...
An audit can be considered as a project with a start date and end date. We might want to audit or certify multiple items using an audit. For example, in a Q1 audit we might want to certify, an external partner, identify as well as a member of certain high-risk management roles. These items are specified in one or more recertification policies. EmpowerID maintains an audit trail of these access snapshots and the decisions made concerning the access. EmpowerID recertification audits can be scheduled to run periodically, such as on a quarterly or monthly basis, weekly, daily, or at will.
What is the recertification policy?
...
Recertification Policy Type | Description |
|---|---|
Account validity recertification policy is to certify whether an account should exist or not. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests as per the responsible party. For any item being recertified where its responsible party is null, it bundles them all into one business request where the subject of the request is the fall-back assignee. The possible decisions are generally configured as certify, disable or delete. However, these decisions are configurable. For more details on how to create an account validity recertification policy visit this page. | |
Business role and location membership policy is to certify the membership of a business role and location. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the business role and location is the bundle for the business request and its members are items. The possible decisions are generally configured as certify or revoke the member. However, these decisions are configurable. For more details on how to create a business role and location membership recertification policy visit this page. | |
The group membership recertification policy is used to certify group membership, including Person resource for RBAC membership, group account, nested groups and any of the type of direct assignments. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the group is the bundle for the business request and its members are items. The possible decisions are generally configured as certify or revoke the member. However, these decisions are configurable. For more details on how to create a group membership recertification policy visit this page. | |
The group validity recertification policy is to certify whether a group should exist or not in the group. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests as per the responsible party. For any item being recertified where its responsible party is null, it bundles them all into one business request where the subject of the request is the fall-back assignee. The possible decisions are generally configured as certify, disable or delete. However, these decisions are configurable. For more details on how to create an group validity recertification policy visit this page. | |
The management role access assignment recertification policy is to certify the access granted to the management role, including any RBAC assignment. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the management role is the bundle for the business request and its members are items. For more details on how to create a management role access assignment type recertification policy visit this page. | |
The management role membership recertification policy is to certify the current members of a management role, including people, group, and business role and location. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the management role is the bundle for the business request and its members are items. The possible decisions are generally configured as certify or revoke the member. However, these decisions are configurable. For more details on how to create a management role membership recertification policy visit this page. | |
The management role validity recertification policy is to certify the current validity of a management role. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests as per the responsible party. For any item being recertified where its responsible party is null, it bundles them all into one business request where the subject of the request is the fall-back assignee. This recertification determines if the management role should exist, be "disabled,” or deleted. For more details on how to create a management role validity recertification policy visit this page. | |
The person validity recertification policy is used to certify the person should exist or not. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests as per the responsible party. For any item being recertified where its responsible party is null, it bundles them all into one business request where the subject of the request is the fall-back assignee. The possible decisions are generally configured as certify, disable or delete. However, these decisions are configurable. For more details on how to create a person validity recertification policy visit this page. |
...
. |
Each Recertification policy is targeted or scoped to apply only to specific people, roles, or resources using EmpowerID query-based collections (SetGroups). These are comprised of sets, which are SQL queries primarily or code-based queries in some cases. These sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people. They can be based on questions written against the EmpowerID identity warehouse or external systems in a customer's environment.
EmpowerID Recertification Policies can be scheduled to run periodically, such as on a quarterly or monthly basis, weekly, daily, or at will. When a policy is run manually or scheduled, a Recertification Review task is created for each object in the SetGroup. This allows authorized staff in an organization to review the access to resources that people within the organization have at any given time and how that access came about, whether by a direct assignment to a specific resource or through being delegated a Management Role with multiple Resources Role assignments.
...
To maintain the integrity of Recertification Reviews, users cannot recertify themselves. In other words, a user who can create a Recertification Policy cannot certify that policy. The EmpowerID
...
admin user is prohibited from participating in the review process by this feature.
| Insert excerpt | ||||||
|---|---|---|---|---|---|---|
|
...