To ensure that people in your organization always have up-to-date access permission levels, you can define provisioning policies that automatically assign people to specific roles based on their identity attributes. If an employee changes job title or department, or moves to a different site, the system automatically adjusts their access.
Only account administrators or role owners can create or modify provisioning.
Each role can have up to 25 policies, each with up to 25 conditions.
Procedure
From the Home page, click Organization > Roles and select a Role.
Click Provisioning policy, then toggle it to Active.
Enter a meaningful Description.
(Optional) Configure your automatic removal settings:
Select Automatically remove members that no longer match.
Choose:
  - After a specified number of days. The default is 7 days.
  - Immediately.
For example, an IT role member who changes to a Developer job can keep access for 7 days for transition support.
Add policy rules:
Select the Property type.
The listed property types are identity field attributes that can be found in the General details of any identity.
Note: Only roles that you manage are available for selection.
  - Company
  - Country
  - Department
  - Descriptor
  - Extended grant time
  - External ID
  - Job title
  - Primary site
  - Provisioning attributes
  - Status
  - Supervisor name
  - Supervisors
  - Worker type code
  - Worker type description
Properties also include any identity custom fields configured in the system. You can enter or select values corresponding to the selected identity custom field property.
Note: The following custom field data types are not supported:
  - Date
  - Decimal
  - Date Time
Select an Operator:
  - Contains
  - Does not contain
  - Is
  - Is not
Enter a value or select an option that relates to the Property type you selected.
Note: The Operators and Value options that are displayed depend on the selected Property type.
(Optional) Add custom provisioning attributes:
Select the Provisioning attributes property.
Select an Operator from the following:
  - Contains
  - Does not contain
Enter the custom attribute values.
Note: The policy triggers only when the identity includes all specified attribute values.
(Optional) Disable a rule by setting the Enabled slider to Disabled.
(Optional) Click to duplicate a rule or set of rules.
(Optional) Click to remove any policy rules.
Click Save.
Users are now automatically added to or removed from roles based on their attributes.
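
A dry-run model of the rule matching and removal delay described above, for reviewing against an identity export who a policy would add, keep, or remove before you set it to Active. This is an added example, not the product's code: combining rules with AND, case-insensitive comparison, the treatment of blank fields, the dictionary layout, and the sample identities are all assumptions.

```python
from datetime import date

# Operators named on the page; case-insensitive comparison is an assumption.
OPERATORS = {
    "Contains": lambda actual, value: value.lower() in actual.lower(),
    "Does not contain": lambda actual, value: value.lower() not in actual.lower(),
    "Is": lambda actual, value: actual.lower() == value.lower(),
    "Is not": lambda actual, value: actual.lower() != value.lower(),
}

def matches(identity, rules):
    """True if the identity satisfies every enabled rule (AND is assumed)."""
    enabled = [r for r in rules if r.get("enabled", True)]
    if not enabled:
        return False  # fail closed: a policy with no enabled rule adds nobody
    # In this model a blank field satisfies "Is not" / "Does not contain".
    return all(OPERATORS[r["operator"]](str(identity.get(r["property"], "")), r["value"])
               for r in enabled)

def plan(identities, members, rules, today, grace_days=7):
    """Return (to_add, to_remove, in_grace) for one role.

    members maps member id -> date it stopped matching (None if unknown).
    grace_days=0 models the "Immediately" removal setting.
    """
    by_id = {i["id"]: i for i in identities}
    to_add = sorted(k for k, v in by_id.items() if k not in members and matches(v, rules))
    to_remove, in_grace = [], []
    for member_id, unmatched_since in members.items():
        if member_id in by_id and matches(by_id[member_id], rules):
            continue  # still matches, stays in the role
        overdue = (today - (unmatched_since or today)).days >= grace_days
        (to_remove if overdue else in_grace).append(member_id)
    return to_add, sorted(to_remove), sorted(in_grace)

# Constructed sample data (hypothetical identities and role).
IDENTITIES = [
    {"id": "a.ito", "Department": "IT", "Job title": "Support Analyst"},
    {"id": "b.roy", "Department": "Engineering", "Job title": "Developer"},
    {"id": "c.lee", "Department": "IT", "Worker type description": "Contractor"},
]
RULES = [
    {"property": "Department", "operator": "Is", "value": "IT"},
    {"property": "Worker type description", "operator": "Is not", "value": "Contractor"},
]
MEMBERS = {"b.roy": date(2024, 6, 3)}  # left IT on this date

if __name__ == "__main__":
    print(plan(IDENTITIES, MEMBERS, RULES, today=date(2024, 6, 6)))
```

In this model, a.ito has no worker type recorded and still satisfies the "Is not Contractor" rule, so confirm how blank fields are handled before relying on negative operators to exclude people from a role.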