

Example: Allocating Resources and Entitlements

Identity policies can automatically assign resources, such as domain accounts, or grant entitlements, such as making a user a member of a role, when users meet the policy condition. For example, you can create a set of identity policies that assign resources and roles based on a user’s title.

To create an identity policy set for allocating resources and roles, create an identity policy with the following settings for each of the titles in your organization:

| Setting | Value |
| --- | --- |
| Policy Condition | title = <some_title> |
| Action on Apply Policy | Any actions that allocate resources or entitlements to users who meet the policy condition, for example: make member of <some_group>; make member of admin role <some_admin_role>; make member of provisioning role <some_provisioning_role> |
| Action on Remove Policy | Any actions that remove resources or entitlements when a user no longer meets the policy condition. For example, if CA Identity Manager made the user a member of a role when the identity policy was applied, you may want to configure CA Identity Manager to revoke the role when the user no longer meets the policy condition. |

The following figure illustrates sample policies in the Employee Resources identity policy set:

The screen shows sample policies in the Employee Resources Identity Policy Set with the columns Policy Name, Policy Member Rule, Action on Apply Policy, and Action on Remove Policy.
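
The apply and remove behaviour described in the settings above, modelled in Python as an added example; it is not CA Identity Manager code or its API, and the class names, titles and role names are hypothetical. It shows a role persisting after a title change when a policy has no Action on Remove Policy configured.

```python
# Simplified model of an identity policy set (not CA Identity Manager code; all names are hypothetical).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class IdentityPolicy:
    name: str
    title: str             # policy condition: title = <some_title>
    on_apply: tuple = ()   # Action on Apply Policy: entitlements to grant
    on_remove: tuple = ()  # Action on Remove Policy: entitlements to revoke

@dataclass
class User:
    uid: str
    title: str
    entitlements: set = field(default_factory=set)
    applied: set = field(default_factory=set)  # names of policies in effect

def synchronize(user, policy_set):
    """Apply or remove each policy based on the user's current title."""
    actions = []
    for p in policy_set:
        matches = user.title == p.title
        if matches and p.name not in user.applied:
            user.entitlements.update(p.on_apply)
            user.applied.add(p.name)
            actions += [("grant", e) for e in p.on_apply]
        elif not matches and p.name in user.applied:
            user.entitlements.difference_update(p.on_remove)
            user.applied.discard(p.name)
            actions += [("revoke", e) for e in p.on_remove]
    return actions

def demo():
    # Constructed sample data: titles, groups and roles are made up.
    engineer = ("group:engineering", "prov-role:dev-accounts")
    policies = [
        IdentityPolicy("Engineer policy", "Engineer", engineer, engineer),
        # No Action on Remove Policy configured: nothing is revoked later.
        IdentityPolicy("Manager policy", "Manager", ("admin-role:user-manager",)),
    ]
    user = User("jdoe", "Engineer")
    synchronize(user, policies)
    user.title = "Manager"
    promoted = synchronize(user, policies)
    user.title = "Analyst"  # matches no policy
    moved = synchronize(user, policies)
    return promoted, moved, user.entitlements

if __name__ == "__main__":
    print(demo())
```

In this model the user who moves from Manager to Analyst keeps the admin role, because the Manager policy defines no remove action; the Engineer entitlements are revoked as soon as the title changes.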