Configuring role-based access control policies in ClearID - ClearID

To ensure that people in your organization always have up-to-date access permission levels, you can define provisioning policies that automatically assign people to specific roles based on their identity attributes. If an employee changes job title, department, or moves to a different site, the system automatically adjusts their access.

1. From the Home page, click Organization > Roles and select a Role.
2. Click Provisioning policy and click or slide the toggle to Active.
3. In the Description field, enter a meaningful policy description.
4. (Optional) Configure your automatic removal settings for role members:
   
   1. Select the Automatically remove members that no longer match checkbox option.
   2. Specify when to automatically remove your role members. Choose one of the following:
   • After a specified number of days. The default is 7 days.
   • Immediately.
   For example, an IT role with access to server rooms. When an IT role member moves to a Developer job, they might still require access to server rooms for 7 days for support or skill transfer purposes. Role members are removed when their identity settings no longer match the policy settings for role-based access control.
5. Add the policy rules for the role that you are configuring.
   1. Select the Property type that you require.
      The property types listed here are the default identity field attributes that can be found in the General details of any identity.

      NOTE: Only roles that you are a role manager for can be selected.

      Company

      Enter the company name.

      Country

      Select a country from the list.

      Department

      Enter a department name.

      Description

      Enter a description.

      Extended grant time

      Used to select True or False.

      External ID

      Enter an external ID

      Job title

      Enter a job title.

      Primary site

      Enter or select the primary office location.

      Provisioning attributes

      Type a custom provisioning attribute and press enter. Some examples might include: background check, drug and alcohol tests, NDA, Safety training, site induction training, and so on.

      Status

      Choose either Active or Inactive.

      Supervisor name

      Enter a name.

      Supervisors

      Add multiple supervisors.

      Worker type code

      Enter a worker type code

      Worker type description

      Enter a meaningful description for the worker type.

   2. Select an Operator from the following:
   • Contains
   • Does not contain
   • Is
   • Is not
   NOTE: The Operators that are displayed vary depending on the Property type that you select.
   1. Enter a value or select an option that relates to the Property type you selected.
   NOTE: The Value options or fields that are displayed vary depending on the Property type that you select.
6. (Optional) Add custom provisioning attributes to your provisioning policy.
   1. Select the Provisioning attributes property.
   2. Select an Operator from the following:
      • Contains
      • Does not contain
   3. Enter the custom attribute values that you require.
      

      NOTE: For custom attributes, the provisioning policy is only triggered when an identity includes as a minimum all the provisioning attribute values specified in this policy.
7. (Optional) To temporarily disable a policy rule, set the Enabled slider to Disabled.
8. (Optional) Click Copy policy () when you want to copy a rule or set of rules.
9. (Optional) Click to remove any policy rules that you no longer require.
10. Click Save.