Important Notes about Preventative Identity Policies
Before you implement preventative identity policies, note the following:
- Preventative identity policies only prevent violations that would occur because of proposed changes in the current task. They do not prevent existing violations. For example, a company creates a preventative identity policy that prohibits users from having the User Manager and User Approver roles at the same time. An administrator assigns the Group Manager role to a user who already has the User Manager and User Approver roles. Identity Manager allows the new assignment to succeed because that change does not directly cause a violation of the policy.
- If multiple preventative identity policies apply to a set of proposed changes, Identity Manager applies policies with Reject actions first.
- Do not specify dynamic groups in preventative identity policy conditions. (Policy conditions determine the set of users that the preventative identity policy applies to.) For example, a company has a dynamic group that includes all users who have the title Manager. That company also creates a preventative identity policy that prohibits members of the Managers group from having the Contractors role. An administrator changes the title of a user who has the Contractors role to Manager. This change will make the user a member of the Managers group after the task submits successfully. However, the user's title is not Manager at the time that Identity Manager evaluates the policy, so no violation is detected.
- The role owner filter and the LDAP query filter are not supported in policy conditions for preventative identity policies.
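The following is an added example, not Identity Manager code, that models the evaluation behaviour described in the notes above: a preventative check rejects a task only when the proposed change itself creates a violation, policy conditions are evaluated against the user's state before the task commits (so a condition keyed on a dynamic-group attribute the task changes does not fire), and Reject policies are evaluated before other actions. The `User`, `Policy`, `evaluate_task` and `detective_scan` names, the scenarios, and the "Warn" action are all assumptions made for this illustration; the `detective_scan` function shows the complementary check an administrator would need to find the pre-existing violations that a preventative policy leaves in place.

```python
"""Toy model of preventative (pre-commit) identity policy evaluation.

Added example, not Identity Manager code. It illustrates three points from
the notes: (1) only newly caused violations are rejected, existing ones pass;
(2) Reject actions are applied before other actions; (3) conditions are
evaluated on the user's pre-change state, so dynamic-group conditions derived
from attributes the task changes are not triggered.
"""
from dataclasses import dataclass, replace
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    title: str
    roles: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    # Condition selecting the users the policy applies to (hypothetical model).
    condition: Callable[[User], bool]
    # Holding ALL of these roles at once is a violation.
    conflicting_roles: frozenset
    action: str = "Reject"  # "Reject" or "Warn" (assumed action set)


def assign_roles(user: User, roles: Iterable[str]) -> User:
    """Proposed state after a task assigns additional roles."""
    return replace(user, roles=user.roles | frozenset(roles))


def violates(policy: Policy, user: User) -> bool:
    return policy.conflicting_roles <= user.roles


def evaluate_task(current: User, proposed: User, policies: List[Policy]) -> Tuple[str, object]:
    """Preventative check run before the task commits.

    Returns ("Reject", policy_name) for the first Reject policy whose violation
    is *caused* by this task, otherwise ("Allow", [warnings]).
    """
    warnings: List[str] = []
    # Reject policies first (sort key False sorts before True).
    for policy in sorted(policies, key=lambda p: p.action != "Reject"):
        # Condition is evaluated on the pre-change state, not the proposed one.
        if not policy.condition(current):
            continue
        newly_caused = violates(policy, proposed) and not violates(policy, current)
        if not newly_caused:
            continue  # existing violations are not the preventative policy's job
        if policy.action == "Reject":
            return ("Reject", policy.name)
        warnings.append(policy.name)
    return ("Allow", warnings)


def detective_scan(users: Iterable[User], policies: List[Policy]) -> List[Tuple[str, str]]:
    """Detective check: list violations that already exist in committed state.

    This is the companion control needed because evaluate_task never flags them.
    """
    return [
        (user.name, policy.name)
        for user in users
        for policy in policies
        if policy.condition(user) and violates(policy, user)
    ]


# Constructed sample data mirroring the scenarios in the notes.
SOD = Policy("no-user-manager-and-approver", lambda u: True,
             frozenset({"User Manager", "User Approver"}))
MANAGERS_NO_CONTRACTORS = Policy("managers-no-contractors",
                                 lambda u: u.title == "Manager",  # dynamic-group style condition
                                 frozenset({"Contractors"}))

ALICE = User("alice", "Analyst", frozenset({"User Manager", "User Approver"}))
BOB = User("bob", "Analyst", frozenset({"User Manager"}))
CAROL = User("carol", "Engineer", frozenset({"Contractors"}))


def demo() -> dict:
    """Run the three scenarios and return their outcomes."""
    return {
        # Existing violation; adding Group Manager is allowed.
        "alice_group_manager": evaluate_task(ALICE, assign_roles(ALICE, {"Group Manager"}), [SOD]),
        # New violation caused by the task; rejected.
        "bob_user_approver": evaluate_task(BOB, assign_roles(BOB, {"User Approver"}), [SOD]),
        # Title change would make carol a Manager, but the condition sees the old title.
        "carol_title_manager": evaluate_task(CAROL, replace(CAROL, title="Manager"),
                                             [MANAGERS_NO_CONTRACTORS]),
        # Detective scan after carol's change has committed.
        "scan": detective_scan([ALICE, BOB, replace(CAROL, title="Manager")],
                               [SOD, MANAGERS_NO_CONTRACTORS]),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The `detective_scan` result is the point to take away: the Contractors violation for the newly titled Manager and the pre-existing User Manager/User Approver conflict are only visible to a scan of committed state, never to the preventative evaluation.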