Create access requests with the Access Orchestrator
This topic describes how to create access requests that require specific authentication challenges based on custom logic that you design in a visual editor. This enables you to increase compliance with your organization's Multi-Factor Authentication (MFA) policies.
Different combinations of authentication challenges produce different Authenticator Assurance Level (AAL) scores. Higher scores indicate a more secure combination of challenges. The Access Orchestrator enables you to enforce specific combinations of challenges, so you can build complex access flows and MFA profiles with AAL scores that align with the best practices recommended in the NIST SP 800-63B guidelines.
Before you begin
Review "Design report queries based on Authenticator Assurance Level (AAL)" to learn more about AAL scoring for different combinations of authentication challenges. You can use this information to plan which authentication challenges you want to use when you create access requests.
Create a custom access flow
The following topics describe how to create and apply an access flow with the Access Orchestrator.
You can create different types of access flows that are appropriate for the resources you are trying to secure.
For example, you can create a flow in which, if the first challenge is a memorized secret such as a password, the second challenge must be a single-factor cryptographic device, an out-of-band device, or a single-factor OTP device. This results in an AAL score of AAL2.
CyberArk Identity supports the following types of access flows: