minutes. For more
information, see Display a Case on page 118.

Case Locking and Unlocking

The case locking mechanism does the following:
Prevents a case from being locked for an overly long period of time.
If an operator starts to update a case, the case is locked for update to other
operators. If the same operator logs off and logs back on, that operator is not
locked out of the case.

102 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Case Locking During Case Update

While a case is being updated, the following occurs:
The case is locked and cannot be updated by any other operator.
The case does not appear in the Process Queue of any other fraud analyst or case
operator. The case appears as read-only to anyone who tries to access the case.

On the View the Queue page, a lock icon and the operator ID of the assigned
operator is displayed.

Case Unlocking During Case Update

In the following situations, a case is unlocked:
Case is locked for more than two hours. Cases are locked for a period of two
hours by default, after which time the lock expires and the case is released. You
can configure this period using the Lock Case Expiration parameter in the Back
Office Applications section in the Administration Console.
An Operator saves changes made during the Case Update procedure. For
more information about updating a case, see Update a Case Using Lookup User on
page 108.

View the Queue

Cases that can be viewed in the queue are dependent on the applied filter criteria.
Columns are available in the View the Queue table, depending on filtering.
When you filter, you are filtering by the current status of a case in the system during a
specified time period. On the Filter tab, you can filter which cases you see in the
queue by case status (Status) and by the last updated time of the case (Period). For
additional filters, you can use the Advanced tab.

Access the View the Queue Page

You can view the queue to review and filter cases.

To access the View the Queue page:

1. From the Case Management menu, select View the Queue.
2. (Optional) At the top right corner of the View Queue page, from the Show per
page list, select the number of cases that you want displayed per page. The
options are 5, 10, 15, 25, 50, 75, 100, 250, and 500 cases per page.
You can scroll down the page of displayed cases.

Filter the Queue Using the Filter Tab

You can use the Filter tab on the View the Queue page to filter the queue by Status
and by Period. The Filter tab only displays cases that have a Mode of Production. To
search for cases which have a Mode of Test, you must use the Advanced tab.

4: Managing Cases 103

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To use the Filter tab to filter the queue:

1. From the Case Management menu, select View The Queue.
2. On the Filter tab, from the Status list, select the case status that you want to use to
filter your queue. This is a required selection. The list includes:
All open cases
New
Could not contact user
In progress
Closed
3. In the Period section, select a From date (the start date) and a To date (the end
date) for the cases that you want to include. This period refers to the case creation
date. This is a required selection.
4. Click Filter.
All of the cases matching the search criteria are returned as results in the View the
Queue table.

Filter the Queue Using the Advanced Tab

You can use the Advanced tab on the View the Queue page to perform advanced
filtering functions.

To use the Advanced tab to filter the queue:

1. From the Case Management menu, select View The Queue.
2. Complete the fields on the Advanced tab. For a description of each field, see
Advanced Tab Fields on page 105.

Note: The Advanced tab does not include an organization filter. The organization
that you select from the Organization drop-down list during logon is used for the
filter.

3. Click Filter.
All cases matching the search criteria are returned as results in the View the
Queue table.

104 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Advanced Tab Fields

The following table describes the fields available in the Advanced tab.
To configure these parameters, see Filter the Queue Using the Advanced Tab on
page 104.

Field Description Required

Status Select from the following list of statuses: Yes

All open cases
New
Could not contact user
In progress
Closed

Period Date range. Yes

From and To fields.

Resolution Select from the following list of resolutions: No

Any (Any of the resolutions in the list)
Confirmed fraudulent
Suspected fraudulent
Unknown
Assumed genuine
Confirmed genuine

User ID Select a User ID associated with the cases that you No

want to view.

Operator Select an operator from the list of operators in the No

system.

Activity Type Select from the list of activity types. For more No
information, see Appendix C, List of Event Types.

Note: The Activity Type filter does not support

Custom Event Types.

Risk Score In the From field, enter the minimum risk score for No
the filter. In the To field, enter the maximum risk
score for the filter.

Production Rule ID Select a Rule ID associated with the cases you want No
to view.

4: Managing Cases 105

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Field Description Required

Action Select from the following list of action types: No

Any
ALLOW
CHALLENGE
DENY
REVIEW

IP Address Enter an IP address associated with cases that you No

want to view.

IP Country Enter the IP country code associated with cases that No

you want to view.

Mode Select from the following list of modes: No

Any
Test
Production

Account ID Enter the account ID associated with cases you want No

to view.

Look Up an End User

Depending on your permissions, you can use the Lookup User page to perform the
following actions:
Search for end users
View and update cases
Flag events manually for suspicious activities
Create a case if an end user does not already have a case and assign the case to
yourself or to the queue.
The Lookup Users page displays either of the following:
Case. If the end user has a case.
Activities only. End user activities are displayed if there is no case associated with
the end user.

Before You Begin

Make sure that you are viewing the correct organization level in which the user is
associated. This association is specified in the Organization drop-down list, in
Logged on as. You can change the Organization level view in this list.

106 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To look up an end user:

1. From the Case Management menu, select Lookup User.
The Lookup User page displays the User ID filter and shows the current Case
Management users organization view.
2. Enter the User ID.
3. Click Search.
The View Case page displays the most recent activities or case for this end user,
and includes the following fields:
User Details. User ID, Organization, User Status, User Type, and ATM
Account.

Note: The User Status field can have one of the following pre-defined values:
DELETE, LOCKOUT, NOTENROLLED, UNLOCKED, UNVERIFIED, or
VERIFIED.
The User Type field can have one of the following pre-defined values:
PERSISTENT, NONPERSISTENT, BAIT, or N/A.

Case Details. Date, Mode (Test or Production), Status, Must be reviewed

before (date), Risk Score, Assigned to (user). Only displayed if a case exists
for the end user.

Note: The Must be reviewed before field represents the time remaining for
this case to be considered as high priority. If the case is not assigned before
the time specified in this field, the case is displayed lower in the queue.

Case History. Displays historical case data. Only displayed if a case exists for
the end user.
Recent Account Activity. Displays recent events including: date, activity,
flagged by the system, Event Resolution, risk score, IP Address, IP Country,
Rule ID, Policy Action, ATM Account.
Detailed Activity Information. Displays account details, activity details,
payee/other account, location details, and device details.

Note: The default number of view details per page view is set to five. If you want to
change the default number of view detail lines on display, configure the Case
Activities Per Page parameter in the Back Office Applications component of the
Administration Console. For more information, see the Operations Guide.

If an end user is found but does not have an associated case, the Case Management
application displays all recent activities for that end user.

Note: As is true for the overall system behavior, events that are presented and can be
flagged are limited in number and by date range.

4: Managing Cases 107

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Case Update
There are two ways to update a case:
Using Lookup User. For more information, see Update a Case Using Lookup
User on page 108.
Using the Process Queue. For more information, see Update a Case in the
Process Queue on page 108.

Update a Case Using Lookup User

Use Lookup User to locate the case associated with that end user. For more
information, see Look Up an End User on page 106.

To update a case using Lookup User:

1. On the View Case page, click Update.
2. On the Update Case page, modify the case status, reassign to another group or
operator, enter notes about the case update, update the event resolution, and
manually flag suspicious activities as needed.

Note: If a Test case becomes a Production case, the case is not automatically
reassigned to a different operator group. You must manually reassign the case to a
different operator group.

For information about manual flagging, see Manually Set a Resolution for an
Activity on page 109.
3. Click Save Changes to update the case and save Case Details and Recent Account
Activity.

Note: If you click Go in the Recent Account Activities section, you save the changes
made in the Event Resolution drop-down list and refresh the entire Update Case page.
This resets any unsaved changes that you made in the Update Case page. If you click
Cancel, you cancel changes made in the Case Details section only.

Update a Case in the Process Queue

You can update a case in the Process Queue by modifying the case details.

To update a case in the Process Queue:

1. From the Case Management menu, select Process Queue.
2. Do one of the following:
In the Case Details section, modify the following details:
Status. Select from: New, Could not contact user, In progress, or
Closed

108 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Re-assign to. A case can be re-assigned to an operator or operator group

that is part of the organization associated with the case. The list includes
only the options permitted for the user. Select from: Operator Group,
Operator, or Do not reassign.
Notes. Enter notes about the case.
Modify the event resolution.
Manually set a resolution for suspicious activities. For information, see
Manually Set a Resolution for an Activity on page 109.
Click Skip to not handle this case and move to the next case.
3. Click Update and Move to Next to update the case.
In the Case History section, the Update Time column displays the time at which
you updated the case.

Update Case Example

If you specify the status Could not contact user, the following options are displayed in
the Next Contact drop-down menu on the View Case page, in the Updated Case
section:
In 2 hours
In the evening
Tomorrow morning
At any time
At a specific time
These options are derived from the casemanagement-config.xml configuration file in
the next-contact-times section of the case-attributes element.
If you specify any of these values, update the case, and skip the case (put the case in
snooze mode). When you return to the case, the Next contact field includes the
default setting At a specific time that corresponds to the original date and time that
you specified when you updated the case. For more information on the snooze mode,
see Snooze Mode on page 119.

Manually Set a Resolution for an Activity

A Case Management operator can manually set a resolution for an activity. This is
commonly done after the operator contacts an end user to verify whether or not that
end user performed a certain activity and the operator assesses other parameters
related to the activity.

To set a resolution for an activity:

1. From the Case Management menu, select Lookup User.
2. On the Search tab, provide the User ID and Organization.
All cases or activities of the end user are displayed. For more information, see
Look Up an End User on page 106.

4: Managing Cases 109

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

3. In the Recent Account Activity section, choose an event by selecting the

appropriate event details row.
4. Click Create Case from Events.
5. If a case exists, select the event resolution from the drop-down list, and click Set
Event Resolution.

Case Resolution
Case resolution defines the final conclusion regarding the case as reached by an
operator. Case resolution can also refer to the case findings as confirmed or reported
by the user. When an operator closes a case, the case resolution is automatically
selected based on the event resolutions of the case. Only an operator can close a case
and only if there is at least one event in the case that is flagged (system flagged or
custom marked). The Event Resolution options are listed in the following table along
with the icons that represent each option in the user interface.
Event Resolution Icon
Confirmed Fraudulent

Suspected Fraudulent

Unknown

Assumed Genuine

Confirmed Genuine

An event that is flagged by the system based on rules from the Policy Management
application is a system-flagged event. A system-flagged event is one where the case
resolution is set to Suspected Fraudulent unless the operator manually sets the
resolution to Confirmed Genuine or Unknown.

