Combining Identity Policies and Preventative Identity Policies

You can combine identity policies and preventative identity policies to address Segregation of Duties (SOD) requirements. In this case, identity policies address existing SOD violations, and preventative identity policies prohibit new violations.

To support this use case, you configure an identity policy set with two types of actions:

Consider a company that wants to prevent users from having the HR Administrator and Salary Approver roles at the same time. That company creates an identity policy with two Action on Apply Policy actions:

Note: When you configure an identity policy with both of these types of actions, verify that the actions do not conflict. For example, you can configure an identity policy that prevents users from having the Manager and Contractor roles. In the policy, you specify two actions:

An approver approves the role assignment for the Manager and Contractor roles, but the second action removes the user from the Manager role when user synchronization occurs.