...
Recertification Policy Type | Description |
---|---|
Account Validity | Account validity recertification policy is used to audit if certify whether an account should exist , be disabled, or be deletedor not. Possible decisions are: certify, disable and delete. |
Business Role and Location Membership | Business role and location membership policy is used to audit if to certify the membership of a business role and location, person membership, exists. Possible decisions are: certify or revoke the member. |
Direct Reports | This The direct reports recertification policy is used to audit certify who reports to whom. To certify a manager’s direct reports. |
Exchange Mailbox Permissions | This The exchange mailbox permissions recertification policy is used to audit who currently has what type of access to a given exchange mailboxto certify the mailbox permission. Possible decisions are: certify or revoke permission. |
Folder Permissions | This The folder permission recertification policy is used to audit who currently has what type of access to a given to certify the folder permission of a windows folder. Possible decisions are: certify or revoke permission. |
Group Membership | This The group membership recertification policy is used to audit who currently has membership in a given groupcertify group membership including user and nested groups. Possible decisions are: certify, revoke or convert to just in time membership(pre-approved). |
Group Owner | This The group owner recertification policy is used to audit the attestation for ownership of groupscertify the group owners. |
Group ValidityGroup Validity, checks that the account should exists, routes the request to group owner first and then fall-back | The group validity recertification policy is to certify whether a group should exist or not in the group. Possible decisions are: certify, disable and delete. |
Management Role Access Assignment | This The management role access assignment recertification policy is used to audit certify the access granted by the to management role including any RBAC assignment. |
Management Role Membership | This The management role membership recertification policy is used to audit certify the current assignees members of a management role, including people, group and business role and location. |
Management Role Validity | This The management role validity recertification policy is used to audit certify the current validity of a management role. This recertification determines if the management role should exist, be "disabled", or deleted. |
Person Access Summary | This The person access summary recertification policy is used to audit certify all the access assigned directly to a person. |
Person Direct Entitlements | This The person direct entitlements recertification policy is used to audit certify all the entitlements given directly to a person. |
Person ValidityPerson Validity, checks that the account should exists, routes the request to Person owner first and then fall-back | The person validity recertification policy is used to certify the a person should exist or not. Possible decisions are: certify, disable and delete. |
Each Recertification policy is targeted or scoped to apply only to specific people, roles, or resources using EmpowerID Query-Based Collections (SetGroups). These are comprised of Sets, which are LDAP or code-based queries. These Sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people or resources based upon queries written against the EmpowerID Identity Warehouse or even external systems in a customer's environment. The use of Query-Based Collections for Recertification policies provides a rich and flexible access review mechanism by which organizations can selectively collect the objects they want to incorporate within a given policy and then schedule that policy to create review tasks in a manner that best meets the security requirements of the organization. As an example, with SetGroups you could create one Recertification Policy that targets high security groups only, scheduling that policy to run more frequently, and create another Recertification Policy for lower security groups with a less frequent run schedule.
...