110 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

An event for which an operator manually sets the resolution is considered a

custom-marked event.This means that a case resolution will be automatically set as
Unknown if it includes only Unknown custom-marked events and does not have
system or custom-marked events that are Confirmed Genuine or Confirmed Fraud.
The resolution of a case is automatically set as Confirmed Fraudulent or Suspected
Fraudulent, if there is at least one event in the case that is marked as Confirmed or
Suspected Fraudulent. In this case, the operator is notified that all activities in such a
case may be considered as Suspected Fraudulent by the Risk Engine.

Operator Group Management

You use the Manage Operator Group page to define and edit operator groups. The
Manage Operator Group page includes the following functionality:
Add Operator Group
Save Operator Group
Delete Operator Group
Set default Operator Group

Access the Manage Operator Group Page

You can use the Manage Operator Group page to define the following items:
Group Detail. Select a group and edit the group description.
Group Filter. Filter for various parameters

To access the Manage Operator Group page:

From the Case Management menu, select Manage Operator Group.

Operator Group Definition

To organize cases and define the cases as groups, you specify filter parameters to be
used as criteria to select the cases for inclusion in a group. You cannot create a group
without a filter because the organization is selected based on the organization that you
selected during logon.

Note: The list of available organizations can only be changed in the Access
Management application. For more information, see Chapter 2, Managing Access to
the Back Office Applications.

Defining operator group filters does the following:

Determines which types of new cases will be assigned to that group.
Defines at least one filtering criteria. Each group has one set of criteria with one or
more criteria in that set. The set is defined based on its criteria.
Uses the same controls as custom filtering.

4: Managing Cases 111

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Note: Filtering of a case by activity-level attributes is performed based on the

activity in the case with the highest risk score and within the events that are
flagged by the system or marked by the user as fraud.

Filters for Defining Operator Groups

You can filter cases to be assigned to operator groups based on the following
parameters:
Organization. To change organizations, use the Organization drop-down menu.
The filter first checks the organization of the case. Each organization must have at
least one group and one operator.
Additional filter. Select one or more of the following for additional filters that
you want to use:
User Activity
Action
Risk Score
User ID
Production Rule ID
IP Address
IP Country
System Flagging

Note: If you use default filtering of the queue, custom filtering fields also use the
default mode. If current settings are different from the default, they are reflected in the
filtering field options.

Add an Operator Group

You add an operator group to assign specific types of new cases to a particular group.

To add an Operator Group:

1. From the Case Management menu, select Manage > Operator Group.
2. Click Add New Operator Group.
3. In the Operator Group Name field, enter a unique name for the operator group.
4. In the Group Description field, enter a description for the group.
5. Select the filters with which you want to filter.
6. Click Save Operator Group.
The operator group is displayed on the Manage Group page and the Manage
Operator page, in the Choose New Group and Select Group drop-down lists.

Edit Operator Group Criteria

You can edit an operator group to change the criteria by which cases are selected for a
group.

112 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To edit operator group criteria:

1. From the Case Management menu, select Manage > Operator Group.
2. From the Select Operator Group drop-down list, select the name of the group
that you want to edit.
3. In the Operator Group Description field, enter a new description for the group.
4. Update the selection of relevant filters.
5. Click Save Operator Group.
The group is modified in the Select Operator Group drop-down list.

Delete an Operator Group

To delete an operator group:
1. From the Case Management menu, select Manage > Operator Group.
2. From the Select Operator Group drop-down list, select the name of the group
you want to delete.
3. Click Delete Operator Group.

Note: You cannot delete a group that contains an operator. If an operator exists
within a group that you try to delete, an error message is displayed requesting that
you remove the operator from the group.

Operator and Operator Group Filters

Note the following regarding the Operator and Operator Group filters:
You can define a group for one organization only.
You can select an organization from the drop-down menu of the organization.
When a user is logged on, the user can view operators who have access to the
current organization, and operator groups within a matching organization.
When you add a new operator group, the organization is automatically added as
part of the group filter.
On the Manage Operators page, in the Operators list, you can view operators
who have access to the current organization.
On the Manage Operators page, in the Select Operator Group drop-down list,
you can view the groups belonging to the organization that is defined within the
group filter. The current organization is displayed in the drop-down list.
If there are operators in the Operators list that have access to more then one
organization, you only see the operator group belonging to the current
organization. If the group to which the operator belongs is from another
organization, Group from another organization is displayed beside the operator
name as the entry in the Operator Group column of the Edit Operator table.

4: Managing Cases 113

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Set a Default Operator Group

When installing the system, the default operator group is DEFAULT_GROUP. If you
are logged on to the default organization, this operator group name is displayed on the
Set Default Operator Group tab.
If the default operator group is from another organization, the following message is
displayed on the Set Default Operator Group page:
Current default operator group is from another organization.

Note: Only operator groups belonging to the current organization appear in the Select
Operator Group drop-down list.

After editing the operator group, you can set the filter settings as the default operator
group.

To set the filter settings as the default operator group:

1. From the Case Management menu, select Manage > Operator Group.
2. From the Select Operator Group drop-down list, select the name of the group
that you want to edit.
3. In the Group Description field, enter a new description for the group.
4. Update the selection of relevant filters.
5. Click Save Operator Group.
6. Click Set Default Operator Group.
7. Click Save Default Operator Group.

Operator Groups for a New Organization

If you do not define an operator group for the currently selected organization, a user
with admin or operatormanager role permissions cannot add an operator because an
operator must belong to an operator group.
If the administrator or operator manager tries to add an operator, the following
message is displayed on the Manage Operator page:
There are no operator groups defined for this organization.
If the administrator or operator manager tries to add an operator group, and there is no
operator group for the organization, from the Manage Operator Group page, the Add
New Operator Group opens automatically and the following message is displayed:
Cannot find groups for the current organization. Add a new
operator group.

114 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Operator Management
A user with admin or operatormanager permissions can manage the user activities of
operator users in the system. Before you can assign an operator a case, you must
assign the operator to an operator group. An operator must have the operator role
assigned within the operators user profile. Role assignment is performed in the
Access Management application. For more information, see Chapter 2, Managing
Access to the Back Office Applications.
The Manage Operators page includes the following functionality:
Add an Operator to an Operator Group
Change the Operator Group of an Operator

Access the Manage Operators Page

You use the Manage Operators page to manage user activities of operators in the
system.

To access the Manage Operators page:

From the Case Management menu, select Manage > Operator.

Add an Operator to an Operator Group

You add an operator to a group in order to associate an operator with a particular set of
incoming cases. Before you can assign an operator to a case, you must add the
operator to an operator group. Every group must have an operator.

To add an operator to a group:

1. From the Case Management menu, select Manage > Operator.
2. On the Manage Operator page, in the Add Operator section, enter the name of
the operator that you want to add in the Operator Name field. This is a required
field.
3. From the Select Operator Group drop-down list, select the name of a group for
the operator.
4. Click Add Operator.

Change the Operator Group of an Operator

You can change the operator group to which an operator is assigned. This limits the
cases that an operator receives in his or her queue, based on the case parameters set up
in the Operator Group description. For more information about adding case selection
criteria in an Operator Group, see Add an Operator Group on page 112.

4: Managing Cases 115

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To change the operator group of an operator:

1. From the Case Management menu, select Manage > Operator.
2. On the Manage Operator page, in the Edit Operator table, from the Change
Operator Group drop-down menu, select the group with which to associate the
operator.
3. In the Edit Operator table, click the Update link in the Actions column for the
operator.

Research Activities
The Research Activities page allows research of end user activities and cases. You can
define fraud policies that allow you to investigate and identify fraud patterns, so an
organization can take action such as setting a new policy or rule.
Research activities are performed at the activity level, not at the case level. All
activities can be researched, not only flagged activities.
The Research Activities page is used for fraud policy-making and allows you to
investigate and identify fraud patterns, so an institution can take action such as setting
a new policy or rule.

Access the Research Activities Page

You use the Research Activities page to research end user activities and cases.

To access the Research Activities page:

From the Case Management menu, select Research Activities.

Research Activities Filters

The following research activity filters are available for use on the Research Activities
page.
Status:
Open Cases (New & Couldnt contact user)
All (With/Without Case)
All With Case
Not Part of a Case
Closed Case
Resolution (Required filter)
Period:
All dates.
Last 24 hours.
Last 7 days.

116 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Last 30 days.
Last 90 days.
Specific From and To dates selected using the calendar icons to define a date
range in the format. From MM/DD/YYYY To MM/DD/YYYY.
Additional filters:

Note: Select any relevant filter to enable that activitys drop-down menu or text
box. The checkboxes are unavailable by default.

User Activity. A complete list of end user activities.

Custom User Activity. A list of end-user activity types that are defined by the
customer in the Policy Management application, not provided by RSA. For
more information, see Chapter 3, Managing Policies.
Policy Action. Allow, Challenge, Deny, Review.
Risk Score. From Score and To Score fields for specifying a risk score range
Event Resolution. Any, Confirmed Fraud, Suspected Fraud, Confirmed
Genuine, Assumed Genuine, Unknown.
User ID. Text field.
Production Rule ID. Text field.
IP Address. Text field.
IP Country. Text field.
System Flagging. Any, All flagged activities, Flagged by production rule,
Flagged by test rule, Flagged only by test rule, Not flagged.
Account ID. Text field.
The Case Management application limits the number of results that can be displayed
by each filter to 1,000. If the results are greater than 1000, you can add several filters
to refine the search. For more information see Search for Cases Using Research
Activities Filters on page 117. For information about customizing the user interface
configuration, see the Installation and Upgrade Guide.

Search for Cases Using Research Activities Filters

You can research case activities using one or more basic case information filters and
additional filters on the Research Activities page. When you select a checkbox, the
filter field or list becomes active. If a checkbox is cleared, the relevant filter field or
list is unavailable. RSA recommends that you use several filters to limit the number of
activities returned because no more than 1,000 results can be displayed.

4: Managing Cases 117

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To search for cases using research activities filters:

1. On the Research Activities page, select the filters with which you want to search
by selecting filter options.
2. (Optional) In the Additional filters section, define any additional filters:
a. To select the type of additional filter, select the corresponding checkbox.
The field or list becomes available.
b. Enter a value in the field or select a value from the list.
For example, select the Policy Action checkbox, and, from the drop-down
list, select CHALLENGE.
3. Click Run Filter.
The total number of activities found is displayed above the Activities list. There is
a limit to how many activities records can be displayed in the list. RSA
recommends that you use several filters to limit the number of activities returned
with a Research Activities search. For more information, see Research Activities
Filters on page 116.
4. Click Display Case to view the details of a specific case.
Twenty records are displayed on each page. If the activities list has more than one
page, Next or Prev links are displayed on top of the activities list table on each
page. For more information, see the Operations Guide.
5. Click Display Details to view the details of a specific event.
The Detailed Activity Information page displays the following information:
Risk Score Contributors. Contributor Name, Contribution.
Account Details. User Account Number, Account Open Date, Online
Enrollment Date, Address Change Date, Password Change Date, Account
Number, Card Age (days), and Card PIN Change Date.
Activity Details. Client Transaction ID, Transaction Amount, Transaction
Schedule, Transaction Due date, Transaction Speed, Withdraw Amount, and
Payee Account Number (IBAN).
Payee/Other Account. External Account Routing Code, External Account
Number, and External Account Owner Name.
Location Details. IP City, IP Owner, IP Connection Type, IP ISP, ATM ID,
ATM Owner, Country, State, City, Zip Code, and Location Type.
Device Details. Channel Indicator, Cookie.
Custom Facts. Fact Name, Value.

