During recertification, EmpowerID sends requests to managers to certify whether their employees should have access to the resources that they currently have. The managers then recertify or revoke access, and if there are other approval steps, EmpowerID forwards their decisions to the next approver. In inventoried account stores, once the recertification has gone through all of the approval steps, EmpowerID fulfills the decision, updating or revoking access as specified.

However, EmpowerID does not perform inventory on tracking-only account stores directly. Instead, EmpowerID sends the application owner or group owners requests to manually add or remove access for the user accounts and groups. Once the application or group owner fulfills these requests, they mark the requests complete. In situations where access exists in an external system to which EmpowerID is not connected—these systems must be represented in EmpowerID as tracking-only applications—fulfilling recertification decisions is a manual process performed by users delegated that responsibility (generally application or group owners). When this is the case, EmpowerID sends notifications to each owner, assigning them tasks to perform in the external system in accordance with recertification decisions. Once those tasks are completed, EmpowerID updates the account store, user account, and group information within its Identity Warehouse accordingly. We call this process fulfillment.

In the fulfillment process, EmpowerID creates, gets permission for, and tracks the requests, communicating them to the owner. Once the owner fulfills the requests, EmpowerID updates the tracking-only account store.

...