Unexpected evaluation decision
If you have completed Session ID correlation and cannot locate an Events service API event or Adaptive access report detail with a corresponding Session ID
, ensure you have
- attached an Adaptive access policy.
When an Access policy is attached to your Native Web application and you receive a valid response such as allow, MFA or block, however no Adaptive access event is generated, this indicates Adaptive access was not invoked. - correct Error response handling.
If the API was not invoked correctly an error is returned from the Proxy SDK which must be handled. If the API was invoked correctly but there was insufficient data, additional collection may be required. In both cases no event is generated.
If you have located a corresponding Session ID
an Adaptive access assessment was invoked.
Change in user or device attributes
Adaptive access uses deep identity insights, through a sophisticated risk calculation engine (IBM TrusteerĀ®), to accurately match Access policies to the user profile throughout their digital interaction with the application.
During collection, detection and assessment the Session ID
may have been evaluated by the risk calculation engine differently to the expected manual testing process.
A range of indicators may alter the assessment result including
- user was not new
- user had a pending MFA from a previous session
- location, device or behavioral patterns changed significantly

Access policy logic error
Access policies combine the riskiest result from Adaptive access, reauthentication and any matching Policy rule.
If there are no Policy rules, or none are matched during evaluation, the Default rule
is used for the riskiest comparison.
Ensure you have
- configured the correct action for the expected risk level in the Adaptive access policy.
- validated the
Reauthentication
andPolicy rules
did not return a riskier result.
"rule_name"
in the Events service API JSON andRule name
in the Adaptive access report detail indicate the riskiest result for the policy evaluation.

Multiple unsuccessful access policy invocations
When an Adaptive access policy has insufficient data to complete an assessment additional collection is required.
If the Native Web application does have correct Error response handling, however the evaluation is unsuccessful multiple times, the Risk Service Unavailable is returned and the associated event is generated.
Access policy re-invocation
When an MFA challenge is returned from an Adaptive access policy evaluation and the the challenge is successfully completed, two events are generated
- the initial MFA challenge event
- an Allow event during the policy re-evaluation
When only the MFA challenge event is generated ensure you have
-
satisfied the
requires
response fromassessPolicy(context)
of the IBM Security Verify Proxy SDK with one of theallowedFactors
.{ "status": "requires", "transactionId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "allowedFactors": ["emailotp", "smsotp", "totp", "push", "fido"] }
- invoked
assessPolicy(context)
following the successful completion of the previousrequires
response.
Previous: Risk Service Unavailable