Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

EmpowerID offers different policies that help configure the type of access recertification to perform. The policy defines what information about the user's access needs to be recertified. E.g.several types of Recertification policies for configuring the specific access recertification requirements for users. These policies determine the type of access information that needs to be reviewed and validated for each user. For example, the Group Membership policy recertifies focuses on recertifying a user's group membership in the group. In contrast, while the group validity Group Validity policy recertifies verifies the group's existence itself.
EmpowerID generates business request items or tasks for each access to recertify the access and routes these requests to the auditors. The Items are grouped or bundled into a Business Request to simplify the recertification process and enable auditors to review and approve multiple access recertification items at once. Based on the type of policy, the bundling is done based on Object, Responsible party, and Fallback Assigne attributesongoing validity of a group.

The table below explains the various types of policies and the logic of grouping business request items into a single request.

Info

Key Information

  • The Responsible In access recertification, the responsible party and Fallback Assigne are important persons in access recertification. A responsible party is a person who fallback assignee are crucial roles. The responsible party is responsible for managing and maintaining IT resources. Responsible parties are special assignments that can This role can be reported on and used during the termination/leaver process to maintain and transfer governance oversight and . It can also be included in compliance and recertification policies. The You can configure the responsible party can be configured according to by following the instructions provided here. On the other hand, the Fallback Group By Assignee The fallback assignee is specified when an audit is created and serves as the default assignee for recertification requests for that specific audit.

  • If the default decisions provided by EmpowerID are not enough, you can configure additional decisions. For more information on this, refer to the Configure Custom Decision for Business Requests topic.

Type

Purpose

Business Requests & and Decesions

Account Validity

The account Account Validity recertification policy collects and presents information to recertify Recertification policy is designed to collect and present information about the accounts owned by the users. Auditors can then review this information and determine whether a user's account is users, making it easier for auditors to review and determine which accounts are still necessary and should be certified. This process helps organizations ensure policy is crucial in ensuring that only valid accounts exist as per compliance.Recertification in an organization in compliance with regulatory requirements.

By using the Account Validity recertification policy, organizations can verify that user accounts are still required and actively being used. This helps in the elimination of redundant or outdated accounts, which could pose a security risk.

The recertification engine groups recertification items into a business request based on the Responsible Party assigned to each account or item or account.In cases where an account has no responsible party assigned. If no Responsible Party is assigned to an account, the engine attempts will attempt to set the Accountaccount's Manager manager as the Responsible Party and groups group the recertification items based on it.Lastly, the fallback is grouping the business items by Fallback Group By Assignee. When an account has neither Responsible Party nor the Manageraccordingly. In cases where an account does not have a Responsible Party or a manager, the engine groups the accounts into business requests based on the Fallback Group By AssigneThe possible decisions for Assignee.

During the recertification process, auditors have the option to make decisions such as certifying, disabling, or deleting the business requests generated during the recertification process are certify, disable, or deleteby the engine.

Business Role and Location Membership

The purpose of the Business Role and Location Membership Recertification policy is serves to certify usersa user's access or membership to a business role and locationspecific Business Role and Location. Auditors review the membership information and provided by this policy to determine whether a person's membership is still necessary and should be certified. This By doing so, this policy helps organizations ensure that only valid persons individuals are members of the particular relevant Business Role and Location.

 

For By using the Business Role and Location Membership Recertification policy, organizations can verify that individuals continue to require access to specific Business Roles and Locations. This helps in eliminating access to those who no longer require it, reducing the risk of unauthorized access.

In the Business Role and Location Membership policy, the recertification engine bundles the groups recertification items into business requests based on the object itself. Therefore, in this case, the business role and location are the target Business Role and Location. These objects serve as the bundles for the business requests, and its members are itemswith the members of the Business Role and Location being the items that require recertification.

Possible decisions for the auditors during the recertification process for business roles and location memberships are to either certify or revoke them.

Direct Reports

The Direct Reports recertification policy collects and presents information to recertify the Recertification policy is designed to collect and present information about managers and their direct reports. Auditors can then review the information about who reports to whom and if it , making it easier for auditors to review and determine if the reporting structure is correct and should be certified. This process helps organizations ensure policy is crucial in ensuring that each user reports to the right appropriate person as per in compliance with regulatory requirements.

For In the Business Role and Location Membership policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, This means that in this casepolicy, the managers are serve as the bundles for the business requests, and the users reporting to the managers are the individual items that require recertification.

Group Membership

The purpose of the Group Membership policy is intended to certify usersa user's membership in a specific group. Auditors review the membership information and provided by this policy to determine whether a person's membership is still necessary and should be certified. This By doing so, this policy helps organizations ensure that only valid persons individuals are members of the Groupgroup.

The In the Group Membership policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, This means that in this casepolicy, the group is itself serves as the business requestsrequest, and while its members are the items that are bundled into the request.

The possible decisions are generally set to During the recertification process, auditors typically have the option to make decisions such as certify or revoke the group membership.

Group Owner

The Group Owner policy collects and presents access information to recertify whether an account should continue to serve as a group owner is still required. Auditors review the information and certify provided by this policy to determine whether an account should continue to own a group. This policy type allows for the recertification of the inventoried native owners for groups as assigned in their external systems (e.g., such as Azure Teams owners).

