About Policies and Policy Violations
Policies in IdentityIQ check identities for certain conditions that are unwanted, or even considered dangerous. Examples include:
- A set of roles that should not be combined in a single identity, such as Payment Preparation and Payment Approval.
- Two values of a multi-valued attribute.
- A high conflicting risk score.
- Cross-application combinations of permissions.
Most policies in IdentityIQ use rules to define the conditions of the policy. In some cases, a policy rule will be very simple – for example, if a user has a certain role, they may not also have a certain other role. In other cases, policy rules can be more complex, using filtering, matching, scripts, or rules that use BeanShell code to define the policy's requirements. Risk policies and Account policies check for a specific condition, such as a specific risk score, or whether a user has multiple accounts on a specific application, rather than using rules. See Types of Policies for more information about the kinds of policy rules you will use for different types of policies.
Policy violations occur when an identity is found to be in violation of an active policy. The person or workgroup responsible for the policy violation can take action to revoke or allow the access that violates the policy.
Each policy must have a policy owner, which is an individual or workgroup responsible for defining and maintaining the policy itself.
Policies also typically have a policy violation owner. This is a person or workgroup that is responsible for acting on policy violations and making decisions on access. The policy violation owner is configured as part of the policy definition, and can be the manager of the identity that has a violation, a specific user or workgroup, or an identity that is selected via a rule. If no policy violation owner is defined in a policy, ownership of policy violations will default to the policy owner.
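The following is an added illustration, not IdentityIQ code or its API, of how the policy conditions listed above (conflicting roles, two values of a multi-valued attribute, cross-application permission combinations) are evaluated and how the violation owner falls back to the policy owner when no manager is available. All policy, identity, application and role names in it are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Identity:
    name: str
    roles: Set[str]
    entitlements: Dict[str, Set[str]]            # application -> permissions held there
    attributes: Dict[str, Set[str]] = field(default_factory=dict)  # multi-valued attributes
    manager: Optional[str] = None
@dataclass
class Policy:
    owner: str                                    # required: defines and maintains the policy
    violation_owner: Optional[str] = None         # "manager", a named user/workgroup, or None
    role_conflicts: List[Tuple[str, str]] = field(default_factory=list)
    attribute_conflicts: List[Tuple[str, str, str]] = field(default_factory=list)   # (attr, a, b)
    entitlement_conflicts: List[Tuple[Tuple[str, str], Tuple[str, str]]] = field(default_factory=list)
def violation_owner(policy: Policy, identity: Identity) -> str:
    # Manager of the violating identity, or a named owner; otherwise fall back to the policy owner.
    if policy.violation_owner == "manager" and identity.manager:
        return identity.manager
    if policy.violation_owner and policy.violation_owner != "manager":
        return policy.violation_owner
    return policy.owner
def evaluate(policy: Policy, identity: Identity) -> List[Tuple[str, str, str]]:
    # One (identity, reason, owner) record per conflicting condition the identity satisfies.
    hits = []
    for a, b in policy.role_conflicts:
        if {a, b} <= identity.roles:
            hits.append(f"roles {a} + {b}")
    for attr, a, b in policy.attribute_conflicts:
        if {a, b} <= identity.attributes.get(attr, set()):
            hits.append(f"{attr} holds both {a} and {b}")
    for (app1, p1), (app2, p2) in policy.entitlement_conflicts:
        if p1 in identity.entitlements.get(app1, set()) and p2 in identity.entitlements.get(app2, set()):
            hits.append(f"{app1}:{p1} + {app2}:{p2}")
    return [(identity.name, h, violation_owner(policy, identity)) for h in hits]
# Constructed sample policy and identities (hypothetical names, not from any real deployment).
PAYMENTS_SOD = Policy(owner="sod-admins", violation_owner="manager",
    role_conflicts=[("Payment Preparation", "Payment Approval")],
    attribute_conflicts=[("costCenter", "AP", "AR")],
    entitlement_conflicts=[(("ERP", "CreateVendor"), ("Bank", "ReleasePayment"))])
IDENTITIES = [
    Identity("alice", {"Payment Preparation", "Payment Approval"}, {}, manager="bob"),
    Identity("carol", {"Payment Approval"}, {"ERP": {"CreateVendor"}, "Bank": {"ReleasePayment"}}),
    Identity("dave", {"Payment Preparation"}, {"ERP": {"CreateVendor"}}, {"costCenter": {"AP", "AR"}}),
]
def find_violations(policy: Policy = PAYMENTS_SOD, identities: List[Identity] = IDENTITIES):
    return [v for i in identities for v in evaluate(policy, i)]
```

Running `find_violations()` yields one violation per identity: alice's is routed to her manager, while carol's and dave's fall back to the policy owner because no manager is recorded for them.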
Policies are defined in Setup > Policies. Access to this option is typically restricted to users with System Administrator or Policy Administrator capabilities, though this can vary based on how your instance of IdentityIQ has been configured.
The Policy Violations page shows you any policy violations you are responsible for acting on. You can revoke the problematic access, allow the violation to continue for a set period of time, or take other actions such as forwarding the violation to another user. Use the Policy Violations page to manage policy violations outside of certifications. This page enables you to identify policy violations as soon as they are detected, and take immediate action to resolve those violations. See the Overview of the Policy Violations Page for more details.