Display a Case
You display a case to read and analyze case details.

To display a case:
On the Research Activities page, click Display Case.
The View Case page opens. The View Case page is a read-only view of case
information. The edit fields and drop-down menus are disabled, and checkboxes are
not displayed.

118 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Edit a Case
Before You Begin
Make sure that you have the required permissions to update a case.

To edit a case:
On the View Case page, click Update to edit the case.

Update a Case Buttons

Depending on which workflow you are using, the buttons that are enabled on the
Update Case page vary. The following changes may appear in the buttons in the
interface on this page:
Update and move to next case or Update
Skip to next case or Cancel

Snooze Mode
Snooze mode allows you to skip a case in the queue and return to the case at a later
time. When you skip a case, the case is put into snooze mode for a set period of time.
The default time period is 30 minutes. This period can be configured in the Case
Management section of the Back Office Applications component within the
Administration Console.

The Snooze icon appears next to the case on the View the Queue page. To see the
start time of the snooze period, move your cursor over the Snooze icon. The time that
is displayed is 24-hour time. A case in snooze mode will be moved to next in line for
processing after the snooze time has ended, based on the case priority.

Apply Snooze Mode to a Case

You can put a case in the queue into snooze mode if you want to return to the case at a
later time.

To put a case into snooze mode:

Do one of the following:
On the Process Queue page, select the case, and click Skip.
The current case is not handled, and the next case appears.
On the Process Queue page, select the case, and click Update and Move to Next.
Any changes made to the case are updated, and the next case appears. For more
information, see Update a Case in the Process Queue on page 108.

4: Managing Cases 119

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Top Risk Score Contributors

When viewing activity information on the Research Activities page, you can view the
top contributors to the risk score in the Detailed Activity Information section.
The factors that have the strongest effect on the risk score of the activity are listed
under the contributor name in descending order of impact. An up arrow indicates a
contributor that raised the risk score, and a down arrow indicates a contributor that
lowered the risk score.

Note: The list of risk score contributors was updated in version 7.0.

Custom Facts
You can define custom facts in the Policy Management application. A fact is a core
data element which the Policy Engine processes to determine if the rule is triggered.
Once you create and save a custom fact successfully, you can build rules with the fact.
You can add up to 20 different custom facts to the system. Defining these facts adds
new fact names and the associated values to the Detailed Activity Information
section. For more information, see the topic about custom facts in Chapter 3,
Managing Policies.

120 4: Managing Cases

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

5 Managing End-User Accounts

Customer Service Application Overview
Find an End User
End Users Account History
Account Locking
Terminate an End Users Authentication Sessions
Reset an End Users Account
Account Unenrollment
Watch an End Users Progress
This chapter describes how to manage end-user accounts using the Customer Service
application, a component of the RSA Adaptive Authentication (On-Premise) Back
Office Application Suite.

Customer Service Application Overview

The Customer Service application enables customer service representatives to help
end users who are having trouble with their secure logon settings.
Using the Customer Service application, you can:
Search for an end user
View an end users account history
This includes watching an end users progress in the Adaptive Authentication
system (the logged results of end user actions, not real time).
Lock an end users account
Unlock an end users account
Reset an end users account
Unenroll an end user
Terminate an end users authentication sessions

5: Managing End-User Accounts 121

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Find an End User

You can search for an end users account to help resolve problems with logon settings.

Before You Begin

You need to know the following information:
The organization to which the end user belongs
The end users user name
The following figure shows the Customer Service application home page.

To find an end user:

1. Use the Organization drop-down menu in the upper right corner of the page to
select the end users organization.
2. In the Username field, enter the user name.
3. Click Search.

Note: The Customer Service application logs you off after a set period of inactivity.
Keep this in mind while viewing an end users information. For more information, see
Log Off from a Back Office Application on page 15.

122 5: Managing End-User Accounts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

End Users Account History

After the end user is found, the following information about the end users account is
displayed:
The end users user name
The end users organization
The current status of the end users account
The account history, sorted by the date that the activity occurred
The following figure shows an end users details and account history information.

End User Account History Information

The end users account status can only be one of the following values:
VERIFIED
UNVERIFIED (either started enrollment but did not finish, or was unlocked and
reset by a Customer Service Representative)
LOCKOUT
UNLOCKED
DELETED

Note: Changes to an end users account status may occur due to activities performed
in Case Management and may not be reflected in the Customer Service application.
For example, if a case is changed to Genuine Confirmed in Case Management,
authentication is unlocked.

Depending on the current status of the account, different buttons are available above
the activity table. The availability of the following buttons is dependent on the account
status type for which they are needed:
Unenroll. Available in all end user account states except Deleted.
Terminate authentication sessions. Available in all end user account states
except Deleted.

5: Managing End-User Accounts 123

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Lock. Available in Verified and Unlocked states only.

Unlock. Available in Lockout state only.
Unlock and Reset. Available in Unlocked and Lockout states only.

Note: The Refresh and Search buttons are always active.

Activities within the Account History Information

There are multiple types of activities that can be listed within the end users account
history information. Normal transactions, such as deposits and withdrawals are not
listed. You can see only security-related activities. Activities, which are identified by a
letter and a description, include:
A. End user modified one or more challenge answers.
B. End users locale has changed.
C. End user's account was created.
D. End user's account was deleted.
F. End user preference was modified.
G. End user modified the group membership.
L. End user's account was locked.
M. One or more of the end user's settings was modified.
N. End user has not completed enrollment successfully (the account is unverified).
Q. End user modified one or more challenge questions.
R. End user's account was unlocked or reset.
T. End user contact was modified.
U. End user changed the user name.
V. End user completed enrollment successfully (the account was verified).
These letters can be combined to indicate several activities, for example:
CV. The end user's account was created and verified.
MIQA. The end user modified the questions and answers.
All actions, taken by either you or the end user, create a new entry in the activity table.
When you perform an action on the account, such as unlocking the account, the
Account History page automatically refreshes and displays the new action in the table.
You can click Refresh if you need to refresh faster.

124 5: Managing End-User Accounts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Account Locking
You can lock end user accounts if any of the following occur:
An end user fails authentication.
An end user calls and wants to lock the account because the account information
was stolen or there was unauthorized access to the account.
An end user is delinquent in payments and the account needs to be locked.
An end user is no longer a member of the organization and the account needs to be
deleted. You can lock the account before deleting it.
An end users account can also be locked if the end user incorrectly answered the
challenge questions too many times. The Adaptive Authentication system
automatically locks an account in that case.

Lock an End Users Account

You can lock an end users account so that the end user can no longer access the
account online.
Your company policies may define other reasons to lock an end user's account. Refer
to the policies of your company for a full list of reasons to lock an end users account.

To lock an end users account:

1. Find an End User.
The account information is displayed.
2. Click Lock.

Unlock an End Users Account

You can unlock an end users account that is locked. For information on why an end
users account might be locked, see Account Locking on page 125.
Use the following procedure if the end user locks his or her account, but believes that
he or she knows the correct answer to the challenge questions.

Before You Begin

Verify the end users identity before unlocking the end users account.

To unlock an end users account:

1. Find an End User.
The account information is displayed on screen.
2. Click Unlock.
The end users account information is refreshed and the last activity is now listed as
Unlocked.

5: Managing End-User Accounts 125

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Terminate an End Users Authentication Sessions

You can use the Terminate Authentication Sessions button in the User Details
window to terminate all open authentication sessions for an end user.
When you press this button, the application terminates all open authentication sessions
for the end user specified in the User Details window. The application calls the API
method ResetOpenSessions to perform this task. For more information about this API
method, see the Web Services API Reference Guide.

Before You Begin

Verify the end users identity before resetting the end users account.

To terminate authentication sessions for an end users account:

1. Find an End User.
The account information is displayed.
2. Click Terminate Authentication Sessions.

Reset an End Users Account

This option allows you to unlock and reset an end users account so that, the next time
the end user logs on, the end user must choose new challenge questions. This leaves
the end users account in an unverified state.
Use the following procedure if the end user has locked the account and does not know
the answers to the challenge questions.

Before You Begin

Verify the end users identity before resetting the end users account.

To reset an end users account:

1. Find an End User.
The account information is displayed.
2. Click Reset.
The end users account information is refreshed and the last activity is now listed
as Reset.
3. Inform the end user that he or she can log on to the account, but must choose new
challenge questions and provide the necessary answers.

126 5: Managing End-User Accounts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Account Unenrollment
When you unenroll an end user, the end users account information is made
inaccessible but it is not removed from the database. Although the account
information is flagged for deletion, the actual information is never removed from the
Adaptive Authentication system. If the end user tries to log on to an account that is
unenrolled, the end user cannot access the account information.
Deleted accounts are removed from the system if the scheduled task DeleteUsers is
configured to run after the billing period is over. If the end user is in the DELETED
status, you must use the createUser or analyze AutoCreate request to re-create the
deleted end user.

Unenroll an End User

Use the following procedure if the end user is no longer a member of the organization
and the account needs to be deleted or if there are other conditions requiring that the
end user be unenrolled.

Important: Unenrolling an end user is not reversible by a customer service

representative.

To unenroll an end user:

1. Find an End User.
The account information is displayed.
2. Click Unenroll.
The end users account information is deleted.

Watch an End Users Progress

You can watch an end users progress in near real time to help an end user with any
problems that arise during enrollment or while accessing the security settings.

To watch an end users progress:

1. Find an End User.
The account information is displayed.
2. Click Refresh.
The account information updates and any new information displays automatically.
You can verify for the end user that questions are updated and recognized by the
system.

5: Managing End-User Accounts 127

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

6 Viewing and Analyzing Reports

Report Viewer Application Overview
View and Download Reports
Report Characteristics
Report Types
Report Format
Report Content
RSA provides reports, which consist of basic, unfiltered data, to help you evaluate
RSA Adaptive Authentication (On-Premise) system performance and end-user
behavior.
RSA uses the log files sent by your organization to create different report types. The
Adaptive Authentication version that you use and the type of information you send to
the logs impact the types of information and data that the reports contain.
This chapter describes the Report Viewer application.

