Recertification Process Architecture

This diagram describes the Recertification Architecture. Detailed information about each process is described below the diagram.


  1. Per the configured schedule, EmpowerID creates a new Recertification Campaign from the existing recertification template.

  2. The Recertification Campaign uses the Recertification Policy to handle tasks:

    1. It automatically sends recertification tasks and notifications to line managers or direct reports.

    2. The campaign automatically closes on the end date of the audit and flags any unresolved tasks as revoked.

  3. Tasks are completed either by Line Managers, or automatically by RBAC:

    1. Line managers certify the management roles for their direct reports.

    2. RBAC processes remove assignments from management roles.

  4. Any management roles certified as revoked are unassigned from the direct report. No quality check is required.

  5. Any group removals resulting from the revoking of the access management role are placed in the Group Membership Queue.

  6. The Group Membership Queue processes the group removals and generates fulfillment tasks for the owners of the groups.

  7. Tasks are placed on the group owners' task lists and email notifications are sent out to the group owners informing them of the new tasks.

  8. The group owners remove the access in the native systems that correspond to the groups that were revoked.

  9. Following group owner approval of the revoke tasks, the fulfillment report is updated with the final status of the revocation tasks.

  10. The recertification fulfillment report can be searched, sorted, and exported to evaluate the final resolution of all recertification tasks.