It classifies users based on their position in an organization and on supporting attributes that describe them. It defines roles as collections of pre-defined kinds of access to information systems and other IT infrastructure. Policies are designed to automatically attach users to roles based on their dynamic classification.
This document illustrates why policy-based provisioning, though appealing in theory, is impractical to implement in enterprise-sized organizations. It then describes alternative solutions that can be successfully deployed in such organizations.
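The model described in the first paragraph (attributes classify users, policies attach them to roles, roles expand to access rights) can be sketched as follows. This is an added example, not code from the original document; the role names, entitlement strings, attribute keys and function names are all constructed assumptions.

```python
# Constructed sample data: every role, entitlement and attribute name below is
# an illustrative assumption, not taken from the original document.
ROLES = {
    "employee-base": {"mail:mailbox", "vpn:standard"},
    "finance-clerk": {"erp:ap-entry", "share:finance-ro"},
    "finance-manager": {"erp:ap-approve", "share:finance-rw"},
}

# A policy attaches a role to every user whose attributes match all conditions.
POLICIES = [
    ({"status": "active"}, "employee-base"),
    ({"status": "active", "dept": "finance", "title": "clerk"}, "finance-clerk"),
    ({"status": "active", "dept": "finance", "title": "manager"}, "finance-manager"),
]


def roles_for(user):
    """Classify a user: return every role whose policy conditions all match."""
    return {role for cond, role in POLICIES
            if all(user.get(key) == value for key, value in cond.items())}


def entitlements_for(user):
    """Expand the user's roles into the union of their pre-defined access."""
    entitlements = set()
    for role in roles_for(user):
        entitlements |= ROLES[role]
    return entitlements


def reconcile(user, current):
    """Compare policy-derived access with what the user holds now.

    Returns (to_grant, to_revoke) as sorted lists.
    """
    wanted = entitlements_for(user)
    return sorted(wanted - current), sorted(current - wanted)


if __name__ == "__main__":
    alice = {"id": "alice", "status": "active", "dept": "finance", "title": "clerk"}
    held = entitlements_for(alice)
    # An HR change reclassifies the user, so access follows with no manual request.
    alice["title"] = "manager"
    print(reconcile(alice, held))
    # No policy matches a terminated user, so everything held is revoked.
    alice["status"] = "terminated"
    print(reconcile(alice, held))
```

Because `reconcile` revokes anything the policies do not produce, every access right a user legitimately holds has to be expressible as a policy over that user's attributes.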