Recertification policies are policies that you add to audits to generate recertification review tasks for the access assignments given to people, roles, groups and Query-Based collections. Once you create a Recertification policy, you then scope the policy by adding targets to it, such as a specific Business Role and Location or Group.
| Info |
|---|
| EmpowerID provides a number of Recertification policies that you can use out of the box. Each of these policies creates snapshots of data for a particular resource type. You can use these policies as a starting point or create your own. |
| Policy | Usage |
|---|---|
| Access for Active People (Logged in Last 90 Days) | For certifying the EmpowerID access assignments for all people who logged in during the last 90 days. |
| All Access Assignments for Shared Folders flagged as Audit | For certifying shared folder access. |
| Certify Access Assignments for Resource Mailboxes | For certifying access to resource mailboxes. |
| Direct Reports Recertification - All People Logged in Last 90 Days | For managers to recertify any direct reports who have logged in within the last 90 days. |
| Mailbox Permissions | For certifying mailbox permissions. |
| Management Role Access | For certifying the access granted to Management Roles. |
| Person Access Summary for People Logged in Last 90 Days | For certifying the access of all people who have logged in within the last 90 days. |
| Person Direct Entitlements | For managers to certify or revoke the access of their direct reports. |
| SharePoint Group Access Assignments | For certifying all EmpowerID access assignments for SharePoint groups. |
A Recertification Policy defines how an organization regularly reviews and verifies the access rights held by its people. The policy specifies the type of access rights under review, which people's access assignments are evaluated, and how the review aligns with the organization's policies and regulations. A recertification audit can have multiple recertification policies associated with it.
Recertification policies come in different types and are reusable across audits. For example, to certify external partners and the members of certain high-risk Management Roles in a single audit, you define those items in one or more recertification policies and then add the policies to the same audit.
| Tip |
|---|
| The Recertification Overview and Recertification Policy Types docs provide more conceptual information about policies and audits. |
Follow the steps below to create a recertification policy.
Create a Recertification Policy
1. Log in to EmpowerID.
2. On the navbar, expand Compliance and select Recertification.
3. On the Recertification page, select the Recertification Policies tab and click the + icon to create a new recertification policy.
4. In the Policy Details form that appears, click the Policy Type drop-down and select one of the following options. Each policy type defines the data snapshot taken for a particular resource type; the Recertification Policy Types doc covers the types in more detail.
   - Assignee Granted Security – Access Level Assignments and Management Role assignments granted to an assignee as an actor
   - Direct Reports – who reports to whom
   - Exchange Mailbox Permissions – who currently has what type of access to a given Exchange mailbox
   - Folder Permissions – who currently has what type of access to a given Windows folder
   - Group Membership – who currently has membership in a given group
   - Management Role Membership – current assignees of a Management Role
   - Person Access Summary – all access assignments currently granted to a Person, including:
     - All RBAC assignments, including direct, relative, and by-location assignments
     - Business Role and Location assignments
     - Any group memberships, including those on their accounts and those granted through RBAC
     - Any Management Role memberships
     - Account and group ownership
     - Any native permissions, such as NTFS permissions for shared folders and Exchange mailbox permissions or ACLs
   - Person Direct Entitlements – current access granted to people (also creates recertification tasks for the managers of each person targeted by the policy)
   - Resource Granted Security – who currently has access to any given resource object for which the policy is created
5. Fill in the Name, Display Name, and Description fields.
6. Select Enabled to enable the policy.
7. For Open Item Decision When Audit Is Closed, select the default decision to apply to business request items that are still open (decision pending) when the audit is closed. If an audit closes while generated items are still awaiting a decision, the fulfillment engine automatically closes those items with the decision selected here:
   - Approve: the access being reviewed is treated as valid. The access rights are granted or retained as they currently are.
   - Certify: the reviewed access is certified. The access rights are granted or retained as they currently are.
   - Convert to JIT: the current access is revoked, but eligibility for the same access is added as pre-approved. If the user later requests the same access from the IAM (Identity and Access Management) shop, it is granted immediately without additional approvals.
   - Do Nothing: no action is taken, and the items remain open.
   - Revoke: the current access is revoked.
8. Click Save.
| Info |
|---|
| After EmpowerID creates the policy, the view one page appears, where you configure the Targets of the Recertification and the Item Type Scope (Data). A recertification policy is only complete once you add both the target and the scope. |
Next Step
Add targets to recertification policies