Actions on Apply/Remove Policies

You can define change actions that Identity Manager performs when it evaluates the identity policy. The actions include:

The actions that Identity Manager can perform when identity policies are applied or removed are the same. See the following table for more information.

| Change Action | Description |
| --- | --- |
| Add to group <group-name> [...] | Adds users to a group. When you select this option, Identity Manager presents a screen where you can search for the group you want. |
| Add to <group-name> in user's organization | Adds users to a local group. When you select this option, Identity Manager presents a text box where you can enter the name of the group that you want. |
| Set <single-value-user-attribute> to value | Sets the value of an attribute in a user profile. If there is an existing value, Identity Manager overwrites it with the value specified in the change action. |
| Add <value> to <multi-value-user-attribute> | Adds a value to a multi-value user attribute. This option does not overwrite existing values. |
| Make member of access role | Assigns users to an access role. |
| Make administrator of access role | Makes users administrators of an access role. |
| Make member of admin role | Makes users members of an admin role. |
| Make administrator of admin role | Makes users administrators of an admin role. |
| Make member of provisioning role | Makes users members of a provisioning role, which creates associated endpoint accounts. Note: To use provisioning roles, Identity Manager must integrate with a Provisioning Server. See the Installation Guide for your application server. |
| Make administrator of provisioning role | Makes users administrators of a provisioning role. Note: To use provisioning roles, Identity Manager must integrate with a Provisioning Server. See the Installation Guide for your application server. |
| Remove from group <group-name> [...] | Removes users from a group. When you select this option, Identity Manager presents a screen where you can search for the group you want. |
| Remove from <group-name> in user's organization | Removes users from a local group. When you select this option, Identity Manager presents a text box where you can enter the name of the group that you want. |
| Remove <value> from <multi-value-user-attribute> | Removes a value from a multi-value user attribute. |
| Remove member from access role | Revokes an access role. |
| Remove administrator from access role | Revokes administrator privileges for a specific access role. |
| Remove member from admin role | Revokes an admin role. |
| Remove administrator from admin role | Revokes administrator privileges for a specific admin role. |
| Remove member from provisioning role | Revokes a provisioning role. |
| Remove administrator from provisioning role | Revokes administrator privileges for a specific provisioning role. |
| Send audit message | Sends a message that you create to the audit database. This message may appear in a report that you create. |
| Compliance violation | Sends a message that you create to the audit database. If you create a compliance report, the message appears each time the identity policy is applied to or removed from a user. See the Configuration Guide for more information about auditing. Note: You must enable the Compliance check box on the Profile tab for the Identity Policy Set to use the Compliance Violation option. |


Copyright © 2009 CA. All rights reserved.