Types of Policies
IdentityIQ supports these types of policies. Each policy can contain one or more policy rules that make up the entire policy.

This separation of duties (SOD) policy type checks for any conflicting roles that an identity could have. The policy rules define two side-by-side lists, where no role from the left-side list can be combined with any role from the right-side list. For example, the roles Payment and Payment Approval could be conflicting roles; in this example, the left-side list would contain Payment and the right-side list would contain Payment Approval. The roles in either list can be of any role type.

This separation-of-duties policy type checks for conflicting entitlements within an application or across applications. This is similar to the Role SOD Policy, but is used for values of application attributes that are marked as entitlements in the application schema. The policy rules are defined as two entitlement sets: First Entitlement Set and Second Entitlement Set. These sets are more advanced than the role sets of the Role SOD Policy type: the sets can use multiple levels of and / or expressions to combine entitlements within one set.

An effective entitlement SOD policy is similar to an entitlement SOD policy, but it checks for effective entitlements rather than direct entitlements. Effective entitlements are any indirect access that was granted through another object, such as a nested group, an unstructured target, or another role.
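The difference between the entitlement SOD and effective entitlement SOD checks described above can be seen in a small model. This is an added Python example, not IdentityIQ code and not its API; the entitlement names, the `GRANTS` map and the tuple-based expression format are assumptions constructed for illustration.

```python
# Constructed model of the two checks; not IdentityIQ's implementation.
# An entitlement is (application, attribute, value).
# An expression is one entitlement, or ("and" | "or", [sub-expressions]).

def matches(expr, held):
    """Evaluate a nested and/or entitlement expression against held entitlements."""
    if len(expr) == 2 and expr[0] in ("and", "or"):
        results = (matches(sub, held) for sub in expr[1])
        return all(results) if expr[0] == "and" else any(results)
    return expr in held

def effective(direct, grants):
    """Direct entitlements plus access reached indirectly through other objects."""
    seen, stack = set(direct), list(direct)
    while stack:
        for ent in grants.get(stack.pop(), ()):
            if ent not in seen:
                seen.add(ent)
                stack.append(ent)
    return seen

def sod_violation(first_set, second_set, held):
    """A violation exists when the identity satisfies both entitlement sets."""
    return matches(first_set, held) and matches(second_set, held)

# Constructed sample data (hypothetical applications and values).
PAY_CREATE = ("ERP", "permission", "CreatePayment")
PAY_APPROVE = ("ERP", "permission", "ApprovePayment")
BANK_RELEASE = ("Bank", "role", "ReleaseTransfer")
GRP_FINANCE = ("AD", "memberOf", "Finance-All")
GRP_APPROVERS = ("AD", "memberOf", "Payment-Approvers")

# Which object confers which further access (nested group, then a permission).
GRANTS = {GRP_FINANCE: [GRP_APPROVERS], GRP_APPROVERS: [PAY_APPROVE]}

FIRST_SET = PAY_CREATE
SECOND_SET = ("or", [PAY_APPROVE, ("and", [BANK_RELEASE, GRP_APPROVERS])])

def check(direct):
    """Return (violation on direct entitlements, violation on effective entitlements)."""
    return (sod_violation(FIRST_SET, SECOND_SET, direct),
            sod_violation(FIRST_SET, SECOND_SET, effective(direct, GRANTS)))

if __name__ == "__main__":
    print(check({PAY_CREATE, GRP_FINANCE}))
```

In this constructed data the identity holds only CreatePayment and a group membership directly, so the direct check passes while the effective check flags the approval permission inherited through the nested group.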

When Activity Data Sources are enabled on one or more applications, this policy type can be used to check for any undesirable activities, such as login, logout, or creation or deletion of accounts. An activity rule can first select identities to check using a set of filters. Identities matching these criteria are then evaluated using the defined activity filters. An activity policy scans activity data for specific events, with the option to select time frames, source and target applications, and more.

Account policies only have a single policy rule: they check whether an identity has multiple accounts on an application.

Risk policies check for any identity with a composite risk score equal to or higher than the configured threshold. Like the account policy, this type of policy will only have a single policy rule.

An advanced policy handles situations where the other types do not suffice. An advanced policy can contain multiple types of rules using match lists, filters, scripts, BeanShell rules, or populations, which allows for greater flexibility.