You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Continuous Group Membership Change Recertifications

The increasing number of apps and systems, across both the cloud and on-premise, can make it a challenge to effectively manage group memberships. As security groups often grant administrative access to organizational IT systems and resources, it is important that the membership of those groups be transparent to group owners, administrators, and other security stakeholders. EmpowerID brings intelligence and in-depth visibility to managing your groups through reporting and dashboards. You can quickly see how many groups your organization has within each system, who belongs to them, and the amount of access those groups grant their members. While this information is immediate and auditable, it can be overlooked. To help you stay on top of your groups, EmpowerID includes a “Continuous Group Membership Recertification” feature that you can enable for each of your connected systems. When enabled, EmpowerID generates recertification tasks for each member of a specified security group whose membership has not been certified within the last “X” number of days. Tasks are sent to the appropriate stakeholders, where they can be reviewed and approved or rejected as needed. If recertification is rejected, EmpowerID removes each rejected account from the group. If recertification is approved, EmpowerID stamps the approved group memberships with the approval date and recycles those memberships for recertification again at the specified date. This ensures that your group membership always remains what it should be. Figure 1 below shows this process from a high level.

Figure 1: High-level overview of Continuous Group Recertification Process

 

Components of Continuous Group Membership Recertification

The Continuous Group Membership Recertification feature of EmpowerID includes the components shown in the below table.

Component

Description

Component

Description

Account Store

When you connect EmpowerID to an external system or application, EmpowerID creates an account store for that system. Account stores have properties and settings that allow you to specify how you want EmpowerID to manage the user and group information in that system. For Continuous Group Membership Reconciliation, the relevant settings include:

  • Recertify External Group Membership Additions as Detected

    • This specifies whether external group memberships should be recertified. If set to true, EmpowerID creates recertification tasks for those groups.

  • SetGroup Of Groups to Monitor for Real-Time Recertification

    • This specifies the SetGroup containing the groups in the account store to be included in recertification. When set, this allows you to target a specific subset of security groups. If a SetGroup is not specified and recertification is enabled for the account store, EmpowerID creates Recertification tasks for all security groups in the account store.

Permanent Workflow – Continuous Group Membership Recertification

A permanent workflow is a workflow that when enabled runs once every X minutes to process X amount of objects targeted by the workflow. The default settings for the Continuous Group Membership permanent workflow is to process 1000 group memberships every 10 minutes. These settings can be edited as needed.

Request Workflow – Continuous Recertification

In the EmpowerID model, users never directly interact with a workflow; rather, they interact with what is known as a request workflow. A request workflow is one of the resource types registered in the EmpowerID Identity Warehouse that is related to resource acquisition and management. A specific request workflow is an Identity Warehouse resource record corresponding to an EmpowerID workflow that is used to control who may interact with the workflow. Request workflows often have configurable workflow parameters that pass input data to the workflow to process as it executes its code. In the case of the Continuous Certification workflow, these parameters include the following:

  • Days

    • Integer that specifies the number of days after which new Recertification tasks are created for previously certified group memberships. The default setting is 10 days.

  • BusinessRequestTypeID

    • Business Request Type for the Business Requests generated for group changes.

  • BusinessRequestItemTypeActionID - the Business Request Item Type Action of the group membership recertification items.