Skyhigh Security

Authorized Override with OTP and Pledge Rule Set

The Authorized Override with OTP and Pledge rule set is a library rule set for authorized overriding using one-time passwords that are provided by a Skyhigh Security Pledge device.

Library rule set – Authorized Override with OTP and Pledge

Criteria – SSL.ClientContext.IsApplied equals true OR Command.Name does not equal "CONNECT"

Cycles – Requests (and IM)

The rule set criteria specify that the rule set applies when an SSL client context has been applied to the request, or when the request that is currently processed is not a CONNECT request. A CONNECT request is usually sent at the beginning of SSL-secured communication, before the client context is available, so this rule set does not process it.

The following rule sets are nested in this rule set:

  • Verify OTP
  • OTP Needed?

Verify OTP

This nested rule set checks whether a user who submits a one-time password with a request for authorized overriding has been successfully authenticated and, if so, redirects the user to the requested web object.

Nested library rule set – Verify OTP

Criteria – Quota.AuthorizedOverride.IsActivationRequest.Strict<Default> equals true

Cycles – Requests (and IM)

The rule set criteria specify that the rule set applies when a user sends a request to override the termination of a web session due to quota expiration and to continue with the session.

The rule set contains the following rules:

Verify OTP

Authentication.Authenticate<OTP> equals false –> Block<Authorized Only>

The rule uses the Authentication.Authenticate property with the OTP settings to check whether the user who submitted a one-time password when sending an authorized overriding request has been successfully authenticated.

If this is not the case, the request is blocked and the user is informed about the blocking and the reason for it.

The Block action is executed with the specified settings.

The session is validated. Redirect to the original page

Always –> Redirect<Default>

If authentication of a user who submitted a one-time password with a request for authorized overriding did not fail, the preceding rule in this rule set does not apply and processing continues with this rule.

The rule always allows the user to continue with the current session and performs a redirect to the requested web object.

The Redirect action is executed with the specified settings.

OTP Needed?

This nested rule set provides a one-time password for a user who sends a request for authorized overriding if the requested web object is located on a host within the corporate domain. In the library rule set, this domain is matched by the wildcard expression *mcafee.com*, so adapt the criteria to the corporate domain of your own organization before using the rule set.

Nested library rule set – OTP Needed?

Criteria – URL.Host matches *mcafee.com* AND Quota.AuthorizedOverride.SessionExceeded<Default> equals true

Cycles – Requests (and IM)

The rule set criteria specify that the rule set applies when the host of the URL sent in a request matches the wildcard expression *mcafee.com*, which the library rule set uses for the corporate domain, and the time quota for a session that can be continued after an authorized override has been exceeded.

The rule set contains the following rules:

Retrieve OTP context

Always –> Continue – Authentication.SendOTP<OTP>

The rule uses an event to send a one-time password to an authenticated user.

This way the context information is obtained that is required for authenticating a user through a one-time password that is validated on a Skyhigh Security OTP server.

Block request and offer sending OTP

Always –> Block<OTP Required with Pledge>

The rule blocks a request for web access.

The action settings specify that a message is sent to inform the user that web access can be allowed after submitting a one-time password that can be obtained from a Skyhigh Security Pledge device.
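The following Python model is an added illustration of how the rules above are evaluated for a request; it is not product code and not part of the original article. It assumes the usual rule engine semantics: rule sets and rules are evaluated top to bottom, the first Block or Redirect action ends processing of the request, and a Continue action only fires its event and moves on. The Request class, the evaluate function and the sample requests are constructed for this example; the property names in the comments are the ones the rule set uses.

```python
"""Executable model of the 'Authorized Override with OTP and Pledge' rule set
evaluation (added illustration, not Skyhigh Security product code).

Assumed engine semantics: rule sets and rules are evaluated top to bottom;
the first Block or Redirect action ends processing; Continue fires its
event and moves on; a nested rule set whose criteria are not met is skipped.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Pattern from the 'OTP Needed?' criteria: URL.Host matches *mcafee.com*
CORPORATE_HOST_PATTERN = "*mcafee.com*"


@dataclass
class Request:
    """The subset of rule engine properties that the rule set reads (hypothetical model)."""
    command: str                         # Command.Name
    host: str                            # URL.Host
    ssl_client_context: bool = False     # SSL.ClientContext.IsApplied
    is_activation_request: bool = False  # Quota.AuthorizedOverride.IsActivationRequest.Strict<Default>
    session_exceeded: bool = False       # Quota.AuthorizedOverride.SessionExceeded<Default>
    otp_authenticated: bool = False      # modelled result of Authentication.Authenticate<OTP>
    events: list = field(default_factory=list)  # events fired by Continue rules


def rule_set_applies(req: Request) -> bool:
    """Outer criteria: SSL.ClientContext.IsApplied equals true OR Command.Name does not equal CONNECT."""
    return req.ssl_client_context or req.command != "CONNECT"


def verify_otp(req: Request) -> Optional[str]:
    """Nested rule set 'Verify OTP'. Returns the action, or None if its criteria are not met."""
    if not req.is_activation_request:
        return None
    # Rule 'Verify OTP': Authentication.Authenticate<OTP> equals false -> Block<Authorized Only>
    if not req.otp_authenticated:
        return "Block<Authorized Only>"
    # Rule 'The session is validated. Redirect to the original page': Always -> Redirect<Default>
    return "Redirect<Default>"


def otp_needed(req: Request) -> Optional[str]:
    """Nested rule set 'OTP Needed?'. Returns the action, or None if its criteria are not met."""
    host_matches = fnmatchcase(req.host.lower(), CORPORATE_HOST_PATTERN)
    if not (host_matches and req.session_exceeded):
        return None
    # Rule 'Retrieve OTP context': Always -> Continue, event Authentication.SendOTP<OTP>
    req.events.append("Authentication.SendOTP<OTP>")
    # Rule 'Block request and offer sending OTP': Always -> Block<OTP Required with Pledge>
    return "Block<OTP Required with Pledge>"


def evaluate(req: Request) -> str:
    """Evaluate the library rule set for one request and return the final action.
    'Skipped' means the outer criteria were not met; 'Continue' means no nested
    rule set matched and later rule sets in the policy decide."""
    if not rule_set_applies(req):
        return "Skipped"
    for nested in (verify_otp, otp_needed):
        action = nested(req)
        if action is not None:
            return action
    return "Continue"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic
    samples = [
        Request("CONNECT", "intranet.mcafee.com", session_exceeded=True),
        Request("GET", "intranet.mcafee.com", session_exceeded=True),
        Request("GET", "intranet.mcafee.com", is_activation_request=True),
        Request("GET", "intranet.mcafee.com", is_activation_request=True, otp_authenticated=True),
        Request("GET", "www.example.org", session_exceeded=True),
        Request("GET", "mcafee.com.example.net", session_exceeded=True),
    ]
    for s in samples:
        print(f"{s.command:8} {s.host:24} -> {evaluate(s)}  events={s.events}")
```

Two points the model makes visible: a CONNECT request without an applied client context passes through untouched, and the blocking with an OTP offer only happens once the decrypted request inside the tunnel is processed; and because the host criterion has a wildcard on both sides, any host that merely contains the string mcafee.com (such as mcafee.com.example.net in the sample set) also satisfies it, which is one more reason to replace the pattern with your own corporate domain and to consider a tighter expression than the library default.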
