Starling Identity Analytics & Risk Intelligence Hosted

The Rules page is displayed when the Rules link is clicked in the navigation bar. The Rules page is used for managing the entitlement classification rules that Starling Identity Analytics & Risk Intelligence will use to help you identify high risk accounts.

The following options appear on this page:

New Rule

This opens the New Rule page used to add a rule from the data source. For more information see, Adding a new rule.

Hovering over this icon displays a search box used to locate specific rules within the Rules table. To use the field, start typing the name of the rule in the field and the table will automatically update to display rules that match.

For information on the table appearing at the bottom of the Rules page, see Rules table. For information on the default rules, see Available rules.

Rules table

Rules > Rules page > Rules table

The Rules table is displayed at the bottom of the Rules page. It displays information on the entitlement classification rules currently configured for Starling Identity Analytics & Risk Intelligence.

The following information and options appear listed in the table:

Name

This is the name of the entitlement rule. If the rule is only applicable to a specific type of data source module, the type of data source module will be indicated before the rule's name (for example, ActiveRoles: Configuration Modify and Safeguard: Admin or Partition Owner).

Description

This is a description of the rule.

Matched Accounts

This displays the number of matched accounts.

Status

This is the current status of the entitlement rule.

Clicking one of the rules (or the button associated with it) will open the Rule Details page where you can modify the current settings and view additional information about the rule. See Available rules for information on the default rules.

IMPORTANT: You are unable to delete a default rule, but default rules can be disabled using the Rule Details page (for more information, see Disabling a rule).

IMPORTANT: Adding a new rule will override any existing default rule of that type. The default rule will then be hidden until all customized rules for it are deleted. Once the custom rules are deleted, the default rule (including any previous edits) will reappear on the Rules table.

Available rules

Rules > Rules page > Available rules

The following table lists all of the rules that are available on the Rules page and the related permissions that impact an evaluation:

