You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Skip to end of banner
Go to start of banner

Recertification Policy Types

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

EmpowerID provides various policy types for recertification audits that determine the type of access recertification to be performed. The policy outlines the information to be evaluated regarding individuals' rights and access rights. During the recertification process, EmpowerID generates business requests that ask auditors to recertify the access. Each access is a business request item that needs to be certified, and the way the items are bundled into a single request depends on the policy type.

Type

Purpose

Business Requests & Decesions

Account Validity

Account Validity recertification policy is a method of determining whether a user accounts is still required and must be certified. The Account Validity recertification policy collects all access of the user's account and presents it to a responsible person (manager, responsible party, or other designated person) to decide whether this account should continue to exist.

The recertification engine in EmpowerID bundles the recertification items into business requests based on the responsible party assigned to each item. If an item being recertified has no responsible party, it is bundled into one business request based on the fall-back assignee.

The possible decisions for the business requests for generated during the recertification process are typically set as certify, disable, or delete.

Business Role and Location Membership

The business role and location membership recertification policy checks if a user's access to a specific business role and location is still needed for valid business reasons. This information is reviewed and approved by the responsible person.

The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the business role and location are the bundles for the business requests, and its members are items.

Direct Reports

The Direct Reports recertification policy collects access data to validate if the managers and their direct reports are still required for a valid business purpose. The information is presented to responsible certify whether a direct report for a particular manager should exist or not.

Group Membership

The group membership recertification policy collects access data to validate whether the membership of a group for a user is still required for a valid business purpose. This information is reviewed and approved by the responsible person who decide certify whether membership should exist or not.

The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the group is the bundle for the business requests, and its members are items.

The possible decisions are generally set to certify or revoke the group membership.

Group Owner

The Group Owner membership recertification policy collects access data to validate whether an account as a group owner is still required for a valid business purpose. This information is reviewed and approved by the responsible person during an Audit who certifies whether an account should own a group.

Group Validity

The Group validity recertification policy collects access data to determine whether or not groups are still required. Auditors make a decision about whether a group should exist.

In the case of group validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee. The possible decisions are generally set to certify, disable or delete.

Management Role Access Assignment

The management role access assignment recertification policy collects data to certify if a management role is still required for valid business purpose. In other words, the management role access recertification policy is to certify whether an access grant should exist.

The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the management role is the bundle for the business request, and the access already granted is items.

Management Role Membership

The management role membership recertification policy generates recertification data to certify whether a user’s membership of a management role is still required for a valid business purpose.

The engine bundles the recertification items into business requests based on the object itself. Therefore, in this case, the management role is the bundle for the business requests, and its members are items.

Management Role Validity

In the management role validity recertification policy , a responsible person (owner, responsible party, or other designated person) checks the management role and decides whether this management role should continue to exist or not.

In the case of management role validity recertification, the recertification engine bundles the recertification items into business requests according to the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee.

The possible decisions for the business requests are generally set as certify, disable or delete.

Person Access Summary

The person access summary policy validates the person with all types of access assignments currently granted to a Person. Simply, this policy is to certify if a person should have the access that the person currently possesses.

The person access summary recertifies

  • All RBAC assignments, including direct, relative, and by-location assignments

  • Direct Business Role and Location assignments

  • Any group memberships, including those on their accounts and those granted through RBAC

  • Any Management Role memberships

  • Account and group ownership

Person Validity

The person validity recertification is a method of determining whether or not the person is still required. Certain actions must be made if the persons are no longer required. In other words, the person validity recertification policy is to certify whether a person should exist or not.

In case of person validity recertification, the recertification engine bundles the recertification items into business requests as per the responsible party assigned. For any item being recertified where its responsible party is null, it bundles them into one business request as per the fall-back assignee.

The possible decisions for the business requests are generally set as certify, disable or delete. However, these decisions are configurable.

EmpowerID also supports real-time risk-based recertification of group membership changes as they are detected. This feature can be enabled per Account Store basis and is targeted to monitor only those groups defined in a Query-Based Collection per Account Store. More information is provided in the doc Continuous Group Membership Change Recertifications

  • No labels