Airlock Gateway maintains the list of roles granted for each user session. It uses this information to determine if a specific user is authorized to access a particular backend.
Role removal may be initiated both by internal features of the gateway (e.g. Client Fingerprinting, Anomaly Shield) and by external systems. Regardless of the source of the role removal, the intended result is to de-authorize the user and prevent access to certain backends.
Airlock IAM must ensure that re-acquiring these roles requires the user to pass selected authentication flow steps. To achieve this goal, Airlock IAM provides a feature that removes a list of tags from the session if the Gateway reports that certain roles have been removed from the Gateway session. With the tags removed from the user session, skip conditions in authentication flows fail, and the user has to pass the selected authentication steps again.
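
The following is an added conceptual model of this mechanism, not Airlock configuration or Airlock code. The role names, tag names, flow steps and function names are all hypothetical, and it assumes each step's skip condition is simply "tag is present on the session".

```python
from dataclasses import dataclass, field

# Hypothetical mapping: role the gateway reports as removed -> tags IAM drops.
ROLE_TO_TAGS = {
    "customer": {"pwd-ok"},
    "payments": {"mfa-ok"},
}

# Hypothetical flow: (step name, tag whose presence lets the step be skipped).
FLOW = [("password", "pwd-ok"), ("otp", "mfa-ok")]


@dataclass
class Session:
    roles: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def on_roles_removed(session, removed_roles):
    """Drop the removed roles and every tag mapped to them; return dropped tags."""
    dropped = set()
    for role in removed_roles:
        session.roles.discard(role)
        dropped |= ROLE_TO_TAGS.get(role, set()) & session.tags
    session.tags -= dropped
    return dropped


def steps_required(session):
    """Steps whose skip condition fails, i.e. the user has to pass them again."""
    return [step for step, tag in FLOW if tag not in session.tags]


def demo():
    # Constructed sample session: fully authenticated user holding both roles.
    s = Session(roles={"customer", "payments"}, tags={"pwd-ok", "mfa-ok"})
    before = steps_required(s)                   # nothing to redo yet
    dropped = on_roles_removed(s, {"payments"})  # e.g. reported by the gateway
    after = steps_required(s)                    # only the mapped step returns
    return before, dropped, after, s


if __name__ == "__main__":
    print(demo())
```

In this model, a removed role with no mapped tag leaves every skip condition satisfied, so the mapping has to cover each role whose re-acquisition should force re-authentication.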