Manage policies

As an admin, you’re constantly trying to balance protecting the organization’s resources security with a need to empower your users instead of hindering their productivity. With Akamai MFA policies, you can reconcile those conflicting objectives and flexibly apply access controls that ensure compliance with the corporate security requirements.

All Akamai MFA policies contain the following basic elements also referred to as subpolicies:
  • The New user policy. Defines the policy that you want to apply to new users attempting to access protected application. See Configure policy for a new and existing user to learn more.

  • The Existing user policy. Defines the policy that you want to apply to users who exist in the Akamai MFA service and have at least one authentication device assigned to their account. See Configure policy for a new and existing user to learn more.

  • Smart device. Lets you define conditions that devices registered in Akamai MFA must meet before they can be used for authentication purposes. See Configure your device posture policy to learn more.

  • Authentication factors. Provides you with a list of supported authentication methods that you can enable for users. See Allowed authentication methods.

  • Browser. Lets you indicate the allowed and denied browsers used to access the protected applications. See Configure your device posture policy to learn more.

  • OS. Lets you indicate allowed and denied operating systems running on devices used to access the protected applications and receive push notifications. See Configure your device posture policy to learn more.

  • Lockout. Lets you define the allowed number of failed log-in attempts. If the user exceeds this number, their account is automatically locked-out for the period of time that you specified in the Lockout Duration field. See Configure your lockout policy to learn more.

You can edit settings of the above subpolicies for the following policy types:

  • Global policy. This is a high-level policy that contains default and recommended security rules. This policy is assigned to your organization during the onboarding. It applies to all users across all integrations. You cannot delete the global policy, but you can edit its settings. You can also create a custom policy with more specific rules that override the global policy.
  • Custom policies. These are more granular, configurable access control rules that let you selectively apply criteria belonging to a given subpolicy. With custom policies, you can configure security restrictions that differ from the global policy, and apply them to a selected resource. For example, you can designate that only devices with enabled device attestation or biometric lock can access a particularly sensitive application. You can also assign less restrictive authentication requirements to a group of users working with less sensitive resources.

In Akamai MFA you can assign your custom policies to one or multiple integrations, groups, users.

When you’re configuring your policy system, remember that Akamai MFA policies are evaluated in order from most specific (i.e. the policy that refers to users) to most general (i.e. the policy that refers to the entire organization). This means that the following rules apply to the Akamai MFA policies:
  • The user policy overrides all other policies
  • The group policy overrides the integration and global policies
  • The integration policy overrides the global policy.

If two policies are equally specific, for example, both are group policies, and they comprise conflicting settings, then the most restrictive subpolicies are applied.

The Policies page lets you view all configured policies in your organization. Policies display in the table, which gives you an immediate insight into the affected resources, and applied restrictions.

With the Policies page, you can also:

  • Clone the existing policies by clicking Clone policy. See Configure custom policies.
  • Create new policies by clicking Add policy.
  • Display the policy's settings by clicking its name. See Edit the global policy.
  • Update the list of integrations, groups and users that are assigned to all configured policies by clicking the Associate (clip) icon in the Assigned to column.