Report Viewer Application Overview

The Report Viewer allows you to select and view reports that summarize system user
data, such as the number of end users per month or the number of end users challenged
in a week. The Report Viewer accesses the reports, displays the reports, and presents
the reports in downloadable formats. The Report Viewer does not generate the reports.
The Report Viewer enables you to:
View a list of reports filtered by organization and month
View a list of data ranges for report types based on report naming conventions
(daily, weekly, monthly, or all)
Filter a list of reports based on the your access
The Report Viewer displays reports and provides the necessary access control for
those reports. The reports, in either PDF or comma-separated value (CSV) format, are
put into a specified directory. These reports are retrieved from the file system after you
have extracted and synchronized the report directory structure. For more information,
see the chapter on logs and reports setup in the Operations Guide.

6: Viewing and Analyzing Reports 129

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Reports Directory Structure for the Report Viewer

For proper operation of the report viewer, a directory structure must be created in the
reports directory that you configure for the Report Viewer. The following figure
shows a typical directory structure.

For more information, see the chapter on logs and reports setup in the Operations
Guide.

View and Download Reports

You can view and download a report to see a summary of system user data. The
Report Viewer retrieves information about each organization to which a user has
access, and it presents an organization summary with report type listings for each
organization.

Note: If you do not see a particular organization or its reports, contact the
appropriate party within your company for access to view the reports.

130 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

To view and download a report:

1. On the Reports page, select the organization for which you want to view a report.

2. Select a report type from the following available report types:

Monthly
Weekly
Daily
All
3. Select a report name or ALL to view a list of names.
4. Select the From and To dates to define the range of the reports
5. Click Search.
The system retrieves and presents the reports that meet your conditions. You can
sort the retrieved reports according to the following fields:
Report Type (default)
Report Name
Generated
Date From
Date To
Format
6. Choose the format (PDF or CSV) for the selected report.
Organization names appear as designated in the database. In some cases, for example,
this is a number.

6: Viewing and Analyzing Reports 131

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Report Characteristics

Note: Reports are generated for each organization.

Reports are generated from processed activity logs. Each report covers the end-user
sessions for a specific range of time. Typically, the time range is daily, weekly, or
monthly, except for system trends, which are weekly and monthly.

Note: In a report that covers multiple days, some rules do not fire every day. The
report designates no firing of a rule on a day by a zero (0), which appears periodically
throughout the report.

Time ranges are not configurable. Set up the reporting schedule and time period by
working with RSA Customer Support. If you are viewing the reports with the Report
Viewer, make sure to maintain the directory structure provided by RSA Central. For
more information, see the chapter on logs and reports setup in the Operations Guide.

Important: In general, these logs do not contain sensitive customer data. Data is only
used to examine aggregate behavior and User IDs can be obscured through a hashing
algorithm. To hash User IDs, you must configure the ID Masking parameter in the
Administration Console. Consequently, individual users cannot be identified by User
IDs. For more information about the ID Masking parameter, see the chapter
Administration Console in the Operations Guide.

Note: If dates in a week straddle two months, reports from that one week period are
grouped inside the directory of the first of the two months. For example, if March 31
is a Wednesday and April 1 is a Thursday, a report that focuses on activities during this
time period are grouped inside the March directory.

Report Types
The following report types are available:
Billing Report. Includes statistics used for billing purposes. A roll-up version of
the report contains data from several customers. Customers with multiple
organizations or service providers may find the roll-up version useful for billing
each organization.
Authentication Plug-In Billing Report. Statistics used for billing of the
Authentication Plug-In service. There is a roll-up version of this report.
Blocked Users Report. A detailed report that shows the hashed User IDs for end
users who were denied access to your online application, the rule that caused each
end user to be blocked, and the date and time that each end user was blocked.
Case Management Report. Statistics on case activity and fraudulent transactions
as represented by the Case Log and Events Marking Log from the Case
Management application.

132 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Case Trends Report. A summary of the Case Management Report over a period
of time. This report is generated for weeks and months, instead of days.
eFraudNetwork Report. Counts attempts to access the online system by people
from IP addresses identified in the RSA eFraudNetworkTM service as high risk and
records the result of the attempt.
Forensics Summary Report. Statistics on Risk Analysis parameters, such as
usage by geographical location.
Policy Summary Report. A count of the recommended policy actions and
reasons for each recommendation. The report includes the rules that fired a given
recommended action.
Policy Trends Report. A summary of the Policy Summary Report over a period
of time. This report is generated for weeks and months, instead of days.
Risk Factor Report. Includes the total count of the risk factors that are fired
regarding a transaction, not only the ones that result in recommended actions.
Risk Factor Trends Report. A summary of the Risk Factor Report over a period
of time. This report is generated for weeks and months, instead of days.
System Usage Report. A summary of the business events, such as total logon
attempts, challenges, and lockouts.
System Trends Report. A subset of the System Usage Report, which provides a
breakdown of the events in the System Usage Report by day.

Report Format
RSA provides access to reports every day. To access reports, you must send the log
files to RSA and then download the reports. Reports are available as PDF or CSV
files.

Note: The Blocked Users Report is available only in CSV format.

A report consists of a data table that provides the bulk of the report information.
The report structure is:
Header
One section for each different transaction type
An overall section for all transaction types
Footer

Example of Elements Common to All Reports

Name of Report
==================================
Report Version 6.0
Reporting Period Start Date 7/15/2012 12:00 AM
Reporting Period End Date 8/1/2012 12:00 AM
Timezone PST

6: Viewing and Analyzing Reports 133

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Report Creation Date 8/11/2012

Customer Large Bank
Organization LargeBank

Start Report:
==============================
Transaction Type: X
(report content with potentially multiple sections)
==============================
End of Report

CSV Files
CSV format is recognizable by many analysis software packages, so the data from the
reports can be easily be exported to such a tool for further analysis. RSA consistently
maintains the structure of each report and notifies customers in advance if there are
unavoidable changes to the structure.

CSV File Example (Microsoft Excel)

You can use the Excel grid line identifiers as reference points when exporting to other
programs.

134 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The following figure is an example of a CSV in Excel.

Standard Header and Footer

Header Description
All reports start with a standard header that identifies the report and any pertinent
information about the report. The header contains the following:
Report Name. Identifies the report.
Report Version. Each report has a version number that signifies the Adaptive
Authentication version used to generate this report.

6: Viewing and Analyzing Reports 135

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Reporting Period Date and Time. Each report shows activity for a specific time
range. The values show the date and time zone:
Daily reports list two dates, which indicate a 24-hour period starting on the
first date. For example, December 30 to December 31 is equivalent to a one
day period.
Weekly reports start with Sunday and end the following Sunday. The report
covers a 7-day calendar week that includes Sunday through to and including
the following Saturday. For example, June 18 (Sunday) to June 25 (Sunday)
covers one calendar week which includes June 18, 19, 20, 21, 22, 23, and 24.
Monthly reports list two months. The report covers a period of a full month.
The period begins from the beginning of the first month and continues
through to the start of the first day of the next month. For example, January 1
to February 1 is listed as the report period for the month of January.
Report Creation Date. The date on which the report was generated.
Customer Name. Your name.
Organization. If your organization includes multiple layers of organizations,
Organization is the specific institution to which the report applies. Otherwise,
Organization is the same as the Customer Name.

Header Format
The following is the report header format:
Report Name
Version #
Start Date Month Day, Year
End Date Month Day, Year
Timezone XXX
Creation Date Month Day, Year
Customer Name
Organization Name

Report Header Example

The following figure shows an example of a PDF report header.

Footer Description
All reports end with an end tag line so that you are assured that you received the entire
report.

136 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Report Naming Convention

The report naming convention is:
[<DatesInReport>]_<CustomerName.OrganizationName>_<ReportNam
e>_<ReportPeriod>_<DateTimeGenerated>.<ReportFormat>

Note: If the report is an aggregative report for all organizations under the default
organization, the OrganizationName parameter does not appear in the report name.

The following table describes the naming convention parameters.

Parameter Description

<DatesInReport> The range of dates covered by the report.

The parameter has two formats:
YYYYMMDDThis format only applies to Daily and Custom Report types.
For example, the date April 16 2012 is shown as 20120416 and represents a
report generated for data on April 16, 2012.
YYYYMMDD-YYYYMMDDThis format has a start date and an end date.
This format applies to Weekly, Monthly, and Custom Report types. The range is
assumed to be inclusive of the start date and end date.

<CustomerName> The name of the customer.

<OrganizationName> The name of the organization for which the report was run. The report contains
data on the parent organization all its suborganizations.
This parameter does not appear in an aggregated report, which contains data for all
customer organizations.

<ReportName> The name of the report.

<ReportType> The report type:

Daily
Weekly
Monthly

<DateTimeGenerated> The date and time that the report was run.
The parameter is a single unit representing date and time in
YYYYMMDDHHMMSS format.
A report run at 1:01 p.m. on April 16, 2012 is shown as 20120416130100. If two
reports exist with the same name, view the one with the latest DateTimeGenerated
stamp for the most up-to-date report.

<ReportFormat> The report format:

CSV
PDFAn Adobe Acrobat formatted document, which can be viewed using
Adobe Reader. To download the free application, go to http://www.adobe.com.

6: Viewing and Analyzing Reports 137

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The following table lists examples of valid report types and the naming conventions
that the reports use.

Note: If the report is an aggregative report for all organizations under the default
organization, the OrganizationName parameter does not appear in the report name.

Report Type Report Name

Billing 20120331_BillingReport_DAILY_20120403041822.pdf

Authentication Plug-In 20120301-20060331_AcspBillingReport_MONTHLY_20120403041822.pdf

Billing

Blocked Users 20120920_BlockedUsersReport_DAILY_20120927114219.csv

Case Management 20120411_CaseSummary_DAILY_20120422131617.csv

Case Management Trends 20120701-20120707_CaseManagementTrends_WEEKLY_20120815131254.pdf

eFraudNetwork 20120521_EFNSummary_DAILY_20120612141617.csv

Forensic Summary 20120416_ForensicSummary_DAILY_20120418131554.pdf

Policy Summary 20120409-20120415_PolicySummary_WEEKLY_20120416231809.pdf

Policy Trends 20111224-20111230_PolicyTrends_WEEKLY_20120223051419.pdf

Risk Factor 20120409-20120421_RiskFactor_WEEKLY_20120422231809.csv

Risk Factor Trends 20111224-20111230_RiskFactorTrends_WEEKLY_20120223051425.csv

System Usage 20120416_SystemUsageReport_DAILY_20120417131554.pdf

System Trends 20111224-20111230_SystemTrendsReport_WEEKLY_20120117131554.csv

Report Content
Billing Report
Authentication Plug-In Billing Report
Blocked Users Report
Case Management and Case Management Trends Reports
eFraudNetwork Report
Forensic Summary Report
Policy Summary and Policy Summary Trends Reports
Risk Factor Report and Risk Factor Trends Reports
System Usage and System Trends Reports

138 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

This topic describes the content of the reports and provides report examples.

