Identity policies
An identity policy defines the characteristics of the user ID that is generated when a new account is requested. An administrator defines the rule that generates user IDs automatically and the service targets to which the rule applies. The user ID can be built from attributes of the person for whom the account is being created.
Identity policies can be defined for the following targets:
- All services: the same policy is used for all services.
- Types of services: the policy is used to generate user IDs for services of the specified type.
- Service instances: the policy is used to generate user IDs for the specified services.
The default identity policy (the policy that applies to all services) is also used to generate the user ID when users are created, if the system is configured to provision Security Identity Manager accounts to users automatically.
The basic approach requires no scripting. You define basic rules that specify which attributes to use, how many characters to take from each attribute, and which case to apply to the resulting user ID.
The advanced approach uses scripting, and you can use it to define more complex and customized rules. Security Identity Manager provides a default script that you can modify. See the example section for an illustration of the advanced approach, which uses JavaScript.
An identity policy rule can set a character limit: the number of characters to take from a first attribute and, optionally, from a second attribute to form the user ID. The attributes are combined under the following conditions.
- If the attribute value is longer than the character limit, only the first that many characters are used.
- If the attribute value is shorter than or equal to the character limit, the entire value of the attribute is used.
- If a second attribute is not specified, only the first attribute is used.
- If the generated user ID already exists, Security Identity Manager appends an integer to the new user ID to make it unique.
An identity policy rule also determines whether the case of the generated user ID is modified. You can choose one of the following options.
- Lowercase (default)
- Existing case
- Uppercase
If the identity policy rule produces a null value (for example, because the attributes it uses have no value for that person), Security Identity Manager falls back to forming the user ID itself: it takes the first letter of the user's given name, concatenated with the user's family name, retaining the existing case.
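The rules above (attribute truncation, case handling, the integer suffix on duplicates, and the null-value fallback), modelled in stand-alone JavaScript as an added example. This is not the Security Identity Manager identity policy script API and not a script shipped with the product; the function names, the `rule` object shape, the exact-string duplicate comparison, and the LDAP-style attribute names `givenName` and `sn` are this example's own assumptions, and the people in the sample are constructed data.

```javascript
// Added example (not IBM's identity policy script API): a stand-alone model of
// the basic identity policy rules, so the truncation, case, duplicate-suffix
// and null-fallback behaviour can be exercised on sample data.
// The person attribute names (givenName, sn) follow LDAP inetOrgPerson naming
// and, like the rule object shape, are this example's own assumptions.

// Return at most `limit` characters of `value`; a shorter or equal value is
// used whole, and a missing attribute contributes nothing.
function truncateAttribute(value, limit) {
  if (value === null || value === undefined) {
    return "";
  }
  const text = String(value);
  if (typeof limit === "number" && text.length > limit) {
    return text.slice(0, limit);
  }
  return text;
}

// Apply the rule's case option: "lower" (default), "upper" or "existing".
function applyCase(userId, caseMode) {
  switch (caseMode) {
    case "upper":
      return userId.toUpperCase();
    case "existing":
      return userId;
    default:
      return userId.toLowerCase();
  }
}

// Generate a user ID for `person` under `rule`, avoiding IDs in `existingIds`.
// rule = { first: { attr, limit }, second?: { attr, limit }, caseMode }
function generateUserId(person, rule, existingIds) {
  let userId = truncateAttribute(person[rule.first.attr], rule.first.limit);
  if (rule.second) {
    // The second attribute is optional; without it only the first is used.
    userId += truncateAttribute(person[rule.second.attr], rule.second.limit);
  }
  userId = applyCase(userId, rule.caseMode);

  if (userId === "") {
    // Null-value fallback: first letter of the given name plus the family
    // name, keeping the existing case (the rule's case option is not applied).
    const givenName = person.givenName || "";
    const familyName = person.sn || "";
    userId = givenName.slice(0, 1) + familyName;
    if (userId === "") {
      throw new Error("cannot form a user ID: no usable attributes for this person");
    }
  }

  // Duplicate handling: append an integer, counting up, until the ID is unused.
  // Exact-string comparison is an assumption of this example; a directory that
  // treats uid case-insensitively would need the comparison adjusted.
  let candidate = userId;
  for (let suffix = 1; existingIds.has(candidate); suffix += 1) {
    candidate = userId + suffix;
  }
  return candidate;
}

// Constructed sample rule: 1 character of givenName plus 7 of sn, lowercased.
const sampleRule = {
  first: { attr: "givenName", limit: 1 },
  second: { attr: "sn", limit: 7 },
  caseMode: "lower",
};

// Constructed sample people, processed in order so later requests collide with
// IDs already assigned to earlier ones.
function demoIdentityPolicy() {
  const taken = new Set();
  const people = [
    { givenName: "Jonathan", sn: "Smithfield" },
    { givenName: "Jane", sn: "Smithfield" },
    { givenName: "Jan", sn: "Smithfield" },
    { sn: "Smithfield" },
    { givenName: "Ada", sn: "Lovelace" },
  ];
  return people.map((person) => {
    const userId = generateUserId(person, sampleRule, taken);
    taken.add(userId); // register the new account's ID before the next request
    return userId;
  });
}

console.log(demoIdentityPolicy().join(" "));
```

Run it with `node`. The three Smithfields show the duplicate rule producing `jsmithfi`, `jsmithfi1` and `jsmithfi2`; the person with no given name still gets an ID from the second attribute alone, and the fallback only triggers when the rule yields nothing at all. In a real deployment the `taken` set corresponds to the user IDs that already exist on the target service, which is why a policy that generates short IDs from a single attribute tends to produce many numbered variants.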
Name and Business unit are required fields when you create an identity policy. Business unit is populated with your organization name if you are authorized to create identity policies at the organization level. Otherwise, the Business unit field is blank, and you must search for a business unit in which you have the authority to create an identity policy.
- Identities
  An identity is the subset of profile data that uniquely represents a person in one or more repositories, and includes additional information related to the person.
- Identity policy script example (advanced approach)
  Identity policies can be defined dynamically through the use of JavaScript (the advanced approach). Policies can also be defined with the basic method, which does not require any JavaScript. JavaScript can use all standard functions and programming constructs, including loops and conditional branches.
- Create an identity policy
  An administrator can create an identity policy for use by all service types, specific service types, or specific service instances. For example, you can create an identity policy that specifies that a user ID is constructed from the family name of a user and a department number.
- Change an identity policy
  An administrator can change an identity policy to meet your organizational requirements for user IDs. For example, you might change an identity policy to use the office number of a user when a new user ID is created.
- Deleting an identity policy
  An administrator can delete an identity policy that is no longer needed to manage user IDs. Deleting an identity policy causes the services that were using it to fall back to another identity policy; for example, the services then use the default identity policy that applies to all services.
Parent topic: Policy administration