The functionality described in this article won't be available until the full feature release.
Conditional Policies give you granular control over Guest Settings in specific scenarios, allowing you to apply specific Rules for specific use cases. When first configuring EUM, you'll likely set up Standard Request, Approval, Onboarding, and Access Review procedures. However, on certain occasions, you might want to have special rules in place.
Let's say that in one of these special cases, whenever a Guest is added to a group of higher confidentiality, you want:
a special approver group that approves these requests
a special onboarding procedure that contains additional documents to be signed
a tighter access review, which is conducted more regularly, by specific people
Conditional Policies allow you to easily divert Requests to these Special Policies.
Let's explore how Conditional Policies work and help you gain more granular control over your Guest Settings.
Conditions and Condition Packages
To define a Conditional Policy, we start by defining a set of Conditions. A Condition is nothing more than a statement that can either be True or False.
For instance, "The Sensitivity Label of the Group that the Guest is being added to is 'Confidential'."
If the Team that the Guest is being added to has the Confidential label, this statement will be True; if not, it will be False.
These Conditions can be combined into a Condition Package, a collection of statements that are logically intertwined.
When the statements, combined with each other through AND/OR, resolve True, the entire Condition Package resolves True as well.
Conditional Settings
Once we have a Condition Package, we can bind it to specific Policy Settings.
If a given Request meets the Conditions defined by the Package, the corresponding Conditional Policy will be applied.
For example, if we want to trigger a unique Access Review for Guests who have been added to Teams with the "Confidential" Sensitivity Label, we can create a new Conditional Access Review that's triggered in that case.
We'll just specify how we want our Review to work and select a Condition Package that will trigger this Access Review instead of the Default one.
Now that our Conditional Access Review is ready, whenever a new Guest Request comes in, the system will check whether the Sensitivity Label of the Group is "Confidential", and if it is, the Guest will be subject to our Conditional Access Review for this Team.
If you want to explore how specific Conditional Settings operate, feel free to check out our articles about Conditional Access Reviews, Conditional Onboarding, and Conditional Approver Groups.
Policy Prioritization
You can have up to 30 Conditional Policies for a given Governance Setting, allowing for a high degree of customizability for any use case you can think of.
If you have several Conditional Policies attached to a Governance Setting, the system will check each of them in order (first to last). The first Conditional Policy for which a linked Condition Package resolves True will be applied; if none of them resolve True, the Default Policy will be applied.
You can change a Policy's priority at any time by dragging it into the desired spot on the list.
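Because the first matching Conditional Policy wins, a broad policy placed above a stricter one can keep the stricter one from ever applying. The sketch below is an added example, not External User Manager code or its API: it models the first-to-last evaluation described above and flags policies that are shadowed for a set of sample Requests. The nested AND/OR package form, the "department" attribute, the "Internal" and "General" label values, and the policy names are assumptions made for illustration.

```python
# Added illustration of first-match policy selection; not EUM code or an EUM API.
# Attribute names, label values other than "Confidential", and policy names are constructed.
MAX_CONDITIONAL_POLICIES = 30  # per Governance Setting, as stated in the article


def resolves(package, request):
    """Evaluate a package: ("is", attribute, value) or ("and"/"or", sub, ...)."""
    op, *args = package
    if op == "is":
        attribute, expected = args
        return request.get(attribute) == expected
    results = (resolves(sub, request) for sub in args)
    if op == "and":
        return all(results)
    if op == "or":
        return any(results)
    raise ValueError(f"unknown operator: {op}")


def select_policy(policies, request, default="Default Policy"):
    """Return the first policy (in list order) whose package resolves True."""
    if len(policies) > MAX_CONDITIONAL_POLICIES:
        raise ValueError("more than 30 Conditional Policies")
    for name, package in policies:
        if resolves(package, request):
            return name
    return default


def shadowed(policies, sample_requests):
    """Policies that match some sample request but are never the one selected."""
    hidden = []
    for name, package in policies:
        hits = [r for r in sample_requests if resolves(package, r)]
        if hits and all(select_policy(policies, r) != name for r in hits):
            hidden.append(name)
    return hidden


CONFIDENTIAL = ("is", "sensitivity_label", "Confidential")
BROAD = ("or", CONFIDENTIAL, ("is", "sensitivity_label", "Internal"))
STRICT = ("and", CONFIDENTIAL, ("is", "department", "Legal"))
POLICIES = [("Quarterly review", BROAD), ("Monthly legal review", STRICT)]
REORDERED = [POLICIES[1], POLICIES[0]]  # stricter policy moved to the top
REQUESTS = [  # constructed sample Guest Requests
    {"sensitivity_label": "Confidential", "department": "Legal"},
    {"sensitivity_label": "Internal", "department": "Sales"},
    {"sensitivity_label": "General", "department": "Sales"},
]

if __name__ == "__main__":
    print(select_policy(POLICIES, REQUESTS[0]), shadowed(POLICIES, REQUESTS))
```

With the broad policy first, the Confidential Legal request receives the quarterly review and the monthly one is reported as shadowed; with the order reversed, both policies apply to the Requests they were written for.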
Next Steps
Now that you understand the mechanism behind Conditional Policies, it's time to get a better idea of how Conditional Packages work.
Alternatively, you can look into individual Conditional Governance Settings:
Need more help?
Get further assistance with External User Manager through our support chat widget within the app, or reach out to us at [email protected]






