
Defining Policies

Policies are composed of general information about the purpose, ownership, and general behavior of the policy, and rules that define how the policy works. Policies monitor for identities that are in violation of the rules defined in the policy. For example, a separation of duties policy can disallow one identity from both requesting and approving purchase orders. An activity policy can disallow an identity with the Human Resource role from updating the payroll application even though the identity has view access to that application.

Note

Access to the Policies page requires IdentityIQ administrative capabilities.

Policies Page

Click Setup > Policies to open the Policies page. This page lists the policies that have been defined in your system and includes a New Policy button for creating new policies. The Filter by Policy Name option and the Advanced Search on this page help you quickly find existing policies.

  • To edit a policy, click the policy to open it.

  • To delete a policy, right-click on the policy and choose delete.

  • To create a new policy, click New Policy and choose a policy type. See Types of Policies for more information.

The Policies page shows this information for all your existing policies.

Column Name Description
Name The name of the policy.
Type The type of policy.
SOD – separation of duties policies ensure that identities are not assigned conflicting roles.
Entitlement SOD – separation of duties policies ensure that identities are not assigned conflicting entitlements.
EffectiveEntitlementSOD – ensure that identities are not assigned conflicting entitlements indirectly, through other objects.
Activity – ensure that users are not accessing sensitive applications if they should not or when they should not.
Account – ensure that an identity does not have multiple accounts on an application.
Risk – ensure that users are not exceeding the maximum risk threshold set for your enterprise.
Advanced – custom policies created using match lists, filters, scripts, rules, or populations.
Description A brief description of the policy as entered when it was defined.
State Select the state (Active or Inactive), indicating whether the policy should be evaluated or not during policy checks.

Active – the policy is currently being used.
Inactive – the policy is not being used.

Editing Policies

The Edit Policy page is where you create new policies, and edit existing policies.

In the Edit Policy page you can define the following information for your policy. You can also run a Policy Simulation (link) from this page, and view, add, or open Policy Rules (link).

Field Name Description
Name A descriptive name of this policy. This is the name that displays on the Policies page.
Owner The owner of the policy. The policy owner serves as the "fallback" owner if a Policy Violation Owner (that is, the person responsible for taking action on the policy violations arising from this policy) is not specified.

If the notification option is enabled as part of the policy, the policy owner receives an email notification for each violation of the policy, by default.

Entering the first letter, or letters, of a name or workgroup displays a selection list of valid users and workgroups with names containing that letter string.
Policy Violation Owner The person responsible for taking action on the violations of this policy. This can be a specific identity, the manager of the user in violation of the policy, or someone selected according to a rule.

You can also assign owners to each individual rule that makes up the policy. If you assign an owner at the rule level, it overrides the policy-level violation owner.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

If the notification option is enabled, only the owner receives a work item; the observers only receive email notifications.
Scope If scoping is enabled in your system, you can set a scope for this policy. If scoping is not enabled, you will not see this option.

If a scope is assigned, only the owner of the policy and users who control the designated scope can see this policy on the Policies page. The scope assigned to the policy does not impact the way violations are displayed, reported, or monitored.

Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.
Description A brief description of the policy and its use in your organization.

To enter descriptions in multiple languages, use the language selector. The dropdown list displays any languages supported in your instance of IdentityIQ. The description displayed throughout the product is dependent on the language associated with the user's browser. If only one description is entered, that is the description used by default.

You must Save each description before changing languages to enter another description.
Violation formatting rule A violation formatting rule adds extra information to a policy violation, like an extra description, or the relevant applications that contain attributes that contributed to the violation. This can be especially relevant for advanced policies, for which IdentityIQ cannot always collect all information that may be relevant to the person who has to review the violation.

If you want to use a rule to control violation formatting, select a violation rule from the dropdown list. Violation formatting rules are defined when your system is configured.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
Violation business process Business processes can be used to define how violation work items are assigned, or how to handle the violation based on the decision made on the work item. If you want to use a business process for the violation, select the business process from the dropdown list.

A business process specified here for the entire policy is overridden by any business process that is specified as part of a policy rule on the Edit Rule pages.
State Select the state (Active or Inactive), indicating whether the policy should be evaluated or not during policy checks.

Active – use the policy to monitor roles or activity.
Inactive – do not use the policy to monitor role or activity at this time.
Send Alerts Select this option to display the Alert Properties section. You can set alerts to be sent by email and a work item opened each time a violation is detected. See Notifications, Reminders, and Escalations for Policies for more information.
Alert Properties: Not all of the alert property options are visible initially. This section expands as options are activated.
Initial Notification Email The email template used for the initial notification of the policy violation and work item assignment.
Escalation Specify a level of escalation for this policy.
None – after the initial alert no further messages are sent and the work item is never escalated.
Send Reminders – email reminders are sent periodically until the work item is complete.
Reminders then Escalation – email reminders are sent periodically until the work item is complete or, if the work item is not completed in a timely manner, the work item is escalated.
Escalation Only – the work item is escalated after a specified time period with no notifications or warning being sent.
Open Work Item Select to automatically generate a work item for this violation.
Days Before First Reminder The number of days after which the first email reminder is sent.
Reminder Frequency The number of days, or interval, between email reminders being sent.
Reminder Email Template Template used to format the reminder email. If none is selected, a system default is used.
Reminders Before Escalation Maximum number of reminders to send before escalation begins. If this field is set to zero, no reminders are sent and escalation begins immediately.
Escalation Owner Rule The rule used to determine the new owner of the escalated work item.
Escalation Email Template used to format the escalation email.
Observers Identities to whom the email notifications and work items are sent.
Enter the first letter, or letters, of an identity name to display the suggest list or click the arrow to the right of the field to display all identities and select from the list.
Select as many observers as required.
Rule Table A list of the rules contained in this policy and a description of each. Click on a rule to access the edit rule pages.
Account and Risk policies do not have a separate rule page.

Working with Policies

To create a new policy, use the New Policy dropdown menu. Select a type from the dropdown menu to display the Edit Policy page. To work with an existing policy, click on that policy row in the table or right-click on the policy and select Edit from the dropdown menu.

To remove a policy, right-click on the policy and select Delete from the dropdown menu.

How to Create or Edit a Risk Policy

Use the SailPoint-provided risk policy to set a maximum risk threshold for identities before they are considered in violation of your compliance standards. From the Policies page, click the risk policy in the Policies table to display the Edit Policy page and enter the Composite score threshold.

See Policies Page and Editing Policies

You can create multiple risk policies, but only one can be operational within IdentityIQ at any time.

How to Create or Edit an Account Policy

Use the SailPoint-provided account policy to ensure that no identities have multiple accounts on any of the applications within your enterprise. Use the Edit Policy page to activate the account policy and add information such as a name and owner.

See Policies Page and Editing Policies

How to Create or Edit a Separation of Duties Policy

Separation of Duties (SOD) policies are created using the Edit Policy and Edit SOD Rule pages. Use this procedure to create new policies or edit existing ones.

  1. Click Setup > Policies.

  2. Optional: If you are editing an existing policy, you can use the search options to search by policy name and policy type.

  3. Select Role SOD, Entitlement SOD, or Effective Entitlement SOD from the New Policy dropdown list, or click on an existing policy to display the Edit Policy page.

  4. Enter the general policy information. See Editing Policies

  5. Right-click on a rule or select Create New Rule to display the Edit SOD Rule page.

  6. Enter the SOD Rule information in the top portion of the page. See Edit SOD Rule Page (Link) for detailed descriptions of those fields.

  7. To create a rule based on roles:

    1. Select a role from the Add Role dropdown list below the Any of these roles table.

    2. Select a role from the Add Role dropdown list below the conflict with any of these roles table.

    The dropdown list contains all of the roles defined for your organization. You can enter as many roles as are needed to build this rule.

  8. To create a rule based on attributes:

    1. Select an application and use the Add Attribute or Add Permission buttons to build the First Entitlement Set.

    2. Select an application and use the Add Attribute or Add Permission buttons to build the Second Entitlement Set.

    3. For attributes, select an attribute from the dropdown list and enter a value.

    4. For permissions, enter the name (target) and value (right).

    5. Enter as many attributes and permissions as needed to build this rule.

  9. Click Done to return to the Edit Policy page.

  10. Repeat steps 5 through 9 until all of the rules needed for this policy have been added or modified.

  11. Click Save to save the policy and return to the Policies page.

How to Create or Edit an Activity Policy

Activity policies are created using the Edit Policy and Edit Activity Policy Rule pages. Use this procedure to create new policies or edit existing ones.

  1. Click Setup > Policies.

  2. Optional: If you are editing an existing policy, you can use the search options to search by policy name and policy type.

  3. Select Activity Policy from the New Policy dropdown list, or click on an existing policy to display the Edit Policy page.

  4. Enter the general policy information. See Editing Policies.

  5. Click on a rule or Create New Rule to display the Edit Activity Policy Rule page.

  6. Enter the Activity Policy Rule information in the top portion of the page. See Edit Activity Rule (link) Page for detailed descriptions of those fields.

  7. Create the filters necessary to identify the identity and activity types that should be considered when performing the policy scans for this violation.

Use the Identity Filters and Activity Filters panels to add and combine filters for use in the policy. Apply qualifiers to filters to limit the values returned and then use grouping, AND / OR operations, and time periods to create the rules that make up the policy.

To add a filter, create the filters that make up the rules using these fields:

Field
Select an attribute value from the dropdown list.

Search Type
The qualifier to associate with the value, such as equals or like.

Value
The value of the field selected.

Ignore Case
Specifies whether case should be factored into the query.

Filter(s)
The Operations dropdown list lets you specify AND / OR relationships between the filters in the list. Select multiple filters and group them to create sub-filters and use multiple layers of filter grouping to create complex rules.

Click view / edit filter source to display an editable text version of the filter.

See the online help for details on using the advanced filtering functions.

Click Done to save the new policy and return to the Edit Policies page.

How to Create or Edit an Advanced Policy

Advanced policies are created using the Edit Policy and Edit Advanced Rule pages. Use this procedure to create new policies or edit existing ones.

  1. Click or mouse over the Define tab and select Policies.

  2. Optional: Use the filtering options to limit the number of policies displayed in the table. You can filter by both policy name and policy type.

  3. Select Advanced Policy from the Create new policy dropdown list or click on an existing policy to display the Edit Policy page.

  4. Enter the general policy information. See Editing Policies.

  5. Click Create New Rule or right-click on an existing rule to display the Edit Advanced Rule page.

  6. Enter the Advanced Rule information in the top portion of the page. See Edit Advanced Policy Rule (link) Page for detailed descriptions of those fields.

  7. Select the method used to define this rule. Any identity that meets the condition you define here is considered in violation of this policy:

Match List
Define a list of entitlements to determine the rule. For attributes, select an attribute from the dropdown list and type a value. For permissions, type the name (target) and value (right).

Filter
Enter a custom XML database query to define identities for this rule.

Script
Enter a custom script to define the rule. Scripts are similar to rules, but the source is stored with the policy and can be edited from this page.

Rule
Select an existing rule from the dropdown list.

Population
Select a population from the list. Any identity that matches the criteria defined for the population displayed is in violation of this policy.

For more information and examples for using Match Lists, Filters, Scripts, Rules, and Populations, see the IdentitySelectors in the IdentityIQ User Interface technical white paper on Compass.

Click Done to save the new policy and return to the Edit Policies page.

Policy Simulation

Policy simulation runs a background task that iterates over all identities to determine if a policy violation occurs for the rule or policy. This process can be time-consuming and resource-intensive, depending on the complexity of the policy definition and the number of identities and accounts.

Before you make a policy active in your production environment, you can run a simulation for:

  • All enabled rules in policy – click Run Simulation next to the Cancel button. To view the number of violations, click View Simulation.

  • A single rule in a policy with multiple rules – click the Run Simulation link next to the rule. To view the number of violations, click the View Simulation link.

When you run a simulation on a policy, the policy is saved and the test is run for all the enabled rules. The rule or rules are disabled and the status of the policy is changed to Inactive. To activate the policy, you must edit the policy, change the state to Active and save the changes to the policy.

Before testing the rule, make sure the names of rules are unique in a policy. When you run a simulation for a single rule, only the rule is disabled. The state of the policy is NOT changed. When you run a simulation for all the enabled rules in a policy, the state of the policy is changed to inactive. To activate the policy, you must change the state to Active and save the changes to the policy.

For information on working with the rules for each policy type, see Policy Rules (link).

Policy Rules

Rules are used to enforce policies. Violations on each rule in a policy, when detected, are stored in the Identity Cube. These violations also appear on identity score cards and enable you to identify high-risk employees and respond. You can configure policy violations to trigger a business process that immediately sends email notifications and generates work items when a violation is detected. Policy violations can be managed through certifications or through the policy violations page.

You can use the simulation option to simulate the policy rule before you make it active in your production environment. See Policy Simulation.

For an overview of developing and using rules in IdentityIQ, see Rules and Scripts in IdentityIQ (link).

Edit SOD Rule Page

Use the Edit SOD Rule page to define new rules for separation of duties policies or edit existing rules. Rules are used to monitor roles or entitlements for conflicts of interest. This enables you to identify high-risk employees and take the appropriate action as needed.

To create or edit a policy, see Working with Policies.

For an overview of developing and using rules in IdentityIQ, see Rules and Scripts in IdentityIQ (link).

To access the Edit SOD Rule Page, navigate to Setup > Policies, select the SOD Policy you want to edit, then scroll down to the bottom of the page. Select an existing rule from the table, or click Create New Rule. The following information is displayed on an Edit SOD Rule page:

Field Name Description
Summary A brief summary of this rule. This information is displayed in the Rules column of the Rules table on the Edit Policy page.
Description A brief description of the rule.
Policy Violation Owner The person responsible for taking action on the policy violations. This can be a specific identity, the manager of the user in violation of the policy, or someone selected according to a rule.

You can also assign owners to each individual rule that makes up the policy. If you assign an owner at the rule level, it overrides the policy-level violation owner.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

If the notification option is enabled, only the owner receives a work item; the observers only receive email notifications.
Violation formatting rule A violation formatting rule adds extra information to a policy violation, like an extra description, or the relevant applications that contain attributes that contributed to the violation.

If you want to use a rule to control violation formatting, select a violation rule from the dropdown list. Violation formatting rules are defined when your system is configured.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
Violation business process Business processes can be used to define how violation work items are assigned, or how to handle the violation based on the decision made on the work item. If you want to use a business process for the violation, select the business process from the dropdown list.

A business process specified here for the entire policy is overridden by any business process that is specified as part of a policy rule on the Edit Rule pages.
Disabled Enable or disable the rule.
Compensating Control A description of exceptions or compensating factors that apply to this rule. For example, certain policies or rules might not apply to users at the executive level in your organization.

This field is for documentation purposes only. Information entered here does not impact risk scoring associated with this rule or the reporting of policy violations.

See Compensating Controls and Correction Advice.
Correction Advice Text entered in this field is displayed if a violation of this policy appears on a certification request and is selected for revocation. Use this field to enter information that can be used by a certifier to make the correct revocation decision.

See Compensating Controls and Correction Advice.
Role SOD Rules:
Any of these roles/entitlements
conflict with any of these roles/entitlements
The lists of conflicting roles that define this rule. If an identity is assigned ANY of the roles from the Any of these table and ANY of the roles from the conflict with any of these table, they are in violation of this rule and their risk score card reflects that violation.
Each table can contain multiple items, but if a user has even one role in each list it is a violation of the policy.
Entitlement SOD Rule:
First Entitlement Set
Second Entitlement Set
The lists of conflicting entitlements that define this rule.
Add identity attributes or account attributes and permissions to create lists of conflicting entitlements.
Use the Or / And dropdown list to determine if an identity has to match all of the items in the list or just one to be in violation of this policy.
Effective Entitlement SOD Rule:
First Entitlement Set
Second Entitlement Set
The lists of conflicting entitlements that define this rule.
Add identity attributes, account attributes and permissions, and target permissions to create lists of conflicting entitlements.
Use the Or / And dropdown list to determine if an identity has to match all of the items in the list or just one to be in violation of this policy.
Run or View Simulation Use the simulation option to simulate the policy rule before you make it active in your production environment.

Before testing the rule, make sure the names of rules are unique in a policy.

When you run a simulation for a single rule, only the rule is disabled. The state of the policy is NOT changed.

When you run a simulation for all the enabled rules in a policy, the state of the policy is changed to inactive. To activate the policy, you must change the state to Active and save the changes to the policy.
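The evaluation semantics described in the Role SOD and Entitlement SOD rows above (any role from the first table combined with any role from the conflict table; two entitlement sets each combined with the Or / And dropdown), together with the Disabled flag and the requirement that rule names be unique within a policy, modelled as an added example. This is illustrative Python, not IdentityIQ's own rule engine; all class names, identities, roles and entitlement values are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Entitlement:
    """An account attribute value, or a permission as attribute="permission", value="target:right"."""
    application: str
    attribute: str
    value: str


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset = frozenset()
    entitlements: frozenset = frozenset()


@dataclass(frozen=True)
class RoleSodRule:
    summary: str
    any_of: frozenset          # the "Any of these roles" table
    conflict_with: frozenset   # the "conflict with any of these roles" table
    disabled: bool = False

    def violates(self, identity: Identity) -> bool:
        # One role from EACH table is enough; the identity need not hold every role listed.
        return bool(identity.roles & self.any_of) and bool(identity.roles & self.conflict_with)


@dataclass(frozen=True)
class EntitlementSet:
    items: tuple               # Entitlement items added via Add Attribute / Add Permission
    operator: str = "Or"       # the Or / And dropdown: Or = match any item, And = match all

    def matches(self, identity: Identity) -> bool:
        if not self.items:
            return False       # assumption: an empty set never matches
        hits = [item in identity.entitlements for item in self.items]
        return all(hits) if self.operator == "And" else any(hits)


@dataclass(frozen=True)
class EntitlementSodRule:
    summary: str
    first_set: EntitlementSet
    second_set: EntitlementSet
    disabled: bool = False

    def violates(self, identity: Identity) -> bool:
        # Both sets must match, each evaluated under its own Or / And operator.
        return self.first_set.matches(identity) and self.second_set.matches(identity)


def scan_policy(rules, identities):
    """Return {identity name: [violated rule summaries]} over every enabled rule."""
    summaries = [rule.summary for rule in rules]
    if len(set(summaries)) != len(summaries):
        raise ValueError("rule summaries must be unique within a policy")
    violations = {}
    for identity in identities:
        hits = [r.summary for r in rules if not r.disabled and r.violates(identity)]
        if hits:
            violations[identity.name] = hits
    return violations


# Constructed sample data (not taken from any real deployment).
PO_RULE = RoleSodRule(
    summary="Request and approve purchase orders",
    any_of=frozenset({"PO Requester"}),
    conflict_with=frozenset({"PO Approver", "PO Manager"}),
)
PAYROLL_RULE = EntitlementSodRule(
    summary="HR view access combined with payroll update",
    first_set=EntitlementSet((Entitlement("HRApp", "memberOf", "HR Analysts"),)),
    # And: the identity must hold BOTH the admin group and the run-payroll permission.
    second_set=EntitlementSet((
        Entitlement("Payroll", "memberOf", "Payroll Admins"),
        Entitlement("Payroll", "permission", "PAYRUN:execute"),
    ), operator="And"),
)
IDENTITIES = [
    Identity("alice", roles=frozenset({"PO Requester", "PO Manager"})),
    # bob holds the admin group but not the permission, so the And set does not match.
    Identity("bob", roles=frozenset({"PO Requester"}), entitlements=frozenset({
        Entitlement("HRApp", "memberOf", "HR Analysts"),
        Entitlement("Payroll", "memberOf", "Payroll Admins"),
    })),
    Identity("carol", entitlements=frozenset({
        Entitlement("HRApp", "memberOf", "HR Analysts"),
        Entitlement("Payroll", "memberOf", "Payroll Admins"),
        Entitlement("Payroll", "permission", "PAYRUN:execute"),
    })),
]


def sample_scan(disable_payroll_rule=False):
    """Run the constructed policy; the flag mimics setting Disabled on the payroll rule."""
    payroll = replace(PAYROLL_RULE, disabled=disable_payroll_rule)
    return scan_policy([PO_RULE, payroll], IDENTITIES)


if __name__ == "__main__":
    print(sample_scan())
```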

Edit Activity Rule Page

Use the Edit Activity Policy Rule page to define new rules for activity policies or edit existing rules. Rules are used to monitor the activities performed by users within your enterprise.

To create or edit a policy, see Working with Policies.

For an overview of developing and using rules in IdentityIQ, see Rules and Scripts in IdentityIQ (link).

To access the Edit Activity Rule Page, navigate to Setup > Policies, select the Activity Policy and then scroll down to the bottom of the page. Select an existing rule from the table or click Create New Rule. The following information is displayed on the Edit Activity Policy Rule page:

Field Name Description
Activity Rule:
Summary A brief summary of this rule. This information is displayed in the Rules column of the Rules table on the Edit Policy page.
Description A brief description of the rule.
Policy Violation Owner The person responsible for taking action on the policy violations. This can be a specific identity, the manager of the user in violation of the policy, or someone selected according to a rule.

You can also assign owners to each individual rule that makes up the policy. If you assign an owner at the rule level, it overrides the policy-level violation owner.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

If the notification option is enabled, only the owner receives a work item; the observers only receive email notifications.
Violation formatting rule A violation formatting rule adds extra information to a policy violation, like an extra description, or the relevant applications that contain attributes that contributed to the violation.

If you want to use a rule to control violation formatting, select a violation rule from the dropdown list. Violation formatting rules are defined when your system is configured.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
Violation business process Business processes can be used to define how violation work items are assigned, or how to handle the violation based on the decision made on the work item. If you want to use a business process for the violation, select the business process from the dropdown list.

A business process specified here for the entire policy is overridden by any business process that is specified as part of a policy rule on the Edit Rule pages.
Disabled Enable or disable the policy.
Compensating Control A description of exceptions or compensating factors that apply to this rule. For example, certain policies or rules might not apply to users at the executive level in your organization.

This field is for documentation purposes only. Information entered here does not impact risk scoring associated with this rule or the reporting of policy violations.

See Compensating Controls and Correction Advice.
Corrective Advice Text entered in this field is displayed if a violation of this policy appears on a certification request and is selected for revocation. Use this field to enter information that can be used by a certifier to make the correct revocation decision.

See Compensating Controls and Correction Advice.
Identity Filters:
Enable you to identify which types of identities should be considered when scanning activities for violations of this policy. These filters can be grouped and controlled using AND / OR operations and be as simple or complex as needed.
The Add a Filter box is used to create the individual filters, the Filter(s) box is used to view and manipulate the existing filters.
Operation The operation used to control the interaction between the filters.
Field A distinguishing characteristic associated with the identity type for which you are searching. The dropdown list contains all of the categories by which identities can be differentiated.
Search Type The qualifier associated with the attribute value. For example, equals or is like.
The choices in this dropdown list are dependent on the Field specified.
Value The value of the attribute.
Ignore Case Specifies whether case should be a factor when scanning for the value specified.
Activity Filters:
Enable you to select which types of activities should be considered violations of this policy. You can also choose Time Periods in order to define when this activity is considered a violation of this policy.
Time Periods The time periods during which the activity is in violation of the policy.

For example, if someone is logging into a sensitive application on the weekends or during non-office hours it might be a violation. The time periods are configured during the deployment of IdentityIQ.
Operation The operation used to control the interaction between the filters.
Field A distinguishing characteristic associated with the action for which you are searching. For example, start or end date, or the data source on which the action occurred.
Search Type The qualifier associated with the field value. For example, equals or is like.

The choices in this dropdown list are dependent on the Field specified.
Value The value of the attribute.
Ignore Case Specifies whether case should be a factor when scanning for the value specified.
Run or View Simulation Use the simulation option to simulate the policy rule before you make it active in your production environment.

Before testing the rule, make sure the names of rules are unique in a policy.

When you run a simulation for a single rule, only the rule is disabled. The state of the policy is NOT changed.

When you run a simulation for all the enabled rules in a policy, the state of the policy is changed to inactive. To activate the policy, you must change the state to Active and save the changes to the policy.
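The Identity Filters and Activity Filters described in this table and in the Activity Policy procedure above, modelled as an added example (not IdentityIQ's own filter engine): filters with equals / like search types and Ignore Case, AND / OR grouping with nested groups, and time periods that decide when a matching activity counts as a violation. The time-period representation (weekdays plus a clock window), the substring meaning of like, and all sample identities and activities are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Filter:
    """One row of the Add a Filter box: Field, Search Type, Value, Ignore Case."""
    field: str
    search_type: str           # "equals" or "like"; assumption: like = substring match
    value: str
    ignore_case: bool = False

    def matches(self, record: dict) -> bool:
        actual, expected = str(record.get(self.field, "")), self.value
        if self.ignore_case:
            actual, expected = actual.lower(), expected.lower()
        if self.search_type == "equals":
            return actual == expected
        if self.search_type == "like":
            return expected in actual
        raise ValueError(f"unsupported search type: {self.search_type}")


@dataclass(frozen=True)
class Group:
    """Filters (or nested groups) joined with the Operation dropdown (AND / OR)."""
    operation: str
    members: tuple

    def matches(self, record: dict) -> bool:
        results = [m.matches(record) for m in self.members]
        return all(results) if self.operation == "AND" else any(results)


@dataclass(frozen=True)
class TimePeriod:
    """A configured time period; assumed to be a set of weekdays plus a clock window."""
    name: str
    weekdays: frozenset        # 0 = Monday ... 6 = Sunday
    start: time = time.min
    end: time = time.max

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class ActivityRule:
    summary: str
    identity_filter: Group     # which identities are in scope for this rule
    activity_filter: Group     # which activities count as violations
    time_periods: tuple = ()   # empty tuple: the activity is a violation at any time

    def violates(self, identity: dict, activity: dict) -> bool:
        in_period = not self.time_periods or any(
            p.contains(activity["timestamp"]) for p in self.time_periods)
        return (self.identity_filter.matches(identity)
                and self.activity_filter.matches(activity) and in_period)


def scan_activity(rule, identities, activities):
    """Return [(identity name, action, timestamp)] for each activity violating the rule."""
    by_name = {i["name"]: i for i in identities}
    return [(a["identity"], a["action"], a["timestamp"])
            for a in activities if rule.violates(by_name[a["identity"]], a)]


# Constructed sample data (not taken from any real deployment).
WEEKENDS = TimePeriod("Weekends", frozenset({5, 6}))
EVENINGS = TimePeriod("Weekday evenings", frozenset({0, 1, 2, 3, 4}), start=time(18, 0))

OFF_HOURS_PAYROLL = ActivityRule(
    summary="Payroll updates by HR or Finance staff outside office hours",
    identity_filter=Group("OR", (
        Filter("department", "equals", "Human Resources", ignore_case=True),
        Filter("department", "equals", "Finance"),
    )),
    activity_filter=Group("AND", (
        Filter("dataSource", "like", "payroll", ignore_case=True),
        Filter("action", "equals", "update"),
    )),
    time_periods=(WEEKENDS, EVENINGS),
)
IDENTITIES = [
    {"name": "alice", "department": "human resources"},
    {"name": "bob", "department": "Engineering"},
    {"name": "carol", "department": "Finance"},
]
ACTIVITIES = [   # 2024-03-09 is a Saturday, 03-12 a Tuesday, 03-13 a Wednesday
    {"identity": "alice", "action": "update", "dataSource": "Payroll-PROD",
     "timestamp": datetime(2024, 3, 9, 10, 30)},    # weekend: violation
    {"identity": "alice", "action": "update", "dataSource": "Payroll-PROD",
     "timestamp": datetime(2024, 3, 12, 9, 15)},    # office hours: allowed
    {"identity": "bob", "action": "update", "dataSource": "Payroll-PROD",
     "timestamp": datetime(2024, 3, 9, 11, 0)},     # not HR/Finance: out of scope
    {"identity": "carol", "action": "view", "dataSource": "Payroll-PROD",
     "timestamp": datetime(2024, 3, 10, 20, 0)},    # view, not update: allowed
    {"identity": "carol", "action": "update", "dataSource": "payroll-test",
     "timestamp": datetime(2024, 3, 13, 19, 45)},   # weekday evening: violation
]


def sample_activity_scan():
    """Run the constructed rule over the constructed activity log."""
    return scan_activity(OFF_HOURS_PAYROLL, IDENTITIES, ACTIVITIES)
```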

Edit Advanced Policy Rule Page

Use the Edit Advanced Rule page to define new rules for advanced policies, or to edit existing rules. Advanced rules are used to create custom violation monitoring based on a variety of entitlements, filters, scripts, rules, and populations.

To create or edit a policy, see Working with Policies.

For an overview of developing and using rules in IdentityIQ, see Rules and Scripts in IdentityIQ (link).

The following information is displayed on the Edit Advanced Rule page:

Field Name Description
Advanced Rule:
Summary A brief summary of this rule. This information is displayed in the Rules column of the Rules table on the Edit Policy page.
Description A brief description of the rule and its use in your organization.
Violation formatting rule A violation formatting rule adds extra information to a policy violation, like an extra description, or the relevant applications that contain attributes that contributed to the violation.

This can be especially useful for advanced policies, for which IdentityIQ cannot always collect all information that may be relevant to the person who has to review the violation.

If you want to use a rule to control violation formatting, select a violation rule from the dropdown list. Violation formatting rules are defined when your system is configured.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
Violation business process Business processes can be used to define how violation work items are assigned, or how to handle the violation based on the decision made on the work item. If you want to use a business process for the violation, select the business process from the dropdown list.

A business process specified here for the entire policy is overridden by any business process that is specified as part of a policy rule on the Edit Rule pages.
Disabled Enable or disable the policy.
Compensating Control A description of exceptions or compensating factors that apply to this rule. For example, certain policies or rules might not apply to users at the executive level in your organization.

This field is for documentation purposes only. Information entered here does not impact risk scoring associated with this rule or the reporting of policy violations.

See Compensating Controls and Correction Advice.
Corrective Advice Text entered in this field is displayed if a violation of this policy appears on a certification request and is selected for revocation. Use this field to enter information that can be used by a certifier to make the correct revocation decision.

See Compensating Controls and Correction Advice.
Selection Method:
The selection method used when scanning for and assigning policy violations.

For more information and examples for using Match Lists, Filters, Scripts, Rules, and Populations, see the IdentitySelectors in the IdentityIQ User Interface technical white paper on Compass.
Match List A list of entitlements that define a policy violation.
An identity that is assigned the entitlements in this list is in violation of this policy.
Filter A custom filter (XML database query) used to define a rule for this policy.
Script A custom script used to define a rule for this policy.
Rule The rule selected from the rules list.
Population A population of users. Populations are based on saved queries from the Advanced Analytics feature.
Run or View Simulation Use the simulation option to simulate the policy rule before you make it active in your production environment.

Before testing the rule, make sure the names of rules are unique in a policy.
When you run a simulation for a single rule, only the rule is disabled. The state of the policy is NOT changed.

When you run a simulation for all the enabled rules in a policy, the state of the policy is changed to inactive. To activate the policy, you must change the state to Active and save the changes to the policy.