Identity Access Management Policy Life Cycle
Describes the life cycle of identity management policy.
An identity access management (IAM) policy goes through the following stages during its life cycle.
It is important to remember the following with respect to enforcement of an IAM policy:
- An IAM policy must be active and assigned to be enforceable on SSO users and/or SSO groups, and roles. Similarly, an IAM policy must be inactive before it can be disarmed.
- The time taken to enforce an IAM policy is anywhere between 2 and 30 minutes in a multi-cluster environment, depending on the number of identities involved in the operation.
Policy State | Policy State Description | Supported Transitions to other Policy States |
---|---|---|
Unassigned | Policy is yet to be assigned to an identity | Policy can be assigned, modified, or deleted |
Assigned | Policy is assigned to an identity but not yet enforced | Policy can be unassigned from the fabric resources to which it is currently assigned, modified, or deleted |
Enforcing | Policy enforcement is in progress | The IAM policy cannot be assigned, unassigned, modified or deleted during the transient phase. |
Enforced | Policy enforcement is complete | The IAM policy can be assigned to other fabric resources, unassigned, modified, or deleted. |
Disarming | Policy deactivation is in progress | Policy cannot be assigned, unassigned, modified, or deleted. |
Disarmed | Policy is deactivated | The IAM policy can be assigned, unassigned, modified, or deleted. |
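
The following is an added example, not part of the original page or the product's own code. It encodes the table above as a guard for change automation and audits recorded state observations for policies that are not yet in effect or have sat in a transient state past the 30-minute upper bound. How the observations are collected, the policy names, and the use of 30 minutes as an alert threshold are assumptions.

```python
from datetime import datetime, timedelta

ALL = {"assign", "unassign", "modify", "delete"}
# Operations each state accepts, taken from the life-cycle table.
ALLOWED_OPS = {
    "Unassigned": ALL - {"unassign"},
    "Assigned": ALL - {"assign"},
    "Enforcing": set(),  # transient: every change is refused
    "Enforced": ALL,
    "Disarming": set(),  # transient: every change is refused
    "Disarmed": ALL,
}
TRANSIENT = {s for s, ops in ALLOWED_OPS.items() if not ops}
# Assumption: use the page's 30-minute upper bound as the alert threshold.
MAX_TRANSIENT = timedelta(minutes=30)

def can_apply(state, op):
    """True if the table allows `op` on a policy currently in `state`."""
    if state not in ALLOWED_OPS:
        raise ValueError(f"unknown policy state: {state!r}")
    return op in ALLOWED_OPS[state]

def audit(observations, now):
    """Findings for unsettled policies; input: time-ordered (iso_ts, policy, state)."""
    current = {}  # policy -> (state, when that state was first seen)
    for ts, policy, state in observations:
        can_apply(state, "modify")  # raises on an unknown state name
        if policy not in current or current[policy][0] != state:
            current[policy] = (state, datetime.fromisoformat(ts))
    findings = {}
    for policy, (state, since) in current.items():
        if state in TRANSIENT and now - since > MAX_TRANSIENT:
            findings[policy] = f"stalled in {state}"
        elif state in TRANSIENT:
            findings[policy] = f"{state} in progress, changes refused"
        elif state == "Assigned":
            findings[policy] = "assigned but not yet enforced"
    return findings

# Constructed sample observations, not output from any real product.
SAMPLE = [
    ("2024-05-01T10:00:00", "admins-ro", "Assigned"),
    ("2024-05-01T10:01:00", "admins-ro", "Enforcing"),
    ("2024-05-01T10:02:00", "ops-rw", "Enforcing"),
    ("2024-05-01T10:05:00", "admins-ro", "Enforcing"),
    ("2024-05-01T10:09:00", "ops-rw", "Enforced"),
    ("2024-05-01T10:20:00", "auditors", "Assigned"),
    ("2024-05-01T10:30:00", "contractors", "Disarming"),
]
```

Calling `audit(SAMPLE, now)` with `now` set to 10:40 on the same day reports `admins-ro` as stalled, `auditors` as not yet enforced, and `contractors` as mid-disarm, while `ops-rw` is settled and produces no finding.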