Service selection policies

A service selection policy extends provisioning policies by enabling selection of a service based on person attributes. To be enforced, a service selection policy must be the target of a provisioning policy. The service selection policy then identifies the service type to target and defines the service based on JavaScript.

The service selection policy can be in the same container as the provisioning policy or in a container located above the container of the provisioning policy. The scope of a service selection policy determines which provisioning policies can target it. Service selection policies with single scope can be targeted only by provisioning policies at the same level in the organization tree as the service selection policy. Service selection policies with subtree scope can be targeted by provisioning policies at the same level or below the service selection policy. Service selection policies are evaluated in the following circumstances:

• When a user is added to an organizational role that is a member of a provisioning policy that targets the service selection policy
• When a user's attributes are modified
• When the policy itself is modified

Evaluating the policy might require moving a user's account to a different service instance than the one the user is currently using. A new account for the user is created on the new service instance. One of the following actions completes, depending on the policy enforcement setting of the service instance:

• Suspends the existing user account on the old service instance. The account is deleted, suspended, or marked as disallowed only if the service selection policy does not allow the account on that service. An account on the new service is not created.
• Deletes the existing user account on the old service instance.
• Sends a work item to alert the recipient to delete the existing user account on the old service instance.
• Marks the account on the old service instance as disallowed.

• Create a service selection policy
  An administrator can create a service selection policy.
• Change a service selection policy
  An administrator can change a service selection policy. Service selection policies are not usually modified after being created.
• Deleting a service selection policy
  An administrator can delete a service selection policy, which can be removed when no provisioning policy references it.

Parent topic: Policy administration