For In the Group Owner policy, the recertification engine bundles the recertification items into business requests based on the object itself. ThereforeAs a result, in this casepolicy, the group owner is serves as the bundle for the business requests, and with the groups owned by the group owner owns are being the individual items that require recertification.

Group Validity

The purpose of Group Validity is policy serves to determine whether a group is still requirednecessary and should continue to exist. Auditors review the membership information and provided by this policy to determine whether the group's existence is valid in terms of compliance and should be certified. This policy helps organizations ensure is crucial in ensuring that only valid Groups groups continue to exist in the organization.

 

Recertification The recertification engine groups recertification items into a business request based on the Responsible Party assigned to each group . In cases where a Group has no responsible party in the Group Validity policy. If a group has no Responsible Party assigned, the engine groups the items by Fallback Group By Assignee.

Possible decisions for the auditors during the During the recertification process for Group validity are to Validity, auditors can make decisions such as certify, disable, or delete the group.  

Management Role Access Assignment

The Management Role Access Assignment policy collects and presents access information to recertify whether the current Resource Roles assigned to a Management Role are still requirednecessary. Auditors review the information and certify provided by this policy to determine whether people's access to resources by their assignment to the Management Role complies with organization policies. This policy type allows recertification of the inventoried native owners for groups as assigned in their external systems (e.g., Azure Teams owners).For

In the Management Role Access Assignment policy, the recertification engine bundles the groups recertification items into business requests based on the object itself. Therefore, in this case, the management role is , which means that the Management Role is used as the bundle for the business requests, and the resource roles . Within each bundle, the Resource Roles assigned to the Management Role are the individual items that require recertification.

  

Management Role Membership

The purpose of the Management Role Membership policy is serves to certify usersa user's membership in a specific Management Role. Auditors review the membership information and provided by this policy to determine whether a person's membership is still necessary to be in the management role and should be certified. This policy helps organizations ensure is crucial in ensuring that only valid persons individuals are members of the Group.The the Management Role.

By using the Management Role Membership policy, organizations can verify that individuals continue to require membership in the specific Management Role. This helps in eliminating membership to those who no longer require it, reducing the risk of unauthorized access.

In the case of the Management Role Membership policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, in this case the management role policy, the Management Role is the bundle for the business requests, and its members are the items.

The possible decisions are generally Possible decisions for auditors during the recertification process are typically set to certify or revoke the management role membership.

Management Role Validity

The Management Role Validity policy collects and presents information to recertify whether a management role is still requiredis designed to collect and present information about a Management Role to determine whether it is still necessary and should continue to exist. Auditors review the information and certify whether the management role should exist as per complianceprovided by this policy to determine whether the Management Role's existence is valid in terms of compliance and should be certified.

By using the Management Role Validity policy, organizations can verify that only necessary Management Roles continue to exist, reducing the risk of outdated or redundant Management Roles.

 

The Recertification engine groups recertification items into a business request based on the Responsible Party assigned to each management role. In cases where If the management role has no responsible party assigned, the engine groups the management role items by Fallback Group By Assignee.

 Possible decisions for the auditors during the recertification process are During the recertification process, auditors have the option to make decisions such as certify, disable, or delete for the recertification items.

Person Access Summary

The purpose of the Person Access Summary policy is designed to recertify the Person with all types of a person's access to all access assignments currently granted to that Personthem. Auditors review the Personperson's access, the level of access granted, and any special privileges or permissions they may have and certify it. This policy helps organizations ensure that the persons individuals only have the required permissionnecessary permissions.

The person access summary policy recertifies:

  • All RBAC assignments, including direct, relative, and by-location assignments

  • Direct Business Role and Location assignments

  • Any group Group memberships, including those on of their accounts and those granted through by RBAC assignments

  • Any Management Role memberships

  • Account and group ownership.

For In the case of the Management Role Access Assignment policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, in this casepolicy, the Person is the bundle for the business requests; business request bundle, and each access assignment the user has are is the business request item.

  Possible decisions for business requests are typically set as certify, disable, or delete.

Person Validity

The Person Validity policy collects and presents information to recertify whether a Person is designed to collect and present information about a person object in EmpowerID to determine whether it is still requirednecessary and should continue to exist. Auditors review the information , certify provided by this policy to determine whether the person should exist,and access IT resources as per compliance.

 

's existence is valid in terms of compliance and should be certified. Additionally, the policy helps ensure that the person has appropriate access to IT resources.

By using the Person Validity policy, organizations can verify that only necessary persons continue to exist in EmpowerID.

The Recertification engine groups recertification items into a business request based on the Responsible Party assigned to each item or person. In cases where If a person has no responsible party Responsible Party assigned, the engine attempts to set the Person’s person's Manager as the Responsible Party and groups the recertification items based on it.Lastly, the fallback is grouping the business items by Fallback Group By Assignee. When a Person has accordingly. In cases where neither Responsible Party nor the Manager is assigned, the engine groups the person objects into business requests based on the Fallback Group By AssigneThe possible Assignee.

Possible decisions for the business requests are generally typically set as certify, disable, or delete.

Tip

EmpowerID offers a real-time risk-based recertification feature that enables monitoring of group membership changes as they occur. This feature can be enabled on a per Account Store basis and is designed to monitor only those groups that are defined in a Query-Based Collection per Account Store.

For more detailed information on this feature, please see Continuous Group Membership Change Recertifications.

Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue
Insert excerpt
IL:External Stylesheet
IL:External Stylesheet
nopaneltrue

...