Provisioning policies

A provisioning policy grants access to managed resources, such as IBM Security Identity Manager Server, Windows NT servers, and Solaris servers. Each provisioning policy consists of the following components:

A provisioning policy targets one or more service instances, service types, or a service selection policy. System administrators use provisioning policy parameters to define required and optional attribute values. Provisioning policies define the accounts and access that are authorized for a user or that are automatically provisioned based on the user's role. When accounts and access are authorized for a user by a provisioning policy, the user can request them. A provisioning policy can also support role-based provisioning, in which accounts and access are automatically provisioned to a user based on the user's roles.

Provisioning policies support security compliance. ISIM evaluates all account and access requests against the provisioning policy to identify accounts and access that are not authorized, and takes appropriate action to handle noncompliant accounts and access. Based on the enforcement configuration on the service, ISIM can mark the account or access as noncompliant, suspend the account, alert the administrator to revoke the disallowed privilege, or automatically correct the account or access to make it compliant. A provisioning policy is part of identity lifecycle management automation.

ISIM provides APIs that interface to information about provisioning policies defined in ISIM, and interface to the access granted to an individual task. These APIs can be used to generate audit data.

When two or more provisioning policies are applied to the same user, a join directive defines how to handle attribute values from different policies. To work with policy joins or customize them, go to the navigation tree and select Configure System > Configure Policy Join Behaviors.

Provisioning policies can be mapped to services in a distinct portion or level of the organizational hierarchy. The business unit to which the provisioning policy belongs determines the services that the policy governs. The scope of the provisioning policy indicates whether it covers services at the same level as the business unit or in the subtree of the business unit. An entitlement in the provisioning policy supports different types of service targets. Target types include all services, services of the same type, services defined by a service selection policy, or a specific service instance. In all cases, the services must be within the specified scope of the business unit where the policy is defined. A service selection policy enables service selection based on person attributes.
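
The scoping rules above, sketched as a small Python model for reasoning about which services a policy can reach. This is an added illustration, not ISIM code or its API; the class names, the `same_level`/`subtree` and target-kind labels, and the sample organization tree and services are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed organization tree: business unit -> parent (None marks the root).
ORG_PARENT = {"Corp": None, "Finance": "Corp", "Payroll": "Finance", "IT": "Corp"}

@dataclass(frozen=True)
class Service:
    name: str
    service_type: str
    business_unit: str

@dataclass(frozen=True)
class Policy:
    business_unit: str           # business unit where the policy is defined
    scope: str                   # "same_level" or "subtree" (labels assumed here)
    target_kind: str             # "all", "type", "instance" or "selection"
    target_value: object = None  # service type, service name, or selection function

# Constructed sample services.
SERVICES = [
    Service("ad-corp", "WinAD", "Corp"),
    Service("ad-fin", "WinAD", "Finance"),
    Service("sol-pay", "Solaris", "Payroll"),
    Service("sol-it", "Solaris", "IT"),
]

def in_scope(policy, unit):
    """True if unit is the policy's business unit or, with subtree scope, below it."""
    if unit == policy.business_unit:
        return True
    if policy.scope != "subtree":
        return False
    while unit is not None:          # walk up the tree looking for the policy's unit
        unit = ORG_PARENT[unit]
        if unit == policy.business_unit:
            return True
    return False

def governed_services(policy, services, person=None):
    """Names of services the entitlement targets, limited to the policy's scope."""
    if policy.target_kind == "all":
        match = lambda s: True
    elif policy.target_kind == "type":
        match = lambda s: s.service_type == policy.target_value
    elif policy.target_kind == "instance":
        match = lambda s: s.name == policy.target_value
    elif policy.target_kind == "selection":
        wanted = policy.target_value(person or {})  # chosen from person attributes
        match = lambda s: s.name == wanted
    else:
        raise ValueError(f"unknown target kind: {policy.target_kind}")
    return sorted(s.name for s in services
                  if match(s) and in_scope(policy, s.business_unit))
```

A specific service instance that sits outside the policy's business-unit scope is never returned, which is a quick way to spot an entitlement that can never take effect when reviewing policies.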
