Versions Compared

Old Version 6

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version Current

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Recertification policies are policies that you add to audits to generate recertification review tasks for the access assignments given to people, roles, groups and Query-Based collections. Once you create an a Recertification policy, you then scope the policy by adding targets to it, such as a specific Business Role and Location or group, to itGroup.

Tipinfo

EmpowerID provides a number of Recertification policies that you can use out of the box. Each of theses policies creates snapshots of data for a particular resource type. You can use these policies as a starting point or create your own.

...

  • Access for Active People (Logged in Last 90 Days)

...

  • For certifying the EmpowerID access assignments for all people who logged in during the last 90 days.

  • All Access Assignments for Shared Folders flagged as Audit

...

  •  — For certifying shared folder access.

  • Certify Access Assignments for Resource Mailboxes

...

  •  — For certifying access to resource mailboxes.

  • Direct Reports Recertification - All People Logged in Last 90 Days

...

  •  — For managers to recertify any direct reports who have logged in within the last 90 days.

  • Mailbox Permissions

...

  •  — For certifying mailbox permissions.

  • Management Role Access

...

  •  — For certifying the access granted to Management Roles

...

  • Person Access Summary for People Logged in Last 90 Days

...

  •  — For certifying the access of all people who have logged in within the last 90 days.

  • Person Direct Entitlements

...

  •  — For managers to certify or revoke the access of their direct reports.

  • SharePoint Group Access Assignments

...

  •  — All EmpowerID access assignments for SharePoint groups.

...

Create a Recertification Policy

  1. Log in to the EmpowerID Web application as an auditor or other person with the ability to configure audits.

  2. From

    On the

    navigation sidebar

    navbar,

    expand 

    expand Compliance

     

    Management and

    click 

    click Audit Configuration.

  3. From the Audit Configuration page, click the Actions tab and then click 

    On the Actions tab, click Create Recertification Policy.

    Image RemovedImage Added


  4. In the

     

    Policy Details

     

    form that appears,

    select

    click the

    appropriate policy type from the 

    Policy Type

     drop

    drop-down

    . When selecting policy types, you have

    and select from the following options to create a snapshot of the policy type's data:

    Type the appropriate information for the Recertification policy in the Name, Display Name and Description 

    • Assignee Granted Security

      — This Recertification policy type creates a snapshot of the

       — Access Level Assignments and Management Role assignments granted to an assignee as an actor

      .

    • Direct Reports

      — This Recertification policy type creates a snapshot of

       — who reports to whom

      .

    • Exchange Mailbox Permissions

      — This Recertification policy type creates a snapshot of

       — who currently has what type of access to a given Exchange mailbox

      .

    • Folder Permissions

      — This Recertification policy type creates a snapshot of

       — who currently has what type of access to a given Windows folder

      .

    • Group Membership

      — This Recertification policy type creates a snapshot of

       — who currently has membership in a given group

      .

    • Management Role Membership

      — This Recertification policy type creates a snapshot of

       — current assignees of a Management Role

      .

    • Person Access Summary

      — This Recertification policy type creates a snapshot of all of the

       — all access assignments currently granted to a Person,

      and includes the following

      including:

      • All RBAC assignments, including direct, relative, and by-location assignments

      • Business Role and Location assignments

      • Any group memberships, including those on their accounts and those granted through RBAC

      • Any Management Role memberships

      • Account and group ownership

      • Any native permissions, such as NTFS permissions for shared folders and Exchange mailbox permissions

        /acls

        or ACLs

    • Person Direct Entitlements

      — This Recertification policy type snapshots the

       — current access granted to people

      and

      (also creates recertification tasks for the managers of each person targeted by the policy

      .

      )

    • Resource Granted Security

      — This Recertification policy type creates a snapshot of

       — who currently has access to any given resource object for which the policy is created

      .
  5. In our example, we are selecting Person Direct Entitlements.

  7. Fill in the Name, Display Name and Description fields.

  8. Select Enabled

     

    to enable the policy.

  9. Click

     

    Save. 

    Image Added


After EmpowerID creates the policy,

...

a Target

...

grid appears on the Policy Details page. This grid allows you to add and remove Recertification targets to and from the policy. Recertification targets allow you to scope the Recertification policy to the specific IT objects you want to audit

...

. They can include multiple EmpowerID Actor types, including individual resources, people, roles, locations, groups and Query-based Collections (SetGroups). This is demonstrated in

...

the Adding Targets to Recertification Policies

...

topic.


...

Next Steps

Add a target to the recertification policy

Create an audit

Add recertification policy to an audit