Recertification audits often generate a large amount of data and many different types of business requests. You may not want to recertify all of those types and all of that data every time. Adding an Item Type Scope to a Recertification Policy lets you define what data is collected for recertification, based on the Item Types provided by EmpowerID. For example, suppose you want to recertify a person’s group membership in High-Security Groups only and not in other groups. In that case, you can add an Item Type and choose the Set Group that returns the High-Security Groups.
Always Add Item Type to the Policy: We now follow inclusive configurations to simplify the recertification policies. Audits collect data only for the Item Types added to their policies. If an Audit has a policy with no Item Type, the Audit won’t generate any data or business requests. Previously, the policies supported exclusive configuration, which means the scope of data to collect was predefined, and users were allowed only to exclude types and data.
Item Type Support in Recertification Policies: Not all policies support configuring item types, and the supported types differ based on the Policy. Please find more information about policy types and supported items below in Supported Item Type.
How to add Item Type Scope
Item type scope can be added after you have created a recertification policy.
1. Navigate to Compliance → Recertification and select the Recertification Policies tab.
2. To find the Recertification Policy, type its name in the search textbox and click the search button.
3. Click the link in the Display Name column to open the View One page.
4. Scroll to the bottom of the page, locate the Item Type Scope (Data) section, and click the ➕ Add button to add a new Item Type.
5. Provide the values and click Save to create the Item Type.
   - Select the appropriate Item Type. Item types differ based on the kind of Recertification Policy. Please find more information about policy types and supported items below in Supported Item Type.
   - Select the scope type, which limits the scope of the item type by All, Direct, Location, or SetGroup. The scope type determines where, and which data of the selected Item Type, the Audit collects.
One recertification policy can have multiple Item Types. Please follow the same procedure to add other Item Types to the recertification policy.
Supported Item Type
The supported item types for the policy types are listed here, along with their description.
Policy Type | Supported Item Type | Description |
---|---|---|
Business Role And Location Membership | Group Business Role and Location direct member | Add this type to include all groups that are directly assigned to Business Roles and Locations. The scope doesn’t include any groups that inherited the membership from Management Role or OrgZone. |
Business Role And Location Membership | Management Role Business Role and Location direct member | This Item Type includes all Management Roles assigned directly to a Management Role, Business Role, and Location. This Item Type doesn’t include any Management Roles that are inherited. |
Business Role And Location Membership | Person Business Role and Location direct member | Add this type to include persons who were directly assigned to Business Roles and Locations. The scope doesn’t include any member who inherited the membership from Management Role or location. |
Business Role And Location Membership | Set Group Business Role and Location direct member | This Item Type includes all Set Groups assigned directly to the Business Role and Location. |
Direct Reports | Direct Reports | Add this type to include all direct reports. |
Group Membership | Account Group direct member | This Item Type includes all accounts that were directly assigned to a Group. |
Group Membership | Business Role and Location Group direct member | Add this type to include Business Roles and Locations that were directly assigned to a Group. |
Group Membership | Group direct member | This Item Type includes all Groups that were assigned to another group directly. |
Group Membership | Management Role Definition Group direct member | Add this type to include all Management Role Definitions that were directly assigned to a Group. |
Group Membership | Management Role Group direct member | Add this type to include all Management Roles that were directly assigned to the Group. |
Group Membership | Person Group direct member | Add this type to include all Persons that were directly assigned to the Group. |
Group Membership | Set Group Group direct member | This Item Type includes all Set Groups that were directly assigned to the Group. |
Group Owner | Account Group native owner | Add this type to include all accounts that were directly assigned as Group Native Owner. |
Management Role Access Assignment | Management Role Access Assignment | This Item Type includes all the current members of a management role, including people, group, and business role and location. |
Management Role Membership | Business Role and Location Management Role direct member | Add this type to include all Business Roles and Locations that were directly assigned to a Management Role. |
Management Role Membership | Group Management Role direct member | This Item Type includes all Groups directly assigned to the Management Role. |
Management Role Membership | Person Management Role direct member | Add this type to include all Persons directly assigned to the Management Role. |
Management Role Membership | Set Group Management Role direct member | This Item Type includes all Set Groups directly assigned to the Management Role. |
Person Access Summary | Direct Business Role Location | Add this type to include all persons directly assigned to the Business Role or Location. |
Person Access Summary | Group Membership | Add this type to include all persons directly added to any Group. |
Person Access Summary | Group Ownership | Add this type to include all persons directly added as a Group Owner. |
Person Access Summary | Management Role Membership | Add this type to include all persons directly added to a Management Role. |
Person Access Summary | Person Account Ownership | Add this type to include all persons who were directly assigned an account. |
Person Access Summary | Person Direct RBAC Delegation | Add this type to include persons who were granted direct RBAC delegation. |
Person Access Summary | Person Location RBAC Delegation | Add this type to include persons who were granted direct Location RBAC delegation. |
Person Access Summary | Person Relative RBAC Delegation | Add this type to include persons who were granted Relative RBAC delegation. |