Identity Policies › Preventative Identity Policies › Important Notes about Preventative Identity Policies

Important Notes about Preventative Identity Policies

Before you implement preventative identity policies, note the following:

• Preventative identity policies only prevent violations that would occur because of proposed changes in the current task. They do not prevent existing violations.

  For example, a company creates a preventative identity policy that prohibits users from having the User Manager and User Approver roles at the same time. An administrator assigns the Group Manager role to a user who already has the User Manager and User Approver roles. CA Identity Manager allows the new assignment to succeed because that change does not directly cause a violation of the policy.

• If multiple preventative identity policies apply to a set of proposed changes, CA Identity Manager applies policies with Reject actions first.
• Do not specify dynamic groups in preventative identity policy conditions. (Policy conditions determine the set of users that the preventative identity policy applies to.)

  For example, a company has a dynamic group that includes all users who have the title Manager. That company also creates a preventative identity policy that prohibits members of the Managers group from having the Contractors role.

  An administrator changes the title of a user who has the Contractors role to Manager. This change will make the user a member of the Managers group after the task submits successfully. However, the user's title is not Manager at the time that CA Identity Manager evaluates the policy, so no violation is detected.

• The role owner filter and the LDAP query filter are not supported in policy conditions for preventative identity policies.