The Apply Once Setting

CA IdentityMinder applies an identity policy differently, based on the Apply Once setting.

Enabling the Apply Once Setting

If the Apply Once setting is enabled, CA IdentityMinder applies the changes associated with the identity policy when a user first meets the condition defined in the policy. The change actions associated with the policy occur only once. Therefore, if the policy was previously applied to a user, CA IdentityMinder does not apply later policy updates to that user.

When a user no longer meets the condition defined in the policy, CA IdentityMinder executes the policy’s remove actions.

The Apply Once setting is typically used when provisioning resources. For example, you may have a policy that assigns a cell phone to managers. When a user first becomes a manager, that user is assigned a cell phone. CA IdentityMinder issues the cell phone only once, not each time the policy is evaluated. If the cell phone policy is updated to include a newer cell phone model, CA IdentityMinder does not issue new cell phones to existing managers.

Note: Resource provisioning is available when CA IdentityMinder integrates with a Provisioning Server.

Disabling the Apply Once Setting

If the Apply Once setting is not enabled, the change actions associated with the identity policy are applied each time an identity policy is evaluated. This means that CA IdentityMinder applies change actions for every user who meets the condition in the policy, regardless of whether the change actions were applied previously.

Typically, you disable the Apply Once setting in an identity policy that enforces compliance. For example, you can create an identity policy that restricts managers’ spending authority to $5,000. If CA IdentityMinder encounters a manager whose spending authority is set to $10,000, it resets the spending authority to $5,000. Each time a manager is synchronized with the identity policy, CA IdentityMinder checks to make sure the spending authority is set correctly.

If a manual change that conflicts with a change action is made to a user profile, CA IdentityMinder overwrites the change when the user is synchronized with the policy.

In the previous example, if someone manually increases a manager’s spending authority to $10,000, CA IdentityMinder resets the spending authority to $5,000 when the manager is synchronized with the policy.

The following table summarizes the effects of enabling or disabling the Apply Once setting.

If Apply Once is Enabled, then:

  • Change actions associated with the identity policy are applied only once
  • Manual changes made after the identity policy is applied are preserved
  • Updates are not applied to users who meet the condition in an identity policy, if CA IdentityMinder applied the policy previously
  • When a user no longer meets the condition in an identity policy, CA IdentityMinder executes the remove actions

If Apply Once is Disabled, then:

  • Change actions associated with the identity policy are applied every time a user is synchronized with the policy
  • Manual changes are overwritten when the identity policy is applied
  • Updates to the policy are applied when a user is synchronized
  • When a user no longer meets the condition in an identity policy, CA IdentityMinder executes the remove actions
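
The behavior summarized above can be modeled in a short Python sketch that runs the cell phone and spending authority examples through repeated synchronization. This is an added example, not CA IdentityMinder code or its API; the class and attribute names, the phone model strings, and the remove-action values are constructed for illustration.

```python
# Simplified model of Apply Once semantics; not CA IdentityMinder code or API.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class IdentityPolicy:
    name: str
    condition: Callable[[dict], bool]  # does the user meet the policy condition?
    change_actions: dict               # attributes set when the policy is applied
    remove_actions: dict               # attributes set when the user stops matching
    apply_once: bool

@dataclass
class User:
    attrs: dict
    applied: set = field(default_factory=set)  # policies already applied to this user

def synchronize(user: User, policy: IdentityPolicy) -> str:
    """Evaluate one policy for one user and return what happened."""
    was_applied = policy.name in user.applied
    if policy.condition(user.attrs):
        if policy.apply_once and was_applied:
            return "skipped"           # manual changes and old values are preserved
        user.attrs.update(policy.change_actions)
        user.applied.add(policy.name)
        return "applied"
    if was_applied:                    # user no longer meets the condition
        user.attrs.update(policy.remove_actions)
        user.applied.discard(policy.name)
        return "removed"
    return "no-op"

def demo():
    is_manager = lambda a: a.get("title") == "manager"
    # Constructed policies mirroring the page's two examples.
    phone = IdentityPolicy("cell-phone", is_manager, {"phone": "model-A"}, {"phone": None}, True)
    limit = IdentityPolicy("spend-limit", is_manager, {"spending_authority": 5000},
                           {"spending_authority": 0}, False)
    user = User({"title": "manager"})
    log = [synchronize(user, phone), synchronize(user, limit)]
    phone.change_actions = {"phone": "model-B"}   # policy updated with a newer model
    user.attrs["spending_authority"] = 10000      # conflicting manual change
    log += [synchronize(user, phone), synchronize(user, limit)]
    snapshot = dict(user.attrs)                   # state while still a manager
    user.attrs["title"] = "engineer"              # condition no longer met
    log += [synchronize(user, phone), synchronize(user, limit)]
    return log, snapshot, user.attrs

if __name__ == "__main__":
    print(demo())
```

With Apply Once enabled the existing manager keeps the original phone after the policy update, while the compliance policy with Apply Once disabled resets the manually raised spending authority on the next synchronization.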