Risk-Based Access
Imprivata Enterprise Access Management (EAM) Risk-Based Access (RBA) allows authentication requirements to change dynamically based on the risk level of an authentication. Risk evaluation is performed by EAM's integration with Imprivata Identity Threat Detection and Response (ITDR).
ITDR determines the risk level of an authentication by evaluating it against rule sets. Based on the results of the evaluation, the user:
- is challenged to complete low, medium, or high security authentication; or
- is denied access.
Existing authentication methods remain available as a fallback if RBA cannot determine a valid method. Risk-Based Access is available for the following workflows:
- Desktop access — For full details of configuring Desktop Access, see Configuring Authentication Methods in User Policies.
- Remote Access Cloud integrations — available for Learning Mode only for this release. In Learning Mode, all authentications for Remote Access Cloud integrations are sent to Imprivata ITDR for evaluation, but not enforced. ITDR Learning Mode provides the opportunity to assess the outcomes of rule sets, and revise as needed, before enabling them in a future release.
- Web SSO OpenID Connect and WS Federation integrations — available for Learning Mode only for this release. In Learning Mode, all authentications for OpenID Connect and WS Federation Web SSO integrations are sent to Imprivata ITDR for evaluation, but not enforced. ITDR Learning Mode provides the opportunity to assess the outcomes of rule sets, and revise as needed, before enabling them in a future release.
- Self-service workflows — The user interface for Risk-Based Access is present in the Imprivata Admin Console, but the feature is not enabled for this release.
Licensing and Provisioning
This integration with ITDR for RBA is available with the Enterprise Access Management Advanced Passwordless Access license.
- To enable this feature, upgrade to Imprivata Enterprise Access Management 26.1, then install the special IPM available for download from Imprivata. File name: rba-feature-2026-1-0.ipm
- Imprivata provisions an ITDR tenant for your enterprise. This provisioning enables the links to your ITDR tenant in the Imprivata Admin Console.
- Imprivata sends an email to the user(s) on the purchase contract, granting access to your ITDR tenant.
- Click on the link in the invitation email to create an administrator account for your ITDR tenant. This administrator has the ability to create other ITDR administrators.
Configure RBA for Desktop Access
- In the Imprivata Admin Console, go to Users > User Policies and select a user policy.
- Go to Authentication > Desktop Access authentication.
Enable RBA
- Select Risk-based access.
- Select a Rule Set — Rules determine the level of risk in the authentication. The default Rule set includes:
  - Permissive
  - Moderate (default)
  - Strict
  You can also customize your own rule sets at the ITDR console. See Rule Sets.
- Select an Authentication Strength Map. The Strength Map determines which authentication methods will be available to the user after the level of risk is determined.
  Imprivata provides Strength Maps designed for specific workflows. These maps are system-defined and read-only. They are applied automatically when Risk-Based Access is enabled for desktop access.
- Review the map you've selected, and confirm your users have enrolled the authentication methods required by the strength map.
- Select the fallback authentication methods to use when RBA is not able to determine risk.
- Configure other authentication options as needed.
- Click Save.
Best Practice — Pilot Roll Out
When the Advanced Passwordless Access license is in place, but Risk-Based Access is not enabled, all authentications for Desktop, Remote access, Web SSO, and Self-service are still sent to ITDR for evaluation, but not enforced. ITDR Learning Mode provides the opportunity to assess the outcomes of rule sets, and revise as needed, before enabling them.
Based on your assessment in Learning Mode, roll out RBA with a pilot group of users (either users in a preexisting User Policy, or a User Policy created expressly for this purpose). Full details on configuring Risk-Based Access are available at the ITDR Help.
Authentication Options
Desktop Authentication includes options that may or may not be enforced when RBA is enabled. For example, Computer Policy Overrides are applied whether or not RBA is enabled.
When RBA is Not Applied
When RBA is unable to determine risk, or when the Imprivata agent is offline:
- Fallback authentication methods are enabled.
- If selected, Allow users to skip second factor is enabled.
- If selected, Offline Authentication is enabled.
- If selected, Grace periods are enabled.
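The decision flow described on this page (a risk level from the rule set selects a tier of the Strength Map; undetermined risk or an offline agent falls back to the configured methods; an enrollment check before rollout) is modelled below as an added Python example. It is not Imprivata code and does not reflect the contents of the system-defined Strength Maps: the map, the fallback methods, the factor names and the way "Allow users to skip second factor" is modelled (single-factor forms of the fallback methods become acceptable) are all constructed assumptions for illustration.

```python
"""Model of a risk-based access decision: risk level -> strength map tier -> methods,
with fallback when risk cannot be determined. Constructed illustration, not Imprivata code."""
from dataclasses import dataclass, field
from enum import Enum


class RiskLevel(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    DENY = "deny"
    UNDETERMINED = "undetermined"   # the evaluator returned no usable verdict


# An authentication method is the set of factors the user must present together.
Method = frozenset

# Hypothetical strength map (the real maps are system-defined and not documented here):
# the riskier the authentication, the stronger the methods that remain acceptable.
STRENGTH_MAP = {
    RiskLevel.LOW: {Method({"proximity_card"}), Method({"password"})},
    RiskLevel.MEDIUM: {Method({"proximity_card", "pin"}), Method({"password", "push"})},
    RiskLevel.HIGH: {Method({"fingerprint", "pin"}), Method({"password", "hardware_token"})},
}

# Hypothetical fallback: used when risk is undetermined or the agent is offline.
FALLBACK_METHODS = {Method({"password", "push"})}


@dataclass
class Decision:
    allowed: set                       # methods the user may complete; empty when denied
    denied: bool = False
    fallback: bool = False             # True when the strength map was not applied
    notes: list = field(default_factory=list)   # audit trail of why this decision was reached


def decide(risk, strength_map, fallback_methods, agent_online=True,
           allow_skip_second_factor=False):
    """Deny, challenge with the strength-map tier for the risk level, or fall back."""
    if risk is RiskLevel.DENY and agent_online:
        return Decision(set(), denied=True, notes=["risk evaluation denied access"])
    if not agent_online or risk is RiskLevel.UNDETERMINED:
        reason = "agent offline" if not agent_online else "risk undetermined"
        d = Decision(set(fallback_methods), fallback=True, notes=[reason])
        if allow_skip_second_factor:
            # Modelling assumption: skipping the second factor means any single factor
            # of a fallback method is acceptable on its own.
            d.allowed |= {Method({f}) for m in fallback_methods for f in m}
            d.notes.append("second factor may be skipped")
        return d
    return Decision(set(strength_map[risk]), notes=[f"risk={risk.value}"])


def usable_methods(decision, enrolled):
    """Methods from the decision the user can actually complete with enrolled factors."""
    return {m for m in decision.allowed if m <= enrolled}


def enrollment_gaps(strength_map, enrolled):
    """Risk levels at which this user has no completable method (pre-rollout check)."""
    return [lvl for lvl, methods in strength_map.items()
            if not any(m <= enrolled for m in methods)]


if __name__ == "__main__":
    # Constructed pilot user: enrolled for password, push and a proximity card only.
    enrolled = frozenset({"password", "push", "proximity_card"})
    print("gaps before rollout:", [g.value for g in enrollment_gaps(STRENGTH_MAP, enrolled)])
    for risk in RiskLevel:
        d = decide(risk, STRENGTH_MAP, FALLBACK_METHODS)
        print(risk.value, "->", "DENIED" if d.denied else sorted(map(sorted, usable_methods(d, enrolled))), d.notes)
```

The `enrollment_gaps` check is the part a practitioner would run before enabling RBA for a pilot policy: a user with no completable method at a tier would be challenged with something they cannot satisfy, which is exactly what the "confirm your users have enrolled authentication methods required by the strength map" step guards against.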
Auditing
When RBA is enabled, Imprivata EAM audits authentications as usual. All details regarding the level of risk determined during the RBA process, and the Authentication Strength Map selected, are available in the Event Explorer and Reports pages in the ITDR console.