Configuring role-based access control policies

Last updated: 2026-01-28

To ensure correct and up-to-date access permissions, you can define automatic provisioning policies. People in your organization are automatically assigned roles based on their identity attributes. If an employee changes job title or department, or moves to a different site, the system automatically adjusts their access.

Before you begin

What you should know

  • Only Account administrators or Role owners can create or modify provisioning.
  • Each role can have up to 25 policies, each with up to 25 conditions.

Procedure

  1. From the homepage, click Organization > Roles and select a role.
  2. Click Provisioning policy, and then activate it.
  3. Enter a meaningful description.
  4. (Optional) Configure your automatic removal settings:
    1. Select Automatically remove members that no longer match.
    2. Choose:
      • After a specified number of days.
      • Immediately.
      For example, an IT role member who changes to a Developer job can keep access for 7 days for transition support.
  5. Add policy rules:
    1. Select the Property type.
      The listed property types are identity field attributes that can be found in the general details of any identity.
      Note:
      You can only select roles that you are a Role manager for.

      Provisioning attributes might include things like background check, drug and alcohol tests, NDA, Safety training, site induction training, and so on.

      Properties also include any identity custom fields configured in the system. You can enter or select values corresponding to the selected identity custom field property.
      Note:
      The following custom field data types are not supported:
      • Date
      • Decimal
      • Date Time
    2. Select an operator:
      • Contains
      • Does not contain
      • Is
      • Is not
    3. Enter a value or select an option that relates to the property type you selected.
    Note:
    The operator and value options that are displayed depend on the selected property type.
  6. (Optional) Add custom provisioning attributes:
    1. Select the provisioning attributes property.
    2. Select an operator:
      • Contains
      • Does not contain
    3. Enter custom attribute values.
      Note:
      The policy triggers only when the identity includes all specified attribute values.
  7. (Optional) Disable a rule by setting the Enabled slider to Disabled.
  8. (Optional) To duplicate a rule or set of rules, click .
  9. (Optional) To remove any policy rules, click .
  10. Click Save.
Users are now automatically added to or removed from roles based on their attributes.

Example
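
To predict who a policy will add, keep, or remove before you save it, the rule logic from the procedure can be modeled offline. The following Python code is an added example, not the product's own code or API. It assumes that the enabled rules of a policy are combined with AND, that matching is case-insensitive, and that "Does not contain" on provisioning attributes means none of the listed values is held; the property names and the tuple and dictionary layout are hypothetical.

```python
from datetime import date, timedelta
ATTRS = "Provisioning attributes"  # assumed property name

def rule_matches(rule, identity):
    prop, op, value, _enabled = rule
    if prop == ATTRS:
        held, wanted = set(identity.get(ATTRS, ())), set(value)
        # Page: "Contains" needs ALL listed values on the identity.
        # Assumption: "Does not contain" means none of them is held.
        return wanted <= held if op == "Contains" else held.isdisjoint(wanted)
    actual, want = str(identity.get(prop, "")).lower(), value.lower()
    return {"Is": actual == want, "Is not": actual != want,
            "Contains": want in actual, "Does not contain": want not in actual}[op]

def policy_matches(rules, identity):
    # Assumption: enabled rules are ANDed; disabled rules are skipped.
    active = [r for r in rules if r[3]]
    return bool(active) and all(rule_matches(r, identity) for r in active)

def plan(rules, identities, members, today, remove_after_days=None):
    """members: id -> date the member stopped matching (None if unknown).
    remove_after_days: None = removal off, 0 = immediately, N = grace days."""
    actions = {}
    for ident_id, identity in identities.items():
        matches = policy_matches(rules, identity)
        if ident_id not in members:
            if matches:
                actions[ident_id] = "add"
        elif matches or remove_after_days is None:
            actions[ident_id] = "keep"
        else:
            due = (members[ident_id] or today) + timedelta(days=remove_after_days)
            actions[ident_id] = "remove" if today >= due else f"keep until {due}"
    return actions

# Constructed sample data; field names and values are illustrative.
RULES = [  # (property, operator, value, enabled)
    ("Department", "Is", "IT", True),
    ("Job title", "Does not contain", "Contractor", True),
    (ATTRS, "Contains", {"NDA", "Safety training"}, True),
    ("Site", "Is", "HQ", False),  # disabled, so it does not restrict anyone
]
IDENTITIES = {
    "alice": {"Department": "IT", "Job title": "Sysadmin", ATTRS: ["NDA", "Safety training"]},
    "bob": {"Department": "IT", "Job title": "Sysadmin", ATTRS: ["NDA"]},
    "carol": {"Department": "Engineering", "Job title": "Developer", ATTRS: ["NDA", "Safety training"]},
}
MEMBERS = {"carol": date(2026, 1, 20)}  # carol left IT on this date
print(plan(RULES, IDENTITIES, MEMBERS, date(2026, 1, 24), remove_after_days=7))
```

In this run, bob is not added because he holds only one of the two required provisioning attributes, and carol keeps access until the 7-day grace period ends.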

After you finish

Add role managers.