
Example: Enforcing Segregation of Duties

Identity policies can define roles that are mutually exclusive and cannot be granted to the same user concurrently. For example, you can prevent a user manager who can grant raises from also being a salary approver.

To create an identity policy set that enforces segregation of duties, create an identity policy with the following settings:

Apply Once: Not enabled

Compliance: Enabled

Policy Condition: Use the "in <administrative-intersection-constraint>" option to define a set of conditions that violate a business policy. If a user meets all of the conditions, Identity Manager takes the actions in the Action on Apply Policy field.

For example, set the policy condition as follows:

intersection (who are members of <some_role>) and (who are members of <some_other_role>)

Action on Apply Policy: The actions that Identity Manager should take when the policy condition applies, for example:

  • Compliance violation message: User has mutually exclusive roles
  • Remove member from <some_role>
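The following Python script is an added illustration of the logic this policy set expresses; it is not CA Identity Manager code and it uses a constructed sample directory with hypothetical users and role names. It models the policy condition as the intersection of two role memberships, records the compliance violation message for each user in that intersection, and applies the "Remove member from <some_role>" action. Because Apply Once is not enabled, the check is written to be re-run on every evaluation, and the script confirms that a second pass after remediation finds no remaining violations.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SodPolicy:
    """One segregation-of-duties identity policy (hypothetical model):
    two mutually exclusive roles, the compliance violation message to
    record, and the role to remove when a user holds both."""
    role_a: str
    role_b: str
    violation_message: str
    remove_role: str


def condition_applies(roles: Set[str], policy: SodPolicy) -> bool:
    """Policy condition: the user lies in the intersection of
    (members of role_a) and (members of role_b)."""
    return policy.role_a in roles and policy.role_b in roles


def apply_policy(
    members: Dict[str, Set[str]], policy: SodPolicy
) -> Tuple[List[Tuple[str, str]], Dict[str, Set[str]]]:
    """Evaluate every user against the policy.

    Returns the list of (user, violation message) pairs, i.e. the
    compliance violations, and a new role map with the
    'Remove member from <role>' action applied. The input map is not
    mutated, so the caller can diff before and after."""
    violations: List[Tuple[str, str]] = []
    remediated: Dict[str, Set[str]] = {}
    for user, roles in members.items():
        new_roles = set(roles)
        if condition_applies(roles, policy):
            violations.append((user, policy.violation_message))
            new_roles.discard(policy.remove_role)
        remediated[user] = new_roles
    return violations, remediated


# Constructed sample directory: hypothetical users and role names.
SAMPLE_MEMBERS: Dict[str, Set[str]] = {
    "alice": {"User Manager", "Salary Approver"},  # holds both roles
    "bob": {"User Manager"},
    "carol": {"Salary Approver", "Auditor"},
}

# The policy from the example above, with concrete role names filled in.
SOD_POLICY = SodPolicy(
    role_a="User Manager",
    role_b="Salary Approver",
    violation_message="User has mutually exclusive roles",
    remove_role="User Manager",
)


if __name__ == "__main__":
    found, after = apply_policy(SAMPLE_MEMBERS, SOD_POLICY)
    for user, message in found:
        print(f"{user}: {message}")
    # Apply Once is not enabled, so the policy is evaluated again;
    # after remediation the intersection is empty.
    print("remaining violations:", apply_policy(after, SOD_POLICY)[0])
```

Running the script reports the violation for the one user who holds both roles, shows that user's role set with "User Manager" removed, and prints an empty list for the second pass.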

The following figure illustrates the identity policy in this example.


Copyright © 2009 CA. All rights reserved.