Creating Recertification Policies

Recertification policies are policies that you add to audits to generate recertification review tasks for the access assignments given to people, roles, groups and Query-Based collections. Once you create a Recertification policy, you then scope the policy by adding targets to it, such as a specific Business Role and Location or Group.

EmpowerID provides a number of Recertification policies that you can use out of the box. Each of theses policies creates snapshots of data for a particular resource type. You can use these policies as a starting point or create your own.


  • Access for Active People (Logged in Last 90 Days) — For certifying the EmpowerID access assignments for all people who logged in during the last 90 days.
  • All Access Assignments for Shared Folders flagged as Audit — For certifying shared folder access.
  • Certify Access Assignments for Resource Mailboxes — For certifying access to resource mailboxes.
  • Direct Reports Recertification - All People Logged in Last 90 Days — For managers to recertify any direct reports who have logged in within the last 90 days.
  • Mailbox Permissions — For certifying mailbox permissions.
  • Management Role Access — For certifying the access granted to Management Roles
  • Person Access Summary for People Logged in Last 90 Days — For certifying the access of all people who have logged in within the last 90 days.
  • Person Direct Entitlements — For managers to certify or revoke the access of their direct reports.
  • SharePoint Group Access Assignments — All EmpowerID access assignments for SharePoint groups.

To create a Recertification Policy

  1. Log in to the EmpowerID Web application as an auditor or other person with the ability to configure audits.
  2. In the Navigation Sidebar, expand Compliance Management and click Audit Configuration.
  3. On the Actions tab, click Create Recertification Policy.

  4. In the Policy Details form that appears, click the Policy Type drop-down and select the appropriate policy type. 

    • Assignee Granted Security — Access Level Assignments and Management Role assignments granted to an assignee as an actor
    • Direct Reports — who reports to whom
    • Exchange Mailbox Permissions — who currently has what type of access to a given Exchange mailbox
    • Folder Permissions — who currently has what type of access to a given Windows folder
    • Group Membership — who currently has membership in a given group
    • Management Role Membership — current assignees of a Management Role
    • Person Access Summary — all access assignments currently granted to a Person, including:
      • All RBAC assignments, including direct, relative, and by-location assignments
      • Business Role and Location assignments
      • Any group memberships, including those on their accounts and those granted through RBAC
      • Any Management Role memberships
      • Account and group ownership
      • Any native permissions, such as NTFS permissions for shared folders and Exchange mailbox permissions or ACLs

    • Person Direct Entitlements — current access granted to people (also creates recertification tasks for the managers of each person targeted by the policy)
    • Resource Granted Security — who currently has access to any given resource object for which the policy is created

  5. This example selects Person Direct Entitlements.
  6. Fill in the Name, Display Name and Description fields.
  7. Select Enabled to enable the policy.
  8. Click Save

After EmpowerID creates the policy, a Target grid appears on the Policy Details page. This grid allows you to add and remove Recertification targets to and from the policy. Recertification targets allow you to scope the Recertification policy to the specific IT objects you want to audit. They can include multiple EmpowerID Actor types, including individual resources, people, roles, locations, groups and Query-based Collections (SetGroups). This is demonstrated in the Adding Targets to Recertification Policies topic.