Create a Risk Policy Set

Number of APIs: 2

This activity shows you how to create a new risk policy. This scenario illustrates the following common operations supported by the PingOne APIs:

  • Get the environment ID
  • Create a risk policy set by defining one or more risk policies

Prerequisites

Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.

Workflow order of operations

To create the new risk policy set, the following tasks must be completed successfully:

  1. Make a GET request to the /environments endpoint to get the environment resource ID.

  2. Make a POST request to /environments/{{envID}}/riskPolicies to create a new risk policy set resource.

Policy set logic

A risk policy set must have at least one defined risk policy, which includes the following components:

  • Condition. The policy logic to define when the policy is evaluated to true and when it is evaluated to false.

  • Result. The policy logic to define what should be returned in case the condition is evaluated to true.

  • Priority. (Optional) A priority ranking to define the execution order of the different risk policies contained in the policy set.

For this use case, you will define a simple risk policy set that includes two risk policies: A whitelist that evaluates risk based on the user's IP address, and an anonymous network detection check.

The following JSON shows the elements defined in the whitelist risk policy. The condition.contains expression uses the ${transaction.ip} condition variable to get the user's IP address and compare it to a range of IP addresses that are considered safe. If the user's IP address is within the range set in condition.ipRange, the condition evaluates to true, and the result.level is set to LOW, indicating low risk for this policy condition.

    "riskPolicies": [
        {
            "name": "WHITELIST",
            "priority": 1,
            "result": {
                "level": "LOW"
            },
            "condition": {
                "contains": "${transaction.ip}",
                "ipRange": [
                    "1.1.1.1/16",
                    "2.2.2.2/24"
                ]
            }
        }
    ]

The following JSON shows the elements defined in the anonymous network detection risk policy. The condition.equals expression compares the ${details.anonymousNetworkDetected} condition variable in condition.value to true, which determines whether the user is attempting to authenticate from an anonymous network. If the condition evaluates to true, then the result.level is set to HIGH, indicating that this is a high-risk transaction.

     ...
            "name": "ANONYMOUS_NETWORK_DETECTION",
            "priority": 2,
            "result": {
                "level": "HIGH",
                "type": "VALUE"
            },
            "condition": {
                "equals": true,
                "value": "${details.anonymousNetworkDetected}"
            },

For more information about risk policies, see Risk Policies.

  1. Step 1: Get the environment ID GET {{apiPath}}/environments?limit=1

  2. Step 2: Create a risk policy set POST {{apiPath}}/environments/{{envID}}/riskPolicySets
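The two-step workflow above, carried through in Python as an added example; this is not PingOne's own SDK or sample code. It uses the endpoints shown in the steps (GET {{apiPath}}/environments?limit=1 and POST {{apiPath}}/environments/{{envID}}/riskPolicySets) and the two policies described earlier, and assumes that the POST body carries a "name" next to the "riskPolicies" array, that the GET response lists environments under _embedded.environments, and placeholder values for the API path and the worker-application token. Only the standard library is used, and nothing is sent at import time, so the builders and the pre-flight validator run offline. The validator also covers a client-side caveat: ranges such as 1.1.1.1/16 have host bits set, so they are normalized to their network address before being placed in ipRange.

```python
"""Build, check and submit a PingOne risk policy set (added example, not PingOne code)."""
import ipaddress
import json
import urllib.request
from typing import Any


def whitelist_policy(ip_ranges: list[str], priority: int = 1) -> dict[str, Any]:
    """Policy 1 from the page: LOW risk when ${transaction.ip} falls inside ipRange."""
    return {
        "name": "WHITELIST",
        "priority": priority,
        "result": {"level": "LOW"},
        "condition": {"contains": "${transaction.ip}", "ipRange": list(ip_ranges)},
    }


def anonymous_network_policy(priority: int = 2) -> dict[str, Any]:
    """Policy 2 from the page: HIGH risk when an anonymous network is detected."""
    return {
        "name": "ANONYMOUS_NETWORK_DETECTION",
        "priority": priority,
        "result": {"level": "HIGH", "type": "VALUE"},
        "condition": {"equals": True, "value": "${details.anonymousNetworkDetected}"},
    }


def normalize_ip_ranges(ranges: list[str]) -> list[str]:
    """Rewrite each CIDR to its network address, e.g. 1.1.1.1/16 -> 1.1.0.0/16."""
    return [str(ipaddress.ip_network(r, strict=False)) for r in ranges]


def build_risk_policy_set(name: str, policies: list[dict[str, Any]]) -> dict[str, Any]:
    """Assemble the POST body; policies are ordered by priority, unset priority last.
    The top-level "name" field is an assumption of this example."""
    ordered = sorted(policies, key=lambda p: p.get("priority", float("inf")))
    return {"name": name, "riskPolicies": ordered}


def validate_risk_policy_set(body: dict[str, Any]) -> list[str]:
    """Pre-flight checks mirroring the page's rules (at least one policy, each with a
    condition and a result, optional but unique priorities) plus a strict CIDR check."""
    problems: list[str] = []
    policies = body.get("riskPolicies") or []
    if not policies:
        problems.append("a risk policy set needs at least one risk policy")
    seen: set[int] = set()
    for pol in policies:
        label = pol.get("name", "<unnamed>")
        for key in ("condition", "result"):
            if key not in pol:
                problems.append(f"{label}: missing {key}")
        prio = pol.get("priority")
        if prio is not None:
            if prio in seen:
                problems.append(f"{label}: duplicate priority {prio}")
            seen.add(prio)
        for cidr in pol.get("condition", {}).get("ipRange", []):
            try:
                ipaddress.ip_network(cidr)  # strict mode rejects host bits set
            except ValueError:
                problems.append(f"{label}: ipRange entry {cidr!r} has host bits set")
    return problems


def environments_request(api_path: str, token: str) -> urllib.request.Request:
    """Step 1: GET {{apiPath}}/environments?limit=1 with the worker-app token."""
    req = urllib.request.Request(f"{api_path}/environments?limit=1", method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def extract_environment_id(payload: dict[str, Any]) -> str:
    """Read the first environment's id (assumed _embedded.environments list)."""
    return payload["_embedded"]["environments"][0]["id"]


def create_policy_set_request(api_path: str, env_id: str, token: str,
                              body: dict[str, Any]) -> urllib.request.Request:
    """Step 2: POST {{apiPath}}/environments/{{envID}}/riskPolicySets."""
    req = urllib.request.Request(f"{api_path}/environments/{env_id}/riskPolicySets",
                                 data=json.dumps(body).encode("utf-8"), method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def send(req: urllib.request.Request) -> dict[str, Any]:
    """Perform the request and decode the JSON response (network access)."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    API_PATH = "<apiPath>"                  # placeholder: your PingOne API base path
    TOKEN = "<worker-app-access-token>"     # placeholder: token from the worker app
    env_id = extract_environment_id(send(environments_request(API_PATH, TOKEN)))
    body = build_risk_policy_set("Example risk policy set", [
        anonymous_network_policy(),
        whitelist_policy(normalize_ip_ranges(["1.1.1.1/16", "2.2.2.2/24"])),
    ])
    problems = validate_risk_policy_set(body)
    if problems:
        raise SystemExit("\n".join(problems))
    print(json.dumps(send(create_policy_set_request(API_PATH, env_id, TOKEN, body)), indent=2))
```

The builder sorts by priority so the JSON sent matches the execution order the page describes, and the validator runs before any request leaves the machine; with the page's own sample ranges left un-normalized it reports both entries, which is why the main block passes them through normalize_ip_ranges first.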