Workflow and Preventative Identity Policies
When a preventative identity policy is configured to issue a warning, you can define a task level policy-based workflow process, which is associated with the identity policy, for tasks that may trigger a violation. For example, if an identity policy prohibits Senior Accountants from being members of the IT department, you define a task level policy-based workflow process on the Create User and Modify User tasks.
All work items that are generated as a result of task level policy-based workflow must be approved before Identity Manager executes the task. Approvers see a work list item when they log into the User Console. When the approver clicks the work list item, an approval task appears that includes the warning message describing the violation. The approver can approve or reject the task based on the violation. Policy-based workflow processes are associated with preventative identity policies by the policy name.
Identity Policy Violations in Approval Tasks
When a preventative identity policy is associated with a workflow process for a task, Identity Manager generates a work list item for the appropriate approvers. These approvers use an Approval task to approve or reject the change that triggered the policy violation. The default Approval task includes a section that lists identity policy violations. There may be more than one violation if the proposed changes trigger multiple preventative identity policies.
Each violation can have one of the following statuses:
- Pending Evaluation: Identity Manager has not yet started evaluating the approval rules for the task. This is the initial state.
- Awaiting Approval: Identity Manager located a match for the identity policy defined in the approval rules and triggered the associated workflow process.
- Approved: An approver approved the proposed changes. Identity Manager makes the changes that triggered the preventative identity policy violations.
- Rejected: An approver rejected the proposed change. The task is rejected.
- No Workflow Configured: No workflow process is configured for this violation. The task executes without any approval required.
How to Configure Workflow for Preventative Identity Policies
You configure workflow for preventative identity policies in the admin tasks that include changes that may trigger an identity policy violation.
For example, if the preventative identity policy prohibits users from having certain admin roles at the same time, configure tasks that assign admin roles to support workflow for preventative identity policies.
Note: Before you configure workflow, create a preventative identity policy with the following settings:
- A unique policy name. The policy name must be unique across all identity policy sets because workflow processes are associated with preventative identity policies by the policy name. If multiple preventative identity policies have the same name, multiple workflow processes may apply.
- Warning in the Action on Apply Policy field. Warning is the only action that can trigger a workflow process.
After you configure the preventative identity policy, determine the tasks that may trigger the policy violation. Then, create a workflow approval policy for those tasks.
Create a Workflow Approval Policy for Preventative Identity Policies
You can configure a task level policy-based workflow process for an admin task. This workflow process includes one or more approval policies that can associate a preventative identity policy with a workflow. Identity Manager executes the workflow when a violation of the associated preventative identity policy occurs.
Note: For more information about task level policy-based workflow processes, see Policy-Based Workflow.
To create a workflow approval policy for preventative identity policies
- Modify the admin tasks that allow changes that might trigger a violation of a preventative identity policy. For example, if an identity policy violation occurs because a user has the User Manager and User Approver roles, modify the admin tasks that allow administrators to assign roles, such as Create User, Modify User, and Modify Admin Role Members/Administrators.
- Click the edit icon next to the Workflow Process field on the Profile tab for the task to add a workflow process. Identity Manager displays the Task Level Workflow Configuration screen.
- Select Policy Based, then click Add.
- In the Approval Rule section, select the Identity Policy Violation object.
- In the Identity Policy field, select a filter that determines which identity policies trigger the workflow associated with the approval policy. In the filter, include the identity policy name, not the identity policy set name.
- Configure the Rule Evaluation, Policy Order, and Policy Description fields as needed.
- Select a workflow process, then click OK. When you select a workflow process, Identity Manager displays additional fields.
- Specify approval tasks and approvers as needed. Identity Manager associates the workflow process with the preventative identity policy.
Use Case: Approving Titles
Forward, Inc has a company policy that states that all managers must be full-time employees. However, Forward, Inc has recently hired many contractors for special projects. To run these special projects efficiently, some of the contractors will be given the Manager title. Forward, Inc wants to require approvals from the Human Resources Director before allowing administrators to assign the Manager title to a contractor.
To automate the approval process in these situations, Forward, Inc creates a preventative identity policy, named Manager Titles for Contractors, that detects when a user title is Manager and user organization is Contractor. Forward, Inc also configures a policy-based approval process on the Modify User task. This approval process is triggered when the Manager Titles for Contractors policy is violated.
When an administrator changes a contractor's title to Manager, Identity Manager displays a warning message and sends a work item to the Human Resources Director for approval. Identity Manager does not change the contractor's title until the work item is approved.
To configure support for this use case, you complete the following in Identity Manager:
- Create a preventative identity policy called Manager Titles for Contractors with the following settings:
  - Policy Condition: Users where (Title = "Manager" and Organization = "Contractor")
  - Action on Apply Policy: Warning with message "Managers must be full-time employees"
- Modify the Modify User task to include a workflow process with the following settings:
  - Workflow Process: Policy Based
  - Approval Rule Object: Identity Policy Violation
  - Identity Policy: where (Name = "Manager Titles for Contractors")
  - Workflow Process: SingleStepApproval
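The following is an added Python model, not Identity Manager's own code, of the violation statuses listed under Identity Policy Violations in Approval Tasks, the name-based association between approval policies and identity policies described in the procedure above, and the Forward, Inc use case; the class and function names and the policy set name "Forward Policies" are assumptions.

```python
from dataclasses import dataclass

# Added model of the behaviour described on this page; not Identity Manager's own code.
# Violation statuses as they appear in the approval task (PENDING is the state before
# evaluate() has run).
PENDING, AWAITING, APPROVED, REJECTED, NO_WORKFLOW = (
    "Pending Evaluation", "Awaiting Approval", "Approved", "Rejected",
    "No Workflow Configured")

@dataclass
class IdentityPolicy:
    name: str          # must be unique across all identity policy sets
    policy_set: str
    violated_by: object  # callable(user) -> True when the proposed state violates the policy
    action: str        # only "Warning" can trigger a workflow process
    message: str

@dataclass
class ApprovalPolicy:
    identity_policy_filter: str  # filter on the policy name, not the policy set name
    workflow_process: str

def evaluate(user, policies, approval_policies):
    """Return one work item per violated Warning policy, keyed by policy name."""
    items = {}
    for p in policies:
        if p.action != "Warning" or not p.violated_by(user):
            continue
        # Association is by policy name; a duplicated name would match more than once.
        workflows = [a.workflow_process for a in approval_policies
                     if a.identity_policy_filter == p.name]
        items[p.name] = {"status": AWAITING if workflows else NO_WORKFLOW,
                         "workflows": workflows, "warning": p.message}
    return items

def decide(items, approvals):
    """Apply approver decisions; the task executes only if no item was rejected."""
    for name, item in items.items():
        if item["status"] == AWAITING:
            item["status"] = APPROVED if approvals.get(name) else REJECTED
    return all(i["status"] in (APPROVED, NO_WORKFLOW) for i in items.values())

# Constructed sample matching the Forward, Inc use case above.
MANAGER_TITLES = IdentityPolicy(
    name="Manager Titles for Contractors", policy_set="Forward Policies",
    violated_by=lambda u: u.get("Title") == "Manager" and u.get("Organization") == "Contractor",
    action="Warning", message="Managers must be full-time employees")
MODIFY_USER_WORKFLOW = [ApprovalPolicy("Manager Titles for Contractors", "SingleStepApproval")]
```

A filter that names the policy set instead of the policy matches nothing, so the violation lands in No Workflow Configured and the task runs without approval.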