Billing Report
RSA generates a Billing Report for your institution based on the Billing Logs sent by
your company. RSA uses the data from these daily reports to create the billing
invoices that are sent to your company.
Billing report information can vary due to:
The number of end users enrolled in the Adaptive Authentication system
The number of active end users during a given billing period
RSA consolidates billing information based on different parameters, such as:
All the data for a given customer
All the data centers for a particular institution

Note: If no recent billing data is available, RSA uses the most recent data but notifies
you in the report that the most recent logs for that period were not received.

The following figure shows an example of a Billing Report.

Authentication Plug-In Billing Report

RSA generates daily Authentication Plug-In Billing reports for your institution based
on the Authentication Plug-In Billing Logs sent by your company. From these reports,
RSA validates billing information sent by the Authentication Plug-In and creates
billing invoices that are sent to your company.
Authentication Plug-In Billing Report information includes the following information:
Total number of successful calls made to the Authentication Plug-In for your
company
Total number of failed calls made to the Authentication Plug-In for your company

6: Viewing and Analyzing Reports 139

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Total number of calls made to the Authentication Plug-In for your company

Note: Calls that the Authentication Plug-In triggers are billed regardless of the result.
Possible results include successful authentication, failed authentication, unreachable
numbers, busy lines, and rejected calls.

The following figure shows an example of an Authentication Plug-In Billing Report.

Blocked Users Report

The Blocked Users Report is only available in CSV format. The report contains a
section for each transaction type that includes the following:
Hashed UserID. The hashed User IDs of end users blocked from accessing your
online system.

Note: The User ID will only be hashed if the ID Masking parameter is selected in
the Administration Console. For more information, see the Operations Guide.

Rule. The rule that caused the end user to be blocked

Date. The date and time of day that the end user was blocked

Note: The Blocked Users Report gives you a complete date and time stamp. Make
sure that your CSV reader, for example, Microsoft Excel, can import this complete
date and time stamp without any modification.

140 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The following figure shows an example of a Blocked Users Report.

Case Management and Case Management Trends Reports

The Case Management Report uses Case Logs and Event Marking Logs to create the
report. The Case Management Report relates to the total number of cases:
Opened in this period that originated from the Risk Engine
Opened in this period by fraud analysts
Closed in this period that originated with the Risk Engine
Closed in this period that originated with a fraud analyst
Closed as fraud in this period that originated with the Risk Engine
Closed as fraud in this period that originated with a fraud analyst
Open at the beginning of the report period that originated with the Risk Engine
Open at the beginning of the report period that originated with a fraud analyst
The Case Management Report also displays the following information related to
fraudulent transactions:
Fraudulent Transactions
Suspected Fraudulent Transactions
Genuine Transactions
Assumed Genuine Transactions

6: Viewing and Analyzing Reports 141

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Unknown
Total

Note: The Events Marking Log contains a list of all cases closed on the day the log
was run. For events that were manually flagged, the specific resolution is listed. For
all other events, the resolution is listed as Unknown.

The following figure shows an example of a Case Management Report.

The Case Management Trends Report is a subset of the Case Management Report and
provides a breakdown by day within the reporting period. These reports break down
the Case Management activities into statistics that you can use to track the number of
cases being created and closed while also tracking the instances of fraud.

142 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The following figure shows an example of a Case Management Trends Report.

eFraudNetwork Report
The eFraudNetwork (EFN) Report uses the Audit Logs and identifies the IP addresses
listed in the eFraudNetwork service that pose a potential risk. Based on this
information, this report provides risk analytic information on the following:
The number of logons that correspond to IP addresses listed in the eFraudNetwork
service.
The logons not challenged that correspond to those potentially high-risk IP
addresses listed in the eFraudNetwork service.
The report consists of a table that shows the range of risk scores relative to the number
of times the following elements occurred:
Logon. The number of end users logging on to your online system that have a
high eFraudNetwork score.
Unchallenged. The number of instances in which end users log on without being
challenged, despite using IP addresses listed in the eFraudNetwork service.

Important: End users from high-risk IP addresses listed in the eFraudNetwork

service who enter your online system unchallenged can cause security
concerns for your company. It is important to track the number of
unchallenged end users with a high eFraudNetwork score.

If the Unchallenged element of the report is empty, this indicates that no end users
from high-risk IP addresses accessed your online system during the reporting
period listed on the report.
Denied. The number of instances in which end users do not gain access to your
online system, based on the documented IP addresses listed in the eFraudNetwork
service.
Challenge Failed. The number of instances in which end users are challenged
during logon and fail the challenge.
Challenge Succeeded. The number of instances in which end users are
challenged during logon and successfully meet the challenge requirements.

6: Viewing and Analyzing Reports 143

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

You can use this report to assess the effectiveness of your company policies and
procedures in preventing access by end users with high-risk IPs.
The following figure shows an example of an eFraudNetwork Report.

Forensic Summary Report

This high-level report provides a summary of the forensic information for a reporting
period. The report breaks down the locations from where the main end user population
is accessing the online system. The information in the Forensic Summary Report is
based on the Forensic Logs. Forensic information is taken from the MaxMind data
processed in RSA Central. This information is updated monthly by the customer. For
more information on the Forensic Logs, see the Operations Guide.
The elements of this report are:
IP geographical location distribution:
Number of unique regionsthe total number of regions (states, provinces,
and counties) from which end users are accessing the system
Number of unique countriesthe total number of countries from which end
users are accessing the system
Number of unique citiesthe total number of cities from which end users are
accessing the system
Top 40 IP addresses, listed in descending order, used to log on to your online
system, including:
Number of times the specific IP address was used to log on to your system
Number of end users who logged on from each IP address
Date end users logged on to your system with a particular IP address

Note: An Internet Protocol Version 6 (IPv6) address that can be represented as

an IPv4 address is transformed to the IPv4 format. The address is counted
only once.

Top 10 unique ISPs that logged on to your system and the total number of times
for each ISP, listed in descending order.
Top 10 unique regions (states, provinces, and counties) that accessed your system
and the total number of times for each region, listed in descending order.

144 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

All countries that accessed your system and the total number of times for each
country, listed in descending order.
Each country is identified by its two-digit Alpha-2 ISO 3166-1 country code.

Note: Non-standard country codes do not appear in reports. The following

codes are used for non-standard country codes:
--: Private and experimental reserved addresses
A1: Anonymous proxy
A2: Satellite provider
O1: Other
These statistics are not included in the Summary Statistics Count section.

Top 10 unique cities that accessed your system and the total number of times for
each city, listed in descending order.

Note: The top number counts are based on the assumption that Forensic Logs contain
forensic information for a minimum of 10 cities, 10 regions, 10 ISPs, and 40 IP
addresses. A report may contain less than these minimum values if your Forensic Logs
did not receive the preset minimum values.

The following figure shows an example of a Forensic Summary Report.

6: Viewing and Analyzing Reports 145

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Policy Summary and Policy Summary Trends Reports

The Policy Summary Report provides a summary of logon transactions that resulted in
recommended actions. The report also provides the reasons for each recommendation.
The Policy Summary Trends Report is a summary of the Policy Summary Report over
a period of time and provides a breakdown by day within the reporting period. The
information in the Policy Summary Report and the Policy Summary Trends Report is
based on the Forensic Logs.
Your policies are the main contribution to the Policy Summary and the Policy
Summary Trends Reports. If you have a simple set of policies, you will see a simple
report. These reports show which rule, based on your policies, resulted in an action
that allowed, challenged, strongly challenged, or denied end users access to your
online system.
The reports display a table containing the following components:
Actionthe four types of actions that can occur when rules fire depending on
which rules brought up these actions:
Allowrules that fired and allowed end users to log on successfully
Challengerules that caused some end users to be challenged
Strong Challengerules that caused some end users to be strongly
challenged, which takes the challenge further when needed
Denyrules that prevent some end users from being allowed to log on
Rulethe rule that fired to allow the action to occur
Countnumber of times that a particular rule fired that resulted in an action
occurring
Percentagebreakdown of the count (not part of the Policy Summary Trends
Report)
Grand Totaltwo totals are provided (not part of the Policy Summary Trends
Report):
Total Counttotal number of rules that fired
Total Percentagetotal percentage for each rule that fired
The following figure shows an example of a Policy Summary Report.

146 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The following figure shows an example of a Policy Summary Trends Report.

Risk Factor Report and Risk Factor Trends Reports

The Risk Factor Report provides a summary of all of the risk rules that fired against
all logon transactions (not just ones that resulted in recommended actions). The Risk
Factor Trends Report is a summary of the Risk Factor Report over a period of time
and provides a breakdown by day within the reporting period. The information in the
Risk Factor Report and the Risk Factor Trends Report is based on the Forensic Logs.
Unlike the Policy Summary Report, which focuses only on the first rule that fired and
had a resulting action, the Risk Factor and Risk Factor Trends Reports focus on all the
rules that fired in the chain of rules that allowed or prevented end users from logging
on, along with analyzing the risk values of the rules.
The Risk Factor Report provides risk factor information for:
The total of all transaction types
Each individual transaction type
Each section contains the following elements:
Bar Graph or Table (not part of the Risk Factor Trends Report)
Compares the risk scores to all of the transactions or to a particular transaction to
show the Forensic Score Distribution.
The risk score is a quantifiable number that weighs all the rules that fired and the
risk values to a transaction. The graph presents the distribution of risk scores of
risk factors in a specific transaction. The manner in which you rank the risk
factors when setting up your policies can impact the risk scores.
Includes all the transactions that are evaluated by the Forensic Log.
All the rules do not necessarily corollate to spikes in the bar graph or high
numbers in the table.
Summary Table:
Total Forensics Evaluationsthe transactions that occurred.

6: Viewing and Analyzing Reports 147

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Countthe number of transactions that took place in this reporting period.

Risk Factor Table:
Risk Factora list of all of the rules that fired (not necessarily acted upon).
Counthow many times each particular rule fired but was not necessarily
acted upon.
Percentageeach risk factor count is measured individually to determine the
percentage that caused a particular rule to be counted, not necessarily acted
upon (not part of the Risk Factor Trends Report).

