Version: On prem: 15.0.2

Prioritization policy

Prioritization policies make it possible to configure resources in such a way that they are mutually exclusive.

You can use the Prioritization policy data object type to define a number of resources that are mutually exclusive. When more than one resource is assigned to an identity (for each of the accounts of the identity), only one resource is assigned for provisioning on the basis of the selection type of the Prioritization policy. The remaining assignments become disabled (with the effect of being deprovisioned). The RoPE identity calculation will include information on the reason why the assignments were disabled.

Three selection types are available:

  • Priority - this selection type assigns the resource with the highest priority/order among the resources selected for the policy.

  • Most specific assignment - this selection type assigns the resource that has been assigned "most specifically", defined as the latest assignment in the prioritized list of the following three methods:

    • Direct assignments
      • Find the direct assignment with the latest creation date for the Resource Assignment object. If no assignment is found, proceed to the assignment policies method.
    • Assignment policies
      • Use a closeness factor to prioritize assignments based on their contextual significance according to policy. For instance, a policy specific to an identity's department will take precedence over a policy pertaining to the division as a whole. Assignments governed solely by scoping views will be assigned the lowest priority.
      • In cases where two or more assignment policies possess the same closeness factor, a warning will be generated during the calculation process.
      • Should no assignment be found, proceed to the survey verdicts method.
    • Survey verdicts
      • If there are multiple verdicts, prioritize the one with the latest creation date.
      • If none of the verdicts results in a definitive winner, check if the resource is a child resource. If so, attempt to locate the prioritized resource from its parent(s) using the same three methods explained above.
  • Hybrid - the Hybrid method combines the first two methods, giving precedence to direct assignments. If there are direct assignments present, the Most specific assignment type will be utilized to identify the prioritized resource. Alternatively, if no direct assignments are found, the Priority selection type will be employed.
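
The three selection types can be compared side by side with a small model. This is an added illustration, not Omada code or configuration: the `Assignment` class, the function names, the sample license resources, the reading of "highest priority" as first in the `order` list, the reading of a larger closeness value as "closer", and the name-based tie-break are all assumptions, and the parent-resource fallback is left out.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Assignment:            # illustrative model, not an Omada data object
    resource: str
    kind: str                # "direct", "policy" or "verdict"
    created: date
    closeness: int = 0       # assumption: larger value = closer to the identity

def by_priority(assignments, order):
    # Assumption: `order` lists the policy's resources, highest priority first.
    held = {a.resource for a in assignments}
    return next((r for r in order if r in held), None)

def most_specific(assignments, warnings):
    direct = [a for a in assignments if a.kind == "direct"]
    if direct:               # method 1: latest-created direct assignment
        return max(direct, key=lambda a: a.created).resource
    policy = [a for a in assignments if a.kind == "policy"]
    if policy:               # method 2: highest closeness factor
        top = max(a.closeness for a in policy)
        tied = sorted({a.resource for a in policy if a.closeness == top})
        if len(tied) > 1:    # the page only says a warning is generated
            warnings.append(f"equal closeness factor {top}: {tied}")
        return tied[0]       # assumption: tie broken by name for determinism
    verdicts = [a for a in assignments if a.kind == "verdict"]
    if verdicts:             # method 3: latest-created survey verdict
        return max(verdicts, key=lambda a: a.created).resource
    return None              # parent-resource fallback is not modelled

def resolve(assignments, selection, order=()):  # -> (winner, disabled, warnings)
    warnings = []
    has_direct = any(a.kind == "direct" for a in assignments)
    if selection == "priority" or (selection == "hybrid" and not has_direct):
        winner = by_priority(assignments, order)
    else:                    # "most_specific", or hybrid with a direct assignment
        winner = most_specific(assignments, warnings)
    disabled = sorted({a.resource for a in assignments} - {winner})
    return winner, disabled, warnings

# Constructed sample: three mutually exclusive license resources for one account.
ORDER = ["Standard", "Premium", "Basic"]
SAMPLE = [Assignment("Premium", "policy", date(2024, 1, 10), 2),    # department policy
          Assignment("Standard", "policy", date(2024, 1, 10), 1),   # division policy
          Assignment("Basic", "direct", date(2024, 3, 1))]

for selection in ("priority", "most_specific", "hybrid"):
    print(selection, resolve(SAMPLE, selection, ORDER))
```

With the direct assignment removed from the sample, Hybrid falls back to Priority and selects a different resource than Most specific assignment does, which is the case worth checking when reviewing why an assignment was disabled.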

info

The PrioritizationPolicyExtension must be run before the AttributeValueResolver extension (placed above it in the config file) because the PrioritizationPolicyExtension may disable assignments used in the resource-driven attribute concept in the AttributeValueResolver extension.