Configuring policy enforcement behavior

You can configure the policy enforcement behavior for accounts that do not comply with existing provisioning policies.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Before you can configure policy enforcement behavior on a service in IBM Verify Identity Governance, you must create a service instance.

Procedure

To configure the policy enforcement behavior, complete these steps:

  1. From the navigation tree, click Manage Services.
    The Select a Service page is displayed.
  2. On the Select a Service page, complete these steps:
    1. Type information about the service in the Search information field.
    2. In the Search by field, specify whether to search against services or business units.
    3. Select a service type from the Search type list.
    4. Select a status from the Status list, and then click Search.
      A list of services that matches the search criteria is displayed.
      If the table contains multiple pages, you can:
      • Click the arrow to go to the next page.
      • Type the number of the page that you want to view and click Go.
  3. In the Services table, click the icon (Context menu icon) next to the service to show the tasks that can be done on the service, and then click Configure Policy Enforcement.
    The tasks that you can do are dependent on the type of service.
    The Select Action page is displayed.
  4. On the Select Action page, select an enforcement action:
    • Select Mark to mark a disallowed account or an account that has a noncompliant attribute value, and then click Continue.
    • Select Suspend to suspend an account that is disallowed or that has noncompliant attribute values, and then click Continue.
    • Select Correct to remove an account or replace noncompliant attributes on an account with the correct attributes, and then click Continue. Disallowed accounts can be exempt from this action if they meet the criteria of exempt accounts, which is defined in the enRole.properties file. See Policy enforcement actions in Policy enforcement.
    • Select Alert to issue an alert for an account that is disallowed or that disallows attribute values (revoking attribute values), and then click Continue.
    • Select Use Global Enforcement Action to use the current global enforcement action for an account that has a noncompliant attribute, and then click Continue.
  5. On the Confirm page, specify the date and time for the enforcement action to occur, and then click Submit, or click Cancel.

Results

A message is displayed, indicating that you successfully saved the policy enforcement settings for the service.

What to do next

View the status of the request, or click Close. When the Select a Service page is displayed, click Refresh to refresh the Services table.