Group Membership Type Recertification Policy

The group membership recertification policy is used to certify group membership, including person resources for RBAC membership, group account, nested groups, and any type of direct assignment. For the recertification, an audit is created, which generates business requests that are sent for approval. The engine bundles the recertification items into business requests based on the object itself. Therefore in this case the group is the bundle for the business request and its members are items.

The possible decisions are generally set to certify or revoke the member. However, these possible decisions are configurable. This configuration is described under decision configuration at the end of this page. In this post, we will create a group membership type recertification policy and add a target to it.

Note: For the recertification to work in EmpowerID, certain prerequisites must exist.

Create a Group Membership Type Recertification Policy

1. Log in to the EmpowerID web application as an auditor or other person with the ability to configure audits.

2. On the navbar, expand Compliance and select Recertification.

3. On the Recertification page, select the Recertification Policies tab.
   
   

   Open

   

    

4. Then click + icon to create a new Recertification Policy

5. The policy details page opens up.

6. Select policy type as ‘Group Membership.’ Enter any name, display name, and description.

7. Click on Save.
   
   

   Open

   

   
   Add the target type “Location” to the policy created

8. Click on the '+' icon at the bottom of the policy details page to add the target.

9. The attestation policy target section opens up.

10. Under the type dropdown, select ‘Location.’

11. Under the select a location dropdown, search for a location and select it.

12. Click on Save.
    
    

    
    Add the target type “Group” to the policy created

13. Click on the '+' icon at the bottom of the policy details page to add the target

14. The attestation policy target section opens up.

15. Under the type dropdown, select ‘Group.’

16. Under the enter, a group name to search dropdown, search for a group, and select it.

17. Click on Save.
    
    

    
    Add the target type “Management Role” to the policy created

18. Click on the '+' icon at the bottom of the policy details page to add the target

19. The attestation policy target section opens up.

20. Under the type dropdown, select ‘Management Role.’

21. Under the enter a management role name dropdown, please search for a management role and select it.

22. Click on Save.
    
    

    
    Add the target type “Set Group” to the policy created

23. Click on the '+' icon at the bottom of the policy details page to add the target

24. The attestation policy target section opens up.

25. Under the type dropdown, select ‘Set Group.’

26. Under the enter a query-based collection name to search dropdown, please search for a query and select it.

27. Click on Save.

     

28. The group membership recertification policy type with various target types is created as below.
    
    

     

Decision Configuration

The possible decisions for group membership recertification policy type are configurable. For configuring them we need to take the following steps.

1. Log in to the EmpowerID web application

2. On the navbar, expand IT Shop and select Approval Flow Policies.

3. On the Approval Flow Policies page, select the Item Type Actions tab.

4. Then search for Recertify Users as Members of a Group.

5. Click on the Recertify Users as Members of a Group and scroll down to select Decisions for Approval Flow Steps.
   
   

    

6. Click on the + icon to add more approval decision if needed.

7. As shown in the above screenshot, what happens when the approval decision is taken as
   Certify - Process Group Membership Cert fulfillment work flow is started. Note that this is configurable.
   Revoke - Process Group Membership Cert fulfillment work flow is started. Note that this is configurable.
   
   

8. You can also edit or change the workflows that should execute as per an approval decision. Just click on the edit icon on the above image.
   
   

    

9. To see how the business requests generated are grouped for approval, we need to open the approval step selected by right click and open in new window. Here the approval step is group owner approval as shown in the image above. In this case it is bundled as per two rule type (global resource owner) as shown in the image below. Therefore, based on what is configured in approval step the business requests generated will be routed to for approval.
   
   

    

10. Workflow used: When you edit the Item Type Actions named Recertify Users as Members of a Group, you would be able to see the fulfillment workflow. For this policy type the fulfillment workflow is selected is Recertification fulfillment as shown in the image below. For the fulfillment the selected workflow is run. This workflow assignment is configurable as well. You can delete it and select another workflow if needed.
    
    

Next Steps

• Audit with Group Membership Recertification Policy