Previewing a modified provisioning policy

An administrator can preview the effect of a provisioning policy on users before adding, modifying, or deleting the policy.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

About this task

Previewing a provisioning policy provides you with a summary of the number of accounts that are affected and specific details for each account that the policy impacts. The provisioning policy preview provides details about the accounts that are:
  • Provisioned
  • Suspended
  • Deleted
  • Modified
  • Marked as noncompliant
  • Changed from noncompliant to compliant

If the results of the preview are what you expected, you can continue submitting and activating the policy. If the results of the preview are not what you expected, you can revise the policy.

When you preview a modified policy, you can choose to have IBM Verify Identity Governance compute the impact of the entire policy on all users that belong to policy memberships. Alternatively, you can choose to compute only the impact of the changes you made to the policy. For example, if you modified an existing provisioning policy to include a newly defined role, you might want to preview the results of the modified policy selectively as they apply to users who were assigned to that role.

If a role is a member of another organizational role in a provisioning policy, then that member role also inherits the permissions of the provisioning policy.

If you change the ownership type of a service policy entitlement, accounts are evaluated based on that ownership type. Accounts with a different ownership type than the one specified in the changed entitlement are disallowed on that service. The exceptions are if you change the ownership type to All or the ownership type is covered by another entitlement on the same policy. In those cases, the accounts are not disallowed.
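
The ownership-type rule above, modeled as an added example (not IBM code and not part of the original page) so you can reason about which accounts a change would disallow before you run the preview. The class and function names, the service name, and the ownership type values other than All are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ALL = "All"  # ownership type value named on the page

@dataclass(frozen=True)
class Entitlement:  # hypothetical model of one policy entitlement
    service: str
    ownership_type: str

@dataclass(frozen=True)
class Account:  # hypothetical model of one account on a service
    user: str
    service: str
    ownership_type: str

def is_allowed(account, entitlements):
    """An account stays allowed if any entitlement on the same policy, for
    the same service, names its ownership type or All."""
    return any(
        e.service == account.service
        and e.ownership_type in (ALL, account.ownership_type)
        for e in entitlements
    )

def newly_disallowed(before, after, accounts):
    """Users allowed under the old entitlements but not under the new ones."""
    return sorted(
        a.user for a in accounts
        if is_allowed(a, before) and not is_allowed(a, after)
    )

# Constructed sample data: two accounts on one service.
ACCOUNTS = [
    Account("alice", "ldap-prod", "Individual"),
    Account("bob", "ldap-prod", "Individual"),
]
BEFORE = [Entitlement("ldap-prod", "Individual")]
# Case 1: the ownership type is changed to a different type.
TO_SYSTEM = [Entitlement("ldap-prod", "System")]
# Case 2 (exception): the ownership type is changed to All.
TO_ALL = [Entitlement("ldap-prod", ALL)]
# Case 3 (exception): another entitlement on the same policy covers the type.
COVERED = [Entitlement("ldap-prod", "System"),
           Entitlement("ldap-prod", "Individual")]

if __name__ == "__main__":
    for label, after in [("to System", TO_SYSTEM), ("to All", TO_ALL),
                         ("covered elsewhere", COVERED)]:
        print(label, "->", newly_disallowed(BEFORE, after, ACCOUNTS))
```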

Procedure

  1. From the navigation tree, select Manage Policies > Manage Provisioning Policies.
  2. On the Manage Provisioning Policies page, type information about the provisioning policy in the Policy information field, or type an asterisk (*), and click Search.
  3. In the Provisioning Policies table, locate and select a provisioning policy, and click Change.
  4. On the Manage Provisioning Policies page, modify the information on the General, Members, and Entitlements pages, and click Preview.
  5. On the Preview Policy Enforcement page, select Enforce changes only or Enforce entire policy.
  6. Click Continue.
    The preview is generated and displayed on the Preview Policy Summary page, which is categorized by the following states:
    • Disallowed accounts
    • Noncompliant accounts
    • Compliant accounts
    Click a category of account changes to view the individual accounts that the policy changes affect.
  7. On the Preview Policy Summary page, click Close.

What to do next

After you determine that the effects of the policy changes are acceptable, the changes can be submitted to the system.