Recertification policies contain procedures for ensuring that users affirm that they have a genuine, continuous need for a particular resource or membership. The frequency with which users must validate their requirement for a resource or membership is defined by a recertification policy.
EmpowerID recertification policies have the following types.
Recertification Policy Type | Description |
|---|---|
Account validity recertification is a method of determining whether or not accounts are still required. Certain actions must be made if the accounts are no longer required. In other words, an account validity recertification policy is to certify whether an account should exist or not. In the account validity recertification process, a responsible person (manager, responsible party, or other designated person) checks the account of the users and decides whether this account should continue to exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then the audit is compiled, which generates business requests that are sent for approval. In the case of account validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable. For more details on how to create an account validity recertification policy visit the account validity recertification page. | |
The business role and location membership recertification process validates whether the membership of a business role and location is still required for a valid business purpose. Certain actions must be made if the membership is no longer required. In other words, the business role and location membership recertification policy is to certify whether a membership should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the business role and location is the bundle for the business requests and its members are items. The possible decisions for the business requests are generally set to certify or revoke the business role and location membership. However, these decisions are configurable. For more details on how to create a business role and location membership recertification policy visit business role and location membership page. | |
The group membership recertification process validates whether the membership of a group is still required for a valid business purpose. Certain actions must be made if the membership is no longer required. In other words, group membership recertification policy is to certify whether a membership should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the group is the bundle for the business requests and its members are items. The possible decisions are generally set to certify or revoke the group membership. However, these decisions are configurable. For more details on how to create a group membership recertification policy visit group membership recertification page. | |
The group validity recertification is a method of determining whether or not groups are still required. Certain actions must be made if the groups are no longer required. In other words, group validity recertification policy is to certify whether an groups should exist or not. In the group validity recertification process, a responsible person (group owner, responsible party, or other designated person) checks the group and decides whether this group should continue to exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. In case of group validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions are generally set to certify, disable or delete. However, these decisions are configurable. For more details on how to create an group validity recertification policy visit group validity recertification page.
| |
Group Owner | This policy type allows recertification of the inventoried native owners for groups as assigned in their external systems (e.g. Azure Teams owners). |
The management role access assignment recertification process validates whether the access granted to a management role is still required for a valid business purpose. Certain actions must be made if the access is no longer required. In other words, management role access recertification policy is to certify whether an access granted should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the management role is the bundle for the business request and the access already granted are items. For more details on how to create a management role access assignment type recertification policy visit management role access assignement page. | |
The management role membership recertification process validates whether the membership of a management role is still required for a valid business purpose. Certain actions must be made if the membership is no longer required. In other words, management role membership recertification policy is to certify whether a membership should exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the management role is the bundle for the business requests and its members are items. The possible decisions are generally set to certify or revoke the management role membership. However, these decisions are configurable. For more details on how to create a management role membership recertification policy visit management role membership page. | |
The management role validity recertification is a method of determining whether or not management roles are still required. Certain actions must be made if the management roles are no longer required. In other words, management role validity recertification policy is to certify whether a management role should exist or not. In the management role validity recertification process, a responsible person (owner, responsible party, or other designated person) checks the management role and decides whether this management role should continue to exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. In case of management role validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable. For more details on how to create a management role validity recertification policy visit management role validity recertification page. | |
The person validity recertification is a method of determining whether or not the person is still required. Certain actions must be made if the persons are no longer required. In other words, person validity recertification policy is to certify whether a person should exist or not. In the person validity recertification process, a responsible person (manager, responsible party, or other designated person) checks the person and decides whether this person should continue to exist or not. For the recertification, a recertification policy is created, a recertification audit is created, the recertification policy is added to the audit, then audit is compiled, which generates business requests that are sent for approval. In case of person validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable. For more details on how to create a person validity recertification policy visit person validity recertification page. |
Each Recertification policy is targeted or scoped to apply only to specific people, roles, or resources using EmpowerID query-based collections. These are comprised of sets, which are SQL queries primarily or code-based queries in some cases. These sets are re-evaluated by the EmpowerID engine on a scheduled basis and can group collections of people. They can be based on questions written against the EmpowerID identity warehouse or external systems in a customer's environment.
Note: EmpowerID also supports real-time risk-based recertification of group membership changes as they are detected. This feature can be enabled on a per Account Store basis and is targeted to monitor only those groups defined in a Query-Based Collection per Account Store.