

Identity Policies

An identity policy is a set of business changes that occur when a user meets a certain condition or rule. You can use identity policy sets to:

The business changes associated with an identity policy include:

For example, a company may create an identity policy which states that all Vice Presidents belong to the Country Club Member group and have the role Salary Approver. When a user’s title changes to Vice President and that user is synchronized with the identity policy, CA Identity Manager adds the user to the appropriate group and role. When a Vice President is promoted to CEO, she no longer meets the condition in the Vice President identity policy so the changes applied by that policy are revoked, and new changes based on the CEO policy are applied.

The change actions that occur based on an identity policy contain events that can be placed under workflow control and audited. In the previous example, the Salary Approver role grants significant privileges to its members. To protect the Salary Approver role, the company can create a workflow process that requires a set of approvals before the role is assigned, and it can configure CA Identity Manager to audit the role assignment.

To simplify identity policy management, identity policies are grouped in an identity policy set. For example, the Vice President and CEO policies may be part of the Executive Privileges identity policy set.
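The synchronization behavior described above can be modeled in a few lines. This is an added illustration, not CA Identity Manager code or its API: the class and function names, the CEO policy's grants, and the choice to net changes so that an entitlement shared by the old and new policy is kept are all assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[dict], bool]   # rule evaluated against user attributes
    grants: frozenset                   # entitlements as (kind, name) tuples

@dataclass
class User:
    attrs: dict
    applied: dict = field(default_factory=dict)  # policy name -> entitlements it applied

# Constructed policy set. The VP grants come from the text; the CEO grants are invented.
EXECUTIVE_PRIVILEGES = [
    Policy("Vice President", lambda a: a.get("title") == "Vice President",
           frozenset({("group", "Country Club Member"), ("role", "Salary Approver")})),
    Policy("CEO", lambda a: a.get("title") == "CEO",
           frozenset({("group", "Country Club Member"), ("role", "Budget Owner")})),
]
# Entitlements under workflow control (assumption: tracked per entitlement).
NEEDS_APPROVAL = {("role", "Salary Approver")}

def synchronize(user, policy_set, approved=frozenset()):
    """Apply matching policies and revoke those that no longer match.

    Returns (events, pending): events are auditable add/remove actions,
    pending lists grants held until a workflow approval is recorded.
    """
    before = set().union(*user.applied.values())
    new_applied, pending = {}, []
    for policy in policy_set:
        if not policy.condition(user.attrs):
            continue                    # unmatched: its changes drop out below
        granted = set()
        for ent in sorted(policy.grants):
            if ent in NEEDS_APPROVAL and ent not in approved and ent not in before:
                pending.append((policy.name, ent))   # hold, do not grant
            else:
                granted.add(ent)
        new_applied[policy.name] = granted
    after = set().union(*new_applied.values())
    # Net the changes so an entitlement granted by both old and new policy is kept.
    events = [("add", e) for e in sorted(after - before)]
    events += [("remove", e) for e in sorted(before - after)]
    user.applied = new_applied
    return events, pending
```

Reviewing the returned `events` list after a title change shows whether a privileged role such as Salary Approver was actually revoked, which is the record an access review would check.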

Note: CA Identity Manager includes an additional type of identity policy, called a preventative identity policy. These policies, which execute before a task is submitted, allow an administrator to check for policy violations before assigning privileges or changing profile attributes. If a violation exists, the administrator can clear the violation before submitting the task.