Policies overview
A policy represents a set of organizational rules and the logic that ISIM uses to manage other entities, such as user IDs, and applies to a specific managed resource as a service-specific policy. ISIM enables the organization to use centralized security policies for specified user groups. We can use ISIM policies to centralize user access for disparate resources in an organization. We can implement additional policies and features that streamline operations associated with access to resources for users.
Types of policies
A policy can apply to one or multiple service targets, which can be identified either by a service type or by listing the services explicitly. These policies do not apply to services that represent identity feeds.
- Adoption policies: Apply to services. A global adoption policy applies to all services of a service type.
- Identity policies: Apply to all service types, all services of a service type, or specific services.
- Password policies: Apply to all service types, all services of a service type, or specific services.
- Provisioning policies: Apply to all service types, all services of a service type, or specific services.
- Recertification policies: Cannot act on all service types, but we can add all the different services to a specific recertification policy.
- Separation of duty policies: Do not apply directly to service types; they apply only to role membership for users.
- Service selection policies: Apply to only one service type.
Policy types and navigation
Type of policy and navigation:
- Adoption: Manage Policies > Manage Adoption Policies
- Identity: Manage Policies > Manage Identity Policies
- Password: Manage Policies > Manage Password Policies
- Provisioning: Manage Policies > Manage Provisioning Policies
- Recertification: Manage Policies > Manage Recertification Policies
- Separation of duty: Manage Policies > Manage Separation of Duty Policies
- Service selection: Manage Policies > Manage Service Selection Policies
Account defaults
Account defaults define default values for an account during new account creation. The default can be defined at the service type level that applies to all services of that type. Alternatively, the default can be defined at the service level, which applies only to the service.
Policy enforcement
Global policy enforcement is the manner in which Security Identity Manager globally allows or disallows accounts that violate provisioning policies. When a policy enforcement action is global, the policy enforcement for any service is defined by the default configuration setting. Policy enforcement can also be set for a specific service: if a service has its own policy enforcement setting, that setting is applied to the noncompliant accounts on that service and the global enforcement setting does not apply. We can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute:
- Mark: The existing user account on the old service is marked as disallowed, and a new account is not created on the new service.
- Suspend: The existing user account on the old service instance is suspended, and a new account is not created on the new service.
- Alert: An alert is sent to the recipient administrator to confirm removal of the old account on the old service. A new account is created on the new service if the user does not have an account on the new service and the entitlement is automatic.
- Correct: Existing accounts are removed on the old service. A new account is created on the new service if the user does not have an account on the new service and the entitlement is automatic.
To work with global policy enforcement, go to the navigation tree and select Configure System > Configure Global Policy Enforcement. To set service policy enforcement, go to the navigation tree and select Manage Services.
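As an added example (not ISIM's own code or API), the following Python models the precedence rule and the four enforcement outcomes described above, so that a planned change to the global setting can be dry-run against a constructed list of noncompliant accounts before it is applied; the class names, service names and users are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple
# Constructed model of the enforcement semantics described above; the names are
# hypothetical and this is not ISIM's API.
class Action(Enum):
    MARK = "mark"        # old account marked disallowed, no new account
    SUSPEND = "suspend"  # old account suspended, no new account
    ALERT = "alert"      # administrator alerted, new account possible
    CORRECT = "correct"  # old account removed, new account possible

@dataclass(frozen=True)
class NoncompliantAccount:
    user: str
    service: str
    has_account_on_new_service: bool
    entitlement_automatic: bool

def resolve_action(global_action: Action, service_action: Optional[Action]) -> Action:
    """A service-specific setting overrides the global default when one is set."""
    return service_action if service_action is not None else global_action

def enforce(acct: NoncompliantAccount, action: Action) -> Tuple[str, bool]:
    """Return (state of the old account, whether an account is created on the new service)."""
    if action is Action.MARK:
        return "disallowed", False
    if action is Action.SUSPEND:
        return "suspended", False
    # Alert and Correct create a new account only if the user has none on the
    # new service and the entitlement is automatic.
    create_new = (not acct.has_account_on_new_service) and acct.entitlement_automatic
    return ("alert sent" if action is Action.ALERT else "removed"), create_new

def plan(accounts: List[NoncompliantAccount], global_action: Action, service_settings: Dict[str, Action]) -> Dict[str, Tuple[Action, str, bool]]:
    """Dry-run: for each user, the action that applies and its outcome."""
    result = {}
    for a in accounts:
        action = resolve_action(global_action, service_settings.get(a.service))
        state, created = enforce(a, action)
        result[a.user] = (action, state, created)
    return result

# Constructed sample: ad-corp has a service-level setting; ldap-hr uses the global one.
SAMPLE = [
    NoncompliantAccount("alice", "ldap-hr", False, True),
    NoncompliantAccount("bob", "ldap-hr", True, True),
    NoncompliantAccount("carol", "ad-corp", False, False),
]
SERVICE_SETTINGS = {"ad-corp": Action.SUSPEND}
```

Running `plan(SAMPLE, Action.CORRECT, SERVICE_SETTINGS)` shows that switching the global setting to Correct would remove alice's and bob's old accounts while carol stays governed by her service's Suspend setting.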