EmpowerID offers several types of Recertification policies for configuring the specific access recertification requirements for users. These policies determine the type of access information that needs to be reviewed and validated for each user. For example, the Group Membership policy focuses on recertifying a user's membership in a group, while the Group Validity policy verifies the existence of the group itself.
EmpowerID generates a business request item for each access that needs to be recertified and routes these requests to the auditors. The items are grouped, or bundled, into a Business Request to simplify the recertification process and enable auditors to review and approve multiple access recertification items at once. Depending on the type of policy, the bundling is based on the Object, the Responsible Party, or the Fallback Assignee attributes.
The table below explains the various types of policies and the logic of grouping business request items into a single request.
Info |
---|
Key Information |
Type | Purpose | Business Requests and Decisions |
---|---|---|
Account Validity | The Account Validity Recertification policy is designed to collect and present information about the accounts owned by users, making it easier for auditors to review and determine which accounts are still necessary and should be certified. This policy is crucial in ensuring that only valid accounts exist in an organization, in compliance with regulatory requirements. By using the Account Validity Recertification policy, organizations can verify that user accounts are still required and actively being used. This helps eliminate redundant or outdated accounts, which could pose a security risk. | The recertification engine groups recertification items into a business request based on the Responsible Party assigned to each item or account. If no Responsible Party is assigned to an account, the engine attempts to set the account's manager as the Responsible Party and groups the recertification items accordingly. If an account has neither a Responsible Party nor a manager, the engine groups the accounts into business requests based on the Fallback Group By Assignee. During the recertification process, auditors can decide to certify, disable, or delete the business requests generated by the engine. |
Business Role and Location Membership | The Business Role and Location Membership Recertification policy serves to certify a user's access or membership to a specific Business Role and Location. Auditors review the membership information provided by this policy to determine whether a person's membership is still necessary and should be certified. By doing so, this policy helps organizations ensure that only valid individuals are members of the relevant Business Role and Location. By using the Business Role and Location Membership Recertification policy, organizations can verify that individuals continue to require access to specific Business Roles and Locations. This helps eliminate access for those who no longer require it, reducing the risk of unauthorized access. | In the Business Role and Location Membership policy, the recertification engine groups recertification items into business requests based on the object itself, in this case the target Business Role and Location. These objects serve as the bundles for the business requests, with the members of the Business Role and Location being the items that require recertification. Possible decisions for auditors during the recertification process for Business Role and Location memberships are to either certify or revoke them. |
Direct Reports | The Direct Reports Recertification policy is designed to collect and present information about managers and their direct reports, making it easier for auditors to review and determine whether the reporting structure is correct and should be certified. This policy is crucial in ensuring that each user reports to the appropriate person, in compliance with regulatory requirements. | In the Direct Reports policy, the recertification engine bundles the recertification items into business requests based on the object itself. This means that in this policy, the managers serve as the bundles for the business requests, and the users reporting to each manager are the individual items that require recertification. |
Group Membership | The Group Membership policy is intended to certify a user's membership in a specific group. Auditors review the membership information provided by this policy to determine whether a person's membership is still necessary and should be certified. By doing so, this policy helps organizations ensure that only valid individuals are members of the group. | In the Group Membership policy, the recertification engine bundles the recertification items into business requests based on the object itself. This means that in this policy, the group itself serves as the business request, while its members are the items bundled into the request. During the recertification process, auditors typically have the option to certify or revoke the group membership. |
Group Owner | The Group Owner policy collects and presents access information to recertify whether an account should continue to serve as a group owner. Auditors review the information provided by this policy to determine whether an account should continue to own a group. This policy type allows for the recertification of the inventoried native owners of groups as assigned in their external systems, such as Azure Teams owners. | In the Group Owner policy, the recertification engine bundles the recertification items into business requests based on the object itself. As a result, in this policy, the group owner serves as the bundle for the business requests, with the groups that the owner owns being the individual items that require recertification. |
Group Validity | The Group Validity policy serves to determine whether a group is still necessary and should continue to exist. Auditors review the membership information provided by this policy to determine whether the group's existence is valid in terms of compliance and should be certified. This policy is crucial in ensuring that only valid groups continue to exist in the organization. | In the Group Validity policy, the recertification engine groups recertification items into a business request based on the Responsible Party assigned to each group. If a group has no Responsible Party assigned, the engine groups the items by Fallback Group By Assignee. During the recertification process for Group Validity, auditors can decide to certify, disable, or delete the group. |
Management Role Access Assignment | The Management Role Access Assignment policy collects and presents access information to recertify whether the Resource Roles currently assigned to a Management Role are still necessary. Auditors review the information provided by this policy to determine whether the access to resources that people receive through their assignment to the Management Role complies with organization policies. | In the Management Role Access Assignment policy, the recertification engine groups recertification items into business requests based on the object itself, which means that the Management Role is used as the bundle for the business requests. Within each bundle, the Resource Roles assigned to the Management Role are the individual items that require recertification. |
Management Role Membership | The Management Role Membership policy serves to certify a user's membership in a specific Management Role. Auditors review the membership information provided by this policy to determine whether a person's membership in the Management Role is still necessary and should be certified. This policy is crucial in ensuring that only valid individuals are members of the Management Role. By using the Management Role Membership policy, organizations can verify that individuals continue to require membership in the specific Management Role. This helps eliminate membership for those who no longer require it, reducing the risk of unauthorized access. | In the Management Role Membership policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, in this policy, the Management Role is the bundle for the business requests, and its members are the items. Possible decisions for auditors during the recertification process are typically set to certify or revoke the Management Role membership. |
Management Role Validity | The Management Role Validity policy is designed to collect and present information about a Management Role to determine whether it is still necessary and should continue to exist. Auditors review the information provided by this policy to determine whether the Management Role's existence is valid in terms of compliance and should be certified. By using the Management Role Validity policy, organizations can verify that only necessary Management Roles continue to exist, reducing the risk of outdated or redundant Management Roles. | The recertification engine groups recertification items into a business request based on the Responsible Party assigned to each Management Role. If the Management Role has no Responsible Party assigned, the engine groups the Management Role items by Fallback Group By Assignee. During the recertification process, auditors can decide to certify, disable, or delete the recertification items. |
Person Access Summary | The Person Access Summary policy is designed to recertify a person together with all access assignments currently granted to them. Auditors review the person's access, the level of access granted, and any special privileges or permissions they may have, and certify it. This policy helps organizations ensure that individuals only have the necessary permissions. The Person Access Summary policy recertifies: | In the Person Access Summary policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, in this policy, the Person is the business request bundle, and each access assignment the user has is a business request item. Possible decisions for business requests are typically set as certify, disable, or delete. |
Person Validity | The Person Validity policy is designed to collect and present information about a person object in EmpowerID to determine whether it is still necessary and should continue to exist. Auditors review the information provided by this policy to determine whether the person's existence is valid in terms of compliance and should be certified. Additionally, the policy helps ensure that the person has appropriate access to IT resources. By using the Person Validity policy, organizations can verify that only necessary persons continue to exist in EmpowerID. | The recertification engine groups recertification items into a business request based on the Responsible Party assigned to each item or person. If a person has no Responsible Party assigned, the engine attempts to set the person's Manager as the Responsible Party and groups the recertification items accordingly. If neither a Responsible Party nor a Manager is assigned, the engine groups the person objects into business requests based on the Fallback Group By Assignee. Possible decisions for the business requests are typically set as certify, disable, or delete. |
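The table describes two bundling strategies: object-based policies bundle items under the target object (group, Management Role, manager, Business Role and Location, or Person), while the validity policies bundle under the Responsible Party and fall back to the manager (Account Validity and Person Validity only) and then to the Fallback Group By Assignee. The following Python is an added illustration of that grouping logic, not EmpowerID's own code: the `RecertItem` fields, the policy names used as dictionary keys, the `bundle` and `is_allowed_decision` helpers, and the sample accounts and group members are all constructed for this example. The decision sets mirror the table; policies whose decisions the table does not list are simply absent from `DECISIONS`.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Policies in which the target object itself is the bundle and its
# members, owned groups, direct reports or access assignments are the items.
OBJECT_BUNDLED = frozenset({
    "BusinessRoleAndLocationMembership", "DirectReports", "GroupMembership",
    "GroupOwner", "ManagementRoleAccessAssignment", "ManagementRoleMembership",
    "PersonAccessSummary",
})

# Policies bundled by Responsible Party. The value records whether the engine
# tries the item's manager before using the Fallback Group By Assignee.
USES_MANAGER_FALLBACK = {
    "AccountValidity": True,
    "PersonValidity": True,
    "GroupValidity": False,
    "ManagementRoleValidity": False,
}

# Decisions available to auditors per policy, as listed in the table above.
DECISIONS: Dict[str, FrozenSet[str]] = {
    "AccountValidity": frozenset({"certify", "disable", "delete"}),
    "BusinessRoleAndLocationMembership": frozenset({"certify", "revoke"}),
    "GroupMembership": frozenset({"certify", "revoke"}),
    "GroupValidity": frozenset({"certify", "disable", "delete"}),
    "ManagementRoleMembership": frozenset({"certify", "revoke"}),
    "ManagementRoleValidity": frozenset({"certify", "disable", "delete"}),
    "PersonAccessSummary": frozenset({"certify", "disable", "delete"}),
    "PersonValidity": frozenset({"certify", "disable", "delete"}),
}


@dataclass(frozen=True)
class RecertItem:
    """One access item awaiting recertification (field names are assumed)."""
    item_id: str
    target_object: str                   # group, manager, role or person it belongs to
    responsible_party: Optional[str] = None
    manager: Optional[str] = None


def bundle_key(policy: str, item: RecertItem, fallback_assignee: str) -> str:
    """Return the key under which `item` is bundled into a business request."""
    if policy in OBJECT_BUNDLED:
        # Object-based policies ignore Responsible Party entirely.
        return item.target_object
    if policy in USES_MANAGER_FALLBACK:
        if item.responsible_party:
            return item.responsible_party
        if USES_MANAGER_FALLBACK[policy] and item.manager:
            return item.manager
        return fallback_assignee
    raise ValueError(f"unknown recertification policy: {policy}")


def bundle(policy: str, items: List[RecertItem],
           fallback_assignee: str = "fallback-assignee@example.test") -> Dict[str, List[str]]:
    """Group items into business requests: {bundle key: [item ids]}."""
    requests: Dict[str, List[str]] = defaultdict(list)
    for item in items:
        requests[bundle_key(policy, item, fallback_assignee)].append(item.item_id)
    return dict(requests)


def is_allowed_decision(policy: str, decision: str) -> bool:
    """True if the table lists `decision` as available for `policy`."""
    return decision.lower() in DECISIONS.get(policy, frozenset())


# Constructed sample data (not real accounts or groups).
ACCOUNTS = [
    RecertItem("acct-1", "svc-build", responsible_party="alice"),
    RecertItem("acct-2", "bob-corp", manager="carol"),     # no RP, manager known
    RecertItem("acct-3", "orphan-admin"),                  # neither RP nor manager
]
GROUP_MEMBERS = [
    RecertItem("gm-1", "Finance-Admins", responsible_party="alice"),
    RecertItem("gm-2", "Finance-Admins"),
    RecertItem("gm-3", "HR-Readers"),
]
GROUPS = [RecertItem("grp-1", "Finance-Admins", manager="carol")]

if __name__ == "__main__":
    print(bundle("AccountValidity", ACCOUNTS))
    print(bundle("GroupMembership", GROUP_MEMBERS))
    print(bundle("GroupValidity", GROUPS))
```

Two behaviours worth noticing when running this: `acct-3` lands with the fallback assignee because the Account Validity chain is exhausted, and `grp-1` also lands with the fallback assignee even though a manager is known, because Group Validity has no manager step. For the object-based policies the Responsible Party field is deliberately ignored, which is why `gm-1` and `gm-2` end up in the same `Finance-Admins` request.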
Tip |
---|
EmpowerID offers a real-time risk-based recertification feature that enables monitoring of group membership changes as they occur. This feature can be enabled on a per Account Store basis and is designed to monitor only those groups that are defined in a Query-Based Collection per Account Store. For more detailed information on this feature, please see Continuous Group Membership Change Recertifications. |