Actions on Apply/Remove Policies

You can define change actions that CA Identity Manager performs when it evaluates the identity policy. The actions include:

Actions on Apply Policy

A set of actions that CA Identity Manager performs when a user meets the policy conditions.

Actions on Remove Policy

A set of actions that CA Identity Manager performs when a user no longer meets the policy conditions.

The actions that CA Identity Manager can perform when identity policies are applied or removed are the same. See the following table for more information.

| Change Action | Description |
| --- | --- |
| Add to group <group-name> [...] | Adds users to a group. When you select this option, CA Identity Manager presents a screen where you can search for the group you want. |
| Add to <group-name> in user’s organization | Adds users to a local group. When you select this option, CA Identity Manager presents a text box where you can enter the name of the group that you want. |
| Set <single-value-user-attribute> to value | Sets the value of an attribute in a user profile. If there is an existing value, CA Identity Manager overwrites it with the value specified in the change action. |
| Add <value> to <multi-value-user-attribute> | Adds a value to a multi-value user attribute. This option does not overwrite existing values. |
| Make member of access role | Assigns users to an access role. |
| Make administrator of access role | Makes users administrators of an access role. |
| Make member of admin role | Makes users members of an admin role. |
| Make administrator of admin role | Makes users administrators of an admin role. |
| Make member of provisioning role | Makes users members of a provisioning role, which creates associated endpoint accounts. Note: To use provisioning roles, CA Identity Manager must integrate with a Provisioning Server. See the Installation Guide for your application server. |
| Make administrator of provisioning role | Makes users administrators of a provisioning role. Note: To use provisioning roles, CA Identity Manager must integrate with a Provisioning Server. See the Installation Guide for your application server. |
| Remove from group <group-name> [...] | Removes users from a group. When you select this option, CA Identity Manager presents a screen where you can search for the group you want. |
| Remove from <group-name> in user’s organization | Removes users from a local group. When you select this option, CA Identity Manager presents a text box where you can enter the name of the group that you want. |
| Remove <value> from <multi-value-user-attribute> | Removes a value from a multi-value user attribute. |
| Remove member from access role | Revokes an access role. |
| Remove administrator from access role | Revokes administrator privileges for a specific access role. |
| Remove member from admin role | Revokes an admin role. |
| Remove administrator from admin role | Revokes administrator privileges for a specific admin role. |
| Remove member from provisioning role | Revokes a provisioning role. |
| Remove administrator from provisioning role | Revokes administrator privileges for a specific provisioning role. |
| Send audit message | Sends a message that you create to the audit database. This message may appear in a report that you create. |
| Compliance violation | Sends a message that you create to the audit database. If you create a compliance report, the message appears each time the identity policy is applied to or removed from a user. See the Configuration Guide for more information about auditing. Note: You must enable the Compliance check box on the Profile tab for the Identity Policy Set to use the Compliance Violation option. |
| Accept (Action on Apply Policies only) | Allows the task to submit when there is a preventative identity policy violation. When you select this action, you provide a message that CA Identity Manager writes in the audit database and displays in View Submitted Tasks when a violation occurs. |
| Reject (Action on Apply Policies only) | Prevents a task from submitting when an identity policy violation occurs. This action is used with preventative identity policies to prevent users from receiving privileges that may result in a conflict of interest or fraud. When you select this action, you also provide a message that CA Identity Manager displays when a violation occurs. The message is stored in the audit database and displayed in the User Console. |
| Warning (Action on Apply Policies only) | Triggers a workflow process when a preventative identity policy violation occurs, if you associate that violation with a workflow approval policy. CA Identity Manager allows the task to submit regardless of whether workflow is configured. Note: For information about associating a workflow process with a preventative identity policy, see Workflow and Preventative Identity Policies. When you select this action, you also provide a message that CA Identity Manager displays when a violation occurs. The message is stored in the audit database and displayed in View Submitted Tasks. |
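The Accept, Reject and Warning actions differ in whether the task submits and whether a workflow process is triggered. The sketch below is an added illustration of those outcomes for a separation-of-duties check; it is not CA Identity Manager code or its API. The class names, role names, policy names and the workflow name are all assumptions made up for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class PreventativePolicy:          # hypothetical model, not a product class
    name: str
    violated_by: Callable[[dict], bool]  # True if the proposed user state violates it
    action: str                    # "Accept", "Reject" or "Warning" (from the table)
    message: str                   # text the policy author supplies
    workflow: Optional[str] = None # approval process associated with a Warning

@dataclass
class TaskResult:
    submitted: bool = True
    audit: list = field(default_factory=list)      # stands in for the audit database
    workflows: list = field(default_factory=list)  # workflow processes triggered

def evaluate_task(user: dict, roles_to_add: set, policies: list) -> TaskResult:
    """Evaluate the user as they would look after the task, before it submits."""
    proposed = {**user, "roles": set(user["roles"]) | set(roles_to_add)}
    result = TaskResult()
    for p in policies:
        if not p.violated_by(proposed):
            continue
        result.audit.append((p.name, p.action, p.message))  # all three record a message
        if p.action == "Reject":
            result.submitted = False             # the task is prevented from submitting
        elif p.action == "Warning" and p.workflow:
            result.workflows.append(p.workflow)  # the task still submits
    return result

def holds_both(a: str, b: str) -> Callable[[dict], bool]:
    return lambda u: {a, b} <= u["roles"]

# Constructed sample policies; role and workflow names are made up.
POLICIES = [
    PreventativePolicy("sod-checks", holds_both("Check Signer", "Check Approver"),
                       "Reject", "A check signer cannot also approve checks"),
    PreventativePolicy("sod-vendors", holds_both("Vendor Admin", "Check Signer"),
                       "Warning", "Vendor admin with signing rights", "manager-approval"),
    PreventativePolicy("contractor-signer",
                       lambda u: u["type"] == "contractor" and "Check Signer" in u["roles"],
                       "Accept", "Contractor granted signing rights"),
]

if __name__ == "__main__":
    signer = {"type": "employee", "roles": {"Check Signer"}}
    for grant in ({"Check Approver"}, {"Vendor Admin"}, {"Auditor"}):
        r = evaluate_task(signer, grant, POLICIES)
        print(sorted(grant), "submitted:", r.submitted, r.audit, r.workflows)
```

The model only returns the decision and never changes the user, because the page describes submission, not what happens to the task after a workflow process runs.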


More information:

Preventative Identity Policies

Workflow and Preventative Identity Policies