Identity policies can define roles that are mutually exclusive and cannot be granted to the same user concurrently. For example, you can prevent a user manager who can grant raises from also being a salary approver.
To create an identity policy set that enforces segregation of duties, create an identity policy with the following settings:

| Setting | Value |
|---|---|
| Apply Once | Not enabled |
| Compliance | Enabled |
| Policy Condition | Use the "in <administrative-intersection-constraint>" option to define a set of conditions that violate a business policy. If a user meets all of the conditions, CA Identity Manager takes the actions in the Action on Apply Policy field. For example, set the policy condition as follows: intersection (who are members of <some_role>) and who are members of <some_other_role> ) |
| Action on Apply Policy | The actions that CA Identity Manager should take when the policy condition applies--for example: |

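
The intersection condition above can also be checked independently of the product, for instance during an access review. The following is an added example, not CA Identity Manager code: it assumes a constructed CSV export of role memberships with `user` and `role` columns, and a hypothetical constraint table that uses the role names from the raise/salary example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, one (user, role) pair per row. Assumed format.
SAMPLE_EXPORT = """user,role
alice,User Manager
alice,Salary Approver
bob,User Manager
carol,Salary Approver
carol,Help Desk
dave,User Manager
DAVE , salary approver
"""

# Hypothetical constraint table: no user may hold every role in a set.
CONSTRAINTS = {"raise-vs-approval": {"User Manager", "Salary Approver"}}


def load_memberships(text):
    """Return {user: {roles}} with names normalised so that case and
    stray whitespace cannot hide a conflicting assignment."""
    roles_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        user = (row.get("user") or "").strip().casefold()
        role = (row.get("role") or "").strip().casefold()
        if user and role:
            roles_by_user[user].add(role)
    return dict(roles_by_user)


def find_violations(roles_by_user, constraints):
    """Return sorted (constraint, user) pairs where the user meets ALL
    conditions of the constraint, i.e. is in the intersection."""
    violations = []
    for name, roles in sorted(constraints.items()):
        required = {r.strip().casefold() for r in roles}
        if len(required) < 2:
            raise ValueError(f"{name}: needs at least two distinct roles")
        for user, held in sorted(roles_by_user.items()):
            if required <= held:
                violations.append((name, user))
    return violations


if __name__ == "__main__":
    for name, user in find_violations(load_memberships(SAMPLE_EXPORT), CONSTRAINTS):
        print(f"SoD violation [{name}]: {user}")
```
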
The following figure illustrates the identity policy in this example.

Copyright © 2015 CA Technologies. All rights reserved.