How Policies Work

Policies are evaluated per identity. An evaluation can be triggered during aggregation, Identity Cube refresh, a specialized task (such as a dedicated refresh task), or as part of the Lifecycle Manager access request process.

In IdentityIQ, policies can be both detective and preventive.

Detective Policies

Policies are detective when they find and flag any access that already exists and is in violation of your business rules. In IdentityIQ, the Refresh Identities task checks all identities against policies, and marks the ones that are in violation of your active policies. Evaluation during aggregation can also be a detective way of finding violations. See Detective Policy Evaluation.

To enable policy evaluation during aggregation or during an Identity Refresh task, the Check active policies option must be selected in the aggregation or refresh task. See Account Aggregation and Identity Refresh.

Preventive Policies

Policies can also be preventive, helping you spot and avoid the granting of problematic access before it occurs. Users can be alerted to violations at the time access is requested, and when it is approved. Making policies preventive is optional, and is configured using a business process for provisioning. This configuration is optional because there might be some cases, such as when using a Separation of Duties policy, when you do not want to let users know which access combinations can provide an opportunity for fraud or for circumvention of security controls. The out-of-the-box business process that manages this behavior is LCM Provisioning, but you can implement your own business processes as needed, using LCM Provisioning as a model. See Preventive Policy Evaluation.
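As an added illustration (not IdentityIQ code or its API), the following Python models the two evaluation modes described above on a Separation of Duties policy: a detective scan over the access identities already hold, which skips a violation that has been allowed until a future date, and a preventive check of the access an identity would hold if a request were approved. The policy names, entitlement strings, identities and dates are constructed sample data.

```python
from datetime import date

# Constructed SoD policy: each rule names two entitlements that no single
# identity may hold at the same time.
SOD_POLICY = {
    "sod-payables": ("AP:create_vendor", "AP:approve_payment"),
    "sod-ledger": ("GL:post_journal", "GL:approve_journal"),
}

# Constructed sample identities and the entitlements they currently hold.
IDENTITIES = {
    "alice": ["AP:create_vendor", "AP:approve_payment", "HR:view_org"],
    "bob": ["GL:post_journal"],
    "carol": ["GL:post_journal", "GL:approve_journal"],
}

# Constructed example of a violation that was allowed for a set period:
# (identity, rule) -> date until which the violation is tolerated.
ALLOWED_UNTIL = {("carol", "sod-ledger"): date(2030, 1, 1)}


def violations(entitlements, policy=SOD_POLICY):
    """Return the names of the SoD rules that a set of entitlements breaks."""
    held = set(entitlements)
    return sorted(name for name, (a, b) in policy.items() if a in held and b in held)


def detective_scan(identities, allowed_until, today):
    """Detective mode: flag access that already exists and violates a rule.

    A violation whose allowance has not yet expired is not flagged again.
    """
    flagged = {}
    for identity, entitlements in identities.items():
        open_rules = [
            rule for rule in violations(entitlements)
            if allowed_until.get((identity, rule), date.min) < today
        ]
        if open_rules:
            flagged[identity] = open_rules
    return flagged


def preventive_check(current, requested):
    """Preventive mode: evaluate the access the identity would hold after approval."""
    return violations(list(current) + list(requested))


if __name__ == "__main__":
    print(detective_scan(IDENTITIES, ALLOWED_UNTIL, date(2025, 6, 1)))
    print(preventive_check(IDENTITIES["bob"], ["GL:approve_journal"]))
```

Running the detective scan flags alice only, because carol's ledger violation is still within its allowed period; the preventive check shows that bob's request would create the same ledger conflict before it is granted.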

IdentityIQ's Policy Violations page shows you any policy violations you are responsible for acting on. You can revoke the problematic access, allow the violation to continue for a set period of time, or take other actions such as forwarding the violation to another user. See the Overview of the Policy Violations Page for more details.