Provisioning Policies

Provisioning Policies are used to define application object attributes that must be managed due to a Lifecycle Manager request. With a provisioning policy in place, when a role or entitlement is requested the user must input specified criteria into a generated form before the request can be completed. A policy can be attached to an IdentityIQ application object or role and is used as part of the provisioning process.

IdentityIQ includes the following types of provisioning policies:

  • Create

  • Update

  • Delete

  • Enable Account

  • Disable Account

  • Unlock Account

  • Change Password

  • CreateGroup - This is CreateRole for MEDITECH

  • UpdateGroup - This is UpdateRole for MEDITECH

Click an existing provisioning policy or click Add Policy to create a new one using the Provisioning Policy Editor or to reference an existing policy. Only one of each policy type is supported.

Use the Application Dependencies drop-down list to create the list of applications where this application is dependent for provisioning. If no account is detected on an application where this application is dependent, an account request is added to the provisioning plan and the provision policy for this application is processed as expected.

The Provisioning Policy Editor panel contains the following information:

The name of your provisioning policy

A brief description of your provisioning policy

The owner of the provisioning policy. This is determined by selecting from the following:

  • None — no owner is assigned to this provisioning policy.

  • Application Owner — identity assigned as owner of the application in which the provisioning policy resides.

  • Role Owner — identity assigned as owner of the role in which the provisioning policy resides.

  • Rule — use a rule to determine the owner of this provisioning policy.

  • Script — use a script to determine the owner of this provisioning policy

Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the provisioning policy:

The name of the field.

The name displayed for the field in the form generated by the provisioning policy.

The text you wish to appear when hovering the mouse over the help icon.

Select the type of field from the drop-down list. Choose from the following:

  • Boolean — true or false values field

  • Date — calendar date field

  • Integer — only numerical values field

  • Long — similar to integer but is used for large numerical values

  • Identity — specific identity in IdentityIQ field

  • Secret — hidden text field

  • String — text field

Choose this to have more than one selectable value in this field of the generated form. Click the plus sign to add another value.

Determine how the read only value is derived:

  • Value — value based on the selection from the drop-down list

  • Rule — value is based on a specified rule

  • Script — value is determined by the execution of a script

Determine how the hidden value is derived:

  • Value — value based on the selection from the drop-down list

  • Rule — value is based on a specified rule

  • Script — value is determined by the execution of a script

The owner of this provisioning policy field. This is determined by selecting from the following:

  • None — no owner is assigned to this provisioning policy.

  • Application Owner — identity assigned as owner of the application in which the provisioning policy resides.

  • Role Owner — identity assigned as owner of the role in which the provisioning policy resides.

  • Rule — use a rule to determine the owner of this provisioning policy.

  • Script — use a script to determine the owner of this provisioning policy

Choose whether or not to have the completion of this field a requirement for submitting the form.

Choose whether or not to require the person who is approving the workflow item to approve this field.

Select this option to have the form associated with this policy refresh to reflex changes to this policy.

Set this field as display only.

Boolean that specifies whether the field value should completely replace the current value rather than be merged with it; applicable only for multi-valued attributes

Determine how the value is derived. Select from the following:

  • Literal — value is based on the information you provide

  • Rule — value is based on a specified rule

  • Script — value is determined by the execution of a script

Gives the ability to specify a script or rule for validating the user's value. For example, a script that validates that a password is 8 characters or longer.