Identity Access Management Policy Life Cycle

Describes the life cycle of an identity access management (IAM) policy.

An identity access management (IAM) policy goes through the following stages during its life cycle.

It is important to remember the following with respect to enforcement of an IAM policy:

  • An IAM policy must be active and assigned before it can be enforced on SSO users and/or SSO groups, and roles. Similarly, an IAM policy must be inactive before it can be disarmed.
  • The time taken to enforce an IAM policy is anywhere between 2 and 30 minutes in a multi-cluster environment, depending on the number of identities involved in the operation.

| Policy State | Policy State Description | Supported Transitions to other Policy States |
|---|---|---|
| Unassigned | Policy is yet to be assigned to an identity | Policy can be assigned, modified, or deleted |
| Assigned | Policy is assigned to an identity but not yet enforced | Policy can be unassigned from the current fabric resources to which it is assigned, modified, and deleted |
| Enforcing | Policy enforcement is in progress | The IAM policy cannot be assigned, unassigned, modified or deleted during the transient phase. |
| Enforced | Policy enforcement is complete | The IAM policy can be assigned, unassigned, modified, or deleted to other fabric resources. |
| Disarming | Policy deactivation is in progress | Policy cannot be assigned, unassigned, modified, or deleted. |
| Disarmed | Policy is deactivated | The IAM policy can be assigned, unassigned, modified, or deleted. |