RapidIdentity Administrators' and Users' Guide

Create a Claim Policy

The Claim Policy Manager allows administrators to define a policy allowing new users to claim an account as their own.

Multiple claim policies can be created to serve different user groups.


One use case for multiple Claim policies is requiring users with privileged access to answer more specific questions (a specified Global Attribute List attribute), match a specific LDAP filter (the User Matching Filter), or belong to a particular organizational unit in the directory service (the Search Base DN) before they can claim their account.

A claim policy consists of a list of attributes that a user must know about themselves in order to prove account ownership. For example, the attribute list could be a special code that HR emailed to the user (and that is stored in the LDAP directory), or a list of personal attributes such as birthdate, address information, or other specific identity values.

Creating a Claim Policy
  1. To create a claim policy, first navigate to the Configuration menu.

  2. In the Policies section, click Claim.

  3. A new Claim Policy can be created by cloning an existing policy or clicking the plus icon. Existing Claim policies can be removed by clicking the minus icon.



    When more than one Claim Policy exists, use the up and down arrows to set the priority order of the Claim policies.

  4. There are three tabs in this menu to configure. The General tab lets administrators name and enable the Claim policy and define the user population to which it applies. The accompanying screenshots are filled in with example values, which the steps below refer to.

    1. Enter a Name that provides a quick idea of the policy. In this example, we are making a Claim Policy for employees in the IT department.

    2. Enter a description to help identify this policy.

    3. Click the checkbox to Enable this policy. This can also be done last, after the rest of the policy has been configured.

    4. The Affected Users section tells RapidIdentity where to search for the account when a user attempts to claim it under this policy. Search Base DN restricts the scope of where RapidIdentity searches, and User Matching Filter defines which attributes to match within that scope to find the associated user.

      1. The Search Base DN field uses the Base DN's distinguishedName attribute to define where RapidIdentity should search to match the requested user account. Narrowing this search scope reduces the work RapidIdentity must do to identify the user. For this example, we used DC=Test,DC=local.

      2. The User Matching Filter field uses LDAP syntax. Open the LDAP Builder to choose the specific filter by which to narrow user identification during the Claim Account procedure. For this example, we are searching for user accounts associated with the IT department.

    5. Populate the Message to Show on Complete field with a message to be displayed to the user upon a successful system match. You can format the message further by clicking the right arrow icon next to the field to access a rich text editor.

  5. The Questions tab allows administrators to populate a required list of attributes the user must know about their account in order to claim it.

    1. Choose the Global Attribute List (GAL) item to use to match the user's claim request to an account in the system. In this example, Email is used; the user claiming an account under this policy would have to provide the email address associated with the account in order to proceed.

    2. The Display Name is what will appear above the request field to the user.

    3. An optional Description can provide more details on this request attribute for the user.

  6. Administrators can define a User Agreement to which users must agree as a condition of claiming their account. The agreement can be a simple notice, or it can require the user to check a box to affirm agreement with the text.

    1. The Enabled checkbox determines whether a user agreement will be required for this claim policy. If left unchecked, none of the below fields will appear and the user will not be required to agree in order to claim the account. With it checked, the following fields will be configurable.

    2. Give the agreement an optional Title to appear above the agreement Body. This should summarize the text that follows.

    3. This optional Body text is the main content of the agreement. It can describe legal or compliance requirements, along with any other information the user needs in order to claim the account. Click the right arrow icon to access a rich text editor for formatting.


      Once the message has been formatted, click Submit.

    4. The Agreement Message is a required field if the User Agreement is enabled, and is the minimum value required for a user agreement. There is no rich text editor for this field.

    5. Check Agreement Required to include a checkbox above the Agreement Message that the user will be required to check as part of the claim account process.

  7. Once all fields have been configured, click Save in the action bar.

  8. If you did not enable the policy in step 4, go back to the General tab and enable it now.

  9. The user should now be able to use the Claim My Account procedure within this policy.
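The following is an added, stand-alone Python illustration (not RapidIdentity code) of how the General tab settings (Search Base DN, User Matching Filter) and the Questions tab attributes from the procedure above combine to accept or refuse a claim. The in-memory directory, the policy values and the claimant's answers are all constructed; a minimal LDAP filter evaluator stands in for the directory server, and a claim is only accepted when exactly one in-scope account matches every answered question.

```python
from fnmatch import fnmatchcase

# Added example, not RapidIdentity code. Constructed stand-in for the LDAP
# directory: DN -> attributes (lower-case attribute names).
DIRECTORY = {
    "CN=Ann Lee,OU=IT,DC=Test,DC=local": {"department": "IT", "mail": "ann.lee@test.local"},
    "CN=Bob Ray,OU=IT,DC=Test,DC=local": {"department": "IT", "mail": "bob.ray@test.local"},
    "CN=Cy Wu,OU=Sales,DC=Test,DC=local": {"department": "Sales", "mail": "cy.wu@test.local"},
    "CN=Dee Fox,OU=IT,DC=Other,DC=local": {"department": "IT", "mail": "dee.fox@other.local"},
}

# Constructed policy mirroring the text's example: IT department, Email question.
POLICY = {
    "search_base_dn": "DC=Test,DC=local",
    "user_matching_filter": "(&(department=IT)(mail=*))",
    "questions": ["mail"],  # GAL attributes the claimant must know
}

def parse_filter(s, i=0):
    """Minimal LDAP (RFC 4515) filter parser: &, |, ! and equality with * wildcards."""
    assert s[i] == "(", "filter component must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def matches(node, entry):
    if node[0] == "=":  # equality leaf, values compared case-insensitively
        actual = entry.get(node[1])
        return actual is not None and fnmatchcase(actual.lower(), node[2].lower())
    results = [matches(k, entry) for k in node[1]]
    return all(results) if node[0] == "&" else any(results) if node[0] == "|" else not results[0]

def claim_account(policy, answers, directory=DIRECTORY):
    """Return the DN of the single in-scope account whose attributes equal every
    answered question; zero or several candidates both refuse the claim (None)."""
    base = policy["search_base_dn"].lower()
    node, _ = parse_filter(policy["user_matching_filter"])
    hits = [dn for dn, attrs in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))   # Search Base DN
            and matches(node, attrs)                                      # User Matching Filter
            and all(q in answers and attrs.get(q, "").lower() == str(answers[q]).strip().lower()
                    for q in policy["questions"])]                        # Questions tab
    return hits[0] if len(hits) == 1 else None
```

The ambiguity check matters in practice: a question such as department alone would match several IT accounts, so the policy should include attributes that single out one account.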