IdentityIQ Configuration
Use this page to set default values for use with notifications, work item policy, object expiration, user interface preferences, and identity history. This page contains the following tabs:
Some escaped HTML characters are not recognized and do not display in descriptions if they are formatted using those characters. You must ensure that all files are formatted correctly before importing them into IdentityIQ and referencing them from the product. Use the following examples to format the HTML correctly (text to display - markup to enter in the description):
test (to appear in bold) - <b>test</b>
<test> - &lt;test&gt;
<test> (to appear in bold) - <b>&lt;test&gt;</b>
<<test>> - &lt;&lt;test&gt;&gt;
"test" - &quot;test&quot;
'test' - &#39;test&#39;
&test - &amp;test
The Rule Editor lets you edit any existing rule to your specifications. Click the [...] icon next to a rule drop-down list anywhere in IdentityIQ to open the Rule Editor, then either create a new rule or edit an existing rule.
The Rule Editor panel includes the following items:
- Select an existing rule from the drop-down list. This option is available only if you did not select a rule from the drop-down list on the previous page.
- Field where the rule code is entered. IdentityIQ rules are written in the BeanShell scripting language. You can edit the code of an existing rule or write a new one from scratch.
- Enter the description of your new rule.
- Enter the name of your rule.
- Non-editable field that displays the type of rule (for example, Violation).
- Non-editable field that displays the return type (for example, PolicyViolation).
- Non-editable field that displays the arguments passed to the rule (for example, log, context, state).
- Non-editable field that displays the type of return the rule executes (for example, Violation).
When you have completed your rule edits, click Save to return to the previous page. The new rule is now available from the dropdown list.
Important: IdentityIQ does not perform file content validation or verification on attachments. It is your responsibility to ensure that only files that do not violate security policies within your environment are included as attachments.
Note: Attachments are only allowed on single-user requests, and are only available for manual access requests.
The attachments feature enables users to add attachments to single user access requests. For example, you could attach training certificates or a notarized document of authorization.
By enabling attachments on the Global Settings > IdentityIQ Configuration > Miscellaneous tab, you are enabling, but not requiring, any user to add an attachment to any single user access request. When the feature is enabled, requests display the attachment icon (paper clip) on each item in a request, but the icon is only active if an attachment is allowed for that item. When you click the icon, the attachment overlay is displayed and you can add an attachment by dragging and dropping or uploading a file.
Attachments are controlled through AttachmentConfig rules. If there are no AttachmentConfig rules for an item, or they all have null or empty prompts, the attachment overlay contains no additional information.
File attachment settings such as the maximum file size, maximum number of attachments per request, and the type(s) of files that can be attached to a request are configured on the Miscellaneous tab.
Attachments can be further configured through AttachmentConfig rules. When AttachmentConfig rules are set for file attachments, each of these rules is run with every request made. Use the AttachmentConfig rules to require attachments for specific access request scenarios and customize the prompts displayed on the attachment overlay. When an attachment is required, the word required is displayed with the attachment icon and an error is displayed if a request is submitted without an attachment.
Activate the attachment configuration rules to run with access requests by selecting them from the Configuration Rules list on the Global Settings > IdentityIQ Configuration > Miscellaneous tab under the gear icon.
You can import attachment configuration rules using the Global Settings > Import from File page under the gear icon.
To remove an attachment configuration rule from IdentityIQ, first deselect that rule from the Configuration Rules list and then delete the rule object.
These rules can be as simple or complex as the needs of your organization require.
These rules receive the following inputs:
- requestor – the user making the request
- requestee – the user for whom the request is being made
- requestItem – the item being requested
- action – the request action (add or remove)
Each attachment configuration rule is run once for each item being requested and returns a list of configuration objects.
The fields of an attachment configuration object are:
- required – Boolean (true, false) where true means an attachment is required
- prompt – string – the prompt that is displayed in the attachment overlay when attaching files to this request item
Multiple attachment configuration objects can be associated with a single request item. In this case, the prompt strings are concatenated on the attachment overlay.
A file containing an example of attachment configuration rules is included in the IdentityIQ installation package. The examplerules.xml file is located in the IdentityIQ_HOME/WEB-INF/config directory.
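The following is an added example of an AttachmentConfig rule as it would be imported through Global Settings > Import from File; it is not the rule shipped in examplerules.xml. It uses the four inputs and the two result fields described above. The class name sailpoint.object.AttachmentConfigDTO and its setRequired/setPrompt methods are assumed from the required and prompt fields the documentation lists (confirm the exact type against examplerules.xml in your installation), and requiresAuthorizationDocument is a hypothetical extended attribute on the role used to decide when proof of authorization must be attached.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Example Attachment Config Rule" type="AttachmentConfig">
  <Description>
    Added example (not the rule from examplerules.xml). Requires an attachment
    when a role flagged as needing proof of authorization is being added, and
    offers an optional attachment when a request is made on another user's behalf.
  </Description>
  <Source><![CDATA[
  import java.util.ArrayList;
  import java.util.List;
  import sailpoint.object.Bundle;
  // Assumption: the configuration object class and its setters. The documentation
  // only names the fields "required" and "prompt"; verify the class against
  // examplerules.xml in your installation.
  import sailpoint.object.AttachmentConfigDTO;

  // The rule runs once per requested item and returns a list of config objects.
  List configs = new ArrayList();

  // Removals need no supporting document in this policy; return an empty list.
  if (!"add".equals(action)) {
      return configs;
  }

  // Hypothetical extended attribute on the role marking it as needing documentation.
  // String.valueOf() copes with a missing (null) attribute as well as a String or Boolean value.
  boolean needsDocument = (requestItem instanceof Bundle)
      && "true".equals(String.valueOf(requestItem.getAttribute("requiresAuthorizationDocument")));

  if (needsDocument) {
      AttachmentConfigDTO cfg = new AttachmentConfigDTO();
      cfg.setRequired(true);
      // The prompt tells the requester exactly what document is expected, since
      // IdentityIQ itself performs no validation of the attachment content.
      cfg.setPrompt("Attach the signed authorization for " + requestItem.getName()
          + " covering " + requestee.getDisplayName() + ".");
      configs.add(cfg);
  } else if (!requestor.getName().equals(requestee.getName())) {
      // Request made on someone else's behalf: attachment allowed but not required.
      AttachmentConfigDTO cfg = new AttachmentConfigDTO();
      cfg.setRequired(false);
      cfg.setPrompt("Optionally attach the manager approval for this request.");
      configs.add(cfg);
  }

  return configs;
  ]]></Source>
</Rule>
```

After importing the rule, select it in the Configuration Rules list on the Miscellaneous tab so that it runs with access requests. If more than one selected rule returns a configuration object for the same item, the prompts are concatenated on the attachment overlay, so keep each prompt short and specific to the condition that produced it.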
In rare cases, attachments that are not associated with an access request might end up being loaded into the database. The System Maintenance and System Maintenance Object Pruner tasks both include an option to prune those attachments and clean them out of your database. Use the Prune Attachments option in these tasks to delete any attachments that are more than 30 days old and are not associated with an access request.
Files attached to abandoned access requests may also need to be cleared from your database. The System Maintenance and System Maintenance Object Pruner tasks both include an option to Prune Pending Attachments. When this option is selected, the task deletes any pending request attachments that are older than 12 hours. This timeframe can be overridden by adding an entry called pendingAttachmentPruneAge to the system configuration object, with a value that represents a number of hours.
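One way to add that entry is a merge import through Global Settings > Import from File. The following is an added example, not part of the product documentation; the value 24 is constructed to illustrate raising the prune age from the default 12 hours, and the merge action is used so that the existing SystemConfiguration entries are preserved rather than replaced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <!-- merge adds or overrides only the listed entries and keeps everything else in SystemConfiguration -->
  <ImportAction name="merge">
    <Configuration name="SystemConfiguration">
      <Attributes>
        <Map>
          <!-- Constructed value: prune pending request attachments older than 24 hours instead of the default 12 -->
          <entry key="pendingAttachmentPruneAge" value="24"/>
        </Map>
      </Attributes>
    </Configuration>
  </ImportAction>
</sailpoint>
```

After importing, confirm the entry on the SystemConfiguration object in the Debug pages before relying on it; a full (non-merge) import of a Configuration object would overwrite the whole object, which is why the merge action is used here.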
For auditing purposes, there is an audit event called Prune Pending Attachments which can be triggered during the cleanup in the System Maintenance task. To enable auditing for attachment pruning, enable the Prune Pending Attachments option in IdentityIQ's Audit Configuration.