Recertification Architecture and Process Flow
Recertification in EmpowerID ensures user access rights are regularly validated to align with roles and compliance standards. The system separates configuration from execution—administrators establish policies and audits that define what to review and when, while server jobs and permanent workflows execute the recertification process automatically.
This article explains how recertification components interact, how server jobs execute the process, and how the system flows from policy creation through decision fulfillment.
Process Flow
The following diagram illustrates the recertification workflow from administrator configuration through automated execution and fulfillment.
Figure 1: The recertification workflow from policy creation through fulfillment. Administrators configure policies and audits (blue). The compiler job creates snapshots and generates Business Request Items (green/yellow). Processing jobs prepare requests for review (green box). Approvers make decisions (purple). Fulfillment workflows execute decisions in connected systems (purple).
Administrators create recertification policies that define scope through targets and item type scopes. Audits link to policies and define timing. When an audit's start date arrives, the Attestation Policy Compiler job creates a point-in-time snapshot of access data and generates Business Request Items. Processing jobs assign approvers and prepare requests for review. Approvers make certification decisions through My Tasks. Fulfillment workflows execute those decisions in connected systems.
Configuration Components
The recertification system uses five component types that administrators configure to define governance intent.
Recertification Policies define what access is reviewed. Policies use targets to specify who or what is recertified and item type scopes to specify what data is collected. Policies can override default approval flows and specify decisions for unreviewed items.
Recertification Audits operationalize policies by defining when reviews occur. Audits link to one or more policies and specify start dates and due dates. Audits can run once or function as recurring templates that automatically generate new instances on a configured schedule.
Business Request Item Type Actions determine how review tasks behave. Each item type scope links to an action that specifies fulfillment workflows, default approval flows, and available decisions for approvers.
Approval Flows and Steps determine how review tasks route to approvers. Flows can be configured at the policy level or item type action level. Resolver logic within approval steps assigns tasks based on organizational relationships such as management hierarchy, group ownership, or role ownership.
Email Notifications inform approvers about pending tasks. Three independent notification methods are available—individual task notifications through the Business Request Notification engine, consolidated daily digest emails through Notification Report Subscriptions, and manual administrator-triggered Advanced Audit Email notifications.
Execution Jobs
Seven server jobs execute recurring operations that drive the recertification process. These jobs run on configured schedules and process recertification activities continuously.
Attestation Policy Compiler executes when an audit's start date arrives. This job collects access data based on linked recertification policies, creates a point-in-time snapshot of current access assignments, and generates Business Request Items. Each item represents a discrete access assignment requiring validation. The job assigns items to approvers based on configured approval flows.
Business Request Notification Inbox Claim Job processes notification events. When Business Request Items are created or decisions are made, notification events are added to an inbox queue. This job claims those events and initiates the notification process according to configured notification policies.
Business Request Notification Inbox Drop Processor executes email delivery. This job processes claimed notification events and sends emails based on configured templates and recipient resolution rules.
Notification Report Subscription Compiler generates consolidated daily digest emails. This job compiles all pending approval tasks including recertification tasks into summary emails sent to subscribed users. This reduces email volume compared to individual task notifications.
Business Request Approvers Refresher maintains current approver assignments throughout the review period. When organizational changes occur—an employee changes managers, a group owner changes, or a role manager is updated—this job reassigns pending tasks to the new appropriate approvers.
Business Request Fulfillment Job executes workflows after approvers make decisions. When an approver certifies access, this job runs the approval fulfillment workflow to record the decision. When an approver revokes access, this job runs the rejection fulfillment workflow to remove permissions from connected systems.
Permanent Workflow Job maintains continuous operation of permanent workflows used in recertification, ensuring workflows remain running and process their operations on schedule.
Permanent Workflows
The Create Scheduled Certification Audit permanent workflow provides continuous automated operations for recurring audit creation.
This workflow monitors audit templates and creates new audit instances when the next creation date arrives. The workflow creates instances with calculated start dates and due dates based on template configuration, links all policies from the template, and updates the template's next creation date according to the configured schedule.
This enables fully automated recurring audits. A template configured for quarterly reviews creates new audit instances every 90 days without administrator intervention.
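The following Python model, added here as an illustration and not code from EmpowerID or the Create Scheduled Certification Audit workflow itself, shows the scheduling rule the paragraphs above describe: when a template's next creation date arrives, an instance is created with a start date and a due date derived from the template, every policy linked to the template is linked to the instance, and the template's next creation date is advanced by the recurrence interval. The class and field names (`AuditTemplate`, `recurrence_days`, `review_window_days`) are assumptions chosen for the example, and the template values are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class AuditTemplate:
    """A recurring audit template (field names are assumed, not EmpowerID's)."""
    name: str
    policy_ids: List[str]        # policies linked to the template
    next_creation_date: date     # when the next instance should be created
    recurrence_days: int         # e.g. 90 for a quarterly review cycle
    review_window_days: int      # days between an instance's start and due date


@dataclass
class AuditInstance:
    name: str
    policy_ids: List[str]
    start_date: date
    due_date: date


def template_from_iso(name: str, policy_ids: List[str], first_creation: str,
                      recurrence_days: int, review_window_days: int) -> AuditTemplate:
    """Convenience constructor taking the first creation date as an ISO string."""
    return AuditTemplate(name, list(policy_ids), date.fromisoformat(first_creation),
                         recurrence_days, review_window_days)


def create_instance_if_due(template: AuditTemplate, today: date) -> Optional[AuditInstance]:
    """One pass of the scheduled-audit check.

    If the template's next creation date has arrived, create an instance whose
    start date is that creation date and whose due date is start plus the review
    window, copy every policy link from the template, and advance the template's
    next creation date by the recurrence interval. Otherwise do nothing.
    """
    if today < template.next_creation_date:
        return None
    start = template.next_creation_date
    instance = AuditInstance(
        name=f"{template.name} {start.isoformat()}",
        policy_ids=list(template.policy_ids),   # copy: the instance owns its own link list
        start_date=start,
        due_date=start + timedelta(days=template.review_window_days),
    )
    template.next_creation_date = start + timedelta(days=template.recurrence_days)
    return instance


def simulate_days(template: AuditTemplate, day_isos: List[str]) -> List[AuditInstance]:
    """Run the check once per listed day, as a permanent workflow would on its schedule.

    Only one instance is created per pass; catching up on missed dates is not
    something the article describes, so this model does not do it.
    """
    created = []
    for day_iso in day_isos:
        inst = create_instance_if_due(template, date.fromisoformat(day_iso))
        if inst is not None:
            created.append(inst)
    return created


if __name__ == "__main__":
    # Constructed template: quarterly (90-day) cycle with a 30-day review window.
    tpl = template_from_iso("Quarterly Group Review", ["policy-groups"], "2025-01-01", 90, 30)
    days = [(date(2025, 1, 1) + timedelta(days=n)).isoformat() for n in range(0, 200, 10)]
    for inst in simulate_days(tpl, days):
        print(inst.name, "start", inst.start_date, "due", inst.due_date)
```

Running the check on a sequence of days shows the property the paragraph states: with a 90-day recurrence, the second instance is created exactly 90 days after the first, and the template's next creation date always points at the following cycle.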
Component Interactions
Understanding how components interact clarifies the execution model.
Configuration Phase: Administrators create policies defining scope through targets and item type scopes. They create audits linking to one or more policies. They configure or select approval flows that route tasks appropriately. They select notification methods.
Snapshot and Generation Phase: When an audit reaches its start date, the Attestation Policy Compiler job executes. The job queries connected systems based on policy configuration and creates a snapshot of current access assignments. From this snapshot, the job generates Business Request Items—one item for each access assignment requiring review.
Assignment Phase: The compiler assigns each Business Request Item to appropriate approvers using the configured approval flow. Approval flow resolver logic evaluates organizational relationships to determine routing. Items are grouped by approver.
Notification Phase: Notification jobs inform approvers based on configured methods. Individual notifications send one email per task. Daily digest notifications consolidate multiple tasks into single summary emails. Administrators can manually trigger notifications at any time.
Review Phase: Approvers access My Tasks to view assigned items. Each item shows the user, the access being reviewed, and available decisions. Approvers select decisions and submit reviews. Throughout the review period, the Approvers Refresher job monitors for organizational changes and updates task assignments when relationships change.
Fulfillment Phase: As approvers make decisions, the Fulfillment Job processes completed items. For certify decisions, the job runs approval fulfillment workflows that record certification and update audit trails. For revoke decisions, the job runs rejection fulfillment workflows that remove permissions from connected systems—deleting group memberships, disabling accounts, or removing role assignments based on policy type.
Closure Phase: When the audit due date passes, unreviewed items remain pending. Administrators must manually close the audit to apply configured decisions to unreviewed items.
Technical Execution Model
The recertification system operates on a snapshot-based model that ensures consistency throughout the review period.
Point-in-Time Snapshots: When compilation occurs, the system captures access state at that moment. All review decisions are made against this fixed snapshot rather than live data. This prevents inconsistencies from access changes during the review period.
Business Request Items as Unit of Work: Each Business Request Item represents a discrete decision point. Items are self-contained with all context needed for review—user identity, access being reviewed, organizational context. Items maintain complete audit trails including reviewer identity, decision timestamp, and fulfillment status.
Asynchronous Job Execution: Jobs run independently on configured schedules. The compiler runs when audits start. Notification jobs process event queues. The refresher runs periodically. The fulfillment job processes decisions as they occur. This asynchronous model allows the system to process large-scale recertification efforts without blocking.
Workflow-Based Fulfillment: Decisions trigger workflows rather than direct system updates. This workflow-based model enables complex fulfillment logic, multi-step approval for certain decisions, audit logging, and error handling. Different policy types can use different fulfillment workflows tailored to their enforcement requirements.
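The following Python model is an added illustration of the phases in Component Interactions and of the snapshot-based execution model described in this section; it is not EmpowerID code and does not reproduce the product's data structures. It walks one audit through compilation (freezing a snapshot and generating one Business Request Item per assignment), approver resolution by management hierarchy, reassignment by the refresher after a manager change, certify and revoke decisions, fulfillment against the connected system, and closure applying the policy's decision for unreviewed items. The directory data, group names and the resolver keywords `manager` and `group_owner` are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Directory:
    """Constructed organizational context consulted by approval-flow resolvers."""
    managers: Dict[str, str]        # person -> manager
    group_owners: Dict[str, str]    # group -> owner


@dataclass
class Policy:
    name: str
    target_groups: List[str]        # the policy's targets (assumed here to be group names)
    resolver: str                   # "manager" or "group_owner" (assumed resolver kinds)
    unreviewed_decision: str        # decision applied to still-pending items at closure


@dataclass
class Item:
    """A Business Request Item: one access assignment awaiting a decision."""
    item_id: int
    person: str
    group: str
    approver: str
    decision: Optional[str] = None  # "certify", "revoke", or None while pending
    fulfilled: bool = False
    audit_trail: List[str] = field(default_factory=list)


def resolve_approver(policy: Policy, directory: Directory, person: str, group: str) -> str:
    if policy.resolver == "manager":
        return directory.managers[person]
    return directory.group_owners[group]


def compile_audit(policy: Policy, directory: Directory,
                  live_access: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], List[Item]]:
    """Compiler: copy the in-scope access state (the snapshot), emit one item per assignment."""
    snapshot = {g: list(m) for g, m in live_access.items() if g in policy.target_groups}
    items: List[Item] = []
    for group, members in snapshot.items():
        for person in members:
            approver = resolve_approver(policy, directory, person, group)
            items.append(Item(len(items) + 1, person, group, approver))
    return snapshot, items


def refresh_approvers(policy: Policy, directory: Directory, items: List[Item]) -> int:
    """Approvers Refresher: re-run the resolver for pending items; return how many moved."""
    reassigned = 0
    for item in items:
        if item.decision is None:
            new = resolve_approver(policy, directory, item.person, item.group)
            if new != item.approver:
                item.audit_trail.append(f"reassigned {item.approver} -> {new}")
                item.approver = new
                reassigned += 1
    return reassigned


def tasks_by_approver(items: List[Item]) -> Dict[str, List[int]]:
    """What each approver would see in My Tasks: pending item ids grouped by approver."""
    grouped: Dict[str, List[int]] = {}
    for item in items:
        if item.decision is None:
            grouped.setdefault(item.approver, []).append(item.item_id)
    return grouped


def decide(item: Item, approver: str, decision: str) -> None:
    """Record a decision; only the currently assigned approver may decide."""
    if approver != item.approver:
        raise PermissionError(f"{approver} is not the assigned approver for item {item.item_id}")
    if decision not in ("certify", "revoke"):
        raise ValueError(f"unsupported decision {decision!r}")
    item.decision = decision
    item.audit_trail.append(f"{decision} by {approver}")


def fulfill(items: List[Item], live_access: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Fulfillment Job: certify only records; revoke removes the membership if still present.

    The decision was made against the snapshot, so the live system may already differ;
    a revoke for a membership that no longer exists is recorded as fulfilled, not failed.
    """
    removed = []
    for item in items:
        if item.decision is None or item.fulfilled:
            continue
        if item.decision == "revoke" and item.person in live_access.get(item.group, []):
            live_access[item.group].remove(item.person)
            removed.append((item.person, item.group))
        item.fulfilled = True
        item.audit_trail.append("fulfilled")
    return removed


def close_audit(policy: Policy, items: List[Item]) -> int:
    """Closure: apply the policy's configured decision to every still-pending item."""
    applied = 0
    for item in items:
        if item.decision is None:
            item.decision = policy.unreviewed_decision
            item.audit_trail.append(f"{policy.unreviewed_decision} applied at closure")
            applied += 1
    return applied
```

Two behaviours worth checking when reasoning about this model: a membership added to the live system after `compile_audit` runs never produces an item (it waits for the next snapshot), and a revoke decided against the snapshot still fulfils cleanly when the membership has already disappeared from the live system.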
My Tasks Integration
Approvers interact with recertification through the My Tasks interface. My Tasks must be deployed and configured for recertification to function. Approvers require the UI-MyTasks-Participant-Limited management role or equivalent to access approval tasks.
When approvers access My Tasks, they see Business Request Items assigned to them based on approval flow routing. Items are grouped and filterable. Each item displays the access under review and available decisions. Approvers can process items individually or in bulk depending on configuration.
Next Steps
For conceptual foundation and lifecycle overview, see Overview of Recertification.
For comprehensive reference on all policy types including grouping logic and available decisions, see About Recertification Policy Types.
For details on continuous monitoring of group memberships between scheduled audits, see Understanding Continuous Group Membership Change Recertifications.
For information on how decisions are enforced in connected systems, see Understanding Fulfillment and Rejection Workflows.
For configuration guidance including policy scoping strategies, notification management, and audit scheduling, see Best Practices for Administrators.
For step-by-step configuration procedures, see the articles under Recertification Tasks.