Identity Policies

An identity policy is a set of business changes that occur when a user meets a certain condition or rule. You can use identity policy sets to:

The business changes associated with an identity policy include:

For example, a company may create an identity policy that states that all Vice Presidents belong to the Country Club Member group and have the role Salary Approver. When a user's title changes to Vice President and that user is synchronized with the identity policy, Identity Manager adds the user to the appropriate group and role. When a Vice President is promoted to CEO, she no longer meets the condition in the Vice President identity policy, so the changes applied by that policy are revoked, and new changes based on the CEO policy are applied.

The change actions that occur based on an identity policy contain events that can be placed under workflow control and audited. In the previous example, the Salary Approver role grants significant privileges to its members. To protect the Salary Approver role, the company can create a workflow process that requires a set of approvals before the role is assigned, and it can configure Identity Manager to audit the role assignment.

To simplify identity policy management, identity policies are grouped together in an identity policy set. For example, the Vice President and CEO policies may be part of the Executive Privileges identity policy set.
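
A small Python model of the synchronization behaviour described above, added here as an illustration; it is not CA Identity Manager code and does not use its API. The `Policy` class, `synchronize`, `approve`, the user dictionary layout, and the CEO policy's group and role are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    title: str                          # condition: the user's title equals this
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

# Constructed set: VP changes are from the page's example, CEO changes are invented.
EXECUTIVE_PRIVILEGES = [
    Policy("Vice President", "Vice President",
           frozenset({"Country Club Member"}), frozenset({"Salary Approver"})),
    Policy("CEO", "CEO",
           frozenset({"Executive Board"}), frozenset({"Budget Approver"})),
]
APPROVAL_REQUIRED = {"Salary Approver"}  # roles gated by an approval workflow

def approve(user, role, audit):
    """Approver signs off: a pending role becomes an actual assignment."""
    user["pending"].remove(role)
    user["roles"].add(role)
    audit.append(("assign_role", role, "approved"))

def synchronize(user, policy_set, audit):
    """Revoke changes from policies the user no longer meets, apply new ones."""
    matched = [p for p in policy_set if p.title == user["title"]]
    keep_groups = frozenset().union(*(p.groups for p in matched))
    keep_roles = frozenset().union(*(p.roles for p in matched))
    for p in policy_set:
        if p.name in user["applied"] and p not in matched:
            for g in sorted(p.groups - keep_groups):   # keep what a matched policy still grants
                user["groups"].discard(g)
                audit.append(("remove_group", g, "completed"))
            for r in sorted(p.roles - keep_roles):
                user["roles"].discard(r)
                user["pending"].discard(r)             # cancel an unapproved request too
                audit.append(("revoke_role", r, "completed"))
            user["applied"].remove(p.name)
    for p in matched:
        if p.name not in user["applied"]:
            for g in sorted(p.groups):
                user["groups"].add(g)
                audit.append(("add_group", g, "completed"))
            for r in sorted(p.roles):
                gated = r in APPROVAL_REQUIRED
                (user["pending"] if gated else user["roles"]).add(r)
                audit.append(("assign_role", r, "pending" if gated else "completed"))
            user["applied"].add(p.name)
```

Running `synchronize` twice without a title change produces no new audit events, because the set of already applied policies is tracked on the user.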


Copyright © 2009 CA. All rights reserved.