Behavior of rules and recognized device behavior confirmation in VIP Authentication Hub


Article ID: 418721


Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

Running VIP Authentication Hub, confirm the behavior of calls to the userRiskScoreEvaluator API:

  1. If no application is specified, the risk rule configuration applied is the tenant-level configuration;
  2. If the specified application does not exist, the risk rule configuration applied is also the tenant-level configuration.

    Ideally an error would be returned in these cases; otherwise, an explanation is needed of why, by Broadcom's design, no error is triggered.

    There might be a coexistence or migration scenario.

  3. The concepts of Known Device and Trusted Device continue to apply at the tenant level, even when risk configuration granularity is set per application.

    If a device is registered for application A, it is considered recognized at the tenant level and in every application within the tenant that has the device recognition rule enabled at the application level.

Environment

VIP Authentication Hub 3.4.5 on OpenShift

Resolution

This is expected behavior for both scenarios.

  • An invalid "app" triggers an error only from version 3.5 onward;
  • From 3.5, the error message is:

    8800208 "invalid app details"

  • As long as the app exists, the field "Application" is populated;
  • If the application is deactivated but still exists, the field "Application" is populated.

For risk rules, the fallback mechanism is working as designed: when no application-level configuration can be resolved, the tenant-level rules are used to evaluate the user profile.

A device is always at the tenant level across the VIP Authentication Hub.
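As an added example (this is not Broadcom's code and not the product's documented response format), the following Python helper shows how a calling application can tell the three outcomes described in this article apart: the app was resolved and the "Application" field is populated, the tenant-level fallback was used silently (no app given, or a nonexistent app on a release before 3.5), or release 3.5 and later rejected the call with error 8800208 "invalid app details". The JSON shape, the {"code", "message"} error object, the "Application" key as a top-level response field, and the sample bodies are all assumptions constructed for the example. The second function is the check a practitioner wants when an application relies on its own risk rules: it fails closed if the score was computed under the tenant rule set instead.

```python
"""
Added example (not Broadcom's code): interpret a userRiskScoreEvaluator
response so the calling application knows whether its own application-level
configuration was resolved or whether the tenant-level fallback was used.

Assumptions not stated in the article:
  - the response body is a JSON object;
  - an error is reported as {"code": <int>, "message": <str>};
  - on success the "Application" field named in the article is a top-level
    key whose value is the application identifier, and it is absent or empty
    when the tenant-level configuration was used.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Error reported from version 3.5 onward for a nonexistent app (from the article)
INVALID_APP_CODE = 8800208
INVALID_APP_MESSAGE = "invalid app details"


@dataclass(frozen=True)
class RiskEvaluation:
    scope: str                  # "application", "tenant" or "error"
    application: Optional[str]  # populated only when the hub resolved the app
    error: Optional[str]        # error message, if the hub rejected the call


def classify_risk_response(body: str) -> RiskEvaluation:
    """Decide which risk rule configuration the hub actually applied."""
    data = json.loads(body)

    # 3.5+: a nonexistent app is rejected explicitly instead of falling back.
    if data.get("code") == INVALID_APP_CODE:
        return RiskEvaluation("error", None, data.get("message", INVALID_APP_MESSAGE))

    # Any version: "Application" is populated whenever the app exists
    # (even a deactivated one), so the hub resolved application-level config.
    app = data.get("Application")
    if app:
        return RiskEvaluation("application", app, None)

    # No app given, or (before 3.5) an app that does not exist:
    # the tenant-level rules evaluated the user profile silently.
    return RiskEvaluation("tenant", None, None)


def app_rules_applied(body: str, expected_app: str) -> bool:
    """
    Fail-closed check for a caller that configured app-specific risk rules:
    True only if the hub resolved exactly `expected_app`. A silent tenant-level
    fallback (misspelled app name before 3.5, app not yet migrated) returns
    False so the caller can alert or reject instead of trusting a score that
    was computed under a different rule set.
    """
    result = classify_risk_response(body)
    return result.scope == "application" and result.application == expected_app


# Constructed sample responses, shaped according to the assumptions above.
SAMPLE_APP_LEVEL = json.dumps({"Application": "payments-portal", "riskScore": 12})
SAMPLE_TENANT_FALLBACK = json.dumps({"riskScore": 40})  # no "Application" key
SAMPLE_INVALID_APP_35 = json.dumps({"code": 8800208, "message": "invalid app details"})

if __name__ == "__main__":
    for label, body in [("app-level", SAMPLE_APP_LEVEL),
                        ("tenant fallback", SAMPLE_TENANT_FALLBACK),
                        ("3.5 invalid app", SAMPLE_INVALID_APP_35)]:
        print(f"{label:16} -> {classify_risk_response(body)}")
    print("payments-portal rules applied:",
          app_rules_applied(SAMPLE_APP_LEVEL, "payments-portal"))
```

On a 3.4.x deployment the tenant-fallback branch is the one to watch: because no error is raised, the only signal that application-level rules were not used is the empty "Application" field, so an integration that cares about per-application rules should check it rather than rely on an error.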