Identity policies
An identity policy defines the characteristics of a user ID used when requesting a new account. An administrator defines the targets and the rule that is used to generate user IDs automatically for the services to which the rule is applied. The user ID can be based on attributes of the user for whom the account is being created.
An identity policy generates a default user ID used when requesting a new account. An administrator defines the rule to generate the user ID and specifies the service targets to which the policy applies:
- All services: The same policy is used for all services.
- Types of services: The policy is used for generating user IDs for services of the specified type.
- Service instances: The policy is used for generating user IDs for the specified services.
A basic approach requires no scripting. You can define basic rules for an identity policy. Basic rules can specify which attributes to use, how many characters are used from each attribute, and what case to use when creating a user ID.
An advanced approach involves scripting, and you can use it to define more complex and customized rules. IVIG provides a default script you can modify. See the example section for an illustration of the advanced approach, which includes use of JavaScript.
To set a character limit, an identity policy rule defines the number of characters to use from a first and second attribute to form the user ID. Forming the user ID from the attributes has the following conditions:
- If the number of characters in the attribute is greater than the specified character limit, only as many characters as the limit allows are used.
- If the number of characters in the attribute is less than or equal to the specified character limit, the entire value of the attribute is used.
- If a second attribute is not specified, only the first attribute is used.
- If a duplicate user ID exists when IVIG creates a user ID, the process appends an integer to the new user ID to create a unique user ID.
An identity policy rule determines whether case modification occurs in forming a user ID. You can set the following conditions:
- Lowercase (default)
- Existing case
- Uppercase
If the identity policy generates a user ID with a null value, IVIG attempts to form a user ID. IVIG uses the first letter of the user's given name, concatenated with the value of the user's family name, retaining the existing case.
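The following JavaScript is an added example, not IVIG's default script or API. It models the basic-rule behavior described above: character limits, case handling, the null-value fallback, and duplicate suffixing. The function names, rule fields, and the `givenname`/`sn` attribute names are hypothetical; taking the leading characters of each attribute, starting the duplicate counter at 1, and exact-match duplicate comparison are assumptions.

```javascript
// Added example: models the basic-rule behaviour documented above.
// All names here are hypothetical; this is not IVIG's script or API.
function applyCase(value, mode) {
  if (mode === "upper") return value.toUpperCase();
  if (mode === "existing") return value;
  return value.toLowerCase(); // lowercase is the documented default
}

function generateUserId(person, rule, existingIds) {
  // Use at most `limit` characters (assumed: the leading ones);
  // a value at or under the limit is used whole.
  const part = (attr, limit) =>
    attr ? String(person[attr] || "").slice(0, limit) : "";

  let base = applyCase(
    part(rule.firstAttr, rule.firstLimit) +
      part(rule.secondAttr, rule.secondLimit), // empty if no second attribute
    rule.caseMode
  );

  // Null result: first letter of given name + family name, existing case.
  if (base === "") {
    base = String(person.givenname || "").slice(0, 1) + String(person.sn || "");
  }

  // Duplicate: append an integer until the ID is unique.
  // Assumption: counting starts at 1 and comparison is exact.
  let candidate = base;
  for (let n = 1; existingIds.has(candidate); n++) {
    candidate = base + n;
  }
  return candidate;
}

// Constructed sample data.
const sampleRule = { firstAttr: "givenname", firstLimit: 1,
                     secondAttr: "sn", secondLimit: 6, caseMode: "lower" };
const sampleTaken = new Set(["janders", "janders1"]);
console.log(generateUserId({ givenname: "Jane", sn: "Anderson" },
                           sampleRule, sampleTaken));
```

Because the duplicate suffix is a simple counter, two people with similar names receive near-identical IDs, which is worth keeping in mind when reviewing access requests and audit logs.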
Name and Business unit are required fields when you are creating an identity policy. Business unit is populated with your organization name if you are authorized to create identity policies at the organization level. If you do not have that authority, the Business unit field is blank. You must search for a business unit where you have the authority to create an identity policy.