Creating Policies

This guide walks you through creating custom policies to enforce compliance and security standards in IdentityCenter.

Prerequisites

Before creating policies, ensure you have:

  • Administrator role in IdentityCenter
  • Understanding of your compliance requirements
  • Identity data synchronized from your sources
  • Knowledge of the attributes available for evaluation

Step 1: Navigate to Policies

  1. Log in to IdentityCenter
  2. Navigate to Governance > Policies
  3. Click New Policy

Step 2: Configure Basic Settings

Field       | Description                     | Example
------------|---------------------------------|--------------------------------------------
Name        | Descriptive policy name         | Stale Account Detection
Description | Purpose of this policy          | Detects accounts with no login in 90+ days
Category    | Policy category                 | Security
Framework   | Compliance framework (optional) | SOX
Enabled     | Whether policy is active        | Yes

Policy Categories

Category        | Purpose
----------------|----------------------------------
Security        | Protect against threats
Compliance      | Meet regulatory requirements
Governance      | Enforce organizational standards
Data Protection | Protect sensitive data
Custom          | Organization-specific policies

Step 3: Define the Condition

The condition determines when a violation is detected.

Condition Builder

Use the visual builder for simple conditions:

Field: LastLoginDate
Operator: Older Than
Value: 90 days

Advanced Conditions

For complex logic, use the expression editor:

-- Stale account with access
LastLoginDate < DATEADD(day, -90, GETDATE())
AND Status = 'Active'
AND GroupCount > 0

-- Segregation of Duties
EXISTS (SELECT 1 FROM GroupMembership WHERE GroupName = 'Finance Approvers')
AND EXISTS (SELECT 1 FROM GroupMembership WHERE GroupName = 'Finance Requesters')

-- Missing required attributes
Email IS NULL OR Email = ''
OR Manager IS NULL
OR Department IS NULL

Condition Operators

Operator     | Description        | Example
-------------|--------------------|----------------------------------
Equals       | Exact match        | Status = 'Active'
Not Equals   | Does not match     | Status != 'Disabled'
Contains     | Text contains      | Email CONTAINS '@temp'
In           | Value in list      | Department IN ('IT', 'Security')
Older Than   | Date comparison    | LastLogin OLDER THAN 90 days
Greater Than | Numeric comparison | GroupCount > 10
Is Null      | Missing value      | Manager IS NULL
Exists In    | Group membership   | EXISTS IN group('Domain Admins')

Combining Conditions

Operator | Description
---------|----------------------------
AND      | All conditions must be true
OR       | Any condition can be true
NOT      | Negates a condition
()       | Groups conditions

Example:

(Department = 'IT' OR Department = 'Security')
AND Status = 'Active'
AND NOT (Title CONTAINS 'Director')
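To make the semantics of these conditions concrete, here is an added Python example (not part of IdentityCenter or this guide) that evaluates the three expression-editor conditions and the combined AND/OR/NOT example above against a constructed set of identity records. The Identity class, the sample records and the function names are assumptions. It also demonstrates a caveat worth checking when you test a policy: a NULL LastLoginDate makes the date comparison unknown, so an account that has never logged in is not matched by the stale-account condition and needs its own check.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set

# Fixed evaluation date standing in for GETDATE(), so results are deterministic.
TODAY = date(2024, 6, 1)


@dataclass
class Identity:
    """One identity record with the attributes the expression editor examples reference."""
    username: str
    status: str
    last_login: Optional[date]      # LastLoginDate; None models a SQL NULL (never logged in)
    email: Optional[str]
    manager: Optional[str]
    department: Optional[str]
    title: str
    groups: Set[str] = field(default_factory=set)   # GroupCount = len(groups)


# Constructed sample population (hypothetical usernames, not real data).
IDENTITIES = [
    Identity("alice", "Active", TODAY - timedelta(days=5), "alice@example.com", "bob", "Finance", "Analyst", {"Finance Approvers"}),
    Identity("carol", "Active", TODAY - timedelta(days=120), "carol@example.com", "bob", "IT", "Engineer", {"Helpdesk"}),
    Identity("dave", "Active", TODAY - timedelta(days=200), "dave@example.com", "bob", "Finance", "Director of Finance", {"Finance Approvers", "Finance Requesters"}),
    Identity("erin", "Disabled", TODAY - timedelta(days=400), "erin@example.com", "bob", "IT", "Engineer", {"Helpdesk"}),
    Identity("frank", "Active", TODAY - timedelta(days=1), None, None, "Sales", "Sales Rep", set()),
    Identity("svc-backup", "Active", None, None, "ops", "IT", "Service Account", {"Backup Operators"}),
]


def stale_account_with_access(i: Identity) -> bool:
    """LastLoginDate < DATEADD(day, -90, GETDATE()) AND Status = 'Active' AND GroupCount > 0"""
    if i.last_login is None:
        # A NULL LastLoginDate makes the comparison unknown in SQL, so the row is
        # NOT matched: accounts that never logged in are invisible to this condition.
        return False
    cutoff = TODAY - timedelta(days=90)
    return i.last_login < cutoff and i.status == "Active" and len(i.groups) > 0


def finance_sod_conflict(i: Identity) -> bool:
    """EXISTS (... 'Finance Approvers') AND EXISTS (... 'Finance Requesters')"""
    return "Finance Approvers" in i.groups and "Finance Requesters" in i.groups


def missing_required_attributes(i: Identity) -> bool:
    """Email IS NULL OR Email = '' OR Manager IS NULL OR Department IS NULL"""
    return (i.email is None or i.email == "") or i.manager is None or i.department is None


def it_security_non_directors(i: Identity) -> bool:
    """(Department = 'IT' OR Department = 'Security') AND Status = 'Active' AND NOT (Title CONTAINS 'Director')"""
    return i.department in ("IT", "Security") and i.status == "Active" and not ("Director" in i.title)


POLICIES: Dict[str, Callable[[Identity], bool]] = {
    "Stale account with access": stale_account_with_access,
    "Finance segregation of duties": finance_sod_conflict,
    "Missing required attributes": missing_required_attributes,
    "IT/Security active non-directors": it_security_non_directors,
}


def evaluate(policies=POLICIES, identities=IDENTITIES) -> Dict[str, List[str]]:
    """Return, per policy, the usernames whose record satisfies the condition."""
    return {name: [i.username for i in identities if cond(i)] for name, cond in policies.items()}


def never_logged_in(identities=IDENTITIES) -> List[str]:
    """Companion check for the NULL gap: active accounts with no login record at all."""
    return [i.username for i in identities if i.last_login is None and i.status == "Active"]


if __name__ == "__main__":
    for policy, hits in evaluate().items():
        print(f"{policy}: {hits}")
    print("never logged in (missed by the date comparison):", never_logged_in())
```

Running the block shows that the stale-account condition flags carol and dave but not svc-backup, even though that account has no login at all; when you test a policy against known cases (Step 8), include a never-logged-in identity so this gap is visible rather than assumed away.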

Step 4: Configure Severity

Level    | When to Use
---------|----------------------------------------------
Critical | Immediate security threat, compliance failure
High     | Significant risk, needs quick attention
Medium   | Moderate risk, needs resolution soon
Low      | Minor issue, fix when convenient
Info     | Awareness only, no action needed

Severity Guidelines

Scenario                         | Recommended Severity
---------------------------------|---------------------
Active admin without manager     | Critical
Stale account                    | Medium
Missing email address            | Low
Non-standard naming              | Info
Terminated employee with access  | Critical

Step 5: Define Actions

Specify what happens when a violation is detected.

Available Actions

Action            | Description            | When to Use
------------------|------------------------|--------------------------
Log               | Record in violation log | Always
Email Alert       | Send notification      | Important violations
Create Ticket     | Open support ticket    | Items needing work
Disable Account   | Automatically disable  | Critical security issues
Flag for Review   | Mark for access review | Include in next campaign
Remove from Group | Auto-remediate         | Clear-cut violations

Action Configuration

Email Alert:

Action: Email Alert
Recipients:
  - security-team@company.com
  - {identity.manager.email}
Subject: "Policy Violation: {policy.name}"
Template: security-alert

Create Ticket:

Action: Create Ticket
Priority: High
Assignee: Security Team
Category: Policy Violation

Step 6: Configure Exceptions

Define who or what is exempt from this policy.

Exception Types

Type      | Description           | Example
----------|-----------------------|------------------------
User      | Specific users exempt | CEO, service accounts
Group     | Group members exempt  | Emergency Access Group
Attribute | Based on attribute    | Where Type = 'Service'
Time      | Time-based exception  | Maintenance windows

Creating an Exception

Exception Name: Service Account Exception
Type: Attribute-Based
Condition: AccountType = 'Service'
Reason: Service accounts don't have interactive logins
Expiration: Never
Approver: IT Security Manager

Exception Best Practices

  1. Always require justification
  2. Set expiration dates when possible
  3. Limit scope to minimum necessary
  4. Review exceptions quarterly
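As an added example (not IdentityCenter's own code), the following Python models the exception form above and applies exceptions to policy matches the way these best practices call for: an exception whose expiration has passed is no longer honoured, exempted matches are kept in the result with the exception name so they stay auditable rather than being silently dropped, and a helper lists the exceptions due for the quarterly review. The PolicyException and Finding classes, the sample identities and the second exception are assumptions; the first exception reproduces the Service Account Exception shown above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Fixed evaluation date so the example is deterministic.
TODAY = date(2024, 6, 1)


@dataclass
class PolicyException:
    """Mirrors the fields of the 'Creating an Exception' form."""
    name: str
    condition: Callable[[Dict], bool]   # attribute-based condition, e.g. AccountType = 'Service'
    reason: str
    approver: str
    expiration: Optional[date] = None   # None means "Never"

    def applies(self, identity: Dict, today: date) -> bool:
        # An expired exception is ignored: the identity is reported like any other.
        if self.expiration is not None and today > self.expiration:
            return False
        return self.condition(identity)


@dataclass
class Finding:
    username: str
    policy: str
    severity: str
    exempted_by: Optional[str] = None   # name of the exception that applied, if any


# Constructed sample identities (hypothetical usernames, not real data).
IDENTITIES = [
    {"username": "alice", "Status": "Active", "AccountType": "User", "LastLoginDate": TODAY - timedelta(days=3)},
    {"username": "carol", "Status": "Active", "AccountType": "User", "LastLoginDate": TODAY - timedelta(days=120)},
    {"username": "gina", "Status": "Active", "AccountType": "User", "LastLoginDate": TODAY - timedelta(days=150)},
    {"username": "svc-backup", "Status": "Active", "AccountType": "Service", "LastLoginDate": TODAY - timedelta(days=300)},
]


def stale_account(identity: Dict) -> bool:
    """LastLoginDate older than 90 days AND Status = 'Active' (evaluated at TODAY)."""
    return identity["LastLoginDate"] < TODAY - timedelta(days=90) and identity["Status"] == "Active"


EXCEPTIONS = [
    PolicyException(
        name="Service Account Exception",
        condition=lambda i: i["AccountType"] == "Service",
        reason="Service accounts don't have interactive logins",
        approver="IT Security Manager",
        expiration=None,                 # Never
    ),
    PolicyException(                     # hypothetical time-limited exception
        name="Extended Leave - gina",
        condition=lambda i: i["username"] == "gina",
        reason="Approved leave of absence",
        approver="HR Manager",
        expiration=date(2024, 5, 1),     # already past TODAY, so no longer honoured
    ),
]


def evaluate(policy_name: str, severity: str, condition: Callable[[Dict], bool],
             exceptions: List[PolicyException], identities: List[Dict],
             today: date = TODAY) -> List[Finding]:
    """Apply the condition, then the exceptions. Exempted matches stay in the
    result, marked with the exception name, so they remain auditable."""
    findings = []
    for identity in identities:
        if not condition(identity):
            continue
        matched = next((e for e in exceptions if e.applies(identity, today)), None)
        findings.append(Finding(identity["username"], policy_name, severity,
                                matched.name if matched else None))
    return findings


def open_violations(findings: List[Finding]) -> List[str]:
    return [f.username for f in findings if f.exempted_by is None]


def exempted(findings: List[Finding]) -> Dict[str, str]:
    return {f.username: f.exempted_by for f in findings if f.exempted_by}


def exceptions_needing_review(exceptions: List[PolicyException], today: date = TODAY) -> List[str]:
    """Candidates for the quarterly review: exceptions with no expiration, and
    exceptions that have already expired and should be retired."""
    return [e.name for e in exceptions if e.expiration is None or e.expiration < today]


if __name__ == "__main__":
    result = evaluate("Stale Account Detection", "Medium", stale_account, EXCEPTIONS, IDENTITIES)
    for f in result:
        state = f"exempt ({f.exempted_by})" if f.exempted_by else "VIOLATION"
        print(f"{f.username:12} {f.severity:8} {state}")
    print("exceptions to review:", exceptions_needing_review(EXCEPTIONS))
```

With the constructed data, carol and gina are open violations (gina's exception expired a month before the evaluation date), svc-backup is recorded as exempt under the Service Account Exception, and both exceptions come up for review: one because it never expires, the other because it has lapsed and should be removed.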

Step 7: Set Evaluation Schedule

Schedule  | Description     | Use Case
----------|-----------------|-------------------
Real-time | On every change | Critical policies
Hourly    | Every hour      | Important policies
Daily     | Once per day    | Standard policies
Weekly    | Once per week   | Lower priority
Monthly   | Once per month  | Periodic checks

Schedule Configuration

Evaluation Schedule: Daily
Time: 02:00 AM
Time Zone: Eastern Time
Scope: All Active Identities

Step 8: Save and Test

Testing Your Policy

  1. Click Save Draft (not Publish yet)
  2. Click Test Policy
  3. Review test results:
    • How many violations found?
    • Are the violations valid?
    • Any false positives?
  4. Adjust conditions if needed
  5. Click Publish when ready

Test Mode Options

Option         | Description
---------------|-------------------------------
All Identities | Run against entire population
Sample         | Run against random sample
Specific Users | Test against named users
Dry Run        | Show results without saving

Example Policies

Stale Account Policy

Name: Stale Account Detection
Category: Security
Condition: |
  LastLoginDate < DATEADD(day, -90, GETDATE())
  AND Status = 'Active'
Severity: Medium
Actions:
  - Log violation
  - Email manager
Schedule: Daily
Exceptions:
  - Service accounts
  - Conference room mailboxes

Orphaned Account Policy

Name: Orphaned Account Detection
Category: Governance
Condition: |
  Manager IS NULL
  AND Status = 'Active'
  AND AccountType != 'Service'
Severity: Medium
Actions:
  - Log violation
  - Email HR team
Schedule: Daily

Segregation of Duties Policy

Name: Finance SoD Violation
Category: Compliance
Framework: SOX
Condition: |
  EXISTS IN group('AP_Requesters')
  AND EXISTS IN group('AP_Approvers')
Severity: Critical
Actions:
  - Log violation
  - Email compliance team
  - Create ticket
Schedule: Real-time

Privileged Access Policy

Name: Privileged Access Tracking
Category: Security
Condition: |
  EXISTS IN group('Domain Admins')
  OR EXISTS IN group('Enterprise Admins')
  OR EXISTS IN group('Schema Admins')
Severity: Info
Actions:
  - Log (track all privileged users)
Schedule: Hourly

Missing Email Policy

Name: Missing Email Address
Category: Governance
Condition: |
  (Email IS NULL OR Email = '')
  AND Status = 'Active'
  AND AccountType = 'User'
Severity: Low
Actions:
  - Log violation
Schedule: Weekly

Troubleshooting

Policy Not Finding Expected Violations

  • Verify condition syntax
  • Check that data is synced
  • Review exceptions that might apply
  • Test with specific known cases

Too Many Violations

  • Conditions may be too broad
  • Add additional criteria
  • Create exceptions for valid cases
  • Consider splitting into multiple policies

Policy Not Running

  • Check that policy is published (not draft)
  • Verify schedule is configured
  • Check evaluation service is running
  • Review error logs

Next Steps

Tags: policies compliance configuration tutorial

Related Articles

Policies Overview