
Creating Recertification Policy

A Recertification Policy outlines an organization's procedures for regularly reviewing and verifying users' access rights. The policy specifies the type of rights under review, the people whose access rights will be evaluated, and how the reviews align with the organization's policies and regulations. A recertification audit can have multiple recertification policies associated with it.

Procedure

  1. Log in to EmpowerID.

  2. Navigate to the Recertification Section:

    • Expand Compliance in the navbar and select Recertification.
    • Select the Recertification Policies tab and then click the + icon.
      This opens the Recertification Policy Details form.
  3. Complete the Form Fields:

    • Review and fill in the form fields as described below.
    • Verify the accuracy of all entered information.
    • Click Save to create the policy.

Form Field Reference

| Field | Required | Description |
|---|---|---|
| Policy Type | ✔ | Select the appropriate type for the policy. See Recertification Policy Types for more details. |
| Name | ✔ | Enter a unique name for internal reference. |
| Display Name | ✔ | Enter a user-friendly name that will appear in the interface. |
| Enabled | | Check this box to activate the policy after saving. Leave unchecked if you're still configuring. |
| Description | | As needed, provide information about the policy's purpose, scope, and intended function. |
| Choose Status to Close the Item | ✔ | Specifies the action for recertification items after the audit ends (see Status options below). |
| Override Approval Policy | | Optionally specify an alternative approval workflow that overrides the default process. |

Status Options

The Choose Status to Close the Item field determines the action taken for access rights after the recertification process completes:

  • Approve: Confirms the reviewed access as valid. The access rights remain as they are.
  • Certify: Verifies that the reviewed access is appropriate, retaining existing rights.
  • Convert to JIT: This revokes existing access but establishes eligibility for pre-approved, just-in-time access. Future requests for the same access will be automatically granted without further approval.
  • Delete: Permanently removes access from the system.
  • Disable: Deactivates the access without removing it from the system.
  • Do Nothing: No action is taken; recertification items remain unchanged.
  • Revoke: Removes the current access permissions.

Select a status based on organizational compliance policies and recertification goals. The default setting is Do Nothing.

After Creation: Managing Policies

Once the policy is created, a view page will appear where you can configure the recertification targets and item type scope (data). The Recertification Policy is not considered complete until the target and scope are configured. Completing this step ensures the policy is fully functional and ready for implementation.

Next Step

Add targets to recertification policies