Create access requests with the Access Orchestrator

This topic describes how to create access requests to require specific authentication challenges based on custom logic, designed in a visual editor. This enables you to increase compliance with your organization's Multi-Factor Authentication (MFA) policies.

Different combinations of authentication challenges produce different Authenticator Assurance Level (AAL) scores. Higher scores indicate a more secure combination of challenges. The Access Orchestrator enables you to enforce specific combinations of challenges, so you can build complex access flows and MFA profiles with AAL scores that align with the best practices recommended in the NIST SP 800-63B guidelines.

Our AAL-related features do not guarantee compliance with NIST guidelines. Refer to for additional detail about NIST guidelines.

This is an early access feature. Early access features are fully supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features. Contact your account representative to enable this feature.

Before you begin

Review "Design report queries based on Authenticator Assurance Level (AAL)" to learn more about AAL scoring for different combinations of authentication challenges. You can use this information to plan which authentication challenges you want to use when you create access requests.

Some authentication mechanisms require additional configuration before users can authenticate with them. Make sure your users complete the configuration requirements for any mechanism you plan to use. Refer to "Secure access with adaptive MFA" for more detail.

Create a custom access flow

The following topics describe how to create and apply an access flow with the Access Orchestrator.

You can create different types of access flows that are appropriate for the resources you are trying to secure.

For example, you can create a flow where if the first challenge is a memorized secret such as a password, then the second challenge must be either a single-factor cryptographic device, an out-of-band device, or a single-factor OTP device. This results in an AAL score of AAL2.
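
The flow described above, written as a check over constructed session records. This is an added example, not CyberArk code or configuration; the mechanism labels, the `Challenge` record and the sample sessions are assumptions made for illustration.

```python
from dataclasses import dataclass

# Labels below are assumptions for illustration, not CyberArk Identity values.
MEMORIZED_SECRET = "memorized_secret"
# Second-challenge types the flow accepts after a memorized secret.
ALLOWED_SECOND = {"single_factor_crypto_device", "out_of_band_device",
                  "single_factor_otp_device"}

@dataclass(frozen=True)
class Challenge:
    kind: str     # authenticator type presented
    passed: bool  # whether the user completed it successfully

def evaluate_flow(challenges):
    """Return (granted, reason) for one session's ordered challenge list."""
    if not challenges:
        return False, "no challenges presented"
    first = challenges[0]
    if first.kind != MEMORIZED_SECRET:
        return False, f"first challenge was {first.kind}, flow expects a memorized secret"
    if not first.passed:
        return False, "memorized secret failed"
    if len(challenges) < 2:
        return False, "second challenge missing (single factor only)"
    second = challenges[1]
    if second.kind not in ALLOWED_SECOND:
        return False, f"second challenge {second.kind} is not permitted by the flow"
    if not second.passed:
        return False, f"{second.kind} failed"
    return True, "AAL2 flow satisfied"

# Constructed sample sessions (not real log data).
SESSIONS = {
    "s1": [Challenge(MEMORIZED_SECRET, True), Challenge("single_factor_otp_device", True)],
    "s2": [Challenge(MEMORIZED_SECRET, True)],
    "s3": [Challenge(MEMORIZED_SECRET, True), Challenge(MEMORIZED_SECRET, True)],
    "s4": [Challenge(MEMORIZED_SECRET, True), Challenge("out_of_band_device", False)],
    "s5": [Challenge("out_of_band_device", True), Challenge(MEMORIZED_SECRET, True)],
}

def audit(sessions):
    # Map each session id to its (granted, reason) result.
    return {sid: evaluate_flow(ch) for sid, ch in sessions.items()}

if __name__ == "__main__":
    for sid, (ok, reason) in audit(SESSIONS).items():
        print(f"{sid}: {'PASS' if ok else 'FAIL'} - {reason}")
```

Session `s3` shows why the second challenge is restricted to a different authenticator type: two memorized secrets in a row are still a single factor and do not satisfy the flow.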

CyberArk Identity supports the following types of access flows:
