Provisioning policy parameter usage scenarios

The following scenarios illustrate usage of provisioning policy parameters.

Scenario 1: No attributes defined

If no parameter values are selected for a multi-valued attribute, all values are valid for this attribute.

If a parameter is added for a multi-valued attribute with the parameter type as Allowed (valid), all other values for this attribute are implicitly excluded for this policy.

If an attribute value is added to a policy as valid, all other values are implicitly excluded for that parameter for the policy.

For multiple applicable entitlements, a valid attribute value is determined by the join directive for the attribute. See the following scenarios.

Scenario 2: Priority-based provisioning policy join directive

The following table identifies two examples of provisioning policies:

Table 1. Provisioning policy examples
Policy	Description
Policy 1	Priority = 1 Attribute: `erdivision` = divisionA, `enforcement` = DEFAULT
Policy 2	Priority = 2 Attribute: `erdivision` = divisionB, `enforcement` = MANDATORY

Because Policy 1 has a higher priority, only Policy 1's definition for the erdivision attribute is used. Policy 2's definition for the erdivision attribute is ignored.

During policy validation, including reconciliation with policy check option turned on, divisionA might exist on the erdivision attribute. All other values are valid, because the only policy that is being considered in a priority join is Policy 1, which has DEFAULT enforcement on erdivision. DEFAULT enforcement by itself is interpreted as valid for all values, but the default value is the value specified on the new account.

Note: A priority join directive is the default join directive for all single-valued and string-typed attributes.

Scenario 3: Union-based provisioning policy join directive

The following table identifies two example provisioning policies:

Table 2. Sample provisioning policies
Policy	Description
Policy 1	Priority = 1 Attribute: `localgroup` = groupA, `enforcement` = DEFAULT
Policy 2	Priority = 2 Attribute: `localgroup` = groupB, `enforcement` = MANDATORY

Because the join directive is defined as UNION, the resulting policy uses the following definitions for the policies:

During account creation, localgroup is defined as groupA and groupB.
During reconciliations, localgroup is defined as groupB if the attribute is undefined or incorrectly defined.

Note: A union join directive is the default join directive for multi-valued attributes.