Important Notes about Preventative Identity Policies

Before you implement preventative identity policies, note the following:
  • Preventative identity policies only prevent violations that would occur because of proposed changes in the current task. They do not prevent existing violations.
    For example, a company creates a preventative identity policy that prohibits users from having the User Manager and User Approver roles at the same time. An administrator assigns the Group Manager role to a user who already has the User Manager and User Approver roles.
    Identity Manager allows the new assignment to succeed because that change does not directly cause a violation of the policy.
  • If multiple preventative identity policies apply to a set of proposed changes, Identity Manager applies policies with Reject actions first.
  • Do not specify dynamic groups in preventative identity policy conditions. (Policy conditions determine the set of users that the preventative identity policy applies to.)
    For example, a company has a dynamic group that includes all users who have the title Manager. That company also creates a preventative identity policy that prohibits members of the Managers group from having the Contractors role.
    An administrator changes the title of a user who has the Contractors role to Manager. This change will make the user a member of the Managers group after the task submits successfully. However, the user's title is not Manager at the time that Identity Manager evaluates the policy, so no violation is detected.
  • The role owner filter and the LDAP query filter are not supported in policy conditions for preventative identity policies.
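The two examples above, modelled in Python as an added illustration (this is not Identity Manager code; the evaluation order it assumes, condition checked against current attributes and only newly introduced violations rejected, is inferred from the notes), alongside a detective scan of existing state that finds what the preventative check lets through:

```python
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class User:
    name: str
    title: str
    roles: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    name: str
    condition: Callable[[User], bool]   # which users the policy applies to
    prohibits: Callable[[User], bool]   # the role state the policy forbids


def evaluate_preventative(policy: Policy, before: User, after: User) -> str:
    """Assumed model: the condition is evaluated on the user's CURRENT state,
    and a violation is rejected only if the proposed change introduces it."""
    if not policy.condition(before):
        return "allow"
    if policy.prohibits(after) and not policy.prohibits(before):
        return "reject"
    return "allow"   # pre-existing violations are not re-examined


def detective_scan(policy: Policy, users: List[User]) -> List[str]:
    """Existing-state check: names every user currently in violation."""
    return [u.name for u in users if policy.condition(u) and policy.prohibits(u)]


# Policy 1: nobody may hold User Manager and User Approver at the same time.
SOD = Policy("no UM+UA", lambda u: True,
             lambda u: {"User Manager", "User Approver"} <= u.roles)
# Policy 2: members of the dynamic Managers group (title == "Manager")
# may not hold the Contractors role.
MGR = Policy("managers not contractors", lambda u: u.title == "Manager",
             lambda u: "Contractors" in u.roles)

# Constructed sample users.
ALICE = User("alice", "Analyst", frozenset({"User Manager", "User Approver"}))
BOB = User("bob", "Analyst", frozenset({"Contractors", "User Manager"}))


def scenario_existing_violation() -> str:
    # Alice already violates SOD; adding Group Manager is still allowed.
    return evaluate_preventative(SOD, ALICE, replace(ALICE, roles=ALICE.roles | {"Group Manager"}))


def scenario_new_violation() -> str:
    # Bob gains User Approver on top of User Manager: rejected.
    return evaluate_preventative(SOD, BOB, replace(BOB, roles=BOB.roles | {"User Approver"}))


def scenario_dynamic_group() -> str:
    # Bob's title changes to Manager, but he is not a Manager when evaluated.
    return evaluate_preventative(MGR, BOB, replace(BOB, title="Manager"))
```

Running `detective_scan(MGR, [replace(BOB, title="Manager")])` after the title change reports bob, which is why a periodic detective check complements preventative policies.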