You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Continuous Group Membership Change Recertifications

In today's digital age, the growing number of apps and systems can make managing group memberships complex. This is especially challenging for security groups, which provide administrative access to IT systems and resources. For these groups, maintaining transparency in terms of who has access and who grants this access is vital for all security stakeholders.

To address this challenge, EmpowerID offers an advanced solution. Its sophisticated reporting and dashboard features provide comprehensive visibility into group management. These tools allow organizations to easily track the number of groups within each system, identify the members of each group, and understand the level of access granted to each member.

However, while this information is readily available and auditable, it can occasionally be overlooked. To help organizations stay on top of their group management, EmpowerID provides a feature known as "Continuous Group Membership Recertification."

In EmpowerID, if SetGroup is not specified, and recertification is enabled for the account store, Recertification tasks are automatically generated for all security groups in that account store.

When enabled for a connected system, this feature generates recertification tasks for members of a specified security group whose membership has not been certified within a certain timeframe. These tasks are then sent to the relevant stakeholders for review and can be approved or rejected based on the organization's requirements.

If recertification is rejected, EmpowerID promptly removes the rejected account from the group. On the other hand, if the recertification is approved, EmpowerID records the approval date and schedules the next recertification accordingly.

By providing these features, EmpowerID ensures that your group memberships are always accurately managed and up-to-date, enhancing your organization's overall security and efficiency.

 

A high-level overview of Continuous Group Recertification Process

 

Components of Continuous Group Membership Recertification

The Continuous Group Membership Recertification feature of EmpowerID includes the components shown in the table below.

Component

Description

Component

Description

Account Store

When you connect EmpowerID to an external system or application, EmpowerID creates an account store for that system. Account stores have properties and settings that allow you to specify how you want EmpowerID to manage the user and group information in that system. For Continuous Group Membership Reconciliation, the relevant settings include:

  • Recertify External Group Membership Additions as Detected

    • This specifies whether external group memberships should be recertified. If set to true, EmpowerID creates recertification tasks for those groups.

  • SetGroup Of Groups to Monitor for Real-Time Recertification

    • This specifies the SetGroup containing the groups in the account store to be included in recertification. When set, this allows you to target a specific subset of security groups. If a SetGroup is not specified and recertification is enabled for the account store, EmpowerID creates Recertification tasks for all security groups in the account store.

Permanent Workflow – Continuous Group Membership Recertification

A permanent workflow is a workflow that when enabled runs once every X minutes to process X amount of objects targeted by the workflow. The default settings for the Continuous Group Membership permanent workflow is to process 1000 group memberships every 10 minutes. These settings can be edited as needed.

Request Workflow – Continuous Recertification

In the EmpowerID model, users never directly interact with a workflow; rather, they interact with what is known as a request workflow. A request workflow is one of the resource types registered in the EmpowerID Identity Warehouse that is related to resource acquisition and management. A specific request workflow is an Identity Warehouse resource record corresponding to an EmpowerID workflow that is used to control who may interact with the workflow. Request workflows often have configurable workflow parameters that pass input data to the workflow to process as it executes its code. In the case of the Continuous Certification workflow, these parameters include the following:

  • Days

    • Integer that specifies the number of days after which new Recertification tasks are created for previously certified group memberships. The default setting is 10 days.

  • BusinessRequestTypeID

    • Business Request Type for the Business Requests generated for group changes.

  • BusinessRequestItemTypeActionID - the Business Request Item Type Action of the group membership recertification items.

Â