To ensure that people in your organization always have up-to-date access permission
levels, you can define provisioning policies that automatically assign people to specific roles
based on their identity attributes. If an employee changes job title or department, or moves
to a different site, the system automatically adjusts their access.
Only account administrators or role owners can create or modify provisioning policies
that automatically associate people with a specific role.
A maximum of 25 policies with a maximum of 25 policy conditions can be defined for each
role.
Procedure
From the Home page, click Organization > Roles and select a Role.
Click Provisioning policy and click or slide the toggle to Active.
In the Description field, enter a meaningful policy
description.
(Optional) Configure your automatic removal settings for role members:
Select the Automatically remove members that no longer match
checkbox option.
Specify when to automatically remove your role members. Choose one of the
following:
After a specified number of days. The default is 7 days.
Immediately.
For example, consider an IT role with access to server rooms. When an IT role member moves
to a Developer job, they might still require access to server rooms for 7 days for support or
skill transfer purposes. Role members are removed when their identity settings no longer
match the policy settings for role-based access control.
Add the policy rules for the role that you are configuring.
Select the Property type that you require.
The property types listed here are the default identity field attributes that can
be found in the General details of any identity.
Note: Only roles that you are a role manager for can be
selected.
Company
Enter the company name.
Country
Select a country from the list.
Department
Enter a department name.
Description
Enter a description.
Extended grant time
Select True or False.
External ID
Enter an external ID.
Job title
Enter a job title.
Primary site
Enter or select the primary office location.
Provisioning attributes
Type a custom provisioning attribute and press Enter. Examples might include
background check, drug and alcohol tests, NDA, Safety training, site
induction training, and so on.
Status
Choose either Active or Inactive.
Supervisor name
Enter a name.
Supervisors
Add multiple supervisors.
Worker type code
Enter a worker type code.
Worker type description
Enter a meaningful description for the worker type.
Select an Operator from the following:
Contains
Does not contain
Is
Is not
Note: The Operators that are displayed vary
depending on the Property type that you select.
Enter a value or select an option that relates to the
Property type you selected.
Note: The Value options or fields that are displayed vary depending
on the Property type that you select.
(Optional) Add custom provisioning attributes to your provisioning policy.
Select the Provisioning attributes property.
Select an Operator from the following:
Contains
Does not contain
Enter the custom attribute values that you require.
Note: For custom attributes, the provisioning policy is only triggered when an
identity includes, as a minimum, all the provisioning attribute values specified in
this policy.
(Optional) To temporarily disable a policy rule, set the Enabled
slider to Disabled.
(Optional) Click Copy policy when you want to copy a rule
or set of rules.
(Optional) Click to
remove any policy rules that you no longer require.
Click Save.
Users can now be automatically assigned to or removed from specific roles based on their
identity attributes.
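The matching and removal behavior described in the procedure, modeled as an added Python example for previewing a policy before it is set to Active; it is not the product's code or API. It assumes the automatic removal option is selected, that attribute values compare case-insensitively, and that the removal delay counts from the day a member is first seen not matching; has_all, dry_run and the sample data are hypothetical names and constructed values.

```python
from datetime import date, timedelta

def has_all(identity_values, required_values):
    """'Contains' on Provisioning attributes: the identity must carry at least
    every required value; extra values on the identity do not block a match."""
    norm = lambda values: {v.strip().lower() for v in values}  # assumption: case-insensitive
    return norm(required_values) <= norm(identity_values)

def dry_run(identities, members, required, today, grace_days=7, immediately=False):
    """Preview what an active policy would do.
    identities: {name: set of provisioning attribute values}
    members:    {name: date the member was first seen not matching, or None}
    Assumption: the removal delay counts from that first-mismatch date."""
    plan = {"add": [], "keep": [], "pending": {}, "remove": []}
    for name, values in sorted(identities.items()):
        matches = has_all(values, required)
        if name not in members:
            if matches:
                plan["add"].append(name)       # would be assigned to the role
            continue
        if matches:
            plan["keep"].append(name)
            continue
        first_mismatch = members[name] or today
        due = first_mismatch if immediately else first_mismatch + timedelta(days=grace_days)
        if due <= today:
            plan["remove"].append(name)        # delay elapsed, access is withdrawn
        else:
            plan["pending"][name] = due        # still inside the removal delay
    return plan

# Constructed sample data (not from any real tenant)
REQUIRED = {"NDA", "Site induction training"}
IDENTITIES = {
    "alice": {"NDA", "Site induction training", "Safety training"},  # superset: matches
    "bob": {"NDA"},                                                  # missing one value
    "carol": {"nda", "site induction training"},                     # matches, not yet a member
    "dave": {"Safety training"},                                     # recently stopped matching
}
MEMBERS = {"alice": None, "bob": date(2024, 3, 1), "dave": date(2024, 3, 8)}
TODAY = date(2024, 3, 10)

if __name__ == "__main__":
    print(dry_run(IDENTITIES, MEMBERS, REQUIRED, TODAY))
```

Reviewing the "pending" and "remove" lists before activation shows who keeps access during the delay and who loses it at once if Immediately is chosen.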