RbaDataCollector

The risk-based data collector configuration defines the contents of the internal representation of authenticated subjects for the purposes of risk-based authentication (RBA). It controls which data are recorded and collected from a subject's activity (typically HTTP requests). Data such as the IP addresses from which the subject logged in or the time stamps of the last successful authentication are stored in persistent storage in the specified quantities. The authentication process runs a statistical analysis on this data, which enables DirX Access to follow the behavioral patterns of each authenticated subject. The RBA data collector gathers all the necessary information and is coupled with RBA data conditions, which operate on the data and produce logical inputs for authentication policies. However, data collection takes place even when no condition uses the data.

  • For example, an RBA data collector can be configured as a Request Header collector that processes values of the 'User-Agent' property from the HTTP header and stores the browser type and version in the Application Repository, up to a maximum of 15 distinct values. A Sampling rate value of -1 indicates that collecting occurs on initial authentication only, and a Max value weight of 30 halves the values' weights when they reach this weight.

  • For more information on how the RBA data collectors work, see the 'Risk-based Authentication' section in the 'Advanced Topics' appendix.

Description

Description of the configuration object

Type (required)

The type of RBA data collector determining the kind of data that will be collected. Recognised types are:

  • AccessTime - The Access time RBA data collector gathers user access time stamps.

  • ClientAddressIPv4 - The Client’s IPv4 address RBA data collector gathers client IPv4 addresses.

  • ClientAddressIPv6 - The Client’s IPv6 address RBA data collector gathers client IPv6 addresses.

  • DeviceId - The Device ID RBA data collector gathers the identifier of a client’s device.

  • Geolocation - The Geolocation RBA data collector gathers the geographical coordinates of the client's location.

  • RequestHeader - The Request Header RBA data collector gathers data from the request protocol header.

  • RbaDataCallout - The RBA data callout collector gathers data supplied by the custom callout handler of RbaDataEvents type.

  • Allowed Values:

    • AccessTime

    • ClientAddressIPv4

    • ClientAddressIPv6

    • DeviceId

    • Geolocation

    • RequestHeader

    • RbaDataCallout

Maximal number of collected values per period

The number of most recent values of a specific type that will be kept in persistent storage, for example the last 10 login dates. If set to zero, an unlimited number of values will be stored.

Max value weight

The maximum number of equal collected values. For example, if it is set to 20, the collector can assign a maximum weight (importance) of 20 to a single RBA data attribute. When set to 0, the maximum weight is set to 'infinity' (the maximum value of a Java integer).

Sampling rate

The time at which a new sample is saved to the subject’s profile. There are three options for this control:

  • -1 = on initial authentication only.

  • 0 = on each request.

  • n>0 = on each request after n seconds.

Sampling period length

The number of days during which data will be collected.

Number of periods

The count of sampling periods that will be used for approximation.

Regular expression pattern

This field lets you set a Java regular expression pattern containing capturing groups, as described in the Oracle Java documentation. The output attribute value is built from these groups according to the value of the 'Regular expression groups' field. If the pattern is empty, the attribute value is not affected. If there are multiple matches, every matching value is returned, separated by the semicolon (;) character. This control applies to the RBA Data Callout and Request Header RBA Data Collectors. The given example shows a simple e-mail format.

Regular expression groups

The output attribute value is formed from an arbitrary string in which (n) is a placeholder that is replaced by the nth capturing group of the pattern from the 'Regular expression pattern' field (counting from 1). A given placeholder can be used multiple times. If this field is empty, the capturing groups are concatenated and output. This control applies to the RBA Data Callout and Request Header RBA Data Collectors.

Keyword

The unique identifier of the protocol header property. This control applies to the Request Header RBA Data Collector.

Callout handler identifier

The unique identifier of the callout handler of type 'RbaDataEvents' that can be specified. This control applies to the RBA Data Callout RBA Data Collector.

The name of the long-term cookie that holds the device identifier (more precisely, the client-side application identifier). This control applies to the Device ID RBA Data Collector.

To delete

Indicates whether the data of the RBA data collector are already deleted.