You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Configure the JIT Recertification Flow Item
Overview of JIT “Mover” Recertification Flow Item
The Just-In-Time (JIT) Recertification Flow is an efficient tool designed to assist administrators in managing resource access during role changes within a team. This flow becomes particularly relevant when a team member transitions to a new role, necessitating a review of their access assignments to resources linked to their previous position.
The Challenges with Old Methods
Traditionally, employee role changes required full audits to reevaluate their access permissions. However, this approach could present a risk in that an audit of an employee's access might not be scheduled to occur in a timely manner. Additionally, the number of employee transfers and role changes occurring at any given time could be significant for large organizations. In these cases, running full organizational audits is impractical, resource-intensive, and time-consuming, slowing down operational efficiency.
Automating Recertification with JIT
The JIT Recertification Flow offers a modern solution by automatically initiating a business request for resource recertification. This approach obviates the need for a full-scale audit. The automation is managed by a specific recertification policy, which provides a detailed framework for the process.
Advantages of Using JIT Recertification Flow
Using JIT Recertification Flow provides multiple benefits:
Enhanced Security: Timely review and revocation or update of access permissions minimize security risks.
Operational Efficiency: Automating the process expedites recertification, thus contributing to increased operational efficiency.
Real-world Use Cases
Consider a situation where an employee from the Marketing Department moves to a role in Human Resources. With JIT Recertification Flow in place, as soon as the role change is registered in the system, a business request for recertification is automatically initiated. The system would follow the guidelines set out in the recertification policy to determine which permissions should be reviewed, altered, or revoked.
When choosing a recertification policy, ensure that it applies to all resources, not just a single one. For example, a policy that targets only one particular person is ineffective, because a flow event for any other person won't generate a recertification. The target of the policy tied to the recertification flow item must therefore include all possible resources. Typically, special recertification policies are created for the JIT recertification flow item; these are usually shipped with the product and should not be included in other normal audits. If you want to change the default policy, make sure you meet the requirements discussed here.
Recertification Policy: Recertification policies determine the type of access information that needs to be reviewed and validated for each user.
Target: Recertification targets configure who/what to recertify. Targets are added to the policy.
Item Scope Type: Item Type Scope will determine which data/access the policy will recertify. Targets are added to the policy.
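The requirement that the policy target include all resources can be seen in a small model of the mover trigger. This is an added example, not EmpowerID code; the class names, fields and sample data are hypothetical and do not reflect EmpowerID's schema or API.

```python
# Simplified model of a JIT "mover" recertification trigger.
# All class and field names are hypothetical, not EmpowerID's schema or API.
from dataclasses import dataclass, field


@dataclass
class RecertPolicy:
    name: str
    target_all: bool = False                         # target covers every person/resource
    target_people: set = field(default_factory=set)  # otherwise, explicit targets only

    def covers(self, person: str) -> bool:
        return self.target_all or person in self.target_people


@dataclass
class MoverEvent:
    person: str
    old_role: str
    new_role: str


def on_mover(event, policy, assignments):
    """Return a recertification request for a mover event, or None when the
    policy target does not include the person (no request is generated)."""
    if not policy.covers(event.person):
        return None
    # Review the access the person holds through the previous role.
    items = sorted(res for (who, role, res) in assignments
                   if who == event.person and role == event.old_role)
    return {"person": event.person, "policy": policy.name, "review": items}


def uncovered_movers(events, policy, assignments):
    """People who changed role but received no recertification request."""
    return [e.person for e in events if on_mover(e, policy, assignments) is None]


# Constructed sample data.
ASSIGNMENTS = [("alice", "Marketing", "CampaignDB"),
               ("alice", "Marketing", "SocialMediaVault"),
               ("bob", "Finance", "LedgerApp")]
EVENTS = [MoverEvent("alice", "Marketing", "Human Resources"),
          MoverEvent("bob", "Finance", "Marketing")]
NARROW = RecertPolicy("single-person", target_people={"alice"})
BROAD = RecertPolicy("jit-all-resources", target_all=True)

if __name__ == "__main__":
    print(uncovered_movers(EVENTS, NARROW, ASSIGNMENTS))  # ['bob']
    print(uncovered_movers(EVENTS, BROAD, ASSIGNMENTS))   # []
```

With the narrowly targeted policy, the second mover keeps the access tied to the previous role and no review is ever requested.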
How to Configure JIT Recertification Flow Item
To customize the JIT recertification flow item, follow the steps below. Before making any changes, review the information provided in the Key Information section.
Log in to EmpowerID with the necessary permissions.
On the navbar, expand Low Code/No Code Workflow and No Code Flows.
Click on the Flow Items Activities tab to view a list of flow item activities in the system.
Type "Just in Time Person Access Summary Recertification" in the search box and click search. Then, click on the icon to view the details of the recertification flow item.
The details view shows additional information such as the Item Type Action, Scope Type, and Threshold. The action type for this flow item is Just-in-Time Person Access Summary Recertification, which we'll explore further. To customize the flow item to match your needs, provide appropriate values for the form fields outlined below.
Click on the Item Type Actions tab to view the item type actions.
Type "Just in Time Person Access Summary Recertification" in the search box and click search. Click on the icon to open the details for the item type action.
Here you can find details of the Item Type Action, including the fulfillment workflows and approval policy. The default workflow for the Approval Fulfillment WF is FWPersonJITRecertification. You can customize the approval policy and fulfillment workflows to suit your requirements; ensure that they fulfill their intended purpose. Details regarding the form fields are outlined below for your reference.
Click FWPersonJITRecertification to open the View One page for the workflow. View One pages are designed to facilitate viewing and managing the corresponding objects in EmpowerID.
Locate the Request Workflow Parameters tab and click on the icon.
Provide the appropriate value for the Target Attestion Policy ID, which is the recertification policy ID, and click Save. When assigning a new recertification policy, ensure that you have either created a new policy or used a shipping policy type that applies to all resources. The policy tied to the recertification flow item must include all possible resources as its target. Take into consideration the key information mentioned earlier.