Editing Policies

The Edit Policy page is where you create new policies, and edit existing policies.

In the Edit Policy page you can define the following information for your policy. You can also run a Policy Simulation from this page, and view, add, or open Policy Rules.

Field Name

Description

Name

A descriptive name for this policy. This is the name displayed on the Policies page.

Owner

The owner of the policy. The policy owner serves as the "fallback" owner if a Policy Violation Owner (that is, the person responsible for taking action on the policy violations arising from this policy) is not specified.

If the notification option is enabled as part of the policy, the policy owner receives an email notification for each violation of the policy, by default.

Entering the first letter, or letters, of a name or workgroup displays a selection list of valid users and workgroups with names containing that letter string.

Policy Violation Owner

The person responsible for taking action on the violations of this policy. This can be a specific identity, the manager of the user in violation of the policy, or someone selected according to a rule.

You can also assign owners to each individual rule that makes up the policy. If you assign an owner at the rule level, it overrides the policy-level violation owner.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

If the notification option is enabled, only the owner receives a work item; the observers only receive email notifications.

Scope

If scoping is enabled in your system, you can set a scope for this policy. If scoping is not enabled, you will not see this option.

If a scope is assigned, only the owner of the policy and users who control the designated scope can see this policy on the Policies page. The scope assigned to the policy does not impact the way violations are displayed, reported, or monitored.

Depending on configuration settings, objects with no scope assigned might be visible to all users with the correct capabilities.

Description

A brief description of the policy and its use in your organization.

To enter descriptions in multiple languages, use the language selector. The dropdown list displays any languages supported in your instance of IdentityIQ. The description displayed throughout the product is dependent on the language associated with the user's browser. If only one description is entered, that is the description used by default.

You must Save each description before changing languages to enter another description.

Violation formatting rule

A violation formatting rule adds extra information to a policy violation, like an extra description, or the relevant applications that contain attributes that contributed to the violation. This can be especially relevant for advanced policies, for which IdentityIQ cannot always collect all information that may be relevant to the person who has to review the violation.

If you want to use a rule to control violation formatting, select a violation rule from the dropdown list. Violation formatting rules are defined when your system is configured.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

Violation business process

Business processes can be used to define how violation work items are assigned, or how to handle the violation based on the decision made on the work item. If you want to use a business process for the violation, select the business process from the dropdown list.

A business process specified here for the entire policy is overridden by any business process specified as part of a policy rule on the Edit Rule pages.

State

Select the state (Active or Inactive), indicating whether the policy is evaluated during policy checks.

Active – use the policy to monitor roles or activity.
Inactive – do not use the policy to monitor roles or activity at this time.

Send Alerts

Select this option to display the Alert Properties section. You can have an email alert sent and a work item opened each time a violation is detected. See Notifications, Reminders, and Escalations for Policies for more information.

Alert Properties: Not all of the alert property options are visible initially. This section expands as options are activated.

Initial Notification Email

The email template used for the initial notification of the policy violation and work item assignment.

Escalation

Specify a level of escalation for this policy.
None – after the initial alert no further messages are sent and the work item is never escalated.
Send Reminders – email reminders are sent periodically until the work item is complete.
Reminders then Escalation – email reminders are sent periodically until the work item is complete or, if the work item is not completed in a timely manner, the work item is escalated.
Escalation Only – the work item is escalated after a specified time period with no notifications or warning being sent.

Open Work Item

Select to automatically generate a work item for this violation.

Days Before First Reminder

The number of days after which the first email reminder is sent.

Reminder Frequency

The interval, in days, between email reminders.

Reminder Email Template

Template used to format the reminder email. If none is selected, a system default is used.

Reminders Before Escalation

Maximum number of reminders to send before escalation begins. If this field is set to zero, no reminders are sent and escalation begins immediately.
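The reminder and escalation fields above interact: Days Before First Reminder sets when the first reminder is due, Reminder Frequency spaces the following ones, and Reminders Before Escalation caps how many are sent before the work item is escalated (zero meaning escalation with no reminders at all). The following is an added illustration, not IdentityIQ code, that projects the resulting notification timeline for a work item that is never completed. It assumes timing the page does not spell out: day 0 is the initial notification, each reminder is due Reminder Frequency days after the previous one, and escalation fires in the slot where the next reminder would otherwise have been sent. The class and function names are hypothetical.

```python
"""Illustrative model of the Alert Properties reminder/escalation settings.

Added example; not part of the product. Timing rules below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Escalation options, named as they appear on the Edit Policy page.
NONE = "None"
SEND_REMINDERS = "Send Reminders"
REMINDERS_THEN_ESCALATION = "Reminders then Escalation"
ESCALATION_ONLY = "Escalation Only"

Event = Tuple[int, str]  # (day offset from violation detection, event name)


@dataclass
class AlertProperties:
    """Hypothetical container for the numeric and mode settings of the section."""
    escalation: str = NONE
    days_before_first_reminder: int = 0
    reminder_frequency: int = 0
    reminders_before_escalation: int = 0


def validate(props: AlertProperties) -> List[str]:
    """Return a list of configuration problems that would make the schedule meaningless."""
    problems: List[str] = []
    if props.escalation not in (NONE, SEND_REMINDERS, REMINDERS_THEN_ESCALATION, ESCALATION_ONLY):
        problems.append(f"unknown escalation option {props.escalation!r}")
    if props.days_before_first_reminder < 0:
        problems.append("Days Before First Reminder must not be negative")
    if props.reminders_before_escalation < 0:
        problems.append("Reminders Before Escalation must not be negative")
    # Reminders are only sent in these two modes; a frequency of zero would loop forever.
    sends_reminders = props.escalation == SEND_REMINDERS or (
        props.escalation == REMINDERS_THEN_ESCALATION and props.reminders_before_escalation > 0
    )
    if sends_reminders and props.reminder_frequency <= 0:
        problems.append("Reminder Frequency must be at least 1 day when reminders are sent")
    return problems


def schedule(props: AlertProperties, horizon_days: int) -> List[Event]:
    """Project the notifications for a work item never completed within horizon_days.

    Assumed timing (not stated in the documentation): the first reminder is due
    Days Before First Reminder days after the initial notification, each further
    reminder Reminder Frequency days later, and escalation fires in the slot where
    the next reminder would have gone. Escalation Only escalates at that first slot.
    """
    problems = validate(props)
    if problems:
        raise ValueError("; ".join(problems))
    events: List[Event] = [(0, "initial notification")]
    if props.escalation == NONE:
        return events  # no further messages, work item never escalated
    day = props.days_before_first_reminder
    if props.escalation == ESCALATION_ONLY:
        if day <= horizon_days:
            events.append((day, "escalation"))
        return events
    sent = 0
    while day <= horizon_days:
        if props.escalation == REMINDERS_THEN_ESCALATION and sent >= props.reminders_before_escalation:
            events.append((day, "escalation"))  # cap reached (or zero): escalate now
            break
        events.append((day, "reminder"))
        sent += 1
        day += props.reminder_frequency
    return events


if __name__ == "__main__":
    example = AlertProperties(REMINDERS_THEN_ESCALATION, 7, 3, 2)  # constructed settings
    for offset, name in schedule(example, horizon_days=30):
        print(f"day {offset:>2}: {name}")
```

Running it with the constructed settings (first reminder after 7 days, every 3 days, at most 2 reminders) lists the initial notification on day 0, reminders on days 7 and 10, and escalation on day 13; setting Reminders Before Escalation to 0 drops both reminders and escalates at day 7, matching the field description.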

Escalation Owner Rule

The rule used to determine the new owner of the escalated work item.

Escalation Email

Template used to format the escalation email.

Observers

Identities to whom the email notifications and work items are sent.
Enter the first letter, or letters, of an identity name to display the suggestion list, or click the arrow to the right of the field to display all identities and select from the list.
Select as many observers as required.

Rule Table

A list of the rules contained in this policy and a description of each. Click on a rule to access the edit rule pages.
Account and Risk policies do not have a separate rule page.