Creating Audit Recertification Policies
Recertification policies are policies that you add to audits to generate recertification review tasks for the access assignments given to people, roles, groups and Query-Based collections. Once you create an Recertification policy, you then scope the policy by adding targets, such as a specific Business Role and Location or group, to it.
EmpowerID provides a number of Recertification policies that you can use out of the box. Each of theses policies creates snapshots of data for a particular resource type. You can use these policies as a starting point or create your own.
Policy | Usage |
---|---|
Access for Active People (Logged in Last 90 Days) | For certifying the EmpowerID access assignments for all people who logged in during the last 90 days. |
All Access Assignments for Shared Folders flagged as Audit | For certifying shared folder access. |
Certify Access Assignments for Resource Mailboxes | For certifying access to resource mailboxes. |
Direct Reports Recertification - All People Logged in Last 90 Days | For managers to recertify any direct reports who have logged in within the last 90 days. |
Mailbox Permissions | For certifying mailbox permissions. |
Management Role Access | For certifying the access granted to Management Roles. |
Person Access Summary for People Logged in Last 90 Days | For certifying the access of all people who have logged in within the last 90 days. |
Person Direct Entitlements | For managers to certify or revoke the access of their direct reports. |
SharePoint Group Access Assignments | All EmpowerID access assignments for SharePoint groups. |
To create a Recertification Policy
- Log in to the EmpowerID Web application as an auditor or other person with the ability to configure audits.
- From the navigation sidebar, expand For Auditors and click Audit Configuration.
- From the Audit Configuration page, click the Actions tab and then click Create Recertification Policy.
- In the Policy Details form that appears, select the appropriate policy type from the Policy Type drop-down. When selecting policy types, you have the following options:
- Assignee Granted Security — This Recertification policy type creates a snapshot of the Access Level Assignments and Management Role assignments granted to an assignee as an actor.
- Direct Reports — This Recertification policy type creates a snapshot of who reports to whom.
- Exchange Mailbox Permissions — This Recertification policy type creates a snapshot of who currently has what type of access to a given Exchange mailbox.
- Folder Permissions — This Recertification policy type creates a snapshot of who currently has what type of access to a given Windows folder.
- Group Membership — This Recertification policy type creates a snapshot of who currently has membership in a given group.
- Person Access Summary — This Recertification policy type creates a snapshot of all of the access assignments currently granted to a Person, and includes the following:
- All RBAC assignments, including direct, relative, and by location assignments
- Business Role and Location assignments
- Any group memberships, including those on their accounts and those granted through RBAC
- Any Management Role memberships
- Account and group ownership
- Any native permissions, such as NTFS permissions for shared folders and Exchange mailbox permissions/acls
- Person Direct Entitlements — This Recertification policy type snapshots the current access granted to people and creates recertification tasks for the managers of each person targeted by the policy.
- Management Role Membership — This Recertification policy type creates a snapshot of current assignees of a Management Role.
- Resource Granted Security — This Recertification policy type creates a snapshot of who currently has access to any given resource object for which the policy is created.
- In our example, we are selecting Person Direct Entitlements.
- Type the appropriate information for the Recertification policy in the Name, Display Name and Description fields.
- Select Enabled to enable the policy.
- Click Save.
After EmpowerID creates the policy, a Target grid appears on the Policy Details page. This grid allows you to add and remove Recertification targets to and from the policy. Recertification targets allow you to scope the Recertification policy to the specific IT objects you want to audit and can include multiple EmpowerID Actor types, including individual resources, people, roles, locations, groups and Query-based Collections (SetGroups). This is demonstrated in the Adding Targets to Policies topic.