Preventive Policy Evaluation
When the Lifecycle Manager module (LCM) is licensed and installed, IdentityIQ can check for policy violations as soon as an access request is submitted. Out-of-the-box business processes such as LCM Provisioning (used for access requests) and LCM Create and Update (used for creating and editing identities) have options that control policy checking during requests.
The LCM Provisioning business process, for example, includes the following options. These are on the Process Variables tab of the business process, in the Policy Checking section.

- Disable Policy Checking: No policies are checked. Even if the request would result in a violation, it will not be detected. Approvers will not be presented with any violation details.
- Continue on Policy Violations: If a violation is found, any approver will see the violation and can choose to take action if necessary.
- Present Failures to Requester: If a violation is found, it is presented to the requester. The requester can then remove any items from the request that are causing a violation. If the requester submits the request for approval with violations, any of the approvers will see these violations and can choose to take action if necessary.
- Fail Workflow: If a violation is found, the request process is terminated with an error message.

Choose All to check all active policies, or choose Selected to specify which policies you want to check during provisioning. Note that only active policies are evaluated.