This diagram describes the Recertification Architecture for PAM recertification. Detailed information about each process is described below the diagram.
- Per the configured schedule, EmpowerID creates a new PAM certification Campaign from the existing PAM recertification template.
- The Recertification Campaign uses the Recertification Policy to handle tasks:
- It automatically sends recertification tasks and notifications to line managers or direct reports with privileged access.
- The campaign automatically closes on the end date of the audit and flags any unresolved tasks as revoked.
- Tasks are completed either by Line Managers, or automatically by RBAC:
- Line managers certify the privileged access management roles for their direct reports using the same process as the annual audit.
- RBAC processes remove any privileged assignments from the privileged management roles.
- Any management roles certified as revoked are unassigned from the direct report. No quality check is required.
- Any privileged group removals resulting from the revoking of the privileged access management role are placed in the Group Membership Queue.
- The Group Membership Queue processes the group removals and generates fulfillment tasks for the owners of the groups.
- Tasks are placed on the group owners' task lists and email notifications are sent out to the group owners informing them of the new tasks.
- The group owners remove the access in the native systems that correspond to the privileged groups that were revoked.
- Following group owner approval of the revoke tasks, the fulfillment report is updated with the final status of the revocation tasks.
- The recertification fulfillment report, which can be searched, sorted, and exported to evaluate the final resolution of all recertification tasks.