ITIM Provisioning Policy Priority

A provisioning policy in ITIM (IBM Tivoli Identity Manager) grants access and sets entitlements on the ITIM-managed services based on the provisioning policy membership.

Each provisioning policy consists of information and settings on the following tabs:

  • General
  • Members
  • Entitlements

Of course, there are other factors to consider: role memberships, service selection policies and policy join behaviours, to name a few, but this post looks only at the value of the required Priority attribute.

The priority setting is a required numeric value on the General tab of the provisioning policy configuration; the lower the number, the higher the priority of the provisioning policy.

When creating a provisioning policy it is easy to leave this at the default of ‘1’ and move straight on to the Members or Entitlements tab.  But leaving the priority at the default can have unintended results.

If two provisioning policies apply to the same service and have the same or overlapping memberships, the policy with the higher priority (the lower number) takes precedence.  It is important to set the priority so that the correct policies are applied to the policy membership.

I have found that setting the priority for the “All Users” or “Global” policies to a high number and then moving down in increments makes it possible to order the policies by precedence and to group related policies.

Provisioning Policy                                  Priority  Group Entitlement  Description
Default Provisioning Policy for All Users            1000000   Domain Users       “General User”
Default Provisioning Policy for Employees            100000    Emp Users          “Employee”
Default Provisioning Policy for Contractors          100000    Cntr Users         “Contractor”
Default Provisioning Policy for Vendors              100000    Vend Users         “Vendor”
Provisioning Policy for West Coast Employees         10000     West Coast         “West Coast Employee”
Provisioning Policy for East Coast Employees         10000     East Coast         “East Coast Employee”
Provisioning Policy for West Coast Administrators    1000      Domain Admin       “West Coast Administrator”

Using the table above it is easy to sort the provisioning policies in descending priority order and determine the policy with the highest precedence.  The priority also ensures the correct policy is used to provision the correct value to the attribute.

Assumption:  Each of the policies has a distinct membership, but a person can be in multiple memberships.

As an example, let’s use the Active Directory groups from the table above.  The AD group attribute is multi-valued and can contain several values.  A person who is an Employee on the West Coast will have the following entitlements:

Group:        Domain Users, Emp Users, West Coast
Description:  “West Coast Administrator”

A Contractor would have the following entitlements:

Group:        Domain Users, Cntr Users
Description:  “Contractor”

If the policies above all had the same priority, the multi-valued group entitlement would probably still be correct, provided the policy join was set to “Union”, but it would be a different story for the Description attribute.  Its policy join would most likely be set to Priority, and with equal priorities there is a good chance the resulting value would not be the intended one.
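To make the two join behaviours concrete, here is an added Python simulation (not ITIM code and not from the original post) that applies the priorities from the table above to a person's memberships; the membership labels, the tie check and the `flatten` helper are assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int      # lower number = higher precedence
    membership: str    # assumed label for the policy's membership
    group: str         # value for the multi-valued AD group attribute
    description: str   # value for the single-valued Description attribute


# Constructed from the table in the post (membership labels are assumptions).
POLICIES = [
    Policy("Default Provisioning Policy for All Users", 1000000, "All Users", "Domain Users", "General User"),
    Policy("Default Provisioning Policy for Employees", 100000, "Employees", "Emp Users", "Employee"),
    Policy("Default Provisioning Policy for Contractors", 100000, "Contractors", "Cntr Users", "Contractor"),
    Policy("Default Provisioning Policy for Vendors", 100000, "Vendors", "Vend Users", "Vendor"),
    Policy("Provisioning Policy for West Coast Employees", 10000, "West Coast Employees", "West Coast", "West Coast Employee"),
    Policy("Provisioning Policy for East Coast Employees", 10000, "East Coast Employees", "East Coast", "East Coast Employee"),
    Policy("Provisioning Policy for West Coast Administrators", 1000, "West Coast Administrators", "Domain Admin", "West Coast Administrator"),
]


def applicable(policies, memberships):
    """Policies the person is a member of, highest precedence (lowest number) first."""
    return sorted((p for p in policies if p.membership in memberships), key=lambda p: p.priority)


def union_join(policies, memberships):
    """Multi-valued attribute with a Union join: every applicable policy contributes a value."""
    return sorted({p.group for p in applicable(policies, memberships)})


def priority_join(policies, memberships):
    """Single-valued attribute with a Priority join: the top-ranked policy's value wins.
    Returns (value, ambiguous); ambiguous is True when another policy ties for the top
    priority with a different value, i.e. the outcome depends on evaluation order."""
    ranked = applicable(policies, memberships)
    if not ranked:
        return None, False
    top = ranked[0]
    ambiguous = any(p.priority == top.priority and p.description != top.description
                    for p in ranked[1:])
    return top.description, ambiguous


def flatten(policies, priority=1):
    """The same policies with every priority left at one value (the 'default of 1' case)."""
    return [replace(p, priority=priority) for p in policies]


if __name__ == "__main__":
    west_coast_employee = {"All Users", "Employees", "West Coast Employees"}
    print(union_join(POLICIES, west_coast_employee), priority_join(POLICIES, west_coast_employee))
    print(priority_join(flatten(POLICIES), west_coast_employee))  # flagged as ambiguous
```

With the table's priorities the Description resolves unambiguously; with every priority forced to 1 the function flags a tie, which is the situation described above.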

As you can see, setting the correct priority for a provisioning policy makes the policies easier to configure and manage and helps determine which policies apply to the policy memberships.
