Versions Compared

Old Version 5

changes.mady.by.user Dev Raj Gautam

Saved on

compared with

New Version 6

changes.mady.by.user Dev Raj Gautam

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

EmpowerID provides various offers several policy types for recertification audits that determine the type of access recertification to be performed. The policy outlines These policies outline the information to be evaluated regarding individuals' rights and access rights. During the recertification process, EmpowerID generates business requests that ask auditors to recertify the access during recertification. Each access is represented as a business request item that needs to be certifiedrequires certification, and the way the how these items are bundled into a single business request depends on the policy type.

Info

Key Information

  • The responsible Responsible party and Fallback Assigne are important persons in access recertification. A responsible party is an individual a person who is responsible for managing and maintaining IT resources. Responsible parties are special assignments that can reported on and used during the termination/leaver process to maintain and transfer governance oversight and be included in compliance and recertification policies. The responsible party can be configured according to the instructions provided here. On the other hand, the Fallback Group By Assignee is specified when an audit is created and serves as the default assignee for recertification requests for that specific audit.

  • You can configure additional decisions if default decisions provided in EmpowerID are inadequate, and you want more options. More information is provided in Configure Custom Decision for Business Requests.

...

Type

Purpose

Business Requests & Decesions

Account Validity

The account Validity recertification policy in EmpowerID collects and presents information about all the accounts owned by a user. Auditors can then review this information and determine whether a user's account is still necessary and should be certified. The responsibility for certifying whether an account should continue to exist or not is usually assigned to a responsible person, such as a manager, responsible party, or other designated individual.

The recertification engine in EmpowerID bundles the Recertification engine groups recertification items into a business requests request based on the responsible party Responsible Party assigned to each item . If an item being recertified or account.

In cases where an account has no responsible party assigned, the engine attempts to set the Account’s Manager as the Responsible Party and groups the recertification items based on it is bundled into one business request .

Lastly, the fallback is grouping the business items by Fallback Group By Assignee. When an account has neither Responsible Party nor the Manager, the engine groups the accounts into business requests based on the Fallback Group By Assignee. Assigne

The possible decisions for the business requests generated during the recertification process are typically set as certify, disable, or delete.

Business Role and Location Membership

The business role and location membership recertification policy checks if a user's access to a specific business role and location is still needed for valid business reasons. The responsible person reviews and approves this information via business requests and items.

The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the business role and location are the bundles for the business requests, and its members are items.

The possible decisions for the business requests are generally set to certify or revoke the business role and location membership.

Direct Reports

The Direct Reports recertification policy collects access data to validate if the managers and their direct reports are still required for a valid business purpose. The information is presented to the responsible person to certify whether a direct report for a particular manager should exist.

Group Membership

The group membership recertification policy collects access data to validate whether a group membership for a user is still required for a valid business purpose. This information is reviewed and approved by the responsible person who decides whether membership should exist.

The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the group is the business requests, and its members are items bundled into the request.

The possible decisions are generally set to certify or revoke the group membership.

Group Owner

The Group Owner membership recertification policy collects access data to validate whether an account as a group owner is still required for a valid business purpose. This information is reviewed and approved by the responsible person during an Audit who certifies whether an account should own a group. This policy type allows recertification of the inventoried native owners for groups as assigned in their external systems (e.g. Azure Teams owners).

Group Validity

The Group validity recertification policy collects access data to determine whether or not a group is still required. Auditors make a decision about whether a group should exist.

In the case of group validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is not assigned, it bundles them into one business request as per the fallback assignee.

The possible decisions are generally set to certify, disable or delete.

Management Role Access Assignment

The management role access assignment recertification policy collects data to certify access granted to a management role is still required for a valid business purpose. In other words, the management role access recertification policy is to certify whether an access grant to the management role should exist.

Management Role Membership

The management role membership recertification policy generates recertification data to certify whether a user's membership in a management role is still required for a valid business purpose.

The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the management role is the bundle for the business requests and its members are items.

The possible decisions are generally set to certify or revoke the management role membership.

Management Role Validity

The management role membership recertification policy generates recertification data to certify whether a management role is still required for a valid business purpose.

In the case of Management Role Validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is not assigned, it bundles them into one business request as per the fallback assignee.

The possible decisions for the business requests are generally set as certify, disable or delete.

Person Access Summary

The person access summary policy validates the person with all types of access assignments currently granted to a Person. This policy recertifies the person’s access, the level of access granted, and any special privileges or permissions they may have.

The person access summary recertifies

  • All RBAC assignments, including direct, relative, and by-location assignments

  • Direct Business Role and Location assignments

  • Any group memberships, including those on their accounts and those granted through RBAC

  • Any Management Role memberships

  • Account and group ownership

For the person access summary

Person Validity

The person validity recertification policy determines whether or not the Person object is still required. In other words, the person validity recertification policy certifies whether a Person object should exist in EmpowerID.

In case of person validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item recertified whose responsible party is null, it bundles them into one business request as per the fallback assignee.

The possible decisions for the business requests are generally set as certify, disable, or delete. However, these decisions are configurable.

...