Before you implement preventative identity policies, note the following:
For example, a company creates a preventative identity policy that prohibits users from having the User Manager and User Approver roles at the same time. An administrator assigns the Group Manager role to a user who already has the User Manager and User Approver roles. CA Identity Manager allows the new assignment to succeed because that change does not directly cause a violation of the policy.
For example, a company has a dynamic group that includes all users who have the title Manager. That company also creates a preventative identity policy that prohibits members of the Managers group from having the Contractors role.
An administrator changes the title of a user who has the Contractors role to Manager. This change will make the user a member of the Managers group after the task submits successfully. However, the user's title is not Manager at the time that CA Identity Manager evaluates the policy, so no violation is detected.
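The following Python sketch models both cases above and pairs them with a scan of the committed state that reports the violations the preventative check let through. It is an added example, not CA Identity Manager code: the policy names, the function names, the "Analyst" title and the evaluation model itself are assumptions drawn from the behavior described on this page.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    title: str
    roles: set = field(default_factory=set)

# Policy names are hypothetical; each function returns True on a violation.
def manager_and_approver(title, roles):
    return {"User Manager", "User Approver"} <= roles

def contractor_in_managers_group(title, roles):
    in_managers_group = title == "Manager"   # dynamic group keyed on title
    return in_managers_group and "Contractors" in roles

POLICIES = {
    "no-manager-and-approver": manager_and_approver,
    "no-contractor-managers": contractor_in_managers_group,
}

def preventative_check(user, add_roles=(), new_title=None):
    """Assumed model of the evaluation described above: a task is blocked only
    when it directly causes a violation, and the dynamic group is resolved
    from the title the user has before the task is submitted."""
    proposed = user.roles | set(add_roles)
    blocked = []
    for name, violates in POLICIES.items():
        existing = violates(user.title, user.roles)
        caused = violates(user.title, proposed)   # new_title not yet visible
        if caused and not existing:
            blocked.append(name)
    return blocked

def submit(user, add_roles=(), new_title=None):
    """Apply the task unless the preventative check blocks it."""
    blocked = preventative_check(user, add_roles, new_title)
    if not blocked:
        user.roles |= set(add_roles)
        user.title = new_title or user.title
    return blocked

def detective_scan(user):
    """Re-evaluate every policy against the committed state."""
    return sorted(n for n, v in POLICIES.items() if v(user.title, user.roles))
```

Running `detective_scan` over users after each task completes surfaces pre-existing violations and violations that only appear once dynamic group membership catches up with an attribute change.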
Copyright © 2015 CA Technologies.
All rights reserved.