Prioritization policy
Prioritization policies make it possible to configure resources in such a way that they are mutually exclusive.
You can use the Prioritization policy data object type to define a number of resources that are mutually exclusive. When more than one resource is assigned to an identity (for each of the accounts of the identity), only one resource is assigned for provisioning on the basis of the selection type of the Prioritization policy. The remaining assignments become disabled (with the effect of being deprovisioned). The RoPE identity calculation will include information on the reason why the assignments were disabled.
Three selection types are available:
- Priority - this selection type assigns the resource with the highest priority/order among the resources selected for the policy.
- Most specific assignment - this selection type assigns the resource that has been assigned "most specifically", defined as the latest assignment in the prioritized list of methods (which considers direct assignments, assignment policies, and survey verdicts).
- Hybrid - this selection type combines the first two. Assignments made via a policy are resolved according to the Priority mode. If one or more direct assignments exist, the Most specific assignment mode is used.
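The following added example (a simplified model, not the product's own code) shows how the three selection types choose between mutually exclusive assignments on one account. The names, the method order in METHOD_ORDER, the rule that 1 is the highest priority, and the tie-break on priority are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: specificity from least to most specific. The page names the
# three methods but not their order; set this to match your installation.
METHOD_ORDER = ("assignment_policy", "direct", "survey_verdict")

@dataclass(frozen=True)
class Assignment:
    resource: str
    method: str      # one of METHOD_ORDER
    priority: int    # assumption: 1 is the highest priority in the policy

def by_priority(assignments):
    return min(assignments, key=lambda a: a.priority)

def by_most_specific(assignments):
    # Assumption: ties on method fall back to the policy priority.
    return min(assignments,
               key=lambda a: (-METHOD_ORDER.index(a.method), a.priority))

def resolve(assignments, selection_type):
    """Return (kept, disabled) for one account's mutually exclusive resources."""
    if selection_type == "priority":
        kept = by_priority(assignments)
    elif selection_type == "most_specific":
        kept = by_most_specific(assignments)
    elif selection_type == "hybrid":
        # Page logic: any direct assignment switches to most-specific mode.
        has_direct = any(a.method == "direct" for a in assignments)
        kept = by_most_specific(assignments) if has_direct else by_priority(assignments)
    else:
        raise ValueError(f"unknown selection type: {selection_type}")
    # Record why each losing assignment was disabled (wording is constructed).
    reason = f"disabled by prioritization policy ({selection_type}); kept {kept.resource}"
    disabled = [(a.resource, reason) for a in assignments if a is not kept]
    return kept, disabled

# Constructed sample: three mutually exclusive mailbox tiers on one account.
SAMPLE = [
    Assignment("Mailbox-Basic", "direct", 3),
    Assignment("Mailbox-Standard", "assignment_policy", 2),
    Assignment("Mailbox-Premium", "assignment_policy", 1),
]

if __name__ == "__main__":
    for mode in ("priority", "most_specific", "hybrid"):
        kept, disabled = resolve(SAMPLE, mode)
        print(mode, "->", kept.resource, "| disabled:", [r for r, _ in disabled])
```

With this sample, Priority keeps the highest-ranked resource even though a direct assignment exists, while Most specific assignment and Hybrid both keep the directly assigned one; reviewing which mode a policy uses therefore matters when a direct assignment is meant to override, or be overridden by, policy-granted access.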
The PrioritizationPolicyExtension must be run before the AttributeValueResolver extension (placed above it in the config file) because the PrioritizationPolicyExtension may disable assignments used in the resource-driven attribute concept in the AttributeValueResolver extension.