Configuring role-based access control policies

Last updated: 2024-02-07

To ensure that people in your organization always have up-to-date access permission levels, you can define provisioning policies that automatically assign people to specific roles based on their identity attributes. If an employee changes job title, department, or moves to a different site, the system automatically adjusts their access.

Before you begin

What you should know

  • Only account administrators or role owners can create or modify provisioning policies that automatically associate people with a specific role.
  • A maximum of 25 policies, each with a maximum of 25 policy conditions, can be defined for each role.

Procedure

  1. From the Home page, click Organization > Roles and select a Role.
  2. Click Provisioning policy and click or slide the toggle to Active.
  3. In the Description field, enter a meaningful policy description.
  4. (Optional) Configure your automatic removal settings for role members:
    1. Select the Automatically remove members that no longer match checkbox option.
    2. Specify when to automatically remove your role members. Choose one of the following:
    • After a specified number of days. The default is 7 days.
    • Immediately.
    For example, consider an IT role with access to server rooms. When an IT role member moves to a Developer job, they might still require access to server rooms for 7 days for support or skill-transfer purposes. Role members are removed when their identity settings no longer match the policy settings for role-based access control.
  5. Add the policy rules for the role that you are configuring.
    1. Select the Property type that you require.
      The property types listed here are the default identity field attributes that can be found in the General details of any identity.
      Note: Only roles that you are a role manager for can be selected.
      • Company: Enter the company name.
      • Country: Select a country from the list.
      • Department: Enter a department name.
      • Description: Enter a description.
      • Extended grant time: Select True or False.
      • External ID: Enter an external ID.
      • Job title: Enter a job title.
      • Primary site: Enter or select the primary office location.
      • Provisioning attributes: Type a custom provisioning attribute and press Enter. Some examples might include: background check, drug and alcohol tests, NDA, safety training, site induction training, and so on.
      • Status: Choose either Active or Inactive.
      • Supervisor name: Enter a name.
      • Supervisors: Add multiple supervisors.
      • Worker type code: Enter a worker type code.
      • Worker type description: Enter a meaningful description for the worker type.
    2. Select an Operator from the following:
    • Contains
    • Does not contain
    • Is
    • Is not
    Note: The Operators that are displayed vary depending on the Property type that you select.
    3. Enter a value or select an option that relates to the Property type you selected.
    Note: The Value options or fields that are displayed vary depending on the Property type that you select.
  6. (Optional) Add custom provisioning attributes to your provisioning policy.
    1. Select the Provisioning attributes property.
    2. Select an Operator from the following:
      • Contains
      • Does not contain
    3. Enter the custom attribute values that you require.
      Note: For custom attributes, the provisioning policy is only triggered when an identity includes as a minimum all the provisioning attribute values specified in this policy.
  7. (Optional) To temporarily disable a policy rule, set the Enabled slider to Disabled.
  8. (Optional) Click Copy policy when you want to copy a rule or set of rules.
  9. (Optional) Click to remove any policy rules that you no longer require.
  10. Click Save.
Users can now be automatically assigned to or removed from specific roles based on their identity attributes.
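The matching and removal behaviour described in steps 4 to 7 (rule operators, the "all provisioning attribute values" requirement, the Enabled slider, and the 7-day or immediate removal setting), written out as an added example in Python. This is not the product's own code: the AND-ing of rules within a policy, case-insensitive text comparison, the meaning of "Does not contain" for a set of provisioning attributes, and the treatment of a disabled rule are assumptions that the page does not state, and the sample policy and identity are constructed.

```python
# Added example (not the product's own code): a toy evaluator for role provisioning
# policies. Assumptions not stated on the page: the rules in a policy are AND-ed, text
# comparisons are case-insensitive, and a rule whose Enabled slider is Disabled is skipped.
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Identity:
    attributes: dict                 # default identity fields, e.g. {"Department": "IT"}
    provisioning_attributes: set = field(default_factory=set)   # custom attributes

@dataclass
class Condition:
    property_type: str     # e.g. "Job title"
    operator: str          # Is / Is not / Contains / Does not contain
    value: object          # a string, or an iterable for Provisioning attributes
    enabled: bool = True   # the Enabled slider on each rule

@dataclass
class ProvisioningPolicy:
    description: str
    conditions: list
    active: bool = True          # the Provisioning policy toggle
    auto_remove: bool = False    # "Automatically remove members that no longer match"
    remove_after_days: int = 7   # 0 means Immediately; the page's default is 7 days

def condition_matches(cond, identity):
    """Evaluate one rule against one identity."""
    if cond.property_type == "Provisioning attributes":
        required = {v.casefold() for v in cond.value}
        held = {v.casefold() for v in identity.provisioning_attributes}
        if cond.operator == "Contains":
            return required <= held        # identity must hold ALL listed values
        if cond.operator == "Does not contain":
            return not (required & held)   # assumption: holds none of the listed values
        raise ValueError(f"unsupported operator for provisioning attributes: {cond.operator}")
    actual = str(identity.attributes.get(cond.property_type, "")).casefold()
    expected = str(cond.value).casefold()
    if cond.operator == "Is":
        return actual == expected
    if cond.operator == "Is not":
        return actual != expected
    if cond.operator == "Contains":
        return expected in actual
    if cond.operator == "Does not contain":
        return expected not in actual
    raise ValueError(f"unknown operator: {cond.operator}")

def policy_matches(policy, identity):
    """An active policy matches when every enabled rule matches (no enabled rules: nobody)."""
    if not policy.active:
        return False
    enabled = [c for c in policy.conditions if c.enabled]
    return bool(enabled) and all(condition_matches(c, identity) for c in enabled)

def reconcile(policy, identity, is_member, last_matched, today):
    """Membership action for one identity: 'add', 'keep', 'remove' or 'none'.
    last_matched is the date of the last evaluation at which the identity still
    matched; None is treated as 'grace period already over'."""
    if policy_matches(policy, identity):
        return "keep" if is_member else "add"
    if not is_member:
        return "none"
    if not policy.auto_remove:
        return "keep"
    if policy.remove_after_days == 0 or last_matched is None:
        return "remove"
    grace_over = today - last_matched >= timedelta(days=policy.remove_after_days)
    return "remove" if grace_over else "keep"

# Constructed sample data: an IT role that grants server-room access.
IT_POLICY = ProvisioningPolicy(
    description="Server room access for IT technicians",
    conditions=[
        Condition("Department", "Is", "IT"),
        Condition("Job title", "Contains", "Technician"),
        Condition("Provisioning attributes", "Contains", {"Safety training", "NDA"}),
    ],
    auto_remove=True, remove_after_days=7,
)
ALICE = Identity({"Department": "IT", "Job title": "IT Technician"},
                 {"safety training", "nda", "site induction training"})

def demo():
    """Walk one identity through a job change under the 7-day removal setting."""
    moved = Identity({"Department": "IT", "Job title": "Developer"},
                     ALICE.provisioning_attributes)
    immediate = ProvisioningPolicy(IT_POLICY.description, IT_POLICY.conditions,
                                   auto_remove=True, remove_after_days=0)
    relaxed = ProvisioningPolicy(IT_POLICY.description, [
        Condition("Department", "Is", "IT"),
        Condition("Job title", "Contains", "Technician", enabled=False),  # rule disabled
        Condition("Provisioning attributes", "Contains", {"Safety training", "NDA"}),
    ], auto_remove=True)
    return {
        "technician": reconcile(IT_POLICY, ALICE, False, None, date(2024, 2, 1)),
        "day4": reconcile(IT_POLICY, moved, True, date(2024, 2, 1), date(2024, 2, 5)),
        "day7": reconcile(IT_POLICY, moved, True, date(2024, 2, 1), date(2024, 2, 8)),
        "immediate": reconcile(immediate, moved, True, date(2024, 2, 1), date(2024, 2, 1)),
        "rule_disabled": reconcile(relaxed, moved, True, date(2024, 2, 1), date(2024, 2, 8)),
    }
```

Running `demo()` shows the identity being added while it matches, kept for four days after the job-title change, removed once the 7-day grace period has elapsed, removed at once under the Immediately setting, and kept when the job-title rule is disabled so that the remaining rules still match.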

Example

After you finish

Add role managers.