Overview of Recertification

Recertification is a critical process to periodically review and validate user access rights, ensuring they align with roles, policies, and regulatory standards. Administrators play a vital role in configuring and executing this process.

Key Objectives

  • Compliance: Meet industry and regulatory requirements
  • Security: Identify and mitigate unauthorized access
  • Operational Integrity: Detect and address risky access combinations

Frequency of Recertification

Recertification schedules vary by industry, typically occurring annually, semi-annually, quarterly or on demand.

Features

EmpowerID automates Recertification processes by offering capabilities to:

  • Define recertification policies and their scopes
  • Schedule and execute recertification audits
  • Monitor and manage decisions

Core Features

  1. Automated Data Collection: Capture real-time snapshots of access data
  2. Audit Trails: Maintain records of snapshots, decisions, and actions
  3. Task Management: Create Business Request Items for auditors to review
  4. Reporting and Analytics: Gain insights into access trends and compliance metrics

What are Recertification Policies?

Recertification policies are one of the key elements of recertification configuration: they define what is being recertified (the scope of recertification). EmpowerID administrators can create reusable policies tailored to specific needs, such as verifying external partner identities or assessing high-risk management roles during audits. EmpowerID offers several types of Recertification policies for configuring the specific access recertification requirements for users. These policies determine the type of access information that needs to be reviewed and validated for each user. For example, the Group Membership policy focuses on recertifying a user's group membership, while the Group Validity policy verifies the ongoing validity of a group. Each recertification policy has Recertification Policies are mapped to Recertification Audits; through this configuration, the EmpowerID system identifies the scope of each audit and generates recertification tasks.

Recertification policies generate review tasks for access assignments given to people, roles, groups, and query-based collections. Policies can be scoped by adding targets such as specific business roles, locations, or groups.

EmpowerID provides several out-of-the-box recertification policies, including:

  • Account Validity
  • Group Membership
  • Native Group Owner
  • Group Validity
  • Management Role Access Assignment
  • Management Role Membership
  • Management Role Validity
  • Person Access Summary
  • Person Validity
  • Business Role and Location Membership
  • Direct Reports

Recertification Policy Targets and Scope

You add Targets to a policy to configure who or what to recertify, e.g. all Active Directory groups in OU=APAC. The Item Type Scope, on the other hand, determines which data or access to recertify, e.g. account memberships for user accounts in OU=PriviligedAccounts. You can add multiple targets to a recertification policy, e.g. multiple resources directly, by location, or using set groups. You can also add multiple item type scopes, using one of the following methods:

  • All
  • By Location (e.g. OU=PriviligedAccounts)
  • Set Group
  • Direct (e.g. specific accounts)

A Recertification Policy can have multiple scope types and objects of the same scope type.
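
The following added example (a simplified model, not EmpowerID code or its API) shows how targets and item type scopes combine to select what gets reviewed, using the OU=APAC and OU=PriviligedAccounts examples above. The class names, the snapshot data, and the assumption that a review item is a membership whose group matches a target and whose account matches an item type scope are all hypothetical.

```python
from dataclasses import dataclass

BASE = "DC=example,DC=com"  # constructed sample directory suffix

def under_ou(dn, ou):
    """True if `ou` is an exact RDN above the object (not a substring match)."""
    rdns = [part.strip().lower() for part in dn.split(",")]  # assumes no escaped commas
    return ou.strip().lower() in rdns[1:]

@dataclass
class Scope:
    method: str      # "All", "Location", "SetGroup" or "Direct"
    value: str = ""  # OU RDN, set group name, or object DN
    def matches(self, dn, set_groups):
        if self.method == "All":
            return True
        if self.method == "Location":
            return under_ou(dn, self.value)
        if self.method == "SetGroup":
            return dn.lower() in {m.lower() for m in set_groups.get(self.value, ())}
        if self.method == "Direct":
            return dn.lower() == self.value.lower()
        raise ValueError(f"unknown scope method: {self.method}")

@dataclass
class Policy:
    targets: list      # who/what to recertify (here: groups)
    item_scopes: list  # which data to recertify (here: member accounts)

def review_items(policy, snapshot, set_groups=None):
    """Return (account, group) pairs where the group is a target and the account is in item scope."""
    set_groups = set_groups or {}
    def hit(dn, scopes):
        return any(s.matches(dn, set_groups) for s in scopes)
    return sorted({(acct, grp) for acct, grp in snapshot
                   if hit(grp, policy.targets) and hit(acct, policy.item_scopes)})

# Constructed membership snapshot: (account DN, group DN)
SNAPSHOT = [
    (f"CN=adm-lee,OU=PriviligedAccounts,{BASE}", f"CN=DB-Admins,OU=APAC,{BASE}"),
    (f"CN=adm-lee,OU=PriviligedAccounts,{BASE}", f"CN=VPN-Users,OU=EMEA,{BASE}"),
    (f"CN=adm-kim,OU=PriviligedAccounts2,{BASE}", f"CN=DB-Admins,OU=APAC,{BASE}"),
    (f"CN=jdoe,OU=Staff,{BASE}", f"CN=DB-Admins,OU=APAC,{BASE}"),
    (f"CN=svc-ci,OU=Service,{BASE}", f"CN=Deployers,OU=APAC,{BASE}"),
]
POLICY = Policy(targets=[Scope("Location", "OU=APAC")],
                item_scopes=[Scope("Location", "OU=PriviligedAccounts"),
                             Scope("Direct", f"CN=svc-ci,OU=Service,{BASE}")])
```

Calling review_items(POLICY, SNAPSHOT) yields two items: adm-lee in DB-Admins and svc-ci in Deployers. The account in OU=PriviligedAccounts2 is excluded because location matching compares whole DN components, so a similarly named OU does not silently widen the scope.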

What are Recertification Audits?

Recertification Audits are systematic reviews of user access rights to ensure they comply with organizational policies and regulatory standards. These audits collect data based on established recertification policies, which is then sent to authorized reviewers, such as managers or data owners, for validation. Auditors address discrepancies, ensuring access rights remain appropriate and compliant.

EmpowerID streamlines this process by generating a business request and business request items for each access review, presented as tasks to approvers and auditors. Audit data captures a snapshot of access rights at the time of review, with a detailed audit trail maintained for transparency and accountability.

While recertification policies define the rules and procedures for access reviews, audits are the practical implementation of those policies. EmpowerID allows organizations to automate and schedule audits periodically—quarterly, monthly, weekly, daily, or on demand—ensuring consistent compliance and efficient access management. To run audits on a schedule, use the "IsTemplate" option: you create an audit as a template, which can then be configured to run at specific intervals or on specific dates. This automates the audit process and ensures that audits are conducted on a regular basis.