EmpowerID offers several types of Recertification policies for configuring the specific access recertification requirements for users. These policies determine the type of access recertification to be performed. During the recertification process, EmpowerID generates business requests that ask auditors to recertify the access. Each access is a business request item that needs to be certified, and the way the items are bundled into a single request depends on the policy type. For example, the Group Membership policy focuses on recertifying a user's group membership, while the Group Validity policy verifies the ongoing validity of a group.

The table below explains the various types of policies and the logic of grouping business request items into a single request.

Key Information

  • In access recertification, the responsible party and fallback assignee are crucial roles. The responsible party is responsible for managing and maintaining IT resources. This role can be reported on and used during the termination/leaver process to maintain and transfer governance oversight. It can also be included in compliance and recertification policies. You can configure the responsible party by following the instructions provided here. The fallback assignee is specified when an audit is created and serves as the default assignee for recertification requests for that specific audit.

  • If the default decisions provided by EmpowerID are not enough and you want more options, you can configure additional decisions. For more information on this, refer to the Configure Custom Decision for Business Requests topic.

Columns: Type, Purpose, Business Requests and Decisions

Account Validity

The Account Validity Recertification policy is designed to collect and present information about all the accounts owned by users, making it easier for auditors to review and determine which accounts are still necessary and should be certified. This policy is crucial in ensuring that only valid accounts exist in an organization in compliance with regulatory requirements.

By using the Account Validity recertification policy, organizations can verify that user accounts are still required and actively being used. This helps in the elimination of redundant or outdated accounts, which could pose a security risk.

The recertification engine in EmpowerID bundles the recertification items into a business request based on the Responsible Party assigned to each account. If no Responsible Party is assigned to an account, the engine will attempt to set the account's manager as the Responsible Party and group the recertification items accordingly. In cases where an account does not have a Responsible Party or a manager, the engine groups the accounts into business requests based on the Fallback Group By Assignee.

During the recertification process, auditors have the option to make decisions such as certifying, disabling, or deleting on the business requests generated by the engine.

Business Role and Location Membership

The Business Role and Location Membership Recertification policy serves to certify a user's membership in a specific Business Role and Location. Auditors review the membership information provided by this policy to determine whether a person's membership is still necessary and should be certified. By doing so, this policy helps organizations ensure that only valid individuals are members of the relevant Business Role and Location.

By using the Business Role and Location Membership Recertification policy, organizations can verify that individuals continue to require access to specific Business Roles and Locations. This helps in eliminating access to those who no longer require it, reducing the risk of unauthorized access.

In the Business Role and Location Membership policy, the recertification engine groups recertification items into business requests based on the object itself. In this case, the target Business Role and Location serves as the bundle for the business request, with the members of the Business Role and Location being the items that require recertification.

Possible decisions for the auditors during the recertification process for Business Role and Location memberships are to either certify or revoke them.

Direct Reports

The Direct Reports Recertification policy is designed to collect and present information about managers and their direct reports, making it easier for auditors to review and determine if the reporting structure is correct and should be certified. This policy is crucial in ensuring that each user reports to the appropriate person in compliance with regulatory requirements.

In the Direct Reports policy, the recertification engine bundles the recertification items into business requests based on the object itself. This means that in this policy, the managers serve as the bundles for the business requests, and the users reporting to the managers are the individual items that require recertification.

Group Membership

The Group Membership policy is intended to certify a user's membership in a specific group. Auditors review the membership information provided by this policy to determine whether a person's membership is still necessary and should be certified. By doing so, this policy helps organizations ensure that only valid individuals are members of the group.

In the Group Membership policy, the recertification engine bundles the recertification items into business requests based on the object itself. This means that in this policy, the group itself serves as the business request, while its members are the items that are bundled into the request.

During the recertification process, auditors typically have the option to make decisions such as certify or revoke the group membership.

Group Owner

The Group Owner recertification policy collects and presents information to recertify whether an account should continue to serve as a group owner. Auditors review the information provided by this policy to determine whether an account should continue to own a group. This policy type allows for the recertification of the inventoried native owners for groups as assigned in their external systems, such as Azure Teams owners.

In the Group Owner policy, the recertification engine bundles the recertification items into business requests based on the object itself. As a result, in this policy, the group owner serves as the bundle for the business requests, with the groups owned by the group owner being the individual items that require recertification.

Group Validity

The Group Validity policy serves to determine whether or not a group is still necessary and should continue to exist. Auditors review the membership information provided by this policy to determine whether the group's existence is valid in terms of compliance and should be certified. This policy is crucial in ensuring that only valid groups continue to exist in the organization.

The recertification engine groups recertification items into a business request based on the Responsible Party assigned to each group in the Group Validity policy. If a group has no Responsible Party assigned, the engine groups the items by Fallback Group By Assignee.

During the recertification process for Group Validity, auditors can make decisions such as certify, disable, or delete the group.

Management Role Access Assignment

The Management Role Access Assignment policy collects and presents access information to recertify whether the current Resource Roles assigned to a Management Role are still necessary. Auditors review the information provided by this policy to determine whether people's access to resources by their assignment to the Management Role complies with organization policies.

In the Management Role Access Assignment policy, the recertification engine groups recertification items into business requests based on the object itself, which means that the Management Role is used as the bundle for the business requests. Within each bundle, the Resource Roles assigned to the Management Role are the individual items that require recertification.

Management Role Membership

The Management Role Membership policy serves to certify a user's membership in a specific Management Role. Auditors review the membership information provided by this policy to determine whether a person's membership is still necessary and should be certified. This policy is crucial in ensuring that only valid individuals are members of the Management Role.

By using the Management Role Membership policy, organizations can verify that individuals continue to require membership in the specific Management Role. This helps in eliminating membership to those who no longer require it, reducing the risk of unauthorized access.

In the Management Role Membership policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, in this policy, the Management Role is the bundle for the business requests, and its members are the items.

Possible decisions for auditors during the recertification process are typically set to certify or revoke the Management Role membership.

Management Role Validity

The Management Role Validity policy is designed to collect and present information about a Management Role to determine whether it is still necessary and should continue to exist. Auditors review the information provided by this policy to determine whether the Management Role's existence is valid in terms of compliance and should be certified.

By using the Management Role Validity policy, organizations can verify that only necessary Management Roles continue to exist, reducing the risk of outdated or redundant Management Roles.

The recertification engine groups recertification items into a business request based on the Responsible Party assigned to each Management Role. If the Management Role has no Responsible Party assigned, the engine groups the Management Role items by Fallback Group By Assignee.

During the recertification process, auditors have the option to make decisions such as certify, disable, or delete for the recertification items.

Person Access Summary

The Person Access Summary policy is designed to recertify all access assignments currently granted to a Person. Auditors review the person's access, the level of access granted, and any special privileges or permissions they may have, and certify it. This policy helps organizations ensure that individuals only have the necessary permissions.

The Person Access Summary policy recertifies:

  • All RBAC assignments, including direct, relative, and by-location assignments

  • Direct Business Role and Location assignments

  • Group memberships, including those of their accounts and those granted by RBAC assignments

  • Any Management Role memberships

  • Account and group ownership.

In the Person Access Summary policy, the recertification engine bundles the recertification items into business requests based on the object itself. Therefore, in this policy, the Person is the business request bundle, and each access assignment the user has is the business request item.

Possible decisions for business requests are typically set as certify, disable, or delete.

Person Validity

The Person Validity policy is designed to collect and present information about a Person object in EmpowerID to determine whether it is still necessary and should continue to exist. Auditors review the information provided by this policy to determine whether the person's existence is valid in terms of compliance and should be certified. Additionally, the policy helps ensure that the person has appropriate access to IT resources.

By using the Person Validity policy, organizations can verify that only necessary persons continue to exist in EmpowerID.

The Recertification engine groups recertification items into a business request based on the Responsible Party assigned to each item or person. If a person has no Responsible Party assigned, the engine attempts to set the person's Manager as the Responsible Party and groups the recertification items accordingly. In cases where neither Responsible Party nor Manager is assigned, the engine groups the person objects into business requests based on the Fallback Assignee.

Possible decisions for business requests are typically set as certify, disable, or delete. However, these decisions are configurable.
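The bundling rules described above (Responsible Party, then manager for Account and Person Validity, then the audit's fallback assignee for the validity policies; the target object itself for the membership-style policies) and the default decision sets per policy, worked through as an added example. This is illustrative code written for this page, not EmpowerID's engine; the policy names come from the table, while the item dictionaries, assignee identifiers and the two lookup tables are constructed assumptions.

```python
from collections import defaultdict

# Bundling rules from the page (constructed lookup, not an EmpowerID API).
# Validity policies bundle by Responsible Party; Account and Person Validity
# first try the manager; all fall back to the audit's fallback assignee.
# Every other policy type bundles by the target object itself.
MANAGER_FALLBACK = {"Account Validity", "Person Validity"}
VALIDITY_POLICIES = MANAGER_FALLBACK | {"Group Validity", "Management Role Validity"}

# Default decisions the page lists per policy; custom decisions may extend these.
POLICY_DECISIONS = {p: frozenset({"certify", "disable", "delete"})
                    for p in VALIDITY_POLICIES | {"Person Access Summary"}}
POLICY_DECISIONS.update({p: frozenset({"certify", "revoke"}) for p in (
    "Business Role and Location Membership", "Group Membership",
    "Management Role Membership")})

def bundle_items(policy, items, fallback_assignee):
    """Group recertification items into business requests, keyed by bundle.

    Each item is a dict with "id", "target" (the object it belongs to) and,
    for validity policies, optional "responsible_party" and "manager".
    """
    requests = defaultdict(list)
    for item in items:
        if policy in VALIDITY_POLICIES:
            key = item.get("responsible_party")
            if key is None and policy in MANAGER_FALLBACK:
                key = item.get("manager")
            if key is None:
                key = fallback_assignee
        else:
            key = item["target"]
        requests[key].append(item["id"])
    return dict(requests)

def is_allowed_decision(policy, decision):
    """True if the decision is one of the page's default decisions for the policy."""
    return decision in POLICY_DECISIONS.get(policy, frozenset())

# Constructed sample data: accounts with differing ownership, and group members.
SAMPLE_ACCOUNTS = [
    {"id": "acct-1", "target": "alice", "responsible_party": "rp-it", "manager": "mgr-1"},
    {"id": "acct-2", "target": "bob", "responsible_party": None, "manager": "mgr-1"},
    {"id": "acct-3", "target": "svc-backup", "responsible_party": None, "manager": None},
]
SAMPLE_MEMBERSHIPS = [
    {"id": "mem-1", "target": "grp-finance"},
    {"id": "mem-2", "target": "grp-finance"},
    {"id": "mem-3", "target": "grp-hr"},
]

if __name__ == "__main__":
    print(bundle_items("Account Validity", SAMPLE_ACCOUNTS, "audit-fallback"))
    print(bundle_items("Group Membership", SAMPLE_MEMBERSHIPS, "audit-fallback"))
```

Running the same accounts through "Group Validity" shows the difference the manager fallback makes: acct-2 lands with the fallback assignee instead of mgr-1.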

Tip

EmpowerID also offers a real-time risk-based recertification feature that enables monitoring of group membership changes as they occur. This feature can be enabled on a per Account Store basis and is designed to monitor only those groups that are defined in a Query-Based Collection per Account Store.

For more detailed information on this feature, please see Continuous Group Membership Change Recertifications.

...