Configuring role-based access control policies

Last updated: 2025-10-01

To ensure that people in your organization always have up-to-date access permission levels, you can define provisioning policies that automatically assign people to specific roles based on their identity attributes. If an employee changes job title or department, or moves to a different site, the system automatically adjusts their access.

Before you begin

What you should know

  • Only account administrators or role owners can create or modify provisioning policies.
  • Each role can have up to 25 policies, each with up to 25 conditions.

Procedure

  1. From the Home page, click Organization > Roles and select a Role.
  2. Click Provisioning policy, then toggle it to Active.
  3. Enter a meaningful Description.
  4. (Optional) Configure your automatic removal settings:
    1. Select Automatically remove members that no longer match.
    2. Choose:
    • After a specified number of days. The default is 7 days.
    • Immediately.
    For example, an IT role member who changes to a Developer job can keep access for 7 days for transition support.
  5. Add policy rules:
    1. Select the Property type.
      The listed property types are identity field attributes that can be found in the General details of any identity.
      Note:
      Only roles that you manage are available for selection.
      • Company
      • Country
      • Department
      • Descriptor
      • Extended grant time
      • External ID
      • Job title
      • Primary site
      • Provisioning attributes
      • Status
      • Supervisor name
      • Supervisors
      • Worker type code
      • Worker type description
      Properties also include any identity custom fields configured in the system. You can enter or select values corresponding to the selected identity custom field property.
      Note:
      The following custom field data types are not supported:
      • Date
      • Decimal
      • Date Time
    2. Select an Operator:
      • Contains
      • Does not contain
      • Is
      • Is not
    3. Enter a value or select an option that relates to the Property type you selected.
    Note:
    The Operators and Value options that are displayed depend on the selected Property type.
  6. (Optional) Add custom provisioning attributes:
    1. Select the Provisioning attributes property.
    2. Select an Operator from the following:
      • Contains
      • Does not contain
    3. Enter the custom attribute values.
      Note:
      The policy triggers only when the identity includes all specified attribute values.
  7. (Optional) Disable a rule by setting the Enabled slider to Disabled.
  8. (Optional) Click to duplicate a rule or set of rules.
  9. (Optional) Click to remove any policy rules.
  10. Click Save.
Users are now automatically added to or removed from roles based on their attributes.

Example
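The following is an added illustration, not the product's own code or API: an offline dry run that models the rules and removal setting described in the procedure, so you can review who would gain or lose a role before setting a policy to Active. The data layout, the names, exact case-sensitive matching, and the requirement that every enabled rule must match are all assumptions.

```python
from datetime import date, timedelta

MAX_CONDITIONS = 25  # per-policy limit stated on the page

def rule_matches(identity, rule):
    have, want, op = identity.get(rule["property"], ""), rule["value"], rule["operator"]
    if rule["property"] == "Provisioning attributes":
        # Page: the policy triggers only when the identity has all listed values.
        has_all = all(v in have for v in want)
        return has_all if op == "Contains" else not has_all  # negation is assumed
    # Assumed semantics: exact, case-sensitive string comparison.
    return {"Is": have == want, "Is not": have != want,
            "Contains": want in have, "Does not contain": want not in have}[op]

def dry_run(identities, members, policy, today):
    """Return {name: planned change} for one role; nothing is modified."""
    rules = [r for r in policy["rules"] if r.get("enabled", True)]
    if not rules or len(policy["rules"]) > MAX_CONDITIONS:
        raise ValueError("policy needs 1 to 25 conditions, at least one enabled")
    plan = {}
    for person in identities:
        # Assumption: all enabled rules must match (logical AND).
        match = all(rule_matches(person, r) for r in rules)
        if match and person["name"] not in members:
            plan[person["name"]] = "add"
        elif not match and person["name"] in members and policy["auto_remove"]:
            # Assumption: the grace period starts today; 0 days means Immediately.
            due = today + timedelta(days=policy["grace_days"])
            plan[person["name"]] = "remove on " + due.isoformat()
    return plan

# Constructed sample data for a hypothetical "IT support" role.
POLICY = {"auto_remove": True, "grace_days": 7, "rules": [
    {"property": "Department", "operator": "Is", "value": "IT"},
    {"property": "Status", "operator": "Is", "value": "Active"},
    {"property": "Provisioning attributes", "operator": "Contains",
     "value": ["helpdesk", "badge-admin"]},
]}
IDENTITIES = [
    {"name": "alice", "Department": "IT", "Status": "Active",
     "Provisioning attributes": ["helpdesk", "badge-admin"]},
    {"name": "bob", "Department": "Engineering", "Status": "Active",
     "Job title": "Developer", "Provisioning attributes": ["helpdesk", "badge-admin"]},
    {"name": "erin", "Department": "IT", "Status": "Active",
     "Provisioning attributes": ["helpdesk"]},
]
MEMBERS = {"bob"}  # bob held the role before moving out of IT

if __name__ == "__main__":
    for name, change in dry_run(IDENTITIES, MEMBERS, POLICY, date(2025, 10, 1)).items():
        print(name, "->", change)
```

In this constructed data, erin is not added because she has only one of the two required provisioning attribute values, and bob keeps access for the 7-day default before removal.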

After you finish

Add role managers.