Important: Percentages refer to the percentage of times a risk factor occurs out of all
potential risk factors for a specific transaction type. Because the percentage relates to
one transaction type, the total of percentages for all transaction types is not 100
percent and has no significance.

The following figure shows an example of a Risk Factor Report.

148 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

The following figure shows an example of a Risk Factor Trends Report.

System Usage and System Trends Reports

The System Usage Report gives an overall summary for each activity for the reporting
period. The report relies on the corresponding business events being logged to the
Audit Logs at your site. The System Trends Report is a subset of the System Usage
Report, which provides a breakdown of the events in the System Usage Report by day.
System Usage reports provide the percentage of daily alternative authentications. This
is determined by dividing the number of challenges by the number of end user logons.
The report contains these main parts:
Logon Frequency Graphcounts the number of times end users logged on for the
given period of time that the report covers (not in CSV format or the System
Trends Report)
Generated amounts or percentages for certain business events (not part of the
System Trends Report):
Total User Logonsthe number of successful logons

Note: For Web Services customers, the appearance of a zero (0) in the Total
User Logons count is normal, because RSA does not receive a successful end
user logon reported in the logs. See USER_SIGNIN in the events table for a
count of the number of end users logging onto your system. This count is a
close approximation to Total User Logons.

New User Enrollments (Estimated)the approximate number of new end

users that enrolled in the Adaptive Authentication system
Users Who Changed Their Challenge Questions
Users Denied Access Due to RSA AdaptiveAuth Lock Out
Percentage of daily alternative authenticationdetermined by number of
challenges divided by number of end user logons

6: Viewing and Analyzing Reports 149

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Percentage of daily failed logonsdetermined by number of lock outs

divided by number of end user logons
Event table:
Eventthe activity that occurred. Not all event types are available in all
instances of the application.
Total Usersthe number of times a particular event occurred across all end
users.
Unique Usersthe number of individual end users that came across a
particular event.

Note: Unique Users are counted differently than Total Users. The Unique
Users element counts only those end users who are unique.
For example, if User XYZ logs on five times in one day, Unique User only
counts User XYZ once, but Total User counts User XYZ five times.

Descriptionexplains the meaning of each event.

Events by Process Type

The following is a list describing some of the events of this report by process type:
Logons:
Count of total logon attempts
Count of unique end users who attempted to log on
Count of logons challenged
Count of end users locked out because of failed challenge
Count of logon attempts by end users already locked out
Count of logon attempts by end users not enrolled in the Adaptive
Authentication database
Count of end users declining to be bound to their device
Enrollment:
Count of new end user enrollment attempts
Count of enrollments cancelled
Count of enrollments completed
Count of reenrollments after a customer reset
Maintenance:
Count of completed Challenge Question Maintenance attempts
Count of cancelled Challenge Question Maintenance attempts
Devices:
Total devices used
Total new devices registered

150 6: Viewing and Analyzing Reports

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

A List of Facts
The following table shows the fact categories, the name for each fact, the name of the
fact in previous versions, the fact type, and a description of the fact. For more
information, see Facts on page 44.

Category Fact Name Previous Fact Name Type Description

Account Details # of Days Since First DaysSinceFirstHit Integer The number of days that
Logon passed since the first time the
end user was detected.

# of Days Since Last DaysSinceAddressChan Integer The number of days that

Address Change ge passed since the end user
changed the address.

# of Days Since Last DaysSinceEmailChange Integer The number of days that

E-mail Change passed since the end user
changed the email address.

Note: This fact is applicable

only to the event types
CHANGE_EMAIL,
USER_DETAILS, and
UPDATE_USER.

# of Days Since Last DaysSincePasswordCha Integer The number of days that

Password Change nge passed since the end user
changed the password.

# of Days Since Last DaysSincePhoneChange Integer The number of days that

Phone Number passed since the end user
Change changed the phone number.

# of Challenge challengeTryCount Integer The accumulative number of

Questions Failed failed challenge questions in
all sessions.

# of Hours Since N/A Integer The number of hours since

User ACCT was the user account was opened,
Opened using the on-line application
of their financial institution.

# of Hours Since N/A Integer The number of hours since

User Enrollment the user enrolled in the
on-line application, which is
integrated with Adaptive
Authentication.

A: List of Facts 151

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Account Type N/A List The type of user account from

which funds are transferred.
This fact has a pre-defined
list of account classifications
such as Credit card, Debit
card, and Checking.

Client-Defined User N/A String Account classifications for a

Account Type user account defined by your
organization.

Group Name N/A String Identifies which specific

group an end user belongs to
in a given organization, such
as Small Business, High
Worth, or Retail. Groups do
not define unique end users,
as end users can be moved
from one group to another.

User Account N/A String The end users account

Number (IBAN) number in IBAN format.

User ID N/A User ID The ID of the end user, as sent

in the SOAP request.

User Status N/A List The status of a user from a

pre-defined list that includes
the following values:
DELETE
LOCKOUT
NOTENROLLED
UNLOCKED
UNVERIFIED
VERIFIED

User Type N/A List The classification of users

from a pre-defined list of
values such as:
PERSISTENT
NONPERSISTENT
BAIT

Persistent User userPersistent Boolean Specifies whether the end

user is a registered user of the
system according to the API
request.

152 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Application Browser Cookie clientGenCookie String The client's cookie, which is

Details received using the API.

Browser Language is BrowserLanguageSettin Boolean Specifies whether the browser

Diff from Usual gsDifferentNorm language is different from the
most commonly used browser
language.

Browser Language is BrowserLanguageSettin Boolean Specifies whether the browser

Diff from Previous gsDifferentPrevious language is different from the
browser language in the
previous session.

Browser Time Zone browserTimeZoneDiffer Boolean Specifies whether the current

is Diff from Usual entNorm time zone is different from
the most commonly used time
zone for the end user.

Browser Time Zone browserTimeZoneDiffer Boolean Specifies whether there is a

is Diff from Previous entPrevious difference between the time
zone in the event and the time
zone that appeared in the
previous session.

Difference (hrs) from BrowserTimeZoneDiffer Double The difference in hours

Usual Time Zone enceNorm between the time zone in the
event and the most commonly
used time zone.

Difference (hrs) from BrowserTimeZoneDiffer Double The difference in hours

Previous Time Zone encePrevious between the time zone in the
event and the time zone that
appeared in the previous
session.

User Agent String is userAgentStringDifferen Boolean Specifies whether the current

Diff from Usual tFromNorm user agent is different from
the end user's most common
user agent.

User Agent String is UASNotPrevious Boolean Specifies whether the current

Diff from Previous user agent is different from
the user agent of the previous
session.

ATM Details # of Days Since Card N/A Integer The number of days that
Issued passed since the end users
card was issued.

A: List of Facts 153

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

# of Days Since First N/A Integer The number of days that

ATM Location Use passed since the first time the
end user made an ATM
transaction at a specific
location. The location is
defined by ZIP code, city,
state, and country.

# of Days Since First N/A Integer The number of days that

ATM Use passed since the first time the
end user made a transaction at
a specific ATM. The ATM is
identified by ATM ID.

ATM City N/A String The city in which the ATM is

located.

ATM Country N/A String The country in which the

ATM is located. The value is
a three-letter country code.

ATM ID N/A String The globally unique

identification of the ATM
device.

ATM Owner N/A Boolean Specifies whether the owner

of the ATM device is an RSA
customer who is
implementing the RSA
Adaptive Authentication
(On-Premise) ATM
Protection Module or not.

ATM State N/A String The state in which the ATM is

located.

154 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

ATM Location Type N/A Location The type of location where

Type the ATM device resides. The
possible values are:
BANK BRANCH
PETROL STATION
PUBLIC TRANSPORT
STREET
CONVENIENCE STORE
SUPERMARKET
LEISURE FACILITY
DRIVE THRU
ENTERTAINMENT
VENUE
TRANSPORT
TERMINAL
POST OFFICE
RETAIL OUTLET
CASINO
GOVERNMENT OFFICE
OTHER

Withdrawal Amount N/A Long The amount of cash

withdrawn in the ATM
transaction. The amount is in
the lowest denomination of
the local currency.

Withdrawal Amount N/A Long The amount of cash

in USD withdrawn in the ATM
transaction, in US dollars.

ATM ZIP Code N/A String The 10-digit code for the
neighborhood in which the
ATM is located.

Payee Account N/A String The payees account number

Number (IBAN) in IBAN format.

A: List of Facts 155

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Channel Activity Channel ChannelIndicatorType String The channel from which the
Indicator Indicator event is coming.
The possible values are:
ATM
BRANCH
CALL_CENTER
IVR
MOBILE
OTHER
WEB

Note: Although BRANCH,

CALL_CENTER, IVR, and
OTHER are available as
values in the Policy
Management application, they
are not fully supported by the
Adaptive Authentication
system. You can use these
values in rules, but the Risk
Engine cannot produce an
accurate score based on these
specific channels.

Device Details Cookie Less than 5 cookieLT5DaysOld Boolean Specifies whether the cookie
Days Old is less than 5 days old.

Cookies Disabled in cookiesNotEnabled Boolean Specifies whether the cookies

User Browser in the end user's browser are
disabled according to the
device print attributes.

Device Bound to a newCookieForUser Boolean Specifies whether the device

User is bound to an end user.

Device Recovery deviceRecoveryRisk Double The confidence level with

Confidence Level which the device has been
recovered. Possible values are
between 0 and 1.

Event Comes from AggregatorDevice Boolean Specifies whether the event is

Aggregator Device coming from an aggregator
device.

Java Not Enabled javaNotEnabled Boolean Specifies whether Java is not

enabled according to the
device print attributes.

156 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

JavaScript Not javascriptNotEnabled Boolean Specifies whether JavaScript

Enabled is not enabled according to
the device print attributes.

New and Past Device devicePrintMisMatch Double Specifies whether there is a

Print Mismatch mismatch between the new
device print and the device
print known from the past.
Possible values are between 0
(match) and 1 (mismatch).

# of Bound Devices numDevicesBoundUser Integer Specifies the number of

for User Account bound devices the end user
has (taken from the users
table).

# of Bound Users for numUserAccountsBoun Integer Specifies the number of

Device dDevice bound end users the device
has.

Screen Setting is Diff screenSettingsDifferentF Boolean Specifies whether the current

from Usual romNorm screen setting from the device
print is different from the
most commonly used screen
setting.

Screen Setting is Diff screenSettingsDifferFro Boolean Specifies whether the current

from Previous mPrevSession screen setting from the device
print is different from the
previous screen setting.

