To ensure that people in your organization always have up-to-date access permission
levels, you can define provisioning policies that automatically assign people to specific roles
based on their identity attributes. If an employee changes job title or department, or moves to a
different site, the system automatically adjusts their access.
What you should know
- Only account administrators or role owners can create or modify provisioning policies
that automatically associate people with a specific role.
- A maximum of 25 policies with a maximum of 25 policy conditions can be defined for each
role.
Procedure
- From the Home page, click and select a Role.
- Click Provisioning policy and click or slide the toggle to Active.
- In the Description field, enter a meaningful policy description.
- (Optional) Configure your automatic removal settings for role members:
  - Select the Automatically remove members that no longer match checkbox option.
  - Specify when to automatically remove your role members. Choose one of the following:
    - After a specified number of days. The default is 7 days.
    - Immediately.

    For example, consider an IT role with access to server rooms. When an IT role member moves to a Developer job, they might still require access to server rooms for 7 days for support or skill transfer purposes. Role members are removed when their identity settings no longer match the policy settings for role-based access control.
- Add the policy rules for the role that you are configuring.
  - Select the Property type that you require. The property types listed here are the default identity field attributes that can be found in the General details of any identity.
    NOTE: Only roles that you are a role manager for can be selected.
    - Company: Enter the company name.
    - Country: Select a country from the list.
    - Department: Enter a department name.
    - Description: Enter a description.
    - Extended grant time: Used to select True or False.
    - External ID: Enter an external ID.
    - Job title: Enter a job title.
    - Primary site: Enter or select the primary office location.
    - Provisioning attributes: Type a custom provisioning attribute and press enter. Some examples might include: background check, drug and alcohol tests, NDA, Safety training, site induction training, and so on.
    - Status: Choose either Active or Inactive.
    - Supervisor name: Enter a name.
    - Supervisors: Add multiple supervisors.
    - Worker type code: Enter a worker type code.
    - Worker type description: Enter a meaningful description for the worker type.
  - Select an Operator from the following:
    - Contains
    - Does not contain
    - Is
    - Is not

    NOTE: The Operators that are displayed vary depending on the Property type that you select.
  - Enter a value or select an option that relates to the Property type you selected.
    NOTE: The Value options or fields that are displayed vary depending on the Property type that you select.
- (Optional) Add custom provisioning attributes to your provisioning policy.
  - Select the Provisioning attributes property.
  - Select an Operator from the following:
    - Contains
    - Does not contain
  - Enter the custom attribute values that you require.
    NOTE: For custom attributes, the provisioning policy is only triggered when an identity includes as a minimum all the provisioning attribute values specified in this policy.
- (Optional) To temporarily disable a policy rule, set the Enabled slider to Disabled.
- (Optional) Click Copy policy when you want to copy a rule or set of rules.
- (Optional) Click to remove any policy rules that you no longer require.
- Click Save.
Results
Users can now be automatically assigned to or removed from specific roles based on their
identity attributes.
After you finish
Add role managers.
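
The following Python sketch is an added example, not code from the product or its documentation. It models the rule evaluation and removal delay described in the procedure so that a policy can be dry-run against an identity export before the toggle is set to Active. The record layout, the `changed_on` field, the `rule` helper, ANDing of enabled rules, and case-sensitive matching are assumptions.

```python
from datetime import date, timedelta

# Operators listed in the procedure. Exact, case-sensitive matching is an assumption.
OPS = {"Is": lambda a, v: a == v, "Is not": lambda a, v: a != v,
       "Contains": lambda a, v: v in a, "Does not contain": lambda a, v: v not in a}

def rule_matches(person, rule):
    prop, op, value = rule["property"], rule["operator"], rule["value"]
    if prop == "Provisioning attributes":
        # Per the NOTE: identity must hold every listed value; the negation is an assumption.
        has_all = set(value) <= set(person.get(prop, []))
        return has_all if op == "Contains" else not has_all
    return OPS[op](person.get(prop, ""), value)

def policy_matches(person, policy):
    enabled = [r for r in policy["rules"] if r["enabled"]]
    # Assumptions: enabled rules are ANDed; a policy with no enabled rule matches nobody.
    return bool(enabled) and all(rule_matches(person, r) for r in enabled)

def dry_run(identities, members, policy, today):
    """Return (to_add, to_remove, in_grace) name lists without changing anything."""
    to_add, to_remove, in_grace = [], [], []
    for p in identities:
        matched = policy_matches(p, policy)
        if matched and p["name"] not in members:
            to_add.append(p["name"])
        elif not matched and p["name"] in members and policy["auto_remove"]:
            due = p["changed_on"] + timedelta(days=policy["grace_days"])
            (to_remove if today >= due else in_grace).append(p["name"])
    return to_add, to_remove, in_grace

def rule(prop, op, value, enabled=True):
    return {"property": prop, "operator": op, "value": value, "enabled": enabled}

POLICY = {"auto_remove": True, "grace_days": 7, "rules": [  # constructed sample data
    rule("Department", "Is", "IT"), rule("Status", "Is", "Active"),
    rule("Provisioning attributes", "Contains", ["NDA", "Safety training"]),
    rule("Country", "Is", "Canada", enabled=False)]}  # disabled rule is skipped
IDENTITIES = [  # changed_on (hypothetical field): date of the last attribute change
    {"name": "Ana", "Department": "IT", "Status": "Active", "changed_on": date(2024, 3, 1),
     "Provisioning attributes": ["NDA", "Safety training", "background check"]},
    {"name": "Ben", "Department": "IT", "Status": "Active", "changed_on": date(2024, 3, 1),
     "Provisioning attributes": ["NDA"]},  # lacks one required attribute
    {"name": "Cy", "Department": "Development", "Status": "Active",
     "changed_on": date(2024, 3, 10), "Provisioning attributes": ["NDA", "Safety training"]},
    {"name": "Dee", "Department": "Development", "Status": "Active",
     "changed_on": date(2024, 3, 1), "Provisioning attributes": ["NDA", "Safety training"]}]
MEMBERS = {"Cy", "Dee"}  # current role members (constructed)
print(dry_run(IDENTITIES, MEMBERS, POLICY, date(2024, 3, 12)))
```

Reviewing the three lists before saving shows who would gain access, who would lose it at once, and who is still inside the removal delay.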