

The Apply Once Setting

CA Identity Manager applies an identity policy differently, based on the Apply Once setting.

Enabling the Apply Once Setting

If the Apply Once setting is enabled, CA Identity Manager applies the changes associated with the identity policy when a user first meets the condition defined in the policy. The change actions associated with the policy occur only once. Therefore, CA Identity Manager does not apply policy updates to users if the policy was previously applied to them.

When a user no longer meets the condition defined in the policy, CA Identity Manager executes the policy’s remove actions.

The Apply Once setting is typically used when provisioning resources. For example, you may have a policy that assigns a cell phone to managers. When a user first becomes a manager, that user is assigned a cell phone. CA Identity Manager issues the cell phone only once, not each time the policy is evaluated. If the cell phone policy is updated to include a newer cell phone model, CA Identity Manager does not issue new cell phones to existing managers.

Note: Resource provisioning is available when CA Identity Manager integrates with a Provisioning Server.

Disabling the Apply Once Setting

If the Apply Once setting is not enabled, the change actions associated with the identity policy are applied each time an identity policy is evaluated. This means that CA Identity Manager applies change actions for every user who meets the condition in the policy, regardless of whether the change actions were applied previously.

Typically, you disable the Apply Once setting in an identity policy that enforces compliance. For example, you can create an identity policy that restricts managers’ spending authority to $5,000. If CA Identity Manager encounters a manager whose spending authority is set to $10,000, it resets the spending authority to $5,000. Each time a manager is synchronized with the identity policy, CA Identity Manager checks to make sure the spending authority is set correctly.

If a manual change that conflicts with a change action is made to a user profile, CA Identity Manager overwrites the change when the user is synchronized with the policy.

In the previous example, if someone manually increases a manager’s spending authority to $10,000, CA Identity Manager resets the spending authority to $5,000 when the manager is synchronized with the policy.

The following table summarizes the effects of enabling or disabling the Apply Once setting.

If Apply Once is enabled, then:

  • Change actions associated with the identity policy are applied only once
  • Manual changes made after the identity policy is applied are preserved
  • Updates are not applied to users who meet the condition in an identity policy, if CA Identity Manager applied the policy previously
  • When a user no longer meets the condition in an identity policy, CA Identity Manager executes the remove actions

If Apply Once is disabled, then:

  • Change actions associated with the identity policy are applied every time a user is synchronized with the policy
  • Manual changes are overwritten when the identity policy is applied
  • Updates to the policy are applied when a user is synchronized
  • When a user no longer meets the condition in an identity policy, CA Identity Manager executes the remove actions
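
The following Python sketch is an added illustration, not CA Identity Manager code: it models the behavior summarized above, using the page's spending-authority example to show that with Apply Once enabled a conflicting manual change survives synchronization, while with it disabled the change is reset. The class and function names, the remove action's value of 0, and the updated limit of 4,000 are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class IdentityPolicy:
    condition: Callable[[dict], bool]   # does the user meet the policy condition?
    change: dict                        # attributes set by the change actions
    remove: dict                        # attributes set by the remove actions
    apply_once: bool
    applied_to: set = field(default_factory=set)  # users the policy currently applies to

def synchronize(user: dict, policy: IdentityPolicy) -> str:
    """Evaluate one policy against one user and report the action taken."""
    uid = user["id"]
    if policy.condition(user):
        if policy.apply_once and uid in policy.applied_to:
            return "skipped"            # manual edits and policy updates are left alone
        user.update(policy.change)
        policy.applied_to.add(uid)
        return "applied"
    if uid in policy.applied_to:        # user no longer meets the condition
        user.update(policy.remove)
        policy.applied_to.discard(uid)
        return "removed"
    return "no-op"

def demo(apply_once: bool):
    """Run the same user history under either setting (constructed sample data)."""
    policy = IdentityPolicy(
        condition=lambda u: u["title"] == "manager",
        change={"spending_limit": 5000},
        remove={"spending_limit": 0},   # assumed remove action
        apply_once=apply_once,
    )
    user = {"id": "u1", "title": "manager", "spending_limit": 0}
    log = [synchronize(user, policy)]
    user["spending_limit"] = 10000      # manual change that conflicts with the policy
    log.append(synchronize(user, policy))
    after_manual = user["spending_limit"]
    policy.change = {"spending_limit": 4000}   # policy is updated
    log.append(synchronize(user, policy))
    after_update = user["spending_limit"]
    user["title"] = "engineer"          # condition no longer met
    log.append(synchronize(user, policy))
    return log, after_manual, after_update, user["spending_limit"]

if __name__ == "__main__":
    for flag in (True, False):
        print("apply_once =", flag, demo(flag))
```
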