A preventative identity policy is a type of identity policy that prevents users from receiving privileges that may result in a conflict of interest or fraud. These policies support a company's Segregation of Duties (SOD) requirements.
Preventative identity policies, which execute before a task is submitted, allow an administrator to check for policy violations before assigning privileges or changing profile attributes. If a violation exists, the administrator can clear the violation before submitting the task.
For example, a company can create a preventative identity policy that prohibits users who have the User Manager role from also having the User Approver role. If an administrator uses the Modify User task to give a User Manager the User Approver role, CA Identity Manager displays a message about the violation. The administrator can change the role assignments to clear the violation before submitting the task.
You can create preventative identity policies for the following changes:
Prevents users from having certain roles at the same time.
For example, users cannot have the User Manager and User Approver roles at the same time.
Prevents users from being administrators of certain roles if they are administrators of other roles.
For example, users cannot be administrators for the User Manager and User Approver roles at the same time.
Prevents users from having certain profile attributes at the same time.
For example, users cannot have the title Senior Account and belong to the IT department.
Prevents user profiles from being created in a certain organization.
For example, administrators cannot create employee profiles in the Suppliers organization.
Prevents users from being members in certain groups.
For example, users cannot be members of the Project Team group and the Accounting Group.
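The pre-submission check described above can be sketched as follows. This is an added example, not CA Identity Manager code or its API: the User class, the rule tables, the "type" attribute and the function names are assumptions made for illustration, and the rules themselves are taken from the examples on this page.

```python
from dataclasses import dataclass, field

@dataclass
class User:  # hypothetical model of a user profile, not a product class
    roles: set = field(default_factory=set)
    admin_roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)
    org: str = ""

# Constructed rule tables mirroring the five examples on this page.
EXCLUSIVE_SETS = {
    "roles": [{"User Manager", "User Approver"}],
    "admin_roles": [{"User Manager", "User Approver"}],
    "groups": [{"Project Team", "Accounting Group"}],
}
EXCLUSIVE_ATTRS = [{"title": "Senior Account", "department": "IT"}]
BLOCKED_ORGS = {"employee": {"Suppliers"}}  # profile type -> forbidden orgs

def violations(user):
    """Return every rule the proposed user state would break."""
    found = []
    for kind, rules in EXCLUSIVE_SETS.items():
        held = getattr(user, kind)
        for rule in rules:
            if rule <= held:  # user holds all members of an exclusive set
                found.append(f"{kind}: {' + '.join(sorted(rule))}")
    for combo in EXCLUSIVE_ATTRS:
        if all(user.attrs.get(k) == v for k, v in combo.items()):
            pairs = ", ".join(f"{k}={v}" for k, v in sorted(combo.items()))
            found.append(f"attrs: {pairs}")
    profile_type = user.attrs.get("type")  # "type" is an assumed attribute
    if user.org in BLOCKED_ORGS.get(profile_type, set()):
        found.append(f"org: {profile_type} in {user.org}")
    return found

def submit(current, proposed):
    """Evaluate the proposed state first; apply it only when it is clean."""
    problems = violations(proposed)
    if problems:
        return current, problems  # task not submitted, nothing changes
    return proposed, []

if __name__ == "__main__":
    manager = User(roles={"User Manager"}, attrs={"type": "employee"}, org="Staff")
    change = User(roles={"User Manager", "User Approver"},
                  attrs={"type": "employee"}, org="Staff")
    print(submit(manager, change)[1])
```

Because the check runs on the proposed state and returns the current state unchanged when a rule is broken, the conflicting assignment is never stored and the administrator can adjust the change before resubmitting.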
Copyright © 2015 CA Technologies.
All rights reserved.