Policies Overview

Policies in IdentityCenter define the rules and constraints that govern identity management in your organization. They automate compliance checks, enforce security standards, and ensure consistent governance across all connected systems.

What are Policies?

Policies are configurable rules that:

• Detect violations of security and compliance requirements
• Alert administrators to potential issues
• Enforce governance standards automatically
• Report on compliance status for auditors

Policy Types

Compliance Policies

Ensure adherence to regulatory frameworks:

Security Policies

Protect against security risks:

Governance Policies

Enforce organizational standards:

Policy Architecture

┌─────────────────────────────────────────────────────────────┐
│                    Policy Engine                             │
├─────────────────────────────────────────────────────────────┤
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐         │
│  │  Evaluator  │  │  Scheduler  │  │  Reporter   │         │
│  └─────────────┘  └─────────────┘  └─────────────┘         │
├─────────────────────────────────────────────────────────────┤
│                    Policy Rules                              │
│  ┌──────────────────────────────────────────────────────┐   │
│  │ Conditions  │  Actions  │  Exceptions  │  Severity  │   │
│  └──────────────────────────────────────────────────────┘   │
├─────────────────────────────────────────────────────────────┤
│                    Violation Store                           │
│  ┌──────────────────────────────────────────────────────┐   │
│  │  Active Violations  │  History  │  Remediation Log   │   │
│  └──────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────┘

Policy Components

Conditions

Define when a policy violation occurs:

IF [Condition] THEN [Violation]

Examples:
- IF account.lastLogin > 90 days THEN "Stale Account"
- IF account.manager IS NULL THEN "Missing Manager"
- IF user IN group("Domain Admins") AND user IN group("Finance") THEN "SoD Violation"

Severity Levels

Actions

What happens when a violation is detected:

Exceptions

Exclude specific cases from policy enforcement:

Built-in Policies

IdentityCenter includes these pre-configured policies:

Account Lifecycle

Access Control

Segregation of Duties

Data Protection

Policy Evaluation

Evaluation Triggers

Evaluation Scope

Violation Management

Violation Lifecycle

┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐
│  New     │ → │  Active  │ → │Remediated│ → │  Closed  │
└──────────┘   └──────────┘   └──────────┘   └──────────┘
                    │
                    ▼
              ┌──────────┐
              │ Excepted │
              └──────────┘

Managing Violations

Compliance Reporting

Standard Reports

Compliance Dashboards

• Overall compliance score
• Violations by severity
• Violations by policy
• Trend over time
• Top violating accounts

Best Practices

Policy Design

1. Start with Frameworks - Use compliance requirements as your guide
2. Be Specific - Clear conditions reduce false positives
3. Set Realistic Severity - Not everything is critical
4. Document Rationale - Explain why each policy exists

Exception Management

1. Require Justification - Document why exceptions are needed
2. Set Expiration - Exceptions should be temporary
3. Review Regularly - Audit exception list quarterly
4. Limit Scope - Make exceptions as narrow as possible

Continuous Improvement

1. Monitor False Positives - Tune policies that generate noise
2. Track Trends - Identify systemic issues
3. Update for Changes - Adjust when requirements change
4. Benchmark - Compare to industry standards

Next Steps

• Creating Policies
• Policy Conditions Reference
• Managing Violations
• Compliance Reports