You can create a policy by selecting New Policy on the main Policy Xpress screen, or by clicking New Policy after you search for policies.
In addition to the four main elements of a policy, there are other fields that help with managing policies and refining policy capabilities.
Note: A policy is only effective in the environment it is created in. For example, if you create a policy while logged into the neteauto environment, the policy triggers only for the neteauto environment.
Provide the following fields when creating a policy:
Defines a friendly name for the policy. The name can be used to search for the policy, and is displayed in the log messages that describe the actions taken by the policy. This field requires a value.
Defines the action that triggers the policy. Each policy type has a different configuration based on the type.
Note: You cannot change this field once the policy is saved.
Defines a group of related policies. This field is optional and allows you to group policies for ease of management.
Specifies a description of the policy.
Defines the environment that the policy is associated with. Different Identity Manager environments can have different policies associated with them. This value is automatically set to the environment you are creating the policy in. When you import policies, the environment is set to the target environment where the policy is imported.
Specifies if the policy should run only once. Some policies may need to run every time they meet criteria, and others may need to run only once. This value determines if action rules that have already executed in the past should execute again. For example, adding an SAP role to a user based on department is an action that should only occur the first time the user matches that department. Adding it repeatedly, even though the user is still a member of the department, can cause significant issues. Alternatively, a policy that sets the user's salary level based on title would not be set to run once, for enforcement purposes. If anyone tried to change the user's salary level, the policy would reset it.
Specifies when a policy should run, if there are multiple policies that need to run at a single event. Policies are checked and executed based on their priority. The lower the number, the higher the priority (priority 1 runs first, 10 runs second, 50 runs third, and so on).
Setting priority is useful for policies that depend on one another, or for breaking an otherwise complex policy into two simple ones that run one after the other.
For example, there are three policies which should only run if there is a specific value in the database. Instead of having each of the policies check the database for that value, create a policy that runs before the other three policies, and checks the value. If the new policy matches the required value, a variable is set. The other three policies are configured to run only if that variable is set, which prevents redundant access to the database.
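The following Python sketch is an added illustration, not Policy Xpress code or configuration: it models the priority ordering, the variable-gating pattern, and the run-once behavior described above. All class, function, policy and variable names are hypothetical, and tracking run-once state per policy and user is an assumption of the model.

```python
# Conceptual model only; Policy Xpress itself is configured in the Identity Manager UI.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Policy:
    name: str
    priority: int                      # lower number runs first
    condition: Callable[[dict], bool]  # evaluated against the event's variables
    action: Callable[[dict], None]
    run_once: bool = False

class Engine:
    def __init__(self, policies):
        self.policies = sorted(policies, key=lambda p: p.priority)
        self.done = set()              # (policy name, user) pairs already executed

    def fire(self, user, variables):
        executed = []
        for p in self.policies:
            if p.run_once and (p.name, user) in self.done:
                continue               # run once: action already executed for this user
            if p.condition(variables):
                p.action(variables)
                self.done.add((p.name, user))
                executed.append(p.name)
        return executed

class CountingDb:
    """Constructed stand-in for the database; counts lookups."""
    def __init__(self, rows):
        self.rows, self.lookups = rows, 0
    def get(self, key):
        self.lookups += 1
        return self.rows.get(key)

def run_demo():
    db = CountingDb({"department": "finance"})   # constructed sample data
    gate_set = lambda v: v.get("dept_checked", False)
    noop = lambda v: None
    engine = Engine([
        Policy("notify_manager", 60, gate_set, noop),
        Policy("set_salary_level", 50, gate_set, noop),   # enforced on every event
        Policy("add_sap_role", 10, gate_set, noop, run_once=True),
        Policy("check_db_value", 1,                       # the only policy that reads the database
               lambda v: db.get("department") == "finance",
               lambda v: v.update(dept_checked=True)),
    ])
    first = engine.fire("jdoe", {})    # fresh variables for each event
    second = engine.fire("jdoe", {})
    return first, second, db.lookups
```

Each event costs one database lookup instead of three, and the run-once policy is skipped on the second event while the enforcement policy runs again.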