You can define change actions that CA Identity Manager performs when it evaluates the identity policy. The actions include:
- A set of actions that CA Identity Manager performs when a user meets the policy conditions.
- A set of actions that CA Identity Manager performs when a user no longer meets the policy conditions.
The actions that CA Identity Manager can perform when identity policies are applied or removed are the same. See the following table for more information.
| Change Action | Description |
|---|---|
| Add to group <group-name> [...] | Adds users to a group. When you select this option, CA Identity Manager presents a screen where you can search for the group you want. |
| Add to <group-name> in user’s organization | Adds users to a local group. When you select this option, CA Identity Manager presents a text box where you can enter the name of the group that you want. |
| Set <single-value-user-attribute> to value | Sets the value of an attribute in a user profile. If there is an existing value, CA Identity Manager overwrites it with the value specified in the change action. |
| Add <value> to <multi-value-user-attribute> | Adds a value to a multi-value user attribute. This option does not overwrite existing values. |
| Make member of access role | Assigns users to an access role. |
| Make administrator of access role | Makes users administrators of an access role. |
| Make member of admin role | Makes users members of an admin role. |
| Make administrator of admin role | Makes users administrators of an admin role. |
| Make member of provisioning role | Makes users members of a provisioning role, which creates associated endpoint accounts. Note: To use provisioning roles, CA Identity Manager must integrate with a Provisioning Server. See the Installation Guide for your application server. |
| Make administrator of provisioning role | Makes users administrators of a provisioning role. Note: To use provisioning roles, CA Identity Manager must integrate with a Provisioning Server. See the Installation Guide for your application server. |
| Remove from group <group-name> [...] | Removes users from a group. When you select this option, CA Identity Manager presents a screen where you can search for the group you want. |
| Remove from <group-name> in user’s organization | Removes users from a local group. When you select this option, CA Identity Manager presents a text box where you can enter the name of the group that you want. |
| Remove <value> from <multi-value-user-attribute> | Removes a value from a multi-value user attribute. |
| Remove member from access role | Revokes an access role. |
| Remove administrator from access role | Revokes administrator privileges for a specific access role. |
| Remove member from admin role | Revokes an admin role. |
| Remove administrator from admin role | Revokes administrator privileges for a specific admin role. |
| Remove member from provisioning role | Revokes a provisioning role. |
| Remove administrator from provisioning role | Revokes administrator privileges for a specific provisioning role. |
| Send audit message | Sends a message that you create to the audit database. This message may appear in a report that you create. |
| Compliance violation | Sends a message that you create to the audit database. If you create a compliance report, the message appears each time the identity policy is applied to or removed from a user. See the Configuration Guide for more information about auditing. Note: You must enable the Compliance check box on the Profile tab for the Identity Policy Set to use the Compliance Violation option. |
| Accept (Action on Apply Policies only) | Allows the task to submit when there is a preventative identity policy violation. When you select this action, you provide a message that CA Identity Manager writes in the audit database and displays in View Submitted Tasks when a violation occurs. |
| Reject (Action on Apply Policies only) | Prevents a task from submitting when an identity policy violation occurs. This action is used with preventative identity policies to prevent users from receiving privileges that may result in a conflict of interest or fraud. When you select this action, you also provide a message that CA Identity Manager displays when a violation occurs. The message is stored in the audit database and displayed in the User Console. |
| Warning (Action on Apply Policies only) | Triggers a workflow process when a preventative identity policy violation occurs, if you associate that violation with a workflow approval policy. CA Identity Manager allows the task to submit regardless of whether workflow is configured. Note: For information about associating a workflow process with a preventative identity policy, see Workflow and Preventative Identity Policies. When you select this action, you also provide a message that CA Identity Manager displays when a violation occurs. The message is stored in the audit database and displayed in View Submitted Tasks. |

Copyright © 2015 CA Technologies. All rights reserved.