The increasing number of apps and systems, across both the cloud and on-premise, can make it a challenge to effectively manage group memberships. As security groups often grant administrative access to organizational IT systems and resources, it is important that the membership of those groups be transparent to group owners, administrators, and other security stakeholders. EmpowerID brings intelligence and in-depth visibility to managing your groups through reporting and dashboards. You can quickly see how many groups your organization has within each system, who belongs to them, and the amount of access those groups grant their members. While this information is immediate and auditable, it can be overlooked. To help you stay on top of your groups, EmpowerID includes a “Continuous Group Membership Recertification” feature that you can enable for each of your connected systems. When enabled, EmpowerID generates recertification tasks for each member of a specified security group whose membership has not been certified within the last “X” number of days. Tasks are sent to the appropriate stakeholders, where they can be reviewed and approved or rejected as needed. If recertification is rejected, EmpowerID removes each rejected account from the group. If recertification is approved, EmpowerID stamps the approved group memberships with the approval date and recycles those memberships for recertification again at the specified date. This ensures that your group membership always remains what it should be. Figure 1 below shows this process from a high level.
Components of Continuous Group Membership Recertification
The Continuous Group Membership Recertification feature of EmpowerID includes the components shown in the below table.
Component | Description |
---|---|
Account Store | When you connect EmpowerID to an external system or application, EmpowerID creates an account store for that system. Account stores have properties and settings that allow you to specify how you want EmpowerID to manage the user and group information in that system. For Continuous Group Membership Reconciliation, the relevant settings include:
|
Permanent Workflow – Continuous Group Membership Recertification | A permanent workflow is a workflow that when enabled runs once every X minutes to process X amount of objects targeted by the workflow. The default settings for the Continuous Group Membership permanent workflow is to process 1000 group memberships every 10 minutes. These settings can be edited as needed. |
Request Workflow – Continuous Recertification | In the EmpowerID model, users never directly interact with a workflow; rather, they interact with what is known as a request workflow. A request workflow is one of the resource types registered in the EmpowerID Identity Warehouse that is related to resource acquisition and management. A specific request workflow is an Identity Warehouse resource record corresponding to an EmpowerID workflow that is used to control who may interact with the workflow. Request workflows often have configurable workflow parameters that pass input data to the workflow to process as it executes its code. In the case of the Continuous Certification workflow, these parameters include the following:
|