Policies overview

A policy is a set of considerations that influence the behavior of a managed resource (called a service in IBM Verify Identity Governance) or a user.

A policy represents a set of organizational rules and the logic that IVIG uses to manage other entities, such as user IDs, and applies to a specific managed resource as a service-specific policy.

IVIG enables your organization to use centralized security policies for specified user groups. You can use IVIG policies to centralize user access for disparate resources in an organization. You can implement additional policies and features that streamline operations associated with access to resources for users.

IVIG supports the following types of policies:
  • Adoption policies
  • Identity policies
  • Password policies
  • Provisioning policies
  • Recertification policies
  • Separation of duty policies
  • Service selection policies

A policy can apply to one or multiple service targets, which can be identified either by a service type or by listing the services explicitly. These policies do not apply to services that represent identity feeds.
  • Adoption policies apply to services. A global adoption policy applies to all services of a service type.
  • Identity policies, password policies, and provisioning policies can apply to all service types, all services of a service type, or specific services.
  • Recertification policies cannot act on all service types, but you can add all the different services to a specific recertification policy.
  • Separation of duty policies do not apply directly to service types; they apply only to role membership for users.
  • Service selection policies apply to only one service type.

Policy types and navigation

Table 1. Policy types and navigation

Type of policy      Navigation
------------------  ---------------------------------------------------
Adoption            Manage Policies > Manage Adoption Policies
Identity            Manage Policies > Manage Identity Policies
Password            Manage Policies > Manage Password Policies
Provisioning        Manage Policies > Manage Provisioning Policies
Recertification     Manage Policies > Manage Recertification Policies
Separation of duty  Manage Policies > Manage Separation of Duty Policies
Service selection   Manage Policies > Manage Service Selection Policies

Account defaults

Account defaults define default values for an account during new account creation. The default can be defined at the service type level that applies to all services of that type. Alternatively, the default can be defined at the service level, which applies only to the service.

Policy enforcement

Global policy enforcement is the manner in which IVIG globally allows or disallows accounts that violate provisioning policies.

When a policy enforcement action is global, the policy enforcement for any service is defined by the default configuration setting. You can specify one of the following policy enforcement actions to occur for an account that has a noncompliant attribute.
Note: Policy enforcement can also be set for a specific service. If a service has its own policy enforcement setting, that setting is applied to the service's noncompliant accounts and the global enforcement setting does not apply.
Mark
The existing user account on the old service is marked as disallowed, and a new account is not created on the new service.
Suspend
The existing user account on the old service instance is suspended, and a new account is not created on the new service.
Alert
An alert is sent to the recipient administrator to confirm removal of the old account on the old service. A new account is created on the new service if the user does not have an account on the new service and entitlement is automatic.
Correct
Existing accounts are removed on the old service. A new account is created on the new service if the user does not have an account on the new service and entitlement is automatic.
To work with global policy enforcement, go to the navigation tree and select Configure System > Configure Global Policy Enforcement.
Note: To set service policy enforcement, go to the navigation tree and select Manage Services.
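The precedence rule (a service-specific setting overrides the global one) and the four enforcement actions above are easy to get wrong when reasoning about what happens to a noncompliant account. The following added example is an illustrative model written for this page, not IVIG code or its API: it encodes the rules as stated above and runs them over constructed services and accounts. The class and function names (Enforcement, Service, Account, effective_enforcement, enforce) are assumptions made for the example; the "old service" / "new service" scenario is the one the action descriptions above use.

```python
"""Illustrative model of IVIG policy enforcement precedence and actions.

Added example, not IVIG code. It encodes two rules from the page:
  1. A service-specific enforcement setting overrides the global one.
  2. Each action decides what happens to the noncompliant account on the
     old service and whether an account is created on the new service
     (only Alert and Correct create one, and only when the user has no
     account there and entitlement is automatic).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Enforcement(Enum):
    MARK = "mark"
    SUSPEND = "suspend"
    ALERT = "alert"
    CORRECT = "correct"


@dataclass
class Service:
    name: str
    # None means "no service-specific setting": inherit the global one.
    enforcement: Optional[Enforcement] = None


@dataclass
class Account:
    user: str
    service: str
    status: str = "active"   # active | disallowed | suspended | removed


@dataclass
class Outcome:
    action: Enforcement
    old_account_status: str
    new_account_created: bool
    alert_sent: bool


def effective_enforcement(service: Service, global_setting: Enforcement) -> Enforcement:
    """The service's own setting wins; otherwise the global default applies."""
    return service.enforcement if service.enforcement is not None else global_setting


def enforce(old_account: Account, old_service: Service, new_service: Service,
            has_new_account: bool, automatic_entitlement: bool,
            global_setting: Enforcement) -> Outcome:
    """Apply the effective enforcement action to one noncompliant account."""
    action = effective_enforcement(old_service, global_setting)
    alert_sent = False
    new_created = False
    # Alert and Correct may create an account on the new service, but only
    # when the user lacks one there and the entitlement is automatic.
    may_create = (not has_new_account) and automatic_entitlement
    if action is Enforcement.MARK:
        old_account.status = "disallowed"
    elif action is Enforcement.SUSPEND:
        old_account.status = "suspended"
    elif action is Enforcement.ALERT:
        # Removal of the old account awaits the administrator's confirmation,
        # so its status is left unchanged here.
        alert_sent = True
        new_created = may_create
    elif action is Enforcement.CORRECT:
        old_account.status = "removed"
        new_created = may_create
    return Outcome(action, old_account.status, new_created, alert_sent)


def demo() -> list:
    """Run three constructed scenarios under a global Mark setting."""
    global_setting = Enforcement.MARK
    inherits = Service("ldap-old")                       # constructed, inherits global
    corrects = Service("ad-old", Enforcement.CORRECT)    # constructed, overrides global
    alerts = Service("db-old", Enforcement.ALERT)        # constructed, overrides global
    target = Service("ad-new")                           # constructed new service
    return [
        enforce(Account("alice", inherits.name), inherits, target, False, True, global_setting),
        enforce(Account("bob", corrects.name), corrects, target, False, True, global_setting),
        enforce(Account("carol", alerts.name), alerts, target, True, True, global_setting),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running the block shows that alice's account is only marked disallowed (global Mark, nothing created), bob's old account is removed and a new one created because the service-specific Correct setting overrides the global Mark, and carol's case raises an alert without creating a new account because she already has one on the new service.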