Table 5: List of available rules
Rule name	Data source(s)	Permissions
Account Best Practices - Computers	Active Roles, Active Directory	For more information, see Account Best Practices rules.
Account Best Practices - Users	Active Roles, Active Directory, Azure Active Directory	For more information, see Account Best Practices rules.
ActiveRoles: Configuration Full Control	Active Roles	Detected permissions: Create Child AND Delete Child AND List Children AND Self AND Read Property AND Write Property AND List Object AND Extended Rights AND Delete AND Read Control AND Write DACL AND Write Owner AND Delete Tree AND Copy Object
ActiveRoles: Configuration Modify	Active Roles	Detected permissions: Create Child Delete Child Write Property Extended Rights Delete Write DACL Write Owner Delete Tree Copy Object Ignored permissions: Write Property: EDSVA-Client-Version on EDS-Client-Session AND Write Property: EDSA-LDAP-Server on Domain AND Extended Right: Access Personal Settings on EDS-WI-Interface
Change Group Type and Scope	Active Roles	Detected permissions: Write Property: Group Type of Groups
Change Group Type and Scope	Active Directory	Detected permissions: Write Property: Group Type of Groups
Create Groups	Active Roles	Detected permissions: Create Child: Groups
Create Groups	Active Directory	Detected permissions: Create Child: Groups
Create Organizational Units	Active Roles	Detected permissions: Create Child: Organizational Unit
Create Organizational Units	Active Directory	Detected permissions: Create Child: Organizational Unit
Create Users	Active Roles	Detected permissions: Create Child: Users
Create Users	Active Directory	Detected permissions: Create Child: Users
Delete Groups	Active Roles	Detected permissions: Delete Child: Groups Delete: Groups List Objects In: Domain AND Delete Tree Containing: Groups List Objects In: Managed Unit AND Delete Tree Containing: Groups List Objects In: Built In Domain AND Delete Tree Containing: Groups List Objects In: Container AND Delete Tree Containing: Groups List Objects In: Organizational Unit AND Delete Tree Containing: Groups
Delete Groups	Active Directory	Detected permissions: Delete Child: Groups Delete: Groups
Delete Organizational Units	Active Roles	Detected permissions: Delete Child: Organizational Unit Delete: Organizational Unit List Objects In: Domain AND Delete Tree Containing: Organizational Units List Objects In: Managed Unit AND Delete Tree Containing: Organizational Units List Objects In: Organizational Unit AND Delete Tree Containing: Organizational Units
Delete Organizational Units	Active Directory	Detected permissions: Delete Child: Organizational Unit Delete: Organizational Unit
Delete Users	Active Roles	Detected permissions: Delete Child: Users Delete: Users List Objects In: Domain AND Delete Tree Containing: Users List Objects In: Managed Unit AND Delete Tree Containing: Users List Objects In: Container AND Delete Tree Containing: Users List Objects In: Organizational Unit AND Delete Tree Containing: Users
Delete Users	Active Directory	Detected permissions: Delete Child: Users Delete: Users
Enable/Disable Users	Active Roles	Detected permissions: Write Property: User Account Control of Users Write Property: EDSA-Account-Is-Disabled of Users
Enable/Disable Users	Active Directory	Detected permissions: Write Property: User Account Control of Users
Highly Privileged Group Members	Active Roles, Active Directory, Safeguard, Azure Active Directory	For more information, see Highly Privileged Group Members rule.
Highly Privileged Role Members	Azure Active Directory	For more information, see Highly Privileged Role Members rule.
Modify Group Members	Active Roles	Detected permissions: Write Property: Member of Groups
Modify Group Members	Active Directory	Detected permissions: Write Property: Member of Groups
Reset User Passwords	Active Roles	Detected permissions: Read Property: Object Class of Users AND Extended Right: Reset Password on Users Write Property: EDSA-Password of Users
Reset User Passwords	Active Directory	Detected permissions: Read Property: Object Class of Users AND Extended Right: Reset Password on Users
Safeguard: Access Request by Local User	Safeguard	Detected permissions: Local User AND Password Access Request Local User AND Session Access Request Account Scope Local User AND Session Access Request Asset Scope Local User AND Session Access Request Linked Account
Safeguard: Access Request via Emergency Access	Safeguard	Detected permissions: Emergency Access AND Password Access Request Emergency Access AND Session Access Request Account Scope Emergency Access AND Session Access Request Asset Scope Emergency Access AND Session Access Request Linked Account
Safeguard: Access Request without 2FA	Safeguard	Detected permissions: User does not require 2FA or certificate/smart card authentication AND Password Access Request User does not require 2FA or certificate/smart card authentication AND Session Access Request Account Scope User does not require 2FA or certificate/smart card authentication AND Session Access Request Asset Scope User does not require 2FA or certificate/smart card authentication AND Session Access Request Linked Account
Safeguard: Admin or Partition Owner	Safeguard	Detected permissions: Any user that has been granted one or more of the following permissions in Safeguard: Authorizer, User, Help Desk, Appliance, Operations, Asset, Directory, Security Policy. Any user that is a Delegated Owner of a Partition.
Safeguard: Session and Password Access Request to Same Account	Safeguard	Detected permissions: Password Access Request AND Session Access Request Account Scope Password Access Request AND Session Access Request Asset Scope Password Access Request AND Session Access Request Linked Account
Unlock Users	Active Roles	Detected permissions: Write Property: Lockout Time of Users Write Property: EDSA-Account-Locked-Out of Users
Unlock Users	Active Directory	Detected permissions: Write Property: Lockout Time of Users

Adding a new rule

Rules > Adding a new rule

From the Rules page, you can add new rules for the configured data sources.

NOTE: Adding a new rule will override any existing default rule of that type. The default rule will then be hidden until the overriding custom rule is deleted. Once the custom rule is deleted, the default rule (including any previous edits) will reappear on the Rules table.

Adding a new rule

From the Rules page, click New Rule to open the New Rule page.

Use the configuration options to identify and add a new rule. The new rule must have a unique name, a description, and at least one data source must be selected.

NOTE: To edit the name or description of a rule, click the button to the right of the field. Once you finish editing the rule name or description, you must click the button to save your edits. This will only save the changes made in that field. To remove any edits made in those fields, use the button.

NOTE: There are specific configuration options for the Account Best Practices, Highly Privileged Group Members, and Highly Privileged Role Members rules. For more information, see Account Best Practices rules Highly Privileged Group Members rule and Highly Privileged Role Members rule.

NOTE: Once you have finished configuring the rule, clicking Preview shows what happens if the new rule is applied.

Click Save to add the rule. The rule will now be available for use.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Starling Identity Analytics & Risk Intelligence Hosted - User Guide

Rules page

New Rule

Rules table

Name

Description

Matched Accounts

Status

Available rules

Adding a new rule