Defining Trigger Filters

Trigger filters are the core of what drives joiner, mover, and leaver processes within Rapid Setup. Trigger filters are the constraint logic that determines which identities are subject to joiner, mover, and leaver business processes. Trigger filters use identity attributes or populations, coupled with operators and values, to choose identities to act on.

Important: These filters are called "trigger" filters because they define what should trigger each process. When setting up a trigger filter for movers or leavers, it's important to include criteria that identifies a change in an identity's status or condition; otherwise you risk running mover or leaver processes repeatedly on identities that have not changed.

Important: For example, you might want to trigger a leaver process any time an identity changes from Active to Inactive status. If you create a filter using the logic "Inactive Equals True" you will select all inactive identities every time the leaver process runs, regardless of whether they became inactive today or have been inactive for weeks. A better filter in this case would be "Inactive Changed to True"

Trigger filters are defined globally through a query builder in the Rapid Setup configuration pages for joiner, mover, and leaver processes. The filters you set in the configuration page for each type of process will apply to all applications that use Rapid Setup.

Here is an example of a simple trigger filter that will select all identities whose manager has changed:

You can build filters using multiple criteria, choosing "AND" or "OR" processing. For example, to select all identities with a change in either Manager or in Location, your query could look like this. Note that the OR operator is selected; if the AND operator had been selected, the filter would select only those identities who have changes to both Manager and Location.

You can also group sets of criteria, to allow for more complex filtering, by clicking Add Group. For example, if you wanted to select all identities that have a type of "Contractor" who have had a change to either Manager or Location, you would add a group to contain the Manager and Location filters, and your filter might look like this. Note that the AND condition applies to the Contractor type and to the group below it; within the grouping, an OR condition applies to the Manager and Location criteria.

For more complex filtering, you may wish to create populations to use as filtering criteria. Populations are created using the Intelligence > Advanced Analytics feature to search for identities using a wide variety of criteria, which can include things like roles and risk scores in addition to attributes. You can save the results of these searches as populations, which are then available to use as trigger filters in Rapid Setup. When you use a population as a filter, you can choose whether you want to select identities that are included in this population, or that are not.

For example, suppose you wanted to exempt both your senior executives and your Unix system administrators from standard mover processing. In this case you could use Advanced Analytics to create and save populations that filter on job title or department to identify your executives, and on role assignments to identify your Unix administrators. Then you can use those populations as filter criteria to exclude the identities in either of those populations from a standard mover process that is based on a change in manager.

To move criteria up or down, duplicate criteria rows, or delete groups or rows, use the gear icons at the right of each row and group of your criteria.

Note: If you are using date fields as part of your filter criteria, you can enter day, month, and year; actions that are triggered by date criteria will take place on midnight (local time) of the date specified.