How Policies Work
Policies are evaluated per identity. An evaluation can be triggered during aggregation, Identity Cube refresh, a specialized task (such as a dedicated refresh task), or as part of the Lifecycle Manager access request process.
In IdentityIQ, policies can be both detective and preventive.
Detective Policies
- Policies are detective when they find and flag any access that already exists and is in violation of your business rules. In IdentityIQ, the Refresh Identities task checks all identities against policies, and marks the ones that are in violation of your active policies. Evaluation during aggregation can also be a detective way of finding violations. See Detective Policy Evaluation.
- To enable policy evaluation during aggregation or during an Identity Refresh task, the Check active policies option must be selected in the aggregation or refresh task. See Account Aggregation and Identity Refresh.
Preventive Policies
- Policies can also be preventive, helping you spot and avoid the granting of problematic access before it occurs. Users can be alerted to violations at the time access is requested, and when it is approved. Making policies preventive is optional, and is configured using a business process for provisioning. This configuration is optional because there might be some cases, such as when using a Separation of Duties policy, when you do not want to let users know which access combinations can provide an opportunity for fraud or for circumvention of security controls. The out-of-the-box business process that manages this behavior is LCM Provisioning, but you can implement your own business processes as needed, using LCM Provisioning as a model. See Preventive Policy Evaluation.
IdentityIQ's Policy Violations page shows you any policy violations you are responsible for acting on. You can revoke the problematic access, allow the violation to continue for a set period of time, or take other actions such as forwarding the violation to another user. See the Overview of the Policy Violations Page for more details.
Detective Policy Evaluation
Detective policy evaluation is triggered as part of an aggregation or a task that refreshes identities (such as an Identity Refresh task).
For policy evaluation during aggregation, select the option Check active policies in the aggregation task to include policy evaluation as part of the task.
For policy evaluation during an Identity Refresh task, the same option, Check active policies, must be selected. In an Identity Refresh task there are two additional options for evaluation during the task:
- Keep previous violations keeps all existing violations, even if they are found to be resolved or do not match any active policy.
- A comma-separated list of policy names. Entering a list of policies in this field means the task will check only the listed policies that are active; leaving this field blank tells the refresh task to check all active policies. Note that if a policy is included in this field but is inactive, it will not be evaluated as part of the task.
Preventive Policy Evaluation
When the Lifecycle Manager module (LCM) is licensed and installed, IdentityIQ can check for policy violations as soon as an access request is submitted. Out-of-the-box business processes like LCM Provisioning (used for access requests) and LCM Create and Update (used for creating and editing identities) have options to control the policy checking during requests.
The LCM Provisioning business process, for example, includes the following options. These are on the Process Variables tab of the business process, in the Policy Checking section.
Policy Settings
- Disable Policy Checking: No policies are checked. Even if the request would result in a violation, it will not be detected. Approvers will not be presented with any violation details.
- Continue on Policy Violations: If a violation is found, any approver will see the violation and can choose to take action if necessary.
- Present Failures to Requester: If a violation is found it is presented to the requester. The requester can then remove any items from the request that are causing a violation. If the requester submits the request for approval with violations, any of the approvers will see these violations and can choose to take action if necessary.
- Fail Workflow: If a violation is found, the request process is terminated with an error message.
Policies to Check
Choose All to check all active policies, or choose Selected to specify which policies you want to check during provisioning. Note that only active policies are evaluated.
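The following added example (not IdentityIQ code, and not part of this documentation) models the selection rules the Identity Refresh task and the Policies to Check option share: only active policies are evaluated, a listed-but-inactive policy is skipped, a blank list means all active policies, and Keep previous violations retains violations that no longer match. The Policy and identity data are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Added illustration of the evaluation rules described above; constructed data,
# not IdentityIQ's own objects or API.

@dataclass
class Policy:
    name: str
    active: bool
    violates: Callable[[Set[str]], bool]   # True if the identity's access breaks the rule

def parse_policy_filter(field_value: str) -> List[str]:
    """Split the task's comma-separated policy-name field; blank means 'all'."""
    return [p.strip() for p in field_value.split(",") if p.strip()]

def select_policies(policies: List[Policy], field_value: str = "") -> List[Policy]:
    """Only active policies are ever evaluated; a listed-but-inactive one is skipped."""
    wanted = parse_policy_filter(field_value)
    return [p for p in policies if p.active and (not wanted or p.name in wanted)]

def refresh_violations(identities: Dict[str, Set[str]], policies: List[Policy],
                       field_value: str = "", previous: Optional[Dict[str, Set[str]]] = None,
                       keep_previous: bool = False) -> Dict[str, Set[str]]:
    """Return {identity: violated policy names} as a refresh run would record them."""
    previous = previous or {}
    checked = select_policies(policies, field_value)
    result: Dict[str, Set[str]] = {}
    for ident, access in identities.items():
        found = {p.name for p in checked if p.violates(access)}
        if keep_previous:
            # Keep previous violations: retain old ones even if resolved or inactive now.
            found |= previous.get(ident, set())
        if found:
            result[ident] = found
    return result

# Constructed sample: an SoD policy, a second active policy and an inactive one.
SOD = Policy("AP-Vendor SoD", True, lambda a: {"create_vendor", "approve_payment"} <= a)
ADMIN = Policy("No Domain Admin", True, lambda a: "domain_admin" in a)
RETIRED = Policy("Legacy Policy", False, lambda a: True)   # inactive: never evaluated
POLICIES = [SOD, ADMIN, RETIRED]
IDENTITIES = {
    "alice": {"create_vendor", "approve_payment"},
    "bob": {"domain_admin"},
    "carol": {"read_reports"},
}
```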