Provisioning policy parameter usage scenarios
The following scenarios illustrate usage of provisioning policy parameters.
Scenario 1: No attributes defined
If no parameter values are selected for a multi-valued attribute, all values are valid for this attribute.
If a parameter is added for a
multi-valued attribute with the parameter type as Allowed
(valid), all other values for this attribute are implicitly excluded
for this policy.
If an attribute value is added to a policy as valid, all other values are implicitly excluded for that parameter for the policy.
For multiple applicable entitlements, a valid attribute value is determined by the join directive for the attribute. See the following scenarios.
Scenario 2: Priority-based provisioning policy join directive
Policy | Description |
---|---|
Policy 1 | Priority = 1 Attribute: erdivision = divisionA, enforcement = DEFAULT |
Policy 2 | Priority = 2 Attribute: erdivision = divisionB, enforcement = MANDATORY |
Because Policy 1 has a higher priority, only Policy
1's definition for the erdivision
attribute is used.
Policy 2's definition for the erdivision
attribute
is ignored.
During policy validation, including reconciliation
with policy check option turned on, divisionA
might
exist on the erdivision
attribute. All other values
are valid, because the only policy that is being considered in a priority
join is Policy 1, which has DEFAULT enforcement on erdivision
. DEFAULT enforcement by itself is interpreted as valid for all values,
but the default value is the value specified on the new account.
Scenario 3: Union-based provisioning policy join directive
Policy | Description |
---|---|
Policy 1 | Priority = 1 Attribute: localgroup = groupA, enforcement = DEFAULT |
Policy 2 | Priority = 2 Attribute: localgroup = groupB, enforcement = MANDATORY |
- During account creation,
localgroup
is defined asgroupA
andgroupB
. - During reconciliations,
localgroup
is defined asgroupB
if the attribute is undefined or incorrectly defined.