Policy Configuration
Policies control who can use self-service and under what conditions.
Policy Basics
A policy defines:
- Who: Target groups or OUs
- What: Allowed actions (unlock, reset)
- When: Risk thresholds for auto-approval
Creating a Policy
- Go to Policies → Create Policy
- Configure settings (see below)
- Click Save
Basic Settings
| Field | Description |
|---|---|
| Name | Descriptive name |
| Description | Purpose of policy |
| Active | Enable/disable |
| Priority | Order of evaluation |
Scope Settings
| Field | Description |
|---|---|
| Target Groups | AD groups to include |
| Target OUs | OUs to include |
| Exclude Groups | AD groups to exclude |
Action Settings
| Action | Description |
|---|---|
| Account Unlock | Allow unlocking accounts |
| Password Reset | Allow resetting passwords |
Risk Thresholds
| Threshold | Action When Exceeded |
|---|---|
| Auto-approve | Request auto-approved |
| Notify | Auto-approve but alert admin |
| Manual approval | Require admin approval |
| Block | Deny request |
Example Policies
Standard Employees
```yaml
name: Standard Employees
target_ous:
  - "OU=Staff,OU=Users,DC=company,DC=local"
exclude_groups:
  - "Domain Admins"
actions:
  - unlock
  - reset_password
thresholds:
  auto_approve: 30
  notify: 50
  manual_approve: 79
  block: 80
```
IT Department (Stricter)
```yaml
name: IT Department
target_groups:
  - "IT Staff"
exclude_groups:
  - "Domain Admins"
actions:
  - unlock
  - reset_password
thresholds:
  auto_approve: 20
  notify: 35
  manual_approve: 50
  block: 60
```
Contractors (Limited)
```yaml
name: Contractors
target_ous:
  - "OU=Contractors,DC=company,DC=local"
actions:
  - unlock  # No password reset
thresholds:
  auto_approve: 15
  notify: 25
  manual_approve: 40
  block: 50
```
Policy Evaluation
When a request is made:
- Find policies matching user (by group/OU)
- If multiple match, use most restrictive
- Calculate risk score
- Apply threshold rules
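The evaluation steps above, sketched as an added example (not the product's own code) that runs against the three example policies from this page. The function names, the user record shape, and the semantics are assumptions: a request with no matching policy is denied, "most restrictive" means the lowest block threshold, and any score above notify but below block goes to manual approval.

```python
# Added example. Policy data is copied from the example policies on this page;
# the matching and threshold semantics below are assumptions, not the product's code.
POLICIES = [
    {"name": "Standard Employees",
     "target_ous": ["OU=Staff,OU=Users,DC=company,DC=local"],
     "exclude_groups": ["Domain Admins"],
     "actions": ["unlock", "reset_password"],
     "thresholds": {"auto_approve": 30, "notify": 50, "manual_approve": 79, "block": 80}},
    {"name": "IT Department",
     "target_groups": ["IT Staff"],
     "exclude_groups": ["Domain Admins"],
     "actions": ["unlock", "reset_password"],
     "thresholds": {"auto_approve": 20, "notify": 35, "manual_approve": 50, "block": 60}},
    {"name": "Contractors",
     "target_ous": ["OU=Contractors,DC=company,DC=local"],
     "actions": ["unlock"],
     "thresholds": {"auto_approve": 15, "notify": 25, "manual_approve": 40, "block": 50}},
]

def _lower(values):
    return {v.lower() for v in values}

def matches(policy, user):
    """True if the user is in scope: not excluded, and in a target group or OU."""
    groups = _lower(user["groups"])
    if groups & _lower(policy.get("exclude_groups", [])):
        return False
    dn = user["dn"].lower()
    in_ou = any(dn.endswith("," + ou.lower()) for ou in policy.get("target_ous", []))
    return in_ou or bool(groups & _lower(policy.get("target_groups", [])))

def decide(user, action, risk_score, policies=POLICIES):
    """Return (decision, policy_name) for one self-service request."""
    matched = [p for p in policies if matches(p, user)]
    if not matched:
        return "block", None                      # assumption: no policy means deny
    # Assumption: "most restrictive" is the policy with the lowest block threshold.
    policy = min(matched, key=lambda p: p["thresholds"]["block"])
    t = policy["thresholds"]
    if action not in policy["actions"] or risk_score >= t["block"]:
        return "block", policy["name"]
    if risk_score <= t["auto_approve"]:
        return "auto_approve", policy["name"]
    if risk_score <= t["notify"]:
        return "notify", policy["name"]
    return "manual_approval", policy["name"]      # everything between notify and block
```

Under this model the Contractors policy, which lists no exclude_groups, would still match a Domain Admins member whose account sits in that OU.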