Provisioning Policies

Provisioning policies in an application configuration define the set of attributes which are needed to complete a provisioning request, whether that request is to create an account, modify an account, add a role to an identity, etc. In some cases, values for the attributes can be auto-calculated based on the field's definition in the provisioning policy; in other cases, the fields are presented to a user who can provide their values. When auto-calculation is possible, it is encouraged as a best practice, because it is typically more efficient and less error-prone than user-provided values.

Provisioning policies are implemented as forms that specify which attributes to include in provisioning requests, and how the values of those attributes are provided – manually by an IdentityIQ user, or in an automated manner, either through a static value, or a value that IdentityIQ calculates using a script or rule.

For example, if you are provisioning a new account on an LDAP application, the provisioning policy should provide the minimum required attributes (such as user name and email) to successfully create a new account on the LDAP application.

In addition, optional attributes can be included in the provisioning policy to set additional values as needed.

Provisioning policies can be configured so that all values are provided automatically by IdentityIQ. Alternatively, attributes can be specified without a value but marked as required, so that IdentityIQ will prompt a user to provide the data manually.

In this example, the values for First, Last, and Login are auto-calculated based on identity attributes; values for Status and Locked are specified as static values.

Attribute   Value
First       return identity.firstname
Last        return identity.lastname
Login       return identity.name
Status      A
Locked      N

Based on this policy, IdentityIQ can automatically build a provisioning plan to pass the required values to the connector to create a new account on the target system.
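A simplified model of how the policy in the table above resolves into a provisioning plan, added here as an illustration; it is not IdentityIQ code and does not use its API. The Field class, the function names, the plan layout, the prompted Email field and the sample identity are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass
class Field:
    name: str
    script: Optional[Callable[[dict], Any]] = None  # value auto-calculated from the identity
    static: Any = None                              # fixed value
    required: bool = False                          # required with no value: prompt a user


# Fields from the table above, plus a hypothetical prompted field (Email).
CREATE_POLICY = [
    Field("First", script=lambda i: i["firstname"], required=True),
    Field("Last", script=lambda i: i["lastname"], required=True),
    Field("Login", script=lambda i: i["name"], required=True),
    Field("Status", static="A"),
    Field("Locked", static="N"),
    Field("Email", required=True),
]

# Constructed sample identity.
SAMPLE_IDENTITY = {"name": "jdoe", "firstname": "Jane", "lastname": "Doe"}


def fields_to_prompt(policy):
    """Required fields with neither a script nor a static value."""
    return [f.name for f in policy
            if f.required and f.script is None and f.static is None]


def build_plan(identity, policy, user_input=None):
    """Resolve each field; refuse to build a plan with required values missing."""
    user_input = user_input or {}
    attributes, missing = {}, []
    for f in policy:
        if f.script is not None:
            value = f.script(identity)
        elif f.static is not None:
            value = f.static
        else:
            value = user_input.get(f.name)
        if value not in (None, ""):
            attributes[f.name] = value
        elif f.required:
            missing.append(f.name)
    if missing:
        raise ValueError("required attributes unresolved: " + ", ".join(missing))
    return {"operation": "Create", "attributes": attributes}
```

Only Email has to be supplied by a user; the other five values come from the identity or from the policy itself.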

For some connector types, the provisioning policy for creating accounts is predefined; however, predefined policies can be modified according to your business needs.

When a user submits a Lifecycle Manager request, such as requesting a business role or unlocking an account on a target system, IdentityIQ pulls the list of required attributes from the provisioning policy, and includes those attributes and their values in the provisioning plan.