...

Recertification Policy Type

Description

Account Validity

The account validity recertification policy certifies whether an account should continue to exist. For the recertification, an audit is created, which generates business requests that go for approval. The engine bundles the recertification items into business requests according to their responsible party. Any item being recertified whose responsible party is null is bundled, together with all other such items, into a single business request whose subject is the fall-back assignee.

The possible decisions for the business requests in this case are: certify, disable or delete. For more details on how to create an account validity recertification policy, visit this page.

Business Role and Location Membership

The business role and location membership policy certifies the membership of a business role and location. Possible decisions are: certify or revoke the member.

Group Membership

The group membership recertification policy certifies group membership, including user members and nested groups. Possible decisions are: certify, revoke, or convert to just-in-time (pre-approved) membership.

Group Validity

The group validity recertification policy certifies whether a group should continue to exist. For the recertification, an audit is created, which generates business requests that go for approval. The engine bundles the recertification items into business requests according to their responsible party. Any item being recertified whose responsible party is null is bundled, together with all other such items, into a single business request whose subject is the fall-back assignee.

The possible decisions are: certify, disable or delete. For more details on how to create a group validity recertification policy, visit this page.

Management Role Access Assignment

The management role access assignment recertification policy certifies the access granted to a management role, including any RBAC assignment.

Management Role Membership

The management role membership recertification policy certifies the current members of a management role, including people, groups, and business roles and locations.

Management Role Validity

The management role validity recertification policy certifies the current validity of a management role. For the recertification, an audit is created, which generates business requests that go for approval. The engine bundles the recertification items into business requests according to their responsible party. Any item being recertified whose responsible party is null is bundled, together with all other such items, into a single business request whose subject is the fall-back assignee.

This recertification determines whether the management role should continue to exist, be disabled, or be deleted. For more details on how to create a management role validity recertification policy, visit this page.

Person Validity

The person validity recertification policy certifies whether a person should continue to exist. For the recertification, an audit is created, which generates business requests that go for approval. The engine bundles the recertification items into business requests according to their responsible party. Any item being recertified whose responsible party is null is bundled, together with all other such items, into a single business request whose subject is the fall-back assignee.

The possible decisions are: certify, disable or delete. For more details on how to create a person validity recertification policy, visit this page.
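The bundling rule described for the account, group, management role and person validity policies above (one business request per responsible party, plus one request addressed to the fall-back assignee for every item with no responsible party) is easy to get subtly wrong, so here it is as a small worked model. This is an added example written for this page, not EmpowerID code; the class names, the policy-type strings, the sample items and the `fallback_assignee` parameter are all assumptions, and the allowed-decision table lists only the decisions this page states for each policy type.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Decisions each policy type permits, taken from the descriptions on this page.
# Policy types whose decisions the page does not list are deliberately absent.
ALLOWED_DECISIONS: Dict[str, FrozenSet[str]] = {
    "AccountValidity": frozenset({"certify", "disable", "delete"}),
    "BusinessRoleAndLocationMembership": frozenset({"certify", "revoke"}),
    "GroupMembership": frozenset({"certify", "revoke", "convert_to_jit"}),
    "GroupValidity": frozenset({"certify", "disable", "delete"}),
    "ManagementRoleValidity": frozenset({"certify", "disable", "delete"}),
    "PersonValidity": frozenset({"certify", "disable", "delete"}),
}


@dataclass(frozen=True)
class RecertItem:
    """One object under review in an audit run (hypothetical model)."""
    item_id: str
    policy_type: str
    target: str                       # account, group, person or role being reviewed
    responsible_party: Optional[str]  # None when no owner is recorded


@dataclass
class BusinessRequest:
    """A bundle of items routed to one approver (hypothetical model)."""
    subject: str
    items: List[RecertItem] = field(default_factory=list)


def bundle_into_business_requests(items: List[RecertItem],
                                  fallback_assignee: str) -> List[BusinessRequest]:
    """Bundle items by responsible party; orphaned items go to the fall-back assignee.

    Items with a responsible party are grouped per party. Items whose responsible
    party is None are collected into one extra request whose subject is the
    fall-back assignee. That extra request is kept separate from any request the
    fall-back assignee owns directly, so the approver can tell which items reached
    them only because no owner was recorded (an assumption of this example, not a
    documented product behaviour).
    """
    owned: Dict[str, List[RecertItem]] = defaultdict(list)
    orphaned: List[RecertItem] = []
    for item in items:
        if item.responsible_party is None:
            orphaned.append(item)
        else:
            owned[item.responsible_party].append(item)

    requests = [BusinessRequest(subject=party, items=its) for party, its in owned.items()]
    if orphaned:
        requests.append(BusinessRequest(subject=fallback_assignee, items=orphaned))
    return requests


def is_valid_decision(item: RecertItem, decision: str) -> bool:
    """True when the decision is one the item's policy type allows."""
    return decision in ALLOWED_DECISIONS.get(item.policy_type, frozenset())


# Constructed sample: five items from one audit run. Two have no recorded owner.
SAMPLE_ITEMS = [
    RecertItem("i1", "AccountValidity", "svc-backup", "alice"),
    RecertItem("i2", "GroupMembership", "Domain Admins/bob", "alice"),
    RecertItem("i3", "GroupValidity", "legacy-vpn-users", "carol"),
    RecertItem("i4", "PersonValidity", "contractor-417", None),
    RecertItem("i5", "AccountValidity", "svc-orphan", None),
]


def demo(fallback_assignee: str = "iam-team") -> List[BusinessRequest]:
    """Run the bundling over the sample and print one line per business request."""
    requests = bundle_into_business_requests(SAMPLE_ITEMS, fallback_assignee)
    for req in requests:
        print(f"request -> {req.subject}: {[i.item_id for i in req.items]}")
    return requests


if __name__ == "__main__":
    demo()
```

The point worth checking in a real deployment is the last bucket: every item whose owner attribute is empty lands with the fall-back assignee, so a large orphaned bucket is a signal that ownership data in the Identity Warehouse is incomplete, and the fall-back assignee should be a reviewer who is actually able to make certify/disable/delete decisions for objects they do not own.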

Each Recertification policy is targeted, or scoped, to apply only to specific people, roles, or resources using EmpowerID Query-Based Collections (SetGroups). These consist of Sets, which are LDAP or code-based queries. The Sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people. They can be based on queries written against the EmpowerID Identity Warehouse or against external systems in a customer's environment. Query-Based Collections for Recertification policies provide a rich and flexible access review mechanism: an organization can selectively collect the objects it wants to include in a given policy and then schedule that policy to create the review tasks that best meet its security requirements. For example, with SetGroups you could create one Recertification Policy that targets high-security groups only and schedule it to run more frequently, and create another Recertification Policy for lower-security groups with a less frequent run schedule.

...