--- title: Creating iovation Device Risk authorization rules description: Create a rule to share device information with iovation Device Risk and allow or deny access based on the response. component: pingaccess version: 9.0 page_id: pingaccess:agents_and_integrations:pa_creating_iovation_device_risk_authorization_rules canonical_url: https://docs.pingidentity.com/pingaccess/9.0/agents_and_integrations/pa_creating_iovation_device_risk_authorization_rules.html revdate: August 8, 2025 section_ids: about-this-task: About this task steps: Steps --- # Creating iovation Device Risk authorization rules Create a rule to share device information with iovation Device Risk and allow or deny access based on the response. ## About this task When this rule runs, the iovation response is stored in the `com.pingidentity.pa.iovation.kit:policy.decision.outcome` property. Possible values are `allow`, `deny`, and `review`. | | | | - | ------------------------------------------------------------ | | | This property can be used by Groovy rules or custom plugins. | ## Steps 1. In the PingAccess admin console, click **Access**, then go to **Rules > Rules**. 2. Click **[icon: plus, set=fa]Add Rule**. 3. In the **Name** field, enter a unique name for the rule. The name can be up to 64 characters long and can include special characters and spaces. 4. In the **Type** list, select **Iovation Device Risk authorization**. 5. In the **iovation Service** list, select a third-party service to use for outbound fraud checks to iovation. 6. In the **Blackbox Cookie Name Prefix** field, enter the prefix of the cookies containing the iovation blackbox captured previously by the iovation Device Risk Device Profiling rule. The default value is `iovation_bb`. 7. In the **Subscriber ID** field, enter the subscriber ID that iovation gave you. 8. In the **Subscriber Account** field, enter the subscriber account name that iovation gave you. 9. In the **Subscriber Passcode** field, enter the passcode that authorizes your ID and account with iovation. 10. In the **iovation Integration Point** field, enter the integration point associated with the rule set you want to use. 11. (Optional) In the **Account Code Attribute** field, enter the name of an attribute containing a unique identifier for each end user to send to iovation as the account code. 12. (Optional) In the **Transaction Insight Parameter Mappings** section, configure one or more mappings from identity attributes in PingAccess to iovation Transaction Insight Parameters. The attributes are provided to iovation in the specified parameters. 1. In the **Attribute Name** field, enter the attribute to use as a source. 2. In the **Transaction Insight Parameter** field, enter the iovation Transaction Insight Parameter to use for the specified attribute. 3. (Optional) Click **Add Row** to add one or more additional mappings. 13. If additional options need to be configured, click **Show Advanced**. > **Collapse: Advanced Settings** > > | Advanced Option | Description | > | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | **Fraud Check Frequency (ms)** | The number of milliseconds between iovation fraud checks.The default value is `20000`. | > | **iovation Fraud Check API Endpoint** | The application programming interface (API) *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)* endpoint *(tooltip: \
\

One end in a communication channel, typically a URI.\

\
)* where iovation fraud check requests are directed.If not specified, a value of `/fraud/v1/subs/subscriberId/checks` is used, where *subscriberId* is the value in the **Subscriber ID** field. | > | **iovation Failure Mode** | Specifies whether PingAccess should allow or deny access if the communication with iovation isn't completed successfully.The default value is **Deny**. | > | **Invalid Blackbox Failure Mode** | Specifies whether PingAccess should allow or deny access if the blackbox device profile isn't in a usable state. This situation can occur when the blackbox hasn't already been collected from a previous exchange processed by this rule or when the collected blackbox has reached the end of its lifetime.The default value is **Deny**, which denies access. A value of **Continue** performs a risk assessment with no blackbox profile, while a value of **Allow** allows access. | > | **iovation Protocol Error Handling** | This section specifies the error parameters to use on a failure if there's a failure to communicate with iovation for the fraud check API request.To configure the **iovation Protocol Error Handling** section:1) In the **Error Response Code** field, enter the HTTP response code for the error response. > > 2) (Optional) In the **Error Response Template File** field, you can enter the name of a custom error page template if you don't want to use the default error page. > > Templates are stored in the `/conf/template/` directory. > > 3) In the **Error Response Content Type** field, specify the content type of the custom error response template file if you configured a value in the previous field. | > | **Review Fallback Type** | Specifies whether PingAccess should allow or deny access if iovation returns a review result from the risk assessment.The default value is **Deny**. | > | **Review Deny Handling** | This section specifies the error parameters to use on a failure if the **Review Fallback Type** is set to **Deny**.To configure the **Review Deny Handling** section:1) In the **Error Response Code** field, enter the HTTP response code for the error response. > > 2) (Optional) In the **Error Response Template File** field, you can enter the name of a custom error page template if you don't want to use the default error page. > > Templates are stored in the `/conf/template/` directory. > > 3) In the **Error Response Content Type** field, specify the content type of the custom error response template file if you configured a value in the previous field. | > | **Deny Handling** | This section specifies the error parameters to use on a failure if either:- iovation returns a Deny (D) result > > - The blackbox isn't set and the **Invalid Blackbox Failure Mode** is set to Deny.To configure the **Deny Handling** section:1) In the **Error Response Code** field, enter the HTTP response code for the error response. > > 2) (Optional) In the **Error Response Template File** field, you can enter the name of a custom error page template if you don't want to use the default error page. > > Templates are stored in the `/conf/template/` directory. > > 3) In the **Error Response Content Type** field, specify the content type of the custom error response template file if you configured a value in the previous field. | 14. Click **Save**.