User's Device Not userDeviceNotBound Boolean Specifies whether the end

Bound user's device is not bound.

eFraudNetwork Device Fingerprint N/A Integer The risk score of a device

Risk Score fingerprint detected as
fraudulent, as received from
the eFraudNetwork service.
The possible values are: 800,
900, 920, 950, 970 and 1000

IP Risk Score efraudNetworkScore Integer The risk score of an IP

address detected as
fraudulent, as received from
the eFraudNetwork service.
The possible values are: 800,
900, 920, 950, 970 and 1000

A: List of Facts 157

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Payee Risk Score N/A Integer The risk score of a payee

detected as fraudulent, as
received from the
eFraudNetwork service. The
possible values are: 800, 900,
920, 950, 970, and 1000

IP Details IP Location is Diff cookieIPGeoDifferentFr Boolean Specifies whether the

from Usual omNorm geographic location of the
incoming IP address is
different from the geographic
location of the IP address that
the end user most commonly
uses. A match is made if the
city and country names are
the same, and the latitudinal
and longitudinal differences
are less than 0.1 degrees.

# Miles Between cookieIPGeoDistanceFr Double The distance between the

Device IP and First omFirst location of the IP address of
User IP the device from the first
session (represented by this
cookie) and the location of
the IP address in the event.

# Miles Between cookieIPGeoDistanceFr Double The distance between the

Device IP and Usual omNorm most commonly used location
User IP of the IP address of the device
(represented by this cookie)
and the location of the IP
address in the event.

# Miles Between cookieIPGeoDistanceFr Double The distance between the

Device IP and Prev omPrevious location of the IP address of
User IP the device from the previous
session (represented by this
cookie) and the location of
the IP address in the event.

Bank IP and User IP foreignIP Boolean Specifies whether the IP

in Diff Countries address of the bank and IP
address of the end user are in
different countries.

Class A IP Addresses classA String The first segments of the IP

address.

158 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Class B IP Addresses classB String The first two segments of the

IP address.

Class C IP Addresses classC String The first three segments of

the IP address.

Device IP ip String The IP address from which

the device is coming.

Device IP is Diff sourceIPNotCookieIP Boolean Specifies whether the IP

from Event IP address of the device
(represented by this cookie) is
different from the IP address
of the event.

Device IP is Diff cookieIPDifferentFromP Boolean Specifies whether the IP

from Previous IP revious address of the device from the
previous session (represented
by this cookie) is different
from the IP address in the
event.

Device IP Not Found userIPNotLocated Boolean Specifies whether the device

in GeoIP File is coming from an IP address
that is not found in the GeoIP
file, for example, internal IP
addresses.

# Miles Between sourceIPDistanceFromA Double The distance in miles

Input Device IP and verage between the current
Average User IP coordinate and the average of
all past coordinates.

# Miles Between sourceIPDistanceFromPr Double The distance in miles

Input Device IP and evious between the current
Prev User IP coordinate and the previous
coordinate.

# Miles Between sourceIPDistanceFromFi Double The distance in miles

Input Device IP and rst between the location of the IP
First User IP address of the device from the
first session (represented by
the cookie) or by device
recovery and the location of
the IP address in the event.

A: List of Facts 159

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

# Miles Between sourceIPDistanceFromN Double The distance between the

Input Device IP and orm most commonly used location
Usual User IP of the IP address of the device
(represented by this cookie)
and the location of the IP
address in the event.

# Miles Between geoDistanceFromSource Double The distance in miles

Input Device IP and IPToCookieIP between the location of the IP
First Device IP of the device from the
previous session (represented
by the cookie) and the
location of the IP address in
the event.

IP Comes from IPAnonymizer Boolean Specifies whether the IP

Anonymizer address is coming from an
anonymizer.

Moved to New IP sourceIPMovedTooFast Boolean An internal calculation that

Too Fast assesses whether moving to
the new IP address from the
previous IP address happened
too fast.

Location City Name from ipCityCode String The city name taken from the
Details GeoIP GeoIP.
Refer to MaxMind
documentation for supported
values.

Country Code from IPCountryCode String The country code taken from
GeoIP the GeoIP.
Refer to MaxMind
documentation for supported
values.

Country Code from N/A String The country code taken from
Geolocation File the geolocation file.
(Mobile)

ISP from GeoIP ipIsp String The Internet service provider

taken from the GeoIP.
Refer to MaxMind
documentation for supported
values.

160 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

ISP not in ISPGeoNotFoundForDe Boolean Specifies whether the Internet

Geolocation File for vice Service Provider is not found
Device in the geolocation file for the
historical IP addresses of the
specified device.

ISP not in ISPGeoNotFoundForUs Boolean Specifies whether the Internet

Geolocation File for er service provider is not found
User in the geolocation file for the
historical IP addresses of the
specified end user.

Region Code from IPAddress String The region code of the

GeoIP location from which the user
issued their request, as
defined by GeoIP.
Refer to Max Mind
documentation for supported
region code values.

Region Code from IpRegion String The region code taken from
GeoIP GeoIP.
Refer to MaxMind
documentation for supported
values.

Payee Details # of Days Payee is payeeProfileAge Integer The number of days that the
Associated with User payee is associated with the
end user.

# of Hours Since N/A Integer The number of hours since

Payee ACCT was the payee account was
Opened opened, using the on-line
application of their financial
institution.

Client-Defined Payee N/A String The classification of a payee

Account Type account, defined by your
organization, to which the
user directs funds.

A: List of Facts 161

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Level of Auth payeeAuthStatus String Specifies the relationship

Method Passed or between the authentication
Failed method requested and the
level of the authentication
method passed or failed by a
payee account to which funds
are transferred. The possible
values are:
NA. Authentication not
requested
FL. Failed authentication
FL_PWD. Failed low-level
authentication
PS. Passed authentication
COL. Passed medium-level
authentication
GEN. Passed maximum
level authentication
H_FL. Failed mobile
authentication.

Payee Account PayeeOwnershipType String The owner of the other

Owner account to which the end user
is sending funds.
Possible values are:
ME_TO_ME
ME_TO_YOU

Payee Account Type PayeeType String The type of payee account to

which the end user directs
funds.
Possible values are:
BILLER. Used for bill
payment.
PERSONAL_ACCOUNT.
Used for transfer to a
different personal account.

162 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Payee Bank Type PayeeBank String The type of bank account to

which funds are transferred or
deposited.
Possible values are:
OTHER_BANK. The
payee's account is with
another bank.
SAME_BANK. The
payee's account is with the
same bank.

Total Amount of N/A Double Accumulated payment

Transfer or Payment amounts are transferred or
in USD deposited into the payee
account, in values of USD
and USD cents, using specific
SOAP calls. These values are
accumulated by Adaptive
Authentication over an
unlimited amount of time.

Total Amount of N/A Long Accumulated payment

Transfer or Payment amounts are transferred or
in Whole USD deposited into the payee
account, in whole USD
values, using specific SOAP
calls. These values are
accumulated by Adaptive
Authentication over an
unlimited amount of time.

Risk Score Risk Score score Number The risk score received from
the RSA Risk Engine.
Possible values are between 0
and 1,000.

A: List of Facts 163

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Transaction Day of the Week CurrentDayOfWeek String The day of the week of the
Details transaction.
Possible values are the
numbers 1-7, corresponding
to the days of the week:
1. Sunday
2. Monday
3. Tuesday
4. Wednesday
5.Thursday
6. Friday
7. Saturday

# of Payments payeeAccumulated3Day Double The number of payments

During Last 3 Days sAmount made by the end user through
the account during the last
three days.

# of Payments Made payeeNumberOfPaymen Integer The number of payments

by User ts made by the end user through
the account.

Transaction Amount transactionAmount Long The amount of the

transaction, in local currency,
as received using the API.

Transaction Amount transactionAmountInUS Long The amount of the transaction

in USD D in US dollars.

Transaction Schedule TransactionSchedule String Defines how soon and how

often the payee receives
payment. The possible values
are:
IMMEDIATE. For
immediate execution.
SCHEDULED. Scheduled
for a future date.
RECURRING. A recurring
transfer.

164 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Transaction Speed ExecutionSpeed String Determines how fast a

transaction takes place. The
possible values are:
FEW_HOURS. Execution
of the action takes place
within a few hours.
OVER_NIGHT. Execution
of the action takes place
overnight.
REAL_TIME. Execution
of the action takes place in
real time.
SEVERAL_DAYS.
Execution of the action
takes place within several
days.

Transaction Type transactionMedium String The type of transaction made.

The possible values are:
BILLPAY_MAIL
BILLPAY_ELEC
WIRE
ACH
INTERNAL
BALANCE_TRANSFER
INTL_WIRE
CHECK

TRANS AMT in N/A Double The amount of the

Local CURR transaction, in decimal-based
Decimal format values of the local currency,
as received using the API.

TRANS AMT in N/A Double The amount of the

USD Decimal format transaction, in decimal-based
values in US cents, as
received using the API.

TRANS AMT in N/A Long The amount of the

Whole Local transaction, in whole values
Currency of the local currency, as
received using the API.

TRANS AMT in N/A Long The amount of the

Whole USD transaction, in whole USD
values, as received using the
API.

A: List of Facts 165

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Category Fact Name Previous Fact Name Type Description

Trojan Activity # of Days Since N/A Integer The number of days that have
Trojan Infection passed since the time that a
Trojan infection was detected
on the end users computer.

Trojan Attack N/A Boolean Specifies whether a Trojan

Occurred attack was detected on the
end users computer.

166 A: List of Facts

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

B Rules in the Reference Policy

The following table shows the names and details of the rules in the reference policy.
For more information, see Reference Policy on page 40.

