The JIT recertification flow simplifies the handling of recertification events that occur due to changes in resources or policies, without requiring a recertification audit. Recertification may be necessary, for example, when a person changes departments and their group memberships or management role assignments need to be verified. Previously, the only option in such scenarios was to create an audit; now, the flow item can trigger the creation of a business request to recertify the resource without the need for a complete audit.
The JIT recertification flow item is tied to a recertification policy that can define which type of data should be certified when the flow item is triggered. To modify the just-in-time (JIT) recertification process, configure or change the JIT recertification flow item. This lets you customize the process by adjusting configurations such as Item Type Action, Recertification Policy, and Approval Fulfillment Workflow. Before making any changes, consider the information provided in the Key Information section below.
Key Information
When choosing a recertification policy, ensure that it applies to all resources, not just a single one. For example, a policy that only targets a particular person is ineffective, because the event won't generate a recertification for another person in the same flow event. The target of the policy tied to the recertification flow item must therefore include all possible resources. Typically, special recertification policies are created for the JIT recertification flow item; these are usually shipped with the product and should not be included in other normal audits. If you want to change the default policy, make sure you meet the requirements discussed here.
Recertification Policy: Recertification policies determine the type of access information that needs to be reviewed and validated for each user.
Target: Recertification targets configure who/what to recertify. Targets are added to the policy.
Item Scope Type: Item Type Scope will determine which data/access the policy will recertify. Targets are added to the policy.
Configure the JIT Recertification Flow Item
Log in to EmpowerID with the necessary permissions.
On the navbar, expand Low Code/No Code Workflow and No Code Flows.
Click on the Flow Items Activities tab to view a list of flow item activities in the system.
Type "Just in Time Person Access Summary Recertification" in the search box and click search. Then, click on the icon to view the details of the recertification flow item.
The details view shows additional information such as the Item Type Action, Scope Type, and Threshold. The action type for this particular flow item is Just-in-Time Person Access Summary Recertification, which we'll explore further. To customize the flow item to match your needs, provide appropriate values for the form fields outlined below.
Field: Description
Item Type Action: Choose the Item Type Action. Item Type Actions represent actions that can occur against an item.
Scope Type: To specify the resource items that the flow item should target, select a scope. Scopes are boundaries and criteria that help to select resources. For instance, you can define a scope type "all non-RBAC group accounts for person" that selects group accounts associated with a person which are not bound by Role-Based Access Control (RBAC).
Item Collection Filter: Provide a SQL WHERE clause to filter the items returned by the scope type. This WHERE clause will be appended to the Item Collection Query of the Scope Type.
Threshold Item Count: You can set a threshold to limit the number of business request items to be created. If the number of business request items exceeds the threshold, the business request item generation is treated as an "Over Threshold Switch" item type request.
Over Threshold Switch to Item: When the number of business request items exceeds the previously specified threshold count, the system creates an item based on the "Over Threshold Switch to Item" setting instead of generating business request items. Usually, this item will be a bulk action item, such as deleting all management roles and group memberships or removing all SAP group memberships.
Name: Provide a unique and descriptive identifier for the.
Display Name: Provide a user-friendly label or "Display Name" that appears in the application's user interface representing the flow item.
Description: Provide a brief explanation of the flow item.
Fulfillment WF JSON: Provide a JSON containing custom data to pass on to the fulfillment workflow. This may include information such as ServiceNow ticket numbers or target persons.
Click on the Item Type Actions tab to view the item type actions.
Type "Just in Time Person Access Summary Recertification" in the search box and click search. Click on the icon to open the details for the item type action.
You can find details of the Item Type action, including fulfillment workflows and approval policy. The default workflow for the Approval Fulfillment WF is FWPersonJITRecertification. You can customize the approval policy and fulfillment workflows to suit your requirements. Ensure that they fulfill their intended purpose. Details regarding the form fields are outlined below for your reference.
Field: Description
Item Type: Select the Item Type. Item Types are the individual resources that can be requested.
Name: Provide a unique and descriptive identifier for the Item Type.
Display Name: Provide a user-friendly label or "Display Name" that appears in the application's user interface.
Locale Key Unique Name: Provide the locale key for the name.
Usage Description: Provide a brief explanation of the item type action.
Locale Key for Description: Provide the locale key name for the description.
Approval Fulfillment WF: Choose a fulfillment workflow for approval. This workflow will handle all necessary actions once the business request item is approved.
Rejection Fulfillment WF: Select a workflow to execute when the business request item is not approved.
Fulfillment Delay: Indicate the delay in hours for the fulfillment workflow to run upon approval or rejection.
Approval Policy: Select the approval policy for the item type. This policy applies when there is a JIT recertification Business Request with one or more resource items; approval flow policies manage the necessary approval steps before granting access.
Category For External ITSM: Provide the category for external ITSM.
ByPassGlobal Approval: Specifies whether the system should bypass the global approval policy. This setting is selected by default.
Click FWPersonJITRecertification to open the View One page for the workflow. View One pages are designed to facilitate the viewing and managing of the corresponding objects in EmpowerID.
Locate the Request Workflow Parameters tab and click on the icon.
Provide the appropriate value for the Target Attestation Policy ID, which is the recertification policy ID, and click Save. When assigning a new value to the recertification policy, ensure that you have either created a new policy or used a shipping policy type that applies to all resources for effective recertification. Additionally, the policy tied to the recertification flow item must include all possible resources as its target. Take into consideration the key information mentioned earlier.
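The following added example is a simplified model, not EmpowerID code, of two behaviors described above: the Key Information requirement that the policy target include everyone, and the Threshold Item Count switch to a single bulk item. The Policy class, function names, person names, and item names are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    """Hypothetical stand-in for a recertification policy and its target."""
    name: str
    target_people: Optional[FrozenSet[str]]  # None = target includes all people

    def covers(self, person: str) -> bool:
        return self.target_people is None or person in self.target_people


def plan_request(person: str, scoped_items: List[str], policy: Policy,
                 threshold: int, switch_item: str) -> dict:
    """Model what one JIT recertification event produces for one person."""
    if not policy.covers(person):
        # Key Information failure mode: the event yields no recertification.
        return {"person": person, "outcome": "not_covered", "items": []}
    if len(scoped_items) > threshold:
        # Over threshold: a single bulk item replaces the per-resource items.
        return {"person": person, "outcome": "over_threshold", "items": [switch_item]}
    return {"person": person, "outcome": "per_item", "items": list(scoped_items)}


def uncovered_people(events: dict, policy: Policy) -> List[str]:
    """People whose events would silently produce no recertification."""
    return sorted(p for p in events if not policy.covers(p))


# Constructed sample events: person -> access items returned by the scope type.
EVENTS = {
    "alice": ["grp-finance", "grp-vpn"],
    "bob": ["grp-sap-%d" % i for i in range(12)],
}
NARROW = Policy("single-person policy", frozenset({"alice"}))
ALL = Policy("all-people policy", None)

if __name__ == "__main__":
    for policy in (NARROW, ALL):
        print(policy.name, "-> uncovered:", uncovered_people(EVENTS, policy))
        for person, items in EVENTS.items():
            plan = plan_request(person, items, policy, threshold=10,
                                switch_item="remove-all-group-memberships")
            print("  ", plan["person"], plan["outcome"], len(plan["items"]))
```

With the narrowly targeted policy, the event for the second person produces nothing at all, which is the gap to check for before replacing the default policy.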