1. Using Advanced Controls
  2. Autogenerate Provisioning Rules

Autogenerate Provisioning Rules

To identify pairs of conflicting roles, the Generate Provisioning Rules job evaluates all active access controls in your environment, regardless of whether the person who runs the job is authorized to work with them.

To autogenerate rules:

  1. In the Advanced Controls work area, click the Provisioning Rules tab.

  2. In the Provisioning Rules page, click the Generate Provisioning Rules button. A message reports a number identifying the job; make a note of it.

  3. Click the Monitor Jobs button to navigate to the Monitor Jobs page. In the row for the number you noted, determine when the Generate Provisioning Rules job status reaches Completed.

  4. Click the Done icon in the Monitor Jobs page to return to the Provisioning Rules page.

When the Generate Provisioning Rules job finishes running, the Provisioning Rules page displays an Autogenerated Rules panel, which contains a row for each access control that generated rules. Each row:

  • Reports the control name.

  • Reports the number of rules generated for the control. Each control may define multiple conflicts, for example among multiple access points included in entitlements. Paths to these access points may involve numerous roles. Since each provisioning rule involves only two conflicting roles, each control may generate many rules. Rules may define conflicts between job roles, between duty roles, and between job and duty role combinations.

  • Permits you to export rule data to a spreadsheet. Click the Export icon. A file-download window offers you options to open or save the export file. Select the Save option. The export file is saved in .xls format in your downloads folder. The file documents pairs of conflicting roles identified by the control whose row you're exporting from.

You can sort the control list by control name or by rule count; you can also use a search field to search for controls by name. A field beneath the search field reports the date and time of the most recent run of the Generate Provisioning Rules job.

The Generate Provisioning Rules job has no effect on any provisioning rules you create or edit manually.