Previous Topic: Important Notes about Preventative Identity PoliciesNext Topic: Use Case: Preventing Users from Having Conflicting Roles

Create a Preventative Identity Policy

Before you create a preventative identity policy, you create an identity policy set, which logically groups a set of identity policies.

Note: See Important Notes about Preventative Identity Policies before you begin.

To create a preventative identity policy set

  1. Open Policies, Create Identity Policy Set in the User Console.

    Create a new identity policy set or use an existing identity policy set as a template.

  2. Define the profile for the identity policy set on the Profile tab.
  3. Create a policy set member rule on the Policies tab.
  4. Create a preventative identity policy as follows:
    1. Click Add.
    2. Enter a name for the identity policy.

      Note: The Apply Once and Compliance settings do not apply to preventative identity policies.

    3. Identify the users to which the policy applies in the Policy Condition section.

      Note: The role owner filter and the LDAP query filter are not supported for preventative identity policies.

    4. In the Action on Apply Policy field, define the actions that CA Identity Manager takes when CA Identity Manager detects a policy violation:

      CA Identity Manager displays a message in View Submitted Tasks that describes the violation, but allows the task to be submitted.


      CA Identity Manager displays a message in the User Console and prohibits the task from submitting.


      CA Identity Manager displays a message in the User Console and in View Submitted Tasks. This action can optionally trigger a workflow process.

      When you select one of these actions, CA Identity Manager displays a text box where you can specify the message that appears when a violation occurs.

    5. Specify the message in the text box.

      Note: If you are localizing the User Console, you can specify a resource key instead of text in the message field. See the User Console Design Guide for more information about resource keys.

    6. Add additional actions if necessary and click OK.
  5. Specify owners for the Identity Policy set.

Note: Before you use the identity policy set that you created, make sure that identity policies are enabled in the Management Console. See the Configuration Guide for more information.