
Governance - Toxic Policies

February 2, 2026

With Tools4ever's HelloID identity and access management (IAM) solution, you can automate account and permission management to a large extent. You remain in control and can define the IAM approach in detail by configuring HelloID. This article explains toxic policies, a capability that keeps specific permissions separated so they can never be assigned to the same user.

What Are Toxic Policies?

Toxic policies allow you to exclude specific permission combinations, so that a user can never hold the permissions in such a combination at the same time, for example because the combination poses an excessive security risk or increases the risk of fraud.

Typically, you use business rules based on role or job function to determine the permissions assigned to a user. In some cases, you want to make an exception, for example when a user performs additional tasks that are not standard for the role. In other cases, employees hold multiple roles within the same organization. Such exceptions can lead to conflicting permissions. With toxic policies, you define which combinations of permissions HelloID must never grant to the same user. This prevents human error and safeguards security.

When Should You Use Toxic Policies?

You may choose to use toxic policies for various reasons. Consider security-related reasons, such as preventing fraud and excluding specific permission combinations, as well as avoiding unnecessary costs from duplicate licenses.

Security

Toxic policies offer several options to strengthen security. For example, you can enforce that users never simultaneously have permissions to create and to pay invoices. Also consider managing access to specific zones, rooms, or areas, for example when working with highly sensitive customer data, or limiting access to specific medicine cabinets, so that no user has simultaneous access to more than one medicine cabinet.

Avoid Unnecessary Costs

You can also use toxic policies to prevent unnecessary license assignment and reduce costs. If an employee holds multiple functions or roles in the organization, this can result in multiple licenses for the same software being linked to the user. Duplicate licenses add no value but do increase costs. Toxic policies prevent this and help you avoid unnecessary licensing costs.

In both examples, implementing this via business rules can be difficult or even unfeasible. Toxic policies provide a solution that lets you specify very precisely which combinations of permissions you want to exclude.

Simplify Business Rules

Another benefit of toxic policies is the ability to simplify business rules significantly. It is no longer necessary to capture all exceptions through business rules, since toxic policies already cover these. In practice, this reduces complexity, simplifies license assignment, and prevents duplicate assignments.

Suppose you want to assign users an F1 license by default, and an E3 license only in exceptional cases. In this case, configure a simple business rule that assigns the F1 license to every user. Then define in a toxic policy that a user with an E3 license may never also have an F1 license. If you then assign an E3 license to a user, HelloID automatically revokes the user's F1 license due to this toxic policy.
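To make the mechanism concrete, the following is an added Python model of toxic-policy evaluation written for this article; it is illustrative code, not HelloID's implementation. It covers both cases the article describes: a pair with a designated winner (the E3/F1 license example, where E3 wins and F1 is revoked) and a pure separation-of-duties pair with no winner (invoice create versus invoice pay), which the model withholds for review. The role names, permission names, sample users and the fail-closed handling of an unresolved pair are all assumptions made for the example.

```python
"""Illustrative toxic-policy evaluator (added example, not HelloID code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ToxicPolicy:
    """Two permissions that must never be held by the same user.

    `keep` names the permission that wins when both would be granted; the
    other is revoked. With `keep=None` neither side wins: the pair is
    withheld and reported for review (assumed fail-closed behaviour).
    """
    first: str
    second: str
    keep: Optional[str] = None

    def __post_init__(self) -> None:
        # Guard against a typo that would silently make the policy inert.
        if self.keep is not None and self.keep not in (self.first, self.second):
            raise ValueError(f"keep={self.keep!r} is not part of the pair")


@dataclass
class Outcome:
    effective: Set[str]
    revoked: List[str] = field(default_factory=list)        # lost to a winner
    blocked: List[Tuple[str, str]] = field(default_factory=list)  # withheld pairs


# Constructed business rules: role -> permissions the role grants.
BUSINESS_RULES: Dict[str, Set[str]] = {
    "all-staff": {"license:F1"},          # everyone gets F1 by default
    "management": {"license:E3"},         # the exceptional E3 case
    "finance": {"invoice:create"},
    "accounts-payable": {"invoice:pay"},
}

# Constructed users with one or more roles each.
USERS: Dict[str, List[str]] = {
    "alice": ["all-staff", "management"],
    "bob": ["all-staff", "finance", "accounts-payable"],
    "carol": ["all-staff"],
}

POLICIES: List[ToxicPolicy] = [
    ToxicPolicy("license:E3", "license:F1", keep="license:E3"),
    ToxicPolicy("invoice:create", "invoice:pay"),  # classic SoD, no winner
]


def granted_by_rules(roles: List[str]) -> Set[str]:
    """Union of everything the user's business rules would assign."""
    perms: Set[str] = set()
    for role in roles:
        perms |= BUSINESS_RULES[role]
    return perms


def apply_toxic_policies(granted: Set[str], policies: List[ToxicPolicy]) -> Outcome:
    """Remove forbidden combinations. One pass suffices because evaluation
    only ever removes permissions, so a resolved pair cannot reappear."""
    out = Outcome(effective=set(granted))
    for p in policies:
        if not (p.first in out.effective and p.second in out.effective):
            continue
        if p.keep is None:
            out.effective -= {p.first, p.second}
            out.blocked.append((p.first, p.second))
        else:
            loser = p.second if p.keep == p.first else p.first
            out.effective.discard(loser)
            out.revoked.append(loser)
    return out


def evaluate_user(name: str) -> Outcome:
    return apply_toxic_policies(granted_by_rules(USERS[name]), POLICIES)


if __name__ == "__main__":
    for user in USERS:
        o = evaluate_user(user)
        print(f"{user}: effective={sorted(o.effective)} "
              f"revoked={o.revoked} blocked={o.blocked}")
```

The business rule stays trivially simple (every user receives F1), and the toxic policy alone turns the E3 assignment into an E3-only result for alice, exactly as the license scenario above describes. For bob, whose two roles together would grant both halves of the invoice pair, the model withholds both permissions and surfaces the conflict instead of guessing which one to keep; whether such a pair should auto-resolve or go to a reviewer is a design decision to make explicit when you configure the policy.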

Get Started

Ready to get started with HelloID Governance? More information about this module is available on our website. Questions? Contact us; our experts are ready to help!