11.3 Creating and Editing Data Policies

Identity Governance provides default collection data policies and publication data policies. In addition, it enables you to create and edit data policies.

To create and edit data policies:

  1. Log in as a Customer, Global, or Data Administrator.

  2. Select Data Administration > Policies and Controls.

  3. (Optional) Click the gear icon to customize display settings for collection and publication data policies. For example, you could choose to display the Analysis Type column.

  4. In the Collection Data Policies or Publication Data Policies tab, select + to create a new policy.

  5. Select the type of metric you want to run:

    • Any attribute changes to detect any changes to a selected attribute value.

      For example: If you want to start a user profile micro certification when the “Supervisor” attribute for a user changes, select Identity as the Data Source Type, then configure the criteria to User: Supervisor, then select is changed.

    • Attribute changes with criteria to monitor changes to attribute values based on your specified criteria in published data.

      If you configure only Entities which changed to match the following criteria, the simple criteria policy returns all entity types that match the criteria.

      For example: “All users whose location is Boston.”

      You can Add optional criteria to this data policy to configure Entities which changed from the following criteria and narrow the results to list only changes from a specified value.

      For the previous example: If you also configure the optional criteria to specify users whose location changed from Chicago, the policy returns only “Users currently located in Boston who previously were located in Chicago.”

    • Criteria to detect and monitor users, permissions, or accounts based on your specified criteria in collected or published data.

      NOTE: Data collection policies use only collected values, and exclude curated values from the policy. To include data for extended attributes, you must first collect that data.

    • Entity changes to detect changes such as the addition or removal of entities (identities, accounts, permissions, and permission assignments), or to monitor changes based on the number of entities in collected or published data.

    • Statistics to detect the number of specified entities such as users, groups, permissions, or accounts in collected or published data.

      NOTE: You cannot calculate violations for these types of statistics. The number of entities is displayed on the Data Sources > Activity page.

  6. Select a detection type, such as violation or event.

  7. Select the trigger method for detections.

    1. (Conditional) When selecting events as the trigger, select one or more events.

    2. (Conditional) When selecting schedule, if you have not previously created a schedule, create a schedule after saving the data policy.

  8. Select the desired data source type, analysis type, and entity type for the policy, and specify additional criteria.

    NOTE: When specifying criteria, press Enter after typing a value for it to be included as a parameter in data policy analysis and calculations.

    1. (Conditional) If you select the entity analysis type and choose to analyze permissions and account changes in application sources or to analyze user changes in identity sources, add and remove the respective data sources as needed to expand or constrain analysis.

    HINT: When selecting dates, in addition to selecting a specific date using the date picker, you can also create a date formula that calculates the date based on your criteria.

  9. (Optional) Click Estimate impact when available to show estimated violations for the policy.

  10. Save your settings.

  11. Select Data Administration > Policies and Controls.

  12. (Optional) Select the policy, then select Edit to edit the policy.

  13. (Optional) Click Show All Detections to view previous detection instances.