Example: Enforcing Segregation of Duties

Identity policies can define roles that are mutually exclusive and cannot be granted to the same user concurrently. For example, you can prevent a user manager who can grant raises from also being a salary approver.

To create an identity policy set that enforces segregation of duties, create an identity policy with the following settings:

Apply Once

Not enabled



Policy Condition

Use the "in <administrative-intersection-constraint>" option to define a set of conditions that violate a business policy. If a user meets all of the conditions, CA Identity Manager takes the actions in the Action on Apply Policy field.

For example, set the policy condition as follows:

intersection (who are members of <some_role>) and (who are members of <some_other_role>)

Action on Apply Policy

The actions that CA Identity Manager takes when the policy condition applies, for example:

  • Compliance violation message: User has mutually exclusive roles
  • Remove member from <some_role>

The following figure illustrates the identity policy in this example.

The screen shows the identity policy with the columns Policy Name, Policy Member Rule, and Action on Apply Policy.
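To make the evaluation logic of this policy concrete, the following stand-alone script models the same rule: the policy condition is the intersection of two role memberships, and the action on apply is a compliance violation message plus removal of the member from one of the roles. This is an added example, not CA Identity Manager code or its API; the class names, role names ("User Manager", "Salary Approver") and user names are constructed for illustration. It generalizes the page's single role pair to a list of mutually exclusive pairs.

```python
# Added example (not CA Identity Manager code): a stand-alone evaluator for
# segregation-of-duties identity policies modelled on the settings above.
# All role names, user names and policy names below are constructed sample data.

from dataclasses import dataclass, field


@dataclass(frozen=True)
class SoDPolicy:
    """A pair of mutually exclusive roles and the action taken on violation."""
    name: str
    role_a: str          # stands in for <some_role>
    role_b: str          # stands in for <some_other_role>
    remove_role: str     # "Remove member from <role>" action
    message: str = "User has mutually exclusive roles"  # compliance violation message

    def __post_init__(self):
        # Caveat: if the removed role is not one of the two conflicting roles,
        # the condition would still hold after the action and the policy would
        # fire on every evaluation (Apply Once is not enabled).
        if self.remove_role not in (self.role_a, self.role_b):
            raise ValueError(f"{self.name}: remove_role must be role_a or role_b")


@dataclass
class Evaluation:
    violations: list = field(default_factory=list)   # (user, policy name, message)
    memberships: dict = field(default_factory=dict)  # user -> set of roles after actions


def condition_applies(roles: set, policy: SoDPolicy) -> bool:
    """Policy Condition: the user is in the intersection of both member sets."""
    return {policy.role_a, policy.role_b} <= roles


def apply_policies(memberships: dict, policies: list) -> Evaluation:
    """Evaluate every user against every policy and apply the configured actions."""
    # Work on a copy so the caller's membership data is left untouched.
    result = Evaluation(memberships={u: set(r) for u, r in memberships.items()})
    for user, roles in result.memberships.items():
        for policy in policies:
            if condition_applies(roles, policy):
                # Action on Apply Policy, step 1: record the compliance violation.
                result.violations.append((user, policy.name, policy.message))
                # Action on Apply Policy, step 2: remove the member from the role.
                roles.discard(policy.remove_role)
    return result


# Constructed sample data: one policy (the page's raise/approval example) and
# three users, only one of whom holds both conflicting roles.
SAMPLE_POLICIES = [
    SoDPolicy(name="NoRaiseAndApprove", role_a="User Manager",
              role_b="Salary Approver", remove_role="Salary Approver"),
]
SAMPLE_MEMBERSHIPS = {
    "alice": {"User Manager", "Salary Approver"},
    "bob": {"User Manager"},
    "carol": {"Salary Approver", "Auditor"},
}

if __name__ == "__main__":
    ev = apply_policies(SAMPLE_MEMBERSHIPS, SAMPLE_POLICIES)
    for user, policy_name, message in ev.violations:
        print(f"{user}: {policy_name}: {message}")
    print(ev.memberships)
```

Because Apply Once is not enabled, the policy is re-evaluated on every run; the script mirrors that by being idempotent, so a second pass over the corrected memberships reports no further violations.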