Use the following guidelines when you create identity policies:
Identity Manager creates objects in the object store that support identity policies. To reduce the number of objects in the object store, create identity policies with complex expressions.
A similar approach is recommended for role policies.
You can configure the recursion level for an identity policy, which determines the number of times that CA Identity Manager evaluates and applies identity policies when a user is synchronized. For example, an identity policy may change a user's department when the user is assigned a role. The new department triggers another identity policy. However, if the recursion level is set to 1, the subsequent change is not made until the user is synchronized again.
Setting the recursion level limits the number of times that CA Identity Manager must evaluate identity policies.
You can create an identity policy where the change action (Action on Apply Policy or Action on Remove Policy) of one policy is used in the identity policy condition of another policy as shown in the following table.
| Identity Policy Condition | Action on Apply Policy | Action on Remove Policy |
|---|---|---|
| where (Job Code = "100") | Make member of (provisioning role "Account Manager") | Remove member of (provisioning role "Account Manager") |
| Who are members of (provisioning role "Account Manager") | Make member of (group "Account Managers") | Remove member of (group "Account Managers") |
When CA Identity Manager evaluates this type of policy, it must evaluate and apply changes at least twice to ensure that both conditions are met. The recursion level, which is set for an entire Identity Manager environment, must be greater than 1, which then causes additional evaluations for each identity policy set.
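As an added illustration (not CA's own code or a description of the product's internals), the following toy model runs the two policies from the table above under different recursion levels; the `User`, `IdentityPolicy` and `synchronize` names are assumptions, and the policy semantics are simplified.

```python
# Added illustration, not CA's code: a toy model of identity-policy evaluation
# showing how the recursion level bounds chained policies. User, IdentityPolicy
# and synchronize are hypothetical names; the semantics are simplified.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class User:
    attrs: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

@dataclass
class IdentityPolicy:
    name: str
    condition: Callable[[User], bool]
    on_apply: Callable[[User], None]   # Action on Apply Policy
    on_remove: Callable[[User], None]  # Action on Remove Policy (simplified)

def evaluate_once(user, policies):
    """One pass: conditions are checked against the user's state at the start of
    the pass, then every action runs. Returns True if any membership changed."""
    before = (set(user.roles), set(user.groups))
    decisions = [(p, p.condition(user)) for p in policies]
    for p, matched in decisions:
        (p.on_apply if matched else p.on_remove)(user)
    return (user.roles, user.groups) != before

def synchronize(user, policies, recursion_level):
    """Re-evaluate at most `recursion_level` times in one sync, stopping early
    once a pass changes nothing. Returns the number of passes run."""
    passes = 0
    while passes < recursion_level:
        passes += 1
        if not evaluate_once(user, policies):
            break
    return passes

# The two policies from the table on this page, as constructed sample data.
POLICIES = [
    IdentityPolicy("job-code-100",
                   lambda u: u.attrs.get("Job Code") == "100",
                   lambda u: u.roles.add("Account Manager"),
                   lambda u: u.roles.discard("Account Manager")),
    IdentityPolicy("account-manager-group",
                   lambda u: "Account Manager" in u.roles,
                   lambda u: u.groups.add("Account Managers"),
                   lambda u: u.groups.discard("Account Managers")),
]
```

With recursion level 1, a user whose Job Code becomes "100" receives the provisioning role in this sync but the group only on the next one; the same lag applies on removal, so a user who leaves the job keeps the group membership until the next synchronization unless the level is at least 2.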
Copyright © 2011 CA. All rights reserved.