PingOne Advanced Identity Cloud

Manage policy rules

Policy rules set the criteria for violation conditions, specify whom the criteria apply to, outline the decision options available to the violation owner, determine the scan types, and manage the lifecycle of violations.

  1. In the Advanced Identity Cloud admin console, click Governance > Compliance.

  2. On the Policy Rules tab, click New Rule.

  3. On the New Policy Rule page, enter the policy rule details, and then click Next:

    Field Description

    Name

    Enter a name for your policy rule. Follow any naming convention established by your company.

    Description

    (Optional) Enter a general description for the new policy.

    Owner

    Select a policy owner for this new policy rule.

    Risk Score

    Assign a risk score for this rule. The range is 0 – 100. For example, a high risk score could be 80 – 100 for a rule.

    Mitigating Control

    (Optional) Enter instructions on what to do if a violation is unavoidable.

    Control URL

    (Optional) Enter a URL link to a reference site, such as an internal corporate policy page.

    Correction Advice

    (Optional) Enter instructions on how to correct the violation.

  4. On the Violation Condition page, do the following:

    1. Use the filter to set your initial violation conditions. When done, click , and then click Add Rule or Add Group.

      Field Description

      Select entitlements if Any or All conditions are met.

      Select either Any or All.

      Select a property

      Values could include the following, depending on your glossary items:

      • Description

      • Display Name

      • Entitlement Owner

      • Requestable

      Connector

      Values include:

      • contains

      • is

      • starts with

      • ends with

      Attribute Value

      Enter an attribute.

    2. Next, enter the second condition: the set of entitlements that must not be held together with the entitlements matched by the first condition. A user who holds at least one entitlement matching each of the two conditions is in violation of the rule. When done, click , and then click Add Rule or Add Group. Click Next:

      Field Description

      Select entitlements if Any or All conditions are met.

      Select either Any or All.

      Select a property

      Values include:

      • Description

      • Display Name

      • Entitlement Owner

      • Requestable

      Connector

      Values include:

      • contains

      • is

      • starts with

      • ends with

      Attribute Value

      Enter an attribute.

  5. On the Applies To page, select the end users to whom this policy rule applies. When done, click Next. Values include:

    Field Description

    Applies to

    Options are:

    • All users

    • A single user

    • Users matching a filter: Create a filtered condition to match users.

  6. On the Settings page, select the policy rule settings:

    Field Description

    Violation Owner

    Confirm the violation owner of the policy rule. Select an alternate owner if necessary.

    Decision Options

    Select which decisions the violation owner can take to let a user retain violating access:

    • Enable Allow: Select to let the violation owner allow an end user to retain their violating access permanently.

    • Enable Exception: Select to let the violation owner grant a temporary exception so that the user retains access for a limited time. If you select this option, additional properties are displayed:

      • Exception Duration: Enter the maximum duration of an exception, in days.

      • Require a justification when allowing exceptions: Select this option to always require a justification for the exception.

    Scan Types

    At least one value must be selected. Values include:

    • Preventative: Select to enforce the rule during access requests and provisioning. When this scan type is enabled, an end user who requests a non-compliant entitlement sees the following warning:

      Granting access to these entitlement(s) will result in a Segregation of Duties (SoD) violation.

    • Detective: Select to enforce the rule during compliance scans.

    Violation Lifecycle

    Select the settings for the violation life cycle:

    • When a violation is found: Select a setting if a violation is found. Options are:

      • Do nothing: Click to leave the violation as-is with no corrective action. The violation’s owner must decide what to do with the violation and take corrective action.

      • Launch Violation Workflow: Select the workflow to launch when a rule violation is triggered.

    • Violations Expire: Select whether violations expire automatically. Options are:

      • Never: Never expire the violation automatically.

      • After a specified time: Enter the number of days after which a violation expires.

    • When violation expires: Determines what happens when a violation expires. Options are:

      • Close violation: Closes the expired violation.

        The conflicting entitlements still remain with the user.

      • Create a new violation: Closes the expired violation and creates a new one for the same conflict.

      • Do nothing: The violation expires and no action is taken.

        The conflicting entitlements still remain with the user.

  7. Click Save.
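The violation conditions, scan types and lifecycle settings above describe an evaluation that is easy to misread, so a small model of it follows. This is an added example, not PingOne Advanced Identity Cloud code and not its API; the rule, the entitlement records, the user list and every function name are constructed for illustration only. It shows that a user violates the rule only when they hold entitlements matching both conditions, that the Any/All switch and the four connectors apply to the clauses inside one condition, that the preventative check fires only for a request that would create a new conflict, and that expiring a violation never removes the conflicting entitlements.

```python
"""Illustrative model of a two-condition SoD policy rule.
Added example: not PingOne Advanced Identity Cloud code; all names and data assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The four connectors offered in the Violation Condition filter.
OPERATORS = {
    "contains":    lambda actual, wanted: wanted in actual,
    "is":          lambda actual, wanted: actual == wanted,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
    "ends with":   lambda actual, wanted: actual.endswith(wanted),
}


@dataclass(frozen=True)
class Clause:
    prop: str    # entitlement property, e.g. "Display Name" or "Entitlement Owner"
    op: str      # one of OPERATORS
    value: str   # the attribute value typed into the filter


@dataclass
class Condition:
    match: str            # "Any" or "All": how the clauses of this condition combine
    clauses: list

    def matches(self, ent: dict) -> bool:
        hits = [OPERATORS[c.op](str(ent.get(c.prop, "")), c.value) for c in self.clauses]
        return any(hits) if self.match == "Any" else all(hits)


@dataclass
class PolicyRule:
    name: str
    risk_score: int
    first: Condition                  # condition 1 from the Violation Condition page
    second: Condition                 # condition 2: must not be held together with condition 1
    preventative: bool = True
    detective: bool = True
    expire_after_days: Optional[int] = None   # None models "Never"
    on_expiry: str = "Close violation"        # or "Create a new violation" / "Do nothing"

    def split(self, entitlements):
        """Names of the entitlements matching each side of the rule."""
        side_a = [e["Display Name"] for e in entitlements if self.first.matches(e)]
        side_b = [e["Display Name"] for e in entitlements if self.second.matches(e)]
        return side_a, side_b


def detective_scan(rule, users, today):
    """Detective scan type: find every user holding entitlements on both sides."""
    if not rule.detective:
        return []
    found = []
    for user, ents in users.items():
        a, b = rule.split(ents)
        if a and b:
            expires = today + timedelta(days=rule.expire_after_days) if rule.expire_after_days else None
            found.append({"user": user, "rule": rule.name, "risk": rule.risk_score,
                          "conflict": (sorted(a), sorted(b)), "status": "open", "expires": expires})
    return found


def preventative_check(rule, current, requested):
    """Preventative scan type: the warning text if granting `requested` on top of
    `current` would create a conflict that did not already exist, else None."""
    if not rule.preventative:
        return None
    before_a, before_b = rule.split(current)
    after_a, after_b = rule.split(current + requested)
    if after_a and after_b and not (before_a and before_b):
        return "Granting access to these entitlement(s) will result in a Segregation of Duties (SoD) violation."
    return None


def age_violations(rule, violations, today):
    """Violation lifecycle: apply 'When violation expires'. No option touches the entitlements."""
    out = []
    for v in violations:
        if v["status"] == "open" and v["expires"] is not None and today >= v["expires"]:
            if rule.on_expiry == "Close violation":
                out.append({**v, "status": "closed"})
            elif rule.on_expiry == "Create a new violation":
                out.append({**v, "status": "closed"})
                out.append({**v, "status": "open", "expires": today + timedelta(days=rule.expire_after_days)})
            else:  # "Do nothing"
                out.append({**v, "status": "expired"})
        else:
            out.append(v)
    return out


def ent(name, owner):
    """Constructed entitlement record using the glossary properties named on the page."""
    return {"Display Name": name, "Entitlement Owner": owner, "Requestable": "true"}


# Constructed sample rule and users (assumed, not taken from the product).
RULE = PolicyRule(
    name="AP vendor maintenance vs payment approval", risk_score=90,
    first=Condition("Any", [Clause("Display Name", "starts with", "AP Vendor")]),
    second=Condition("All", [Clause("Display Name", "contains", "Payment"),
                             Clause("Entitlement Owner", "is", "finance-admins")]),
    expire_after_days=30,
)
USERS = {
    "alice": [ent("AP Vendor Maintenance", "finance-admins"), ent("Approve Payment Run", "finance-admins")],
    "bob":   [ent("AP Vendor Maintenance", "finance-admins"), ent("Approve Payment Run", "it-ops")],
    "carol": [ent("Payroll Payment Review", "finance-admins")],
}


def run_demo():
    scan = detective_scan(RULE, USERS, date(2024, 1, 1))
    warn = preventative_check(RULE, USERS["carol"], [ent("AP Vendor Maintenance", "finance-admins")])
    aged = age_violations(RULE, scan, date(2024, 2, 1))
    return {"violators": [v["user"] for v in scan], "warning": warn,
            "statuses": [v["status"] for v in aged]}


if __name__ == "__main__":
    print(run_demo())
```

Only alice is reported by the detective scan: bob's "Approve Payment Run" fails the second condition because the All switch also requires the owner to be finance-admins, and carol holds nothing on the first side. Carol requesting "AP Vendor Maintenance" trips the preventative warning, and after 30 days alice's open violation is closed while both entitlements stay assigned.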

Edit policy rules

  1. In the Advanced Identity Cloud admin console, click Governance > Compliance.

  2. On the Policy Rules tab, click the policy rule you want to change.

  3. Change any of the policy rule settings described above, and then click Save to keep your changes.