Identity Policies › Combining Identity Policies and Preventative Identity Policies

Combining Identity Policies and Preventative Identity Policies

You can combine identity policies and preventative identity policies to address Segregation of Duties (SOD) requirements. In this case, identity policies address existing SOD violations and preventative identity policies prohibit new violations.

To support this use case, you configure an identity policy set with two types of actions:

• Actions that occur during user synchronization

  These actions result in changes to user attributes, group and role members, administrators, or owners. For example, an action of this type may remove a user from a role when a violation is detected.

  These actions differ from preventative actions in that they are not applied when a task is submitted. They are applied only during user synchronization.

• Preventative actions

  These actions determine what CA Identity Manager does when a preventative identity policy violation occurs before a task is submitted. CA Identity Manager can allow the task to submit, issue a warning and trigger a workflow process, or prevent the task from submitting.

  In each of these cases, the violation is recorded in the audit database.

Consider a company that wants to prevent users from having the HR Administrator and Salary Approver roles at the same time. That company creates an identity policy with two Action on Apply Policy actions:

• Remove the user from role Salary Approver

  This action occurs when CA Identity Manager synchronizes users with identity policies.

  In this case, this company configured user synchronization for the Modify User task. When an administrator modifies a user, CA Identity Manager evaluates all applicable identity policies and applies the actions. In this example, CA Identity Manager removes users who have the HR Administrator role and the Salary Approver Role from the Salary Approver role.

• Reject the task

  This preventative action prohibits administrators from assigning these two roles to a person by not allowing the administrator to submit the task.

Note: When you configure an identity policy with both of these types of actions, verify that the actions do not conflict. For example, you can configure an identity policy that prevents users from having the Manager and Contractor roles. In the policy, you specify two actions:

• A warning that triggers a workflow process, which requires an approval before assigning the roles, and
• An action that removes a user from the Manager role

An approver approves the role assignment for the Manager and Contractor roles, but the second action removes the user from the Manager role when user synchronization occurs.