Order Rule Name Event Types Condition Expression Action

1 Very High All Logon event Condition 1 Category: Risk Score Action: Deny
Risk types Fact Name: Risk Score Create a Case: Yes
Activities All Transaction
Operator: Greater Than
event types
Value: 990

2 Enrollment Create User Condition 1 Category: Risk Score Action: Deny

and Profile Enroll Fact Name: Risk Score Create a Case: Yes
Update Update Use Operator: Greater Than
Protection
Value: 900

3 Gold List All Logon event Condition 1 Expression 1 Action: Allow

types Expression Operator: OR Create a Case: No
All Transaction Category: IP Details
event types
Fact Name: Device IP
Operator: Within
Value: IP on Gold List
Custom List: IP on Gold List

Condition 1 Expression 2
Expression Operator: OR
Category: Account Details
Fact Name: User ID
Operator: Within
Value: User on Gold List

B: Rules in the Reference Policy 167

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Order Rule Name Event Types Condition Expression Action

4 Black List All Logon event Condition 1 Expression 1 Action: Deny

types Expression Operator: AND Create a Case: Yes
All Transaction Category: IP Details
event types
Fact Name: Device IP
Session Sign-in
Create User Operator: Within
Enroll Value: IP on Black List
Update User Custom List: IP on Black List

Condition 1 Expression 2
Expression Operator: AND
Category: Device Details
Fact Name: User Device Not
Bound
Operator: Equals
Value: TRUE

Condition 2 Expression 1
Expression Operator: AND
Category: Location Details
Fact Name: Country Code
from GeoIP
Operator: Within
Value: Country on Black List
Custom List: Country on
Black List

Condition 2 Expression 2
Expression Operator: AND
Category: Device Details
Fact Name: User Device Not
Bound
Operator: Equals
Value: TRUE

168 B: Rules in the Reference Policy

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Order Rule Name Event Types Condition Expression Action

5 Watch List All Logon event Condition 1 Expression 1 Action: Challenge

types Expression Operator: AND Create a Case: Yes
All Transaction Category: IP Details (When
event types Authentication
Fact Name: Device IP
Session Sign-in Fails)
Operator: Within
Value: IP on Watch List
Custom List: IP on Watch
List

Condition 1 Expression 2
Expression Operator: AND
Category: Device Details
Fact Name: User Device Not
Bound
Operator: Equals
Value: TRUE

Condition 2 Expression 1
Expression Operator: AND
Category: Location Details
Fact Name: Country Code
from GeoIP
Operator: Within
Value: Country on Watch List
Custom List: Country on
Watch List

Condition 2 Expression 2
Expression Operator: AND
Category: Device Details
Fact Name: User Device Not
Bound
Operator: Equals
Value: TRUE

6 User Not Session Sign-in Condition 1 Category: Account Details Action: Review
Persistent Fact Name: Registered User Create a Case: Yes
of the System
Operator: Equals
Value: FALSE

B: Rules in the Reference Policy 169

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Order Rule Name Event Types Condition Expression Action

7 Logon Session Sign-in Condition 1 Category: Device Details Action: Allow

Protection - Fact Name: Event Comes Create a Case: No
Aggregator from Aggregator Device
Device
Operator: Equals
Value: TRUE

8 Logon Session Sign-in Condition 1 Expression 1 Action: Challenge

Protection - Expression Operator: AND Create a Case: Yes
IP in eFN (When
Category: eFraudNetwork
and Device Authentication
Not Bound Fact Name: eFraudNetwork
Fails)
Risk Score
Operator: Greater Than
Value: 900

Condition 1 Expression 2 Action: Challenge

Expression Operator: AND Create a Case: Yes
Category: Device Details (When
Authentication
Fact Name: User Device Not
Fails)
Bound
Operator: Equals
Value: TRUE

9 Logon Session Sign-in Condition 1 Category: Risk Score Action: Challenge

Protection Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 900

10 Logon Session Sign-in Condition 1 Category: Device Details Action: Challenge

Protection - Fact Name: User Device Not Create a Case: Yes
Device Not Bound (When
Bound Authentication
Operator: Equals
Fails)
Value: TRUE

170 B: Rules in the Reference Policy

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Order Rule Name Event Types Condition Expression Action

11 Logon Session Sign-in Condition 1 Expression 1 Action: Challenge

Protection - Expression Operator: AND Create a Case: Yes
Device (When
Category: Location Details
Fingerprint Authentication
Mismatch Fact Name: ISP not in
Fails)
Geolocation File for User
Operator: Equals
Value: TRUE

Condition 1 Expression 2 Action: Challenge

Expression Operator: AND Create a Case: Yes
Category: Device Details (When
Authentication
Fact Name: Mismatch
Fails)
between New and Past
Device Print
Operator: Greater Than
Value: 0.75

12 Logon Session Sign-in Condition 1 Category: Risk Score Action: Review

Protection - Fact Name: Risk Score Create a Case: Yes
Medium
Operator: Greater Than
Risk
Value: 699

13 Logon Session Sign-in Condition 1 Category: Device Details Action: Allow

Protection - Fact Name: User Device Not Create a Case: No
Bound Bound
Device
Operator: Equals
Value: FALSE

14 New Payee Payment Condition 1 Expression 1 Action: Review

Payment Expression Operator: AND Create a Case: Yes
Protection
Category: Risk Score
Fact Name: Risk Score
Operator: Greater Than
Value: 600

Condition 1 Expression 2 Action: Review

Expression Operator: AND Create a Case: Yes
Category: Payee Details
Fact Name: Days That Payee
is Associated with User
Operator: Equals
Value: 0

B: Rules in the Reference Policy 171

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Order Rule Name Event Types Condition Expression Action

15 Mail Bill Payment Condition 1 Expression 1 Action: Review

Payment Expression Operator: AND Create a Case: Yes
Protection
Category: Risk Score
Fact Name: Risk Score
Operator: Greater Than
Value: 799

Condition 1 Expression 2 Action: Review

Expression Operator: AND Create a Case: Yes
Category: Transaction
Details
Fact Name: Transaction Type
Operator: Equals
Value: BILLPAY_MAIL

16 Electronic Payment Condition 1 Expression 1 Action: Review

Bill Expression Operator: AND Create a Case: Yes
Payment
Category: Risk Score
Protection
Fact Name: Risk Score
Operator: Greater Than
Value: 799

Condition 1 Expression 2 Action: Review

Expression Operator: AND Create a Case: Yes
Category: Transaction
Details
Fact Name: Transaction Type
Operator: Equals
Value: BILLPAY_ELEC

172 B: Rules in the Reference Policy

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Order Rule Name Event Types Condition Expression Action

17 Wire Payment Condition 1 Expression 1 Action: Review

Payment Expression Operator: AND Create a Case: Yes
Protection
Category: Risk Score
Fact Name: Risk Score
Operator: Greater Than
Value: 599

Condition 1 Expression 2 Action: Review

Expression Operator: AND Create a Case: Yes
Category: Transaction
Details
Fact Name: Transaction Type
Operator: Equals
Value: WIRE

18 ACH Payment Condition 1 Expression 1 Action: Review

Payment Expression Operator: AND Create a Case: Yes
Protection
Category: Risk Score
Fact Name: Risk Score
Operator: Greater Than
Value: 599

Condition 1 Expression 2 Action: Review

Expression Operator: AND Create a Case: Yes
Category: Transaction
Details
Fact Name: Transaction Type
Operator: Equals
Value: ACH

20 Change Change_Email Condition 1 Category: Risk Score Action: Review

Email Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 699

21 Change Change_Phone Condition 1 Category: Risk Score Action: Review

Phone Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 599

B: Rules in the Reference Policy 173

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Order Rule Name Event Types Condition Expression Action

22 Change Change_Address Condition 1 Category: Risk Score Action: Review

Address Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 599

23 Change Change_Password Condition 1 Category: Risk Score Action: Challenge

Password Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 899

24 Edit Payee Edit_Payee Condition 1 Category: Risk Score Action: Review

Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 599

25 Add Payee Add_Payee Condition 1 Category: Risk Score Action: Review

Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 599

26 Request Condition 1 Category: Risk Score Action: Review

New PIN Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 599

27 Request Condition 1 Category: Risk Score Action: Review

Credit Fact Name: Risk Score Create a Case: Yes
Operator: Greater Than
Value: 900

174 B: Rules in the Reference Policy

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

C List of Event Types

The following table lists the event types supported by the RSA Adaptive
Authentication (On-Premise) system. For more information, see Event Types on
page 42.

Event Type Description

ACTIVATE_CARD The user attempts to activate a card (for example, debit, credit)

ADD_PAYEE The user attempts to add a new payee to their list of payees

CARD_PIN_CHANGE The user attempts to change the PIN of a credit or debit card.

CHANGE_ADDRESS The user attempts to change their standard mailing address

CHANGE_ALERT_SETTINGS The user attempts to change their settings for receiving alerts (for
example, an alert when a change is made to their account)

CHANGE_AUTH_DATA The user attempts to change their authentication data (for example,
phone number, challenge questions)

CHANGE_EMAIL The user attempts to change their contact email address

CHANGE_LIFE_QUESTIONS The user attempts to change the questions/answers they want to see if
they are challenged by this form of additional authentication

CHANGE_LOGIN_ID The user attempts to change their login ID

CHANGE_PASSWORD The user attempts to change the password they use to access the
organizations online system

CHANGE_PHONE The user attempts to change their contact phone number

CHANGE_STATEMENT_SETTINGS The user attempts to change their settings for statement display or
receipt

CLIENT_DEFINED The organization attempts to define their own event type to use
instead of or in addition to the RSA default event types. The RSA
Risk Model is run on the event type combination.

CREATE_USER The organization attempts to add an online user

DEPOSIT The user attempts to initiate a deposit

EDIT_PAYEE The user attempts to edit a payee in their list of payees

ENROLL The user attempts to enroll into the organizations online system

C: List of Event Types 175

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Event Type Description

EXTRA_AUTH The organization notifies the Adaptive Authentication system of the

result of external authentication. The system is informed if the
authentication is successful and if the user's profile is updated to
determine whether the transaction is genuine or fraudulent.

FAILED_CHANGE_PASSWORD_ The user's attempt to change the password fails.

ATTEMPT

FAILED_LOGIN_ATTEMPT The user's attempt to be authenticated when logging into the

organizations online system is unsuccessful.

FAILED_OLB_ENROLLED_ The user's attempt to enroll online is unsuccessful.

ATTEMPT

NULL NA

OLB_ENROLL The user attempts to enroll online.

OLB_PASSWORD_CHANGE The user attempts to change the on-line banking password.

OPEN_NEW_ACCOUNT The user attempts to open a new account.

OPTIONS_TRADE The user attempts to initiate a stock options trade.

PAYMENT The user attempts to initiate a payment to a payee.

READ_SECURE_MESSAGE The user attempts to read secure messages.

REQUEST_CHECK_COPY The user requests a copy of their checks.

REQUEST_CHECKS The user requests to order checks.

REQUEST_CREDIT The user requests credit.

REQUEST_NEW_CARD The user requests a new card (for example, debit, credit).

REQUEST_NEW_PIN The user requests a new PIN.

REQUEST_STATEMENT_COPY The user request for a copy of the statement.

SEND_SECURE_MESSAGE The user attempts to send a secure message.

SESSION_SIGNIN The user attempts to sign into an online session.

STOCK_TRADE The user attempts to initiate a stock trade.

UPDATE_USER The user attempts to update user information.

USER_DETAILS The user attempts to view user details.

VIEW_CHECK The user attempts to view a check.

176 C: List of Event Types

 RSA Adaptive Authentication (On-Premise) 7.1 Back Office Users Guide

Event Type Description

VIEW_STATEMENT The user attempts to view account statement.

WITHDRAW The user attempts to initiate a withdrawal from the users account.

C: List of Event Types 177