Policies
Access policies define automated approval rules for access review campaigns. When configured properly, they can significantly reduce the manual effort required during access reviews.
Policy Types:
- Role-Based Access: Auto-approve access based on assigned roles
- Owner Account Approval: Auto-approve all accounts owned by users with specific roles
- Application Access: Auto-approve access to applications based on role assignments
- Group Membership: Auto-approve group memberships based on role assignments
Policies and rules work as a single entity when automating review campaigns. A policy and its associated rules are evaluated together, and a decision is made as follows:
- If any policy or rule is set to reject access when a certain condition is met, the review entity is rejected.
- If the conditions of any policy or rule evaluate to accept access, the review entity is accepted.
- If the evaluation process cannot determine a condition to either reject or accept, the review entity is set to pending review.
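The sketch below models the three decision rules above as an added example; it is not the product's own code. The `Policy` and `ReviewEntity` classes and the `reject_roles` rule are hypothetical. It assumes the rules are applied in the order listed, and that inactive policies and policies without Auto-Approve Enabled never accept.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ACCEPTED = "accepted"
    REJECTED = "rejected"
    PENDING = "pending review"

@dataclass(frozen=True)
class ReviewEntity:               # hypothetical: one access item under review
    user: str
    roles: frozenset
    target: str                   # application or group name

@dataclass(frozen=True)
class Policy:                     # hypothetical model, not the product's schema
    name: str
    roles: frozenset              # associated roles
    targets: frozenset            # target applications or groups
    active: bool = True
    auto_approve: bool = False
    reject_roles: frozenset = frozenset()  # assumed rule: roles that must not hold the target

    def vote(self, e):
        # Assumption: inactive policies and non-matching targets give no verdict.
        if not self.active or e.target not in self.targets:
            return None
        if e.roles & self.reject_roles:
            return Decision.REJECTED
        if self.auto_approve and e.roles & self.roles:
            return Decision.ACCEPTED
        return None

def evaluate(policies, entity):
    votes = {p.vote(entity) for p in policies}
    if Decision.REJECTED in votes:    # any reject decides the outcome
        return Decision.REJECTED
    if Decision.ACCEPTED in votes:    # otherwise any accept
        return Decision.ACCEPTED
    return Decision.PENDING           # no verdict: left for a human reviewer

# Constructed sample data
POLICIES = [Policy("finance-app", frozenset({"finance"}), frozenset({"ledger"}), auto_approve=True),
            Policy("no-contractors", frozenset(), frozenset({"ledger"}), reject_roles=frozenset({"contractor"})),
            Policy("hr-app-disabled", frozenset({"hr"}), frozenset({"payroll"}), active=False, auto_approve=True)]
ENTITIES = [ReviewEntity("alice", frozenset({"finance"}), "ledger"),
            ReviewEntity("bob", frozenset({"finance", "contractor"}), "ledger"),
            ReviewEntity("carol", frozenset({"hr"}), "payroll")]
RESULTS = {e.user: evaluate(POLICIES, e) for e in ENTITIES}
```

In this sample, bob matches an accepting policy and a rejecting one and ends up rejected, while carol matches only a deactivated policy and falls through to pending review.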
The Access Policies page shows statistics on how many policies are configured, how many are active, what type of policies they are, and whether auto-approval is enabled. The page has a search function and can be filtered by type and/or status.
Each policy has an overview tile, providing specific data points for that policy. On the tile, use the top-right ellipsis to view details, edit, deactivate or delete the policy.
Creating a Policy
Creating a new policy and editing an existing one follow the same workflow steps.
- Under Basic Information, provide or specify
  - a Policy Name and Description.
  - a Policy Type via drop-down. Options are
    - Role-based access
    - Owner account approval
    - Application access
    - Group membership
  - a status via drop-down. The default is active.
  - optionally Auto-Approve Enabled via on/off switch.
- Under Associated Roles, select from the list of preconfigured roles. Refer to Role Configuration.
- Under Target Application, select from the list of connected data sources.
- Under Target Groups, select from the list of groups for which this policy manages the membership access.
- Save your policy.
NOTE
Changing the policy type may require adjusting associated resources.
CAUTION
Changes to active policies will take effect immediately and may impact ongoing campaigns.
