Working with Policies
To create a new policy, use the New Policy dropdown menu. Select a type from the dropdown menu to display the Edit Policy page. To work with an existing policy, click on that policy row in the table or right-click on the policy and select Edit from the dropdown menu.
To remove a policy, right-click on the policy and select Delete from the dropdown menu.

Use the SailPoint-provided risk policy to set a maximum risk threshold for identities before they are considered in violation of your compliance standards. From the Policies page, click the risk policy in the Policies table to display the Edit Policy page and enter the Composite score threshold.
See Policies Page and Editing Policies.
You can create multiple risk policies, but only one can be operational within IdentityIQ at any time.

Use the SailPoint-provided account policy to ensure that no identities have multiple accounts on any of the applications within your enterprise. Use the Edit Policy page to activate the account policy and add information such as a name and owner.
See Policies Page and Editing Policies.

Separation of Duties (SOD) policies are created using the Edit Policy and Edit SOD Rule pages. Use this procedure to create new policies or edit existing ones.
1. Click Setup > Policies.
2. Optional: If you are editing an existing policy, you can use the search options to search by policy name and policy type.
3. Select Role SOD, Entitlement SOD, or Effective Entitlement SOD from the New Policy dropdown list, or click on an existing policy to display the Edit Policy page.
4. Enter the general policy information. See Editing Policies.
5. Right-click on a rule or select Create New Rule to display the Edit SOD Rule page.
6. Enter the SOD Rule information in the top portion of the page. See Edit SOD Rule Page for detailed descriptions of those fields.
7. To create a rule based on roles:
   a. Select a role from the Add Role dropdown list below the Any of these roles table.
   b. Select a role from the Add Role dropdown list below the conflict with any of these roles table.
   The dropdown list contains all of the roles defined for your organization. You can enter as many roles as are needed to build this rule.
8. To create a rule based on attributes:
   a. Select an application and use the Add Attribute or Add Permission buttons to build the First Entitlement Set.
   b. Select an application and use the Add Attribute or Add Permission buttons to build the Second Entitlement Set.
   c. For attributes, select an attribute from the dropdown list and enter a value.
   d. For permissions, enter the name (target) and value (right).
   e. Enter as many attributes and permissions as needed to build this rule.
9. Click Done to return to the Edit Policy page.
10. Repeat steps 5 through 9 until all of the rules needed for this policy have been added or modified.
11. Click Save to save the policy and return to the Policies page.
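
To sanity-check a proposed role-based rule against current role assignments before entering it, the two-table logic from step 7 can be modeled offline. The following is an added example, not IdentityIQ code: it assumes a violation means holding at least one role from each table, and the rule names, role names and identities are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleSodRule:
    """Model of one role-based SOD rule (hypothetical structure, not a product object)."""
    name: str
    left: frozenset   # roles listed in the "Any of these roles" table
    right: frozenset  # roles listed in the "conflict with any of these roles" table


def overlap(rule):
    """Roles present in both tables; in this model such a role violates the rule alone."""
    return sorted(rule.left & rule.right)


def evaluate(rule, identity_roles):
    """Return (left_hits, right_hits) when the identity violates the rule, else None."""
    roles = set(identity_roles)
    left_hits = roles & rule.left
    right_hits = roles & rule.right
    # A violation needs at least one role from each table.
    if left_hits and right_hits:
        return sorted(left_hits), sorted(right_hits)
    return None


def scan(rules, identities):
    """Check every identity against every rule and list the violations found."""
    findings = []
    for ident, roles in sorted(identities.items()):
        for rule in rules:
            hit = evaluate(rule, roles)
            if hit:
                findings.append({"identity": ident, "rule": rule.name,
                                 "left": hit[0], "right": hit[1]})
    return findings


# Constructed sample data (assumed names, for illustration only).
RULES = [
    RoleSodRule("AP vs Vendor Maintenance",
                frozenset({"AP Clerk", "AP Approver"}),
                frozenset({"Vendor Maintainer"})),
    RoleSodRule("Develop vs Deploy",
                frozenset({"Developer"}),
                frozenset({"Release Manager", "Prod DBA"})),
]
IDENTITIES = {
    "alice": ["AP Clerk", "Vendor Maintainer"],
    "bob": ["AP Clerk", "AP Approver"],  # two roles from the same table: no violation
    "carol": ["Developer", "Prod DBA", "Release Manager"],
    "dave": [],
}

if __name__ == "__main__":
    for finding in scan(RULES, IDENTITIES):
        print(finding)
```

Running `overlap()` on each rule before the scan flags a role that was added to both tables by mistake.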

Advanced policies are created using the Edit Policy and Edit Activity Policy Rule pages. Use this procedure to create new policies or edit existing ones.
1. Click Setup > Policies.
2. Optional: If you are editing an existing policy, you can use the search options to search by policy name and policy type.
3. Select Activity Policy from the New Policy dropdown list, or click on an existing policy to display the Edit Policy page.
4. Enter the general policy information. See Editing Policies.
5. Click on a rule or Create New Rule to display the Edit Activity Policy Rule page.
6. Enter the Activity Policy Rule information in the top portion of the page. See Edit Activity Rule Page for detailed descriptions of those fields.
7. Create the filters necessary to identify the identity and activity types that should be considered when performing the policy scans for this violation.
   Use the Identity Filters and Activity Filters panels to add and combine filters for use in the policy. Apply qualifiers to filters to limit the values returned and then use grouping, AND / OR operations, and time periods to create the rules that make up the policy.

   Create the filters that make up the rules.
   Field: Select an attribute value from the dropdown list.
   Search Type: The qualifier to associate with the value, such as equals or like.
   Value: The value of the field selected.
   Ignore Case: Specifies whether case should be factored into the query.
   Filter(s): The Operations dropdown list lets you specify AND / OR relationships between the filters in the list. Select multiple filters and group them to create sub-filters and use multiple layers of filter grouping to create complex rules. Click view / edit filter source to display an editable text version of the filter.
   See the online help for details on using the advanced filtering functions.
Click Done to save the new policy and return to the Edit Policies page.

Policies are created using the Edit Policy and Edit Activity Policy Rule pages. Use this procedure to create new policies.
1. Click or mouse over the Define tab and select Policies.
2. Optional: Use the filtering options to limit the number of policies displayed in the table.
   You can filter by both policy name and policy type.
3. Select Advanced Policy from the Create new policy dropdown list or click on an existing policy to display the Edit Policy page.
4. Enter the general policy information. See Editing Policies.
5. Click Create New Rule or right-click on an existing rule to display the Edit Advanced Rule page.
6. Enter the Advanced Rule information in the top portion of the page. See Edit Advanced Policy Rule Page for detailed descriptions of those fields.
7. Select a method by which to generate this rule. In other words, any condition you define here is considered a violation of this policy:
   Match List: Define a list of entitlements to determine the rule. For attributes, select an attribute from the dropdown list and type a value. For permissions, type the name (target) and value (right).
   Filter: Enter a custom XML database query to define identities for this rule.
   Script: Enter a custom script to define the rule. Scripts are similar to rules, but the source is stored with the policy and can be edited from this page.
   Rule: Select an existing rule from the dropdown list.
   Population: Select a population from the list. Any identity that matches the criteria defined for the population displayed is in violation of this policy.
For more information and examples for using Match Lists, Filters, Scripts, Rules, and Populations, see the IdentitySelectors in the IdentityIQ User Interface technical white paper on Compass.
Click Done to save the new policy and return to the Edit Policies page.