Steps to Create a Policy

Follow these steps to create and publish a policy.

Basic & Triggers

  1. Navigate to Identity Governance & Administration > Policy > Policy Library.
  2. Select Create Policy.
  3. Enter a unique Policy Name.
  4. Enter a Description.
  5. Confirm the Type. The type is set to Application Governance Policy.
  6. Assign one or more Owners. Up to three owners can be assigned.
  7. Assign one or more Assignees. Up to five assignees can be assigned.
  8. Select a Severity:
    • Low
    • Medium
    • High

Add a Trigger

  1. Select + Add Trigger.
  2. In the Select a Trigger panel, choose one of the following:
    • Scheduled
    • App Ownership Changed
    • App Subcategory Changed
    • App Type Changed
    • New App Discovered
    • Application Archive
    • Application Unarchive
    • App Link Updated
    • App Status Changed
    • App Auth Status Change
    • App User Status Change
  3. Configure trigger settings:
    • For Scheduled, configure frequency, time, and timezone.
    • For event-based triggers, define required conditions such as Changed from and Changed to.
  4. Select Save.
  5. Select Next.

Multiple triggers can be configured within the same policy.

Scope

  1. Select the Entity Type:
    • Application
    • Application User
  2. Under Include, define which entities the policy evaluates:
    • Select Scope Applications to choose specific applications.
    • Or select Add by Criteria to define attribute-based conditions.
  3. Define at least one inclusion condition. This is required.
  4. Under Exclude (Optional), define exclusions if needed:
    • Scope specific applications
    • Or define exclusion criteria using attributes
  5. Select Save and Preview.
  6. Review matching entities in the preview panel.
  7. Select Next.

Rules

  1. Select the Entity Type:
    • Application
    • Application User
  2. Under Include, select Add by Criteria.
  3. In the filter panel:
    • Select a category such as Application, Licence, Contract, Spend/Cost, or User.
    • Select the required attribute.
    • Choose an operator such as:
      • Is greater than
      • Is greater than or equal to
      • Is less than
      • Is less than or equal to
      • Is equal to
      • Is in range
    • Enter the comparison value.
    • Select Apply Filter.
  4. Use Add Filter to add additional conditions within the same criteria set.
  5. Use Add Filter Group to define additional logical groups.
  6. Under Exclude (Optional), define exclusion conditions if required.
  7. Select Save and Preview.
  8. Review matching entities in the preview panel.
  9. Select Next.

Rules define the violation criteria evaluated against scoped entities.

Remediation

  1. Under Remediation, select a Mode:
    • Monitor (Detect Only) — Records violations without enforcement.
    • Enforce (Detect and enforce) — Records violations and executes a selected playbook.
  2. If Monitor is selected, enter the required Remediation steps.
  3. If Enforce is selected, select the required Playbook.
  4. Enable Allow exemptions if policy owners should be able to request exemptions.
  5. Review notification events:
    • New Violation Detected
    • Policy Status Changed
    • Exemption Created
    • Exemption Revoked
    • Remediation Failed
    • Policy Evaluation Failed
  6. Select Next.

Review & Publish

  1. Review the configuration summary:
    • Basics & Trigger
    • Scope
    • Rules
    • Remediation
  2. Select the edit icon next to any section to modify configuration if required.
  3. Enter a required Publish Note.
  4. Select Publish.

After Publishing

  • The policy status changes to Published – v1.
  • The policy appears in Policy Library with status Published.
  • The system records:
    • Published Version
    • Published On
    • Published By

If the policy remains unpublished, the status remains Draft, and the policy does not execute.
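
The Scope, Rules, and Remediation steps above combine into one evaluation pass. The sketch below is an added example, not the product's implementation or API. It is a simplified model for reasoning about which entities a policy would flag before relying on the preview panel. Assumptions: filters within one criteria set are combined with AND, exclusion takes precedence over inclusion, "Is in range" is inclusive, and all attribute names, application names, and the playbook name are hypothetical.

```python
import operator

# Operators as listed in the Rules step of this page.
OPERATORS = {
    "Is greater than": operator.gt,
    "Is greater than or equal to": operator.ge,
    "Is less than": operator.lt,
    "Is less than or equal to": operator.le,
    "Is equal to": operator.eq,
    # Assumption: bounds are inclusive and given as a (low, high) pair.
    "Is in range": lambda actual, bounds: bounds[0] <= actual <= bounds[1],
}

def matches_all(entity, filters):
    """True when the criteria set is non-empty and every filter matches.
    Assumption: filters in one criteria set are combined with AND."""
    return bool(filters) and all(
        attr in entity and OPERATORS[op](entity[attr], value)
        for attr, op, value in filters
    )

def evaluate(policy, entities):
    """One evaluation run: returns (violations, playbook_runs)."""
    violations, playbook_runs = [], []
    for entity in entities:
        # Scope: included and not excluded (assumption: exclusion wins).
        in_scope = (matches_all(entity, policy["include"])
                    and not matches_all(entity, policy["exclude"]))
        # Rules are evaluated only against scoped entities.
        if in_scope and matches_all(entity, policy["rules"]):
            violations.append(entity["name"])
            if policy["mode"] == "Enforce":  # Monitor only records
                playbook_runs.append((policy.get("playbook"), entity["name"]))
    return violations, playbook_runs

# Constructed sample data; attribute names are hypothetical.
APPS = [
    {"name": "CRM", "status": "Active", "unused_licences": 25},
    {"name": "Payroll", "status": "Active", "unused_licences": 40},
    {"name": "Wiki", "status": "Active", "unused_licences": 3},
    {"name": "LegacyFTP", "status": "Archived", "unused_licences": 90},
]
POLICY = {
    "include": [("status", "Is equal to", "Active")],
    "exclude": [("name", "Is equal to", "Payroll")],
    "rules": [("unused_licences", "Is greater than", 10)],
    "mode": "Monitor",
}

print(evaluate(POLICY, APPS))  # (['CRM'], [])
```

In this model, Payroll and LegacyFTP both satisfy the rule but never produce a violation, because one is excluded and the other is out of scope. The same check on a real policy is to review exclusions in the preview panel before publishing.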