A Recertification Policy outlines the procedures an organization follows to review and verify access rights for employees regularly. The policy includes information on who is responsible for conducting the reviews, the specific access rights that will be evaluated, and how the reviews align with the organization's policies and regulations. A recertification audit can have multiple recertification policies associated with it.
We can create recertification policies of different types in the EmpowerID system, which are reusable. For example, we want to certify external partners and members of certain high-risk management roles in an audit. These items are specified in one or more recertification policies and later added to the same audit.
Recertification Overview and Recertification Policy Types docs provide more conceptual information about the policy and audit.
Please follow the instructions below to create a recertification policy.
Create a Recertification Policy
Log in to the EmpowerID.
On the navbar, expand Compliance and select Recertification.
On the Recertification page, select the Recertification Policies tab. Click the + icon to create a new recertification policy.
In the Policy Details form that appears, provide the necessary details and click Save,
Click the Policy Type drop-down and select from the options. EmpowerID provides different policy types that define data snapshots for a particular resource type. More information about the policy types is covered here in the doc Recertification Policy Types.
Fill in the Name, Display Name, and Description fields.
Select Enabled to enable the policy.
Select the appropriate option for Open Item Decision When Audit Is Closed to specify the default decision to make on business requests that are still open (decision pending), but the audit is closed. Suppose an Audit is closed with business request items that have been generated but awaiting a decision. The fulfillment engine will automatically close the items with the selected decision in this option.
Approve: Selecting the decision as "Approve" for an open business request item means that the access being reviewed is valid. The access rights will be granted or retained as they are currently.
Certify: Selecting the decision as "Certify" for an open business request item means that the reviewed access is certified. The access rights will be granted or retained as they are currently.
Convert to JIT: Selecting the decision as "Convert to JIT" for an open business request item in a recertification policy means that the current access will be revoked, but eligibility for the same access will be added as pre-approved. This means that if the user requests the same access from the IAM (Identity and Access Management) shop, it will be granted immediately without needing additional approvals because it has been pre-approved.
Do Nothing: Selecting the decision as "Do Nothing" for an open business request item in a recertification policy means no action will be taken, and the items will remain open.
Revoke: Selecting the decision as "Revoke" for an open business request item in a recertification policy means that the current access will be revoked.
Workflow For Audit Item Close: In scenarios where custom actions need to be performed in external systems when an audit is closed, you can configure the “Workflow for Audit Item Close.” This feature only works when the "Open Item Decision When Audit Is Closed" is set to a value other than "Do Nothing," the fulfillment workflow will apply the default decision provided in the policy and execute the selected workflow. Providing a value for this is optional.
After EmpowerID creates the policy, the view one page appears where you can configure Targets of the Recertification and Item Type Scope (Data). A Recertification Policy is only complete once you add the target and scope.