Understanding Recertification Policy Types

EmpowerID offers several types of recertification policies for configuring specific access recertification requirements for users. These policies determine the type of access information that needs to be reviewed and validated for each user. Each policy type groups business request items differently and offers specific decision options appropriate for the type of access being reviewed.

Key Information

Responsible Party and Fallback Assignee: In access recertification, the Responsible Party is the person accountable for managing and maintaining an IT resource. This role can be reported on and used during the termination/leaver process to maintain and transfer governance oversight, and it can also be referenced in compliance and recertification policies. The Fallback Assignee is specified when an audit is created and serves as the default assignee for recertification requests in that audit when no other assignee can be determined.

Custom Decisions: If the default decisions provided by EmpowerID are not sufficient, you can configure additional decisions for business requests.

Business Request Generation: Depending on the policy configuration, business requests may be generated automatically or require manual administrator approval before creation.

Note: Understanding how items are grouped for review helps you know what to expect when you receive recertification tasks and how your review responsibilities are organized.

Policy Types

Account Validity

Purpose: The Account Validity recertification policy collects and presents information about accounts owned by users, making it easier for auditors to review and determine which accounts are still necessary and should be certified. This policy ensures that only valid accounts exist in an organization in compliance with regulatory requirements.

How Items Are Grouped: The recertification engine groups items based on the Responsible Party assigned to each account. If no Responsible Party is assigned, the engine attempts to set the account's manager as the Responsible Party. In cases where an account has neither a Responsible Party nor a manager, the engine groups accounts based on the Fallback Group By Assignee.

Available Decisions: During the recertification process, auditors can certify, disable, or delete each account presented in the business request.

Benefits: Organizations can verify that user accounts are still required and actively being used, helping eliminate redundant or outdated accounts that could pose security risks.

Business Role and Location Membership

Purpose: This policy certifies a user's membership in specific Business Roles and Locations. Auditors review membership information to determine whether a person's membership is still necessary and should be certified.

How Items Are Grouped: The recertification engine groups items based on the target Business Role and Location. These objects serve as the bundles for requests, with the members of the Business Role and Location being the items requiring recertification.

Available Decisions: Auditors can certify or revoke business role and location memberships.

Benefits: Organizations can verify that individuals continue to require access to specific Business Roles and Locations, eliminating access for those who no longer need it and reducing unauthorized access risk.

Direct Reports

Purpose: This policy collects and presents information about managers and their direct reports, making it easier for auditors to review and determine if the reporting structure is correct and should be certified. The policy ensures each user reports to the appropriate person in compliance with regulatory requirements.

How Items Are Grouped: The recertification engine bundles items based on the manager object itself. Managers serve as the bundles for business requests, with users reporting to the managers as individual items requiring recertification.

Available Decisions: Standard certification and rejection decisions are available for reporting relationships.

Group Membership

Purpose: This policy certifies a user's membership in specific groups. Auditors review membership information to determine whether a person's membership is still necessary and should be certified, ensuring only valid individuals are group members.

How Items Are Grouped: The recertification engine bundles items based on the group object itself. The group serves as the business request bundle, while its members are the items bundled into the request.

Available Decisions: Auditors typically can certify or revoke group memberships.

Group Owner

Purpose: This policy collects and presents access information to recertify whether an account should continue serving as a group owner. It allows recertification of native owners for groups as assigned in external systems, such as Azure Teams owners.

How Items Are Grouped: The recertification engine bundles items based on the group owner object. The group owner serves as the bundle for business requests, with groups owned by the group owner as individual items requiring recertification.

Available Decisions: Standard ownership certification and revocation decisions are available.

Group Validity

Purpose: This policy determines whether a group is still necessary and should continue to exist. Auditors review membership information to determine whether the group's existence is valid in terms of compliance and should be certified, ensuring only valid groups continue to exist.

How Items Are Grouped: The recertification engine groups items based on the Responsible Party assigned to each group. If a group has no Responsible Party assigned, the engine groups items by Fallback Group By Assignee.

Available Decisions: Auditors can certify, disable, or delete groups during the recertification process.

Management Role Access Assignment

Purpose: This policy collects and presents access information to recertify whether current Resource Roles assigned to a Management Role are still necessary. Auditors review information to determine whether people's access to resources through their Management Role assignment complies with organization policies.

How Items Are Grouped: The recertification engine groups items based on the Management Role object itself. The Management Role serves as the bundle for business requests, with Resource Roles assigned to the Management Role as individual items requiring recertification.

Available Decisions: Standard certification and revocation decisions are available for resource role assignments.

Management Role Membership

Purpose: This policy certifies a user's membership in specific Management Roles. Auditors review membership information to determine whether a person's membership is still necessary and should be certified, ensuring only valid individuals are Management Role members.

How Items Are Grouped: The recertification engine bundles items based on the Management Role object itself. The Management Role serves as the bundle for business requests, with its members as the items requiring recertification.

Available Decisions: Auditors can typically certify or revoke management role memberships.

Benefits: Organizations can verify that individuals continue to require Management Role membership, eliminating membership for those who no longer need it and reducing unauthorized access risk.

Management Role Validity

Purpose: This policy collects and presents information about Management Roles to determine whether they are still necessary and should continue to exist. Auditors review information to determine whether the Management Role's existence is valid in terms of compliance and should be certified.

How Items Are Grouped: The recertification engine groups items based on the Responsible Party assigned to each Management Role. If no responsible party is assigned, the engine groups items by Fallback Group By Assignee.

Available Decisions: Auditors can certify, disable, or delete Management Roles during the recertification process.

Benefits: Organizations can verify that only necessary Management Roles continue to exist, reducing the risk of outdated or redundant roles.

Person Access Summary

Purpose: This policy recertifies a person's access to all access assignments currently granted to them. Auditors review the person's access, level of access, and any special privileges or permissions to certify them, ensuring individuals only have necessary permissions.

How Items Are Grouped: The recertification engine bundles items based on the person object itself. The person serves as the business request bundle, with each access assignment as individual business request items.

What Gets Recertified:

  • All RBAC assignments, including direct, relative, and by-location assignments
  • Direct Business Role and Location assignments
  • Group memberships, including those of their accounts and those granted by RBAC assignments
  • Management Role memberships
  • Account and group ownership

Available Decisions: Auditors can typically certify, disable, or delete access assignments.

Person Validity

Purpose: This policy collects and presents information about person objects in EmpowerID to determine whether they are still necessary and should continue to exist. Auditors review information to determine whether the person's existence is valid in terms of compliance and should be certified, ensuring the person has appropriate access to IT resources.

How Items Are Grouped: The recertification engine groups items based on the Responsible Party assigned to each person. If no Responsible Party is assigned, the engine attempts to set the person's Manager as the Responsible Party. When neither Responsible Party nor Manager is assigned, the engine groups person objects based on the Fallback Assignee.

Available Decisions: Auditors can typically certify, disable, or delete person objects.

Benefits: Organizations can verify that only necessary persons continue to exist in EmpowerID.

Understanding Your Review Responsibilities

When configuring recertification audits, administrators consider both the type of access that needs to be reviewed and how items should be grouped for reviewers. Each policy type uses different grouping logic that affects workload distribution and reviewer assignments. Understanding the business request grouping information for each policy type helps ensure efficient audit workflows that align with organizational structure and compliance requirements.
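The grouping rules described for each policy type above reduce to two patterns: validity policies bundle by assignee (Responsible Party, then Manager where the policy uses one, then the Fallback Assignee), while membership and assignment policies bundle by the target object (group, Business Role and Location, Management Role). The following Python is an added illustration written for this page, not EmpowerID code: the object fields, policy-type names and decision strings are assumptions, and the sample data is constructed. Beyond the page's examples it also surfaces which items landed on the Fallback Assignee, which is the practical signal that ownership data is incomplete before an audit is launched.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Decision options per policy type, as listed on the page.
# Policy-type names and decision strings are illustrative, not EmpowerID identifiers.
ALLOWED_DECISIONS = {
    "AccountValidity": {"certify", "disable", "delete"},
    "GroupValidity": {"certify", "disable", "delete"},
    "ManagementRoleValidity": {"certify", "disable", "delete"},
    "PersonValidity": {"certify", "disable", "delete"},
    "GroupMembership": {"certify", "revoke"},
    "BusinessRoleLocationMembership": {"certify", "revoke"},
    "ManagementRoleMembership": {"certify", "revoke"},
}

# Validity policies whose fallback chain passes through the object's manager
# (Account Validity and Person Validity); Group and Management Role Validity
# go straight from Responsible Party to the Fallback Assignee.
MANAGER_FALLBACK_POLICIES = {"AccountValidity", "PersonValidity"}


@dataclass
class ReviewItem:
    """One object up for validity review (account, person, group or Management Role).
    Field names are assumptions made for this example."""
    name: str
    responsible_party: Optional[str] = None
    manager: Optional[str] = None


def resolve_assignee(item: ReviewItem, policy_type: str, fallback_assignee: str) -> str:
    """Responsible Party -> Manager (only for policies that use it) -> Fallback Assignee."""
    if item.responsible_party:
        return item.responsible_party
    if policy_type in MANAGER_FALLBACK_POLICIES and item.manager:
        return item.manager
    return fallback_assignee


def group_validity_items(items: Iterable[ReviewItem], policy_type: str,
                         fallback_assignee: str) -> Dict[str, List[str]]:
    """Bundle validity items by the assignee who will review them."""
    bundles: Dict[str, List[str]] = defaultdict(list)
    for item in items:
        bundles[resolve_assignee(item, policy_type, fallback_assignee)].append(item.name)
    return dict(bundles)


def group_membership_items(memberships: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bundle (target object, member) pairs by target: the group, Business Role
    and Location, or Management Role becomes the request; members are its items."""
    bundles: Dict[str, List[str]] = defaultdict(list)
    for target, member in memberships:
        bundles[target].append(member)
    return dict(bundles)


def ownership_gaps(bundles: Dict[str, List[str]], fallback_assignee: str) -> List[str]:
    """Items that reached the Fallback Assignee have neither a Responsible Party
    nor (where applicable) a manager: worth fixing before the audit is created."""
    return list(bundles.get(fallback_assignee, []))


def record_decision(policy_type: str, decision: str) -> str:
    """Accept only a decision the policy type offers; reject anything else."""
    allowed = ALLOWED_DECISIONS[policy_type]
    if decision not in allowed:
        raise ValueError(f"{decision!r} is not a decision for {policy_type}; allowed: {sorted(allowed)}")
    return decision


if __name__ == "__main__":
    # Constructed sample data for a walk-through.
    accounts = [
        ReviewItem("svc-backup", responsible_party="alice"),
        ReviewItem("jdoe", manager="bob"),
        ReviewItem("orphan-acct"),
    ]
    bundles = group_validity_items(accounts, "AccountValidity", "fallback-auditor")
    print("Account Validity bundles:", bundles)
    print("Ownership gaps:", ownership_gaps(bundles, "fallback-auditor"))
    print("Group Membership bundles:",
          group_membership_items([("Finance", "alice"), ("Finance", "bob"), ("HR", "carol")]))
    print("Decision:", record_decision("GroupMembership", "revoke"))
```

Running the script shows the same account set bundled differently depending on policy type: an item with only a manager lands on the manager under Account Validity but on the Fallback Assignee under Group Validity, which is exactly the distinction the grouping rules above draw.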