Manage automated rules

Discover how to create, edit and optimize automated rules


This article describes use cases for IGA admins to manage automated rules, which grant access rights (entitlements and/or business roles) to users automatically, based on the user's employment-related information, for example organizational unit, cost center or title.

The IGA solution can manage different types of rules:

  • Attribute-Based Access Controls (ABAC) - Grant or remove access rights automatically based on information such as “is the user a manager?”
  • Role-Based Access Controls (RBAC) - Grant or remove access rights automatically based on the user's title
  • Organizational-Based Access Controls (OrBAC) - Grant or remove access rights automatically based on the user's organizational unit or cost center
  • One-time mass updates - Grant or remove entitlements or business roles to/from users. IGA admin can execute these when needed.

It is important to distinguish automated rules from birth rights, which are managed via account management settings and are granted only once, when the account is created (to all users who have the same user type).

Birth rights and automated rules can be used simultaneously. In these cases birth rights are granted first and automated rules after that, which means that automated rules can immediately overwrite or change birth rights (for example, all employee-type users get minimum access to email, but an automated rule gives certain users with the same title, organizational unit or cost center extended access to email).

This use case is part of IGA Growth and Enterprise packages. 


 

Important!

Access rights granted by an automated rule are always also removed by the rule. This means that an end user cannot remove automatically granted access rights from Self-Service, but can see them as active access rights in Self-Service.

 

 

Use case descriptions

Use cases for automation

This chapter describes how automated rules grant or remove access rights (entitlements and/or business roles) to/from the user during user lifecycle management processes.

A user can see in Self-Service their own access rights granted by automated rules, but cannot request them to be removed.

A manager can see in Self-Service their own and their subordinates' access rights granted by automated rules, but cannot request them to be removed.

 

Description

Overview: These use cases describe how automated rules work as part of the user lifecycle management use cases. These use cases are fully automated; see the separate chapter for IGA admin use cases.

Operators: IGA solution

Prerequisites: The customer has user lifecycle management use cases in use (users' employment-related information is received from a source system).

Result: An automated rule grants or removes access rights based on the received employment-related information of users. IGA admin can also use automated rules for one-time mass updates.


Automated rules during user creation
  1. The new user's personal and employment-related information is received by the IGA solution
    • Options for receiving data are described in the user lifecycle management use cases
  2. IGA solution
    • Creates the user in the IGA solution according to work period management
    • Creates user account(s) in the directory/directories according to account management
      • Note that birth rights are granted at this point
    • Checks the active automated rules to see whether a title, cost center or organizational unit matches the user's work period information
    • Starts provisioning towards the directory/directories
  3. Auditing details are saved and the process ends

Automated rules during user updates
  1. Changes in the user's personal and employment-related information are received by the IGA solution
    • Options for receiving data are described in the user lifecycle management use cases
  2. IGA solution
    • Updates user information in the IGA solution according to work period management
    • Checks the user's work period information to see whether title, cost center or organizational unit information has changed
    • Checks the active automated rules to see whether access rights (entitlements and/or business roles) are removed or added based on the rule
    • Starts provisioning towards the directory/directories
  3. Auditing details are saved and the process ends

Automated rules when updating departing user information
  1. The user's work period end date is received by the IGA solution
    • Options for receiving data are described in the user lifecycle management use cases
  2. IGA solution
    • Checks the account management settings to determine when access rights are removed from the user

Automated rule for one-time mass updates
  1. IGA admin creates an automated rule for a one-time mass update
  2. IGA solution
    • Calculates the users matching the rule and adds/removes entitlements or business roles to/from those users according to the rule content
    • Saves auditing details
 
 

Use cases for IGA admins

 

This chapter describes use cases for IGA admins to create, update, inactivate and report on automated rules.

 

Description

Overview: These use cases describe how IGA admin can define and change automated rules, which grant or remove access rights automatically to/from users based on their employment-related information. IGA admin can also use automated rules for one-time mass updates.

Operators: IGA admin, IGA solution

Prerequisites: The customer has user lifecycle management use cases in use (users' employment-related information is received from a source system).

Result: IGA admin has created, updated or inactivated an automated rule. Automated rules grant or remove access rights (entitlements and/or business roles) based on the received employment-related information of users or based on IGA admin actions.


Create automated rule
  1. IGA admin
    • Opens the IGA automated rule view
    • Selects “new” from the view
    • Fills in the required information
      • Automated rule information: name, description and type of the rule (continuous or one-time)
      • Automated rule relations define which attributes are used for granting the rule content to users
      • Automated rule content defines which access rights (entitlements or business roles) are granted automatically to users
    • Saves the data card
  2. IGA solution starts calculating how many and which users the new rule is going to grant access rights (entitlements and/or business roles) to
  3. IGA admin
    • Validates from the provisioning preview that the automated rule grants/removes access rights correctly to/from users
    • If the rule is correct, IGA admin can start provisioning by editing the provisioning preview information: selecting “start provisioning”, setting an execution time for the rule and saving the data card
      • IGA solution starts provisioning according to the execution time, and adds access rights (entitlements and/or business roles) to the related users for whom one of the selected attributes matches the user's work period information.
      • It is recommended to set the time outside the busiest business hours, especially if the rule causes a lot of provisioning towards the directory/directories
    • If the rule is incorrect, IGA admin can cancel the changes by editing the provisioning preview information: selecting “cancel changes” and saving the data card.
      • IGA solution does not start provisioning, but cancels the changes so that IGA admin can redo the rule.
  4. Auditing details are saved and the process ends.

Update existing automated rule
  1. IGA admin can only update existing continuous rules
    • Opens the IGA automated rule view
    • Selects the existing data card from the list view
    • Changes settings for
      • Automated rule information - a name or description change affects auditing, where the same rule ID then appears with different names and descriptions, but the change does not start any provisioning towards the directory/directories.
      • Automated rule attributes - changing the rule attributes of an active rule adds or removes access rights from users with a certain title, cost center or organizational unit.
      • Automated rule content - changing the content of an active rule adds or removes access rights (entitlements or business roles) from the users
  2. IGA solution starts calculating how many and which users the rule is going to grant or remove access rights (entitlements and/or business roles) for
  3. IGA admin validates that the automated rule grants access rights correctly to users
    • If the rule is correct, IGA admin can start provisioning by editing the provisioning preview information: selecting “start provisioning”, setting an execution time for the rule and saving the data card
      • IGA solution starts provisioning according to the execution time, and adds and/or removes access rights from the related users based on the change.
      • It is recommended to set the time outside the busiest business hours, especially if the rule causes a lot of provisioning towards the directory/directories
    • If the rule is incorrect, IGA admin can cancel the changes by editing the provisioning preview information: selecting “cancel changes” and saving the data card.
      • IGA solution does not start provisioning, but cancels the changes so that IGA admin can redo the rule.
  4. Auditing details are saved and the process ends.

Inactivate existing rule
  1. IGA admin can only inactivate existing continuous rules
    • Opens the IGA automated rule view
    • Selects the existing data card from the list view
    • Selects the inactivate rule option by editing the provisioning preview information
    • Adds an execution time for the access right removal
    • Saves the data card
      • IGA solution starts provisioning according to the execution time, and removes the related access rights (entitlements and/or business roles) from all related users.
      • It is recommended to set the time outside the busiest business hours, especially if the rule causes a lot of provisioning towards the directory/directories
  2. Auditing details are saved and the process ends.
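
The provisioning preview that IGA admin validates when creating, updating or inactivating a rule can be reasoned about as a per-user difference between what the rule granted before the change and what it grants after it. The Python below is an added example, not code from the IGA solution: the Rule class, its field names, and the sample users and entitlement names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Rule:
    # Rule relations: attribute values that select users.
    titles: frozenset = frozenset()
    cost_centers: frozenset = frozenset()
    org_units: frozenset = frozenset()
    # Rule content: entitlements and/or business roles the rule grants.
    content: frozenset = frozenset()
    active: bool = True

def granted(rule, user):
    """Access rights this rule gives the user; one matching attribute is enough."""
    if rule is None or not rule.active:
        return frozenset()
    hit = (user["title"] in rule.titles
           or user["cost_center"] in rule.cost_centers
           or user["org_unit"] in rule.org_units)
    return rule.content if hit else frozenset()

def preview(old, new, users):
    """Map user id -> (rights to add, rights to remove) for affected users only."""
    changes = {}
    for user in users:
        before, after = granted(old, user), granted(new, user)
        if before != after:
            changes[user["id"]] = (sorted(after - before), sorted(before - after))
    return changes

# Constructed sample data (hypothetical users and entitlement names).
USERS = [
    {"id": "u1", "title": "Accountant", "cost_center": "CC100", "org_unit": "Finance"},
    {"id": "u2", "title": "Developer", "cost_center": "CC200", "org_unit": "R&D"},
    {"id": "u3", "title": "Controller", "cost_center": "CC100", "org_unit": "Finance"},
]
V1 = Rule(titles=frozenset({"Accountant"}), content=frozenset({"erp-read"}))
V2 = replace(V1, titles=frozenset({"Controller"}), org_units=frozenset({"R&D"}),
             content=frozenset({"erp-read", "erp-post"}))
INACTIVE = replace(V2, active=False)

if __name__ == "__main__":
    print("create    ", preview(None, V1, USERS))
    print("update    ", preview(V1, V2, USERS))
    print("inactivate", preview(V2, INACTIVE, USERS))
```

In the update case, changing the title attribute removes the rule-granted right from u1 while the added organizational unit pulls in u2, which is the kind of side effect the preview step is there to catch before provisioning starts.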
Auditing & reporting

The IGA solution contains ready-made reports for automated rules, but reporting is mainly done when auditing users' access rights or entitlement relations.

  • Automated rules related to organization units
  • Automated rules related to titles
  • Automated rules related to cost centers
  • Entitlements related to automated rules

IGA admin can easily create new reports and dashboards, share them with others or save them as personal reports. 

 

 

 

Delivery instructions

Relations & configuration instructions

This section describes relations to other use cases and gives configuration instructions.

Relations to other use cases:

User lifecycle management
Account management
Manage organizational data

Relations to other data cards:

IGA Access Right Record
IGA Entitlements
IGA Business Roles
Organization
Title
Cost Center

 

Configuration instructions:

Configure workflows:

  1. Go to IGA Automated rule template and workflow called “IGA Automated rule”
    • Publish the workflow
  2. Go to IGA Access Right Record template and workflow called “2.0 Add or remove group membership”
    • Publish the workflow
  3. Go to IGA Service Request template and workflow called “2.5 Automated rule change request”
    • Publish the workflow

Configure connector:

  1. Configure connector for the directory and test connection
  2. Configure event-based task called “[Directory] IGA Access Right Record: Remove or Add Group”
    • Define user and group filters and settings
    • No need to change user identity mappings

 


 

 

System- and approval testing instructions

Testing automated rules depends on user lifecycle management testing, and it is recommended to perform these simultaneously.

Preparations:

  1. Work period and account management settings are in place
  2. Users' personal and employment-related information is received with one of the options in user lifecycle management
  3. IGA admin has validated that the received data is up to date and that automated rules can be based on the data
  4. IGA admin has created the necessary IGA automated rule data cards, matching the users' employment-related information
  5. Title, cost center and organizational unit data cards can be found in the IGA solution and automated rules are related to them.

Testing instructions:

  1. Create, update and depart users according to the user lifecycle management use cases
    • Validate from the IGA solution that new users are granted the access rights defined in the rule, from the following data cards related to the user
      • Person
      • IGA account
      • IGA work period
      • IGA entitlement
      • IGA business role
      • IGA identity storage
      • IGA access right record
    • Validate from the customer's directory that group-membership connections are correctly provisioned
    • Validate from Self-Service
      • User can see access rights in My Things view
      • Manager can see subordinates' access rights in My Employee view
  2. Change existing rule content
    • Add and remove entitlements and/or business roles from an existing rule and change rule attributes.
      • Validate that the provisioning preview is working correctly
      • Validate that changes are provisioned correctly to the customer's directory/directories
      • Validate from the IGA solution that data is updated correctly in the following data cards related to the user
        • Person
        • IGA account
        • IGA work period
        • IGA entitlement
        • IGA business role
        • IGA identity storage
        • IGA access right record
  3. Inactivate existing rule
    • Inactivate the existing rule and select an execution time for it
      • Validate that the provisioning preview is working correctly
      • Validate that changes are provisioned correctly to the customer's directory/directories
      • Validate from the IGA solution that data is updated correctly in the following data cards related to the user
        • Person
        • IGA account
        • IGA work period
        • IGA entitlement
        • IGA business role
        • IGA identity storage
        • IGA access right record
        • Title / cost center / organizational unit

 

 

 


Copyright 2026 – Matrix42 Professional.
