Create a Policy

A policy evaluates applications or application users against defined conditions and creates violations when those conditions are met.

Effective policy configuration requires:

  • Integrated or discovered applications.
  • Available application or application user attributes for evaluation.
  • A clearly defined entity type for enforcement.
  • A defined enforcement objective.
  • Appropriate permissions to create and publish policies.

Examples of common enforcement objectives:

  • Detect applications marked as Restricted.
  • Identify application users inactive for a specified period.
  • Flag applications without assigned owners.
  • Detect license over-allocation or usage anomalies.

A defined objective ensures that scope and rule configuration align with the intended governance outcome.

Policy Components

A policy includes the following components:

  • Basic details
  • Triggers
  • Scope
  • Rules
  • Remediation

Each component defines a specific aspect of policy behavior.

Basic details

Basic details identify the policy and establish accountability.

This includes:

  • Policy name
  • Description
  • Severity level
  • Owners
  • Assignees

Owners oversee governance enforcement.

Assignees manage generated violations.

Triggers

Triggers determine when a policy runs.

A policy runs only after a configured trigger activates. A policy may include one or more triggers.

Trigger types

Policies support two trigger types:

Event-based trigger

Runs when a defined system event occurs, such as a change to an application or application user attribute.

Scheduled trigger

Runs at defined intervals, such as daily, weekly, or monthly.

Both trigger types can be configured within the same policy.

Scope

Scope defines the entities evaluated by the policy.

Scope configuration includes:

  • Selecting the entity type (Application or Application User)
  • Defining inclusion criteria
  • Optionally defining exclusion criteria

Only entities that match inclusion conditions and do not match exclusion conditions are evaluated.

At least one inclusion condition is required.

Rules

Rules define the conditions that generate violations.

Rules are evaluated against entities that match the defined scope.

Configuration includes:

  • Selecting the entity type
  • Defining inclusion criteria
  • Optionally defining exclusion criteria
  • Applying operators such as equal to, greater than, less than, or in range

When rule conditions evaluate as true, the system creates a violation.

Remediation

Remediation defines the action taken after a violation is created.

Remediation includes:

  • Enforcement mode (Monitor or Enforce)
  • Remediation steps
  • Notification settings

Monitor (Detect Only) records violations without enforcement.

Enforce (Detect and Enforce) initiates enforcement actions in addition to detection.

Policy evaluation flow

When a trigger activates, the system:

  1. Loads the defined scope.
  2. Identifies matching entities.
  3. Evaluates rule conditions.
  4. Creates violations for matching entities.
  5. Initiates remediation actions, if configured.
  6. Records execution details in the Policy Run log.

Active exemptions suppress enforcement during evaluation.
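The evaluation flow above, worked through for the "application users inactive for a specified period" objective, as an added Python example that is not part of this page or of the product: scope inclusion and exclusion, the four rule operators, violation creation, the Monitor/Enforce remediation mode, exemption handling and a Policy Run log entry. The attribute names, the (attribute, operator, value) condition format and the log fields are assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample application-user inventory (attribute names are assumed).
USERS = [
    {"id": "u1", "app": "crm", "status": "active", "days_inactive": 120, "is_admin": False},
    {"id": "u2", "app": "crm", "status": "active", "days_inactive": 5, "is_admin": False},
    {"id": "u4", "app": "crm", "status": "deprovisioned", "days_inactive": 400, "is_admin": False},
    {"id": "u5", "app": "crm", "status": "active", "days_inactive": 300, "is_admin": True},
    {"id": "u6", "app": "crm", "status": "active", "days_inactive": 95, "is_admin": False},
]
# Operators named on the page; a condition is a tuple (attribute, operator, value).
OPERATORS = {
    "equal_to": lambda v, x: v == x,
    "greater_than": lambda v, x: v is not None and v > x,
    "less_than": lambda v, x: v is not None and v < x,
    "in_range": lambda v, x: v is not None and x[0] <= v <= x[1],
}

def matches(entity, conditions):  # every condition must hold (conditions are ANDed)
    return all(OPERATORS[op](entity.get(attr), val) for attr, op, val in conditions)

@dataclass
class Policy:
    name: str
    entity_type: str                               # "Application" or "Application User"
    inclusion: list                                # scope inclusion criteria (required)
    exclusion: list = field(default_factory=list)  # optional scope exclusion criteria
    rules: list = field(default_factory=list)      # conditions that create a violation
    mode: str = "monitor"                          # "monitor" (detect only) or "enforce"

def run_policy(policy, entities, exemptions=frozenset()):
    """One policy run: scope -> rules -> violations -> remediation -> run log entry."""
    if not policy.inclusion:
        raise ValueError("at least one inclusion condition is required")
    in_scope = [e for e in entities if matches(e, policy.inclusion)
                and not (policy.exclusion and matches(e, policy.exclusion))]
    violations, enforced = [], []
    for e in in_scope:
        if matches(e, policy.rules):
            violations.append(e["id"])
            # Assumption: an active exemption suppresses the enforcement action only;
            # the violation itself is still recorded.
            if policy.mode == "enforce" and e["id"] not in exemptions:
                enforced.append(e["id"])
    log = {"policy": policy.name, "entity_type": policy.entity_type, "scoped": len(in_scope),
           "violations": len(violations), "enforced": len(enforced)}
    return violations, enforced, log
# Enforcement objective from the page: application users inactive for a period (assumed 90 days).
INACTIVE_CRM_USERS = Policy("Inactive CRM users", "Application User",
    inclusion=[("app", "equal_to", "crm"), ("status", "equal_to", "active")],
    exclusion=[("is_admin", "equal_to", True)],
    rules=[("days_inactive", "greater_than", 90)], mode="enforce")
```

Calling `run_policy(INACTIVE_CRM_USERS, USERS, exemptions={"u6"})` records violations for u1 and u6 but enforces only against u1; the admin user u5 is excluded from scope and the deprovisioned user u4 never enters it.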