Recertification policies contain procedures for ensuring that users affirm that they have a genuine, continuous need for a particular resource or membership. The recertification policy also defines the frequency with which users must validate their requirement for a resource or membership.
EmpowerID recertification policies have the following types.
...
Recertification Policy Type
...
Description
...
Account Validity
Account validity recertification is a method of determining whether or not accounts are still required. Certain actions must be made if the accounts are no longer required. In other words, an account validity recertification policy to certify whether an account should exist or not.
...
EmpowerID provides various policy types for recertification audits that determine the type of access recertification to be performed. The policy outlines the information to be evaluated regarding individuals' rights and access rights. During the recertification process, EmpowerID generates business requests that ask auditors to recertify the access. Each access is a business request item that needs to be certified, and the way the items are bundled into a single request depends on the policy type.
| Info |
|---|
Key Information
|
Type | Purpose | Business Requests & Decesions |
|---|---|---|
Account Validity | The account Validity recertification policy in EmpowerID collects and presents information about all the accounts owned by a user. Auditors can then review this information and determine whether a user's account is still necessary and should be certified. The responsibility for certifying whether an account should continue to exist or not is usually assigned to a responsible person, such as a manager, responsible party, or other designated |
For the recertification, a recertification policy is created, a recertification audit is created, and the recertification policy is added to the audit. The audit is compiled, which generates business requests that are sent for approval.
In the case of account validity recertification, the recertification engineindividual. | The recertification engine in EmpowerID bundles the recertification items into business requests |
based on the responsible party assigned |
to each item. If an item being recertified |
has no responsible party |
, it |
is bundled into one business request |
based on the Fallback Group By Assignee. The possible decisions for the business requests generated during the recertification process are |
typically set as certify, disable, or delete. |
Business Role and Location Membership | The business role and location membership recertification |
policy checks if a user's access to a specific business role and location is still |
needed for |
valid business |
reasons. The responsible person reviews and approves this information via business requests and items. | The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the business role and location are the bundles for the business requests, and its members are items. The possible decisions for the business requests are generally set to certify or revoke the business role and location membership |
. |
Direct Reports | The Direct Reports recertification |
policy collects access data to validate if the managers and their direct reports are still required for a valid business purpose. |
The information is presented to the responsible person to certify whether a direct report for a particular manager should exist |
. |
Group Membership | The group membership recertification |
policy collects access data to validate whether a group membership for a user is still required for a valid business purpose. |
This information is reviewed and approved by the responsible person who decides whether membership should exist. | The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the group is the |
business requests, and its members are items bundled into the request. The possible decisions are generally set to certify or revoke the group membership. |
Group Owner | The Group Owner membership recertification |
policy collects access data to validate whether an account as a group owner is still required for a valid business purpose. |
This information is reviewed and approved by the responsible person during an Audit who certifies whether an account should own a group |
. |
Group Validity | The Group validity recertification |
policy collects access data to determine whether or not |
a group is still required. Auditors make a decision about whether a group should exist. | In |
the |
case of group validity recertification, the recertification engine bundles the recertification items into business requests as per the |
responsible party assigned. For any item being recertified where its responsible party is |
not assigned, it bundles them into one business request as per the |
fallback assignee. The possible decisions are generally set to certify, disable or delete. |
Management Role Access Assignment | The management role access assignment recertification |
policy collects data to certify access granted to a management role is still required for a valid business purpose. |
In other words, the management role access recertification policy is to certify whether an access grant |
to |
the |
management role should exist. | |
Management Role Membership | The management role membership |
recertification policy generates recertification data to certify whether a user's membership in a management role is still required for a valid business purpose |
. |
For the recertification, a recertification policy is created, a recertification audit is created, and the recertification policy is added to the audit. The audit is compiled, which generates business requests that are sent for approval.
The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the management role is the bundle for the business requests, and its members are items.
The possible decisions are generally set to certify or revoke the management role membership. However, these decisions are configurable.
For more details on creating a management role membership recertification policy, visit the management role membership page.
Management Role Validity | The management role |
In the management role validity recertification process, a responsible person (owner, responsible party, or other designated person) checks the management role and decides whether this management role should continue to exist or not.
For the recertification, a recertification policy is created, a recertification audit is created, and the recertification policy is added to the audit. The audit is compiled, which generates business requests that are sent for approval.
In the case of management role validity recertification, the recertification engine bundles the recertification items into business requests according to the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee.
The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable.
For more details on how to create a management role validity recertification policy, visit the management role validity recertification page.
membership recertification policy generates recertification data to certify whether a management role is still required for a valid business purpose. | |
Person Access Summary | The person access summary policy validates the person with all types of access assignments currently granted to a Person. |
, this policy is to certify if a person should have the access that the person currently possesses. The person access summary recertifies
|
Person Validity | The person validity recertification |
policy determines whether or not the |
Person object is still required. |
In other words, the person validity recertification policy |
certifies whether a |
Person object should exist |
in EmpowerID. | In |
For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then the audit is compiled, which generates business requests that are sent for approval.
Incase of person validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item |
recertified |
whose responsible party is null, it bundles them into one business request as per the |
fallback assignee. The possible decisions for the business requests are generally set as certify, disable, or delete. However, these decisions are configurable. |
If you would like more details on creating a person validity recertification policy, you can visit the person validity recertification page.
Each Recertification policy is targeted or scoped to apply only to specific people, roles, or resources using EmpowerID query-based collections. These are comprised of sets, primarily SQL queries or code-based queries in some cases. These sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people. They can be based on questions written against the EmpowerID identity warehouse or external systems in a customer's environment.
| Tip |
|---|
EmpowerID also supports real-time risk-based recertification of group membership changes as they are detected. This feature can be enabled per Account Store basis and is targeted to monitor only those groups defined in a Query-Based Collection per Account Store. More information is provided in the doc Continuous Group Membership Change Recertifications. |
| Insert excerpt | ||||||
|---|---|---|---|---|---|---|
|
| Insert excerpt | ||||||
|---|---|---|---|---|---|---|
|
...