Recertification Architecture and Components
1. Recertification Policies
Administrators must establish policies to identify what will be recertified within the process.
- Recertification Policy with parameters such as Name, Friendly Name and Description, as well as an option to configure an Approval Policy override.
- Target(s) added to the policy: specify who or what will be recertified (e.g., groups, people).
- Item Type Scopes added to the policy: determine what data (i.e. the type of assignment and its scope) will be recertified (e.g., group memberships of a person in location Germany, or group memberships assigned to an account in OU=Privileged Accounts).
- Choose status to close the item – may be configured if tasks are meant to be auto-completed with a predefined decision after the Due Date specified in the audit. The decision configured here must be appropriate for the given recertification policy type, e.g. Revoke for membership and assignments, Disable or Delete for Account Validity.
2. Audit (template)
- Audit must be configured as a one-time audit or as a template with the following attributes:
- Name
- Friendly Name – used as part of the naming convention to generate the business request description that is visible to end users in MyTasks
- The naming convention is implemented as follows: Audit.FriendlyName + ' ' + ResourceTypeFriendlyName + ResourceFriendlyName, e.g. Recertification – SAP Role Membership for Group: SAPtestRole (SAP Single Role) (SapRfcSystem)
- If the audit is created as a template, the date on which the recertification is initiated is added to the business request description, e.g. Recertification – SAP Role Membership 2024.09.29 for Group: SAPtestRole (SAP Single Role) (SapRfcSystem)
- Description
- Location – can be used for delegated administration and for restricting visibility for administrators, e.g. if the audit is assigned to location Germany, you can later create a role for administrators that allows them to see and manage audits only in that specific location. If the audit will be managed globally by the same group of administrators, e.g. All Access, it can be set to Default Organization
- Enabled – must be set to true for the audit to compile and start. If set to false, the audit will not compile or start.
- Start date
- Due date – shown on the approval task to end users. It may also be shown in email notifications. After this date, tasks may be auto-closed with a predefined decision, is
- Is Template – allows the audit to be set up as a template so that it is re-created based on the defined schedule
- Enable Audit Creation On Schedule – like 'Enabled', must be set to true for the audit to compile and start after the date specified in the schedule and in Audit Next Creation date. If set to false, the audit will not compile or start.
- Audit Next Creation date – determines when the next audit will be created from the template
- Audit Duration In Days – defines the duration of the audit. The system uses it to determine the Due Date for a given instance of the audit.
- Audit Creation Schedule – determines how frequently the system will attempt to initiate a new audit.
- Recertification policy or policies associated with the audit (template):
- This configuration is used to determine what will be recertified within a specific audit instance. Based on the recertification policy, the system creates a snapshot of the data on the Start Date of the audit.
- Each audit must have at least 1 policy assigned
- An audit may have multiple policies assigned, and they may be of different types, e.g. a single audit instance can recertify both Account Validity and Person Validity.
3. Business Request Item Type Actions
- Each Item Type Scope configured within a Recertification Policy is linked to a specific Business Request Item Type Action
- The Business Request Item Type Action determines:
- The fulfillment workflow that will be used to complete the task based on the approver's decision
- Default approval flow (if configured and not overridden by )
- The decisions shown to the approver (e.g. Certify, Revoke, Disable).
4. Approval Flow and Steps
- A recertification task may use either shippable or custom approval flow policies and steps
- The Approval Flow policy may be configured either within:
- Recertification Policy – in this case it applies only to approval tasks generated by this specific recertification policy
- Business Request Item Type Action – in this case the approval flow configuration applies to all recertification policies that use this specific Business Request Item Type Action, unless an override has been configured on the recertification policy.
- If a custom approval step is created, it must be appropriate for the given item type scope, e.g. for recertification of group membership in a group (nested group membership), an approval step with the Target Line Manager approver resolver rule cannot be used, because a group does not have a line manager.
- For each custom approval step, Decisions for Approval Flow Steps must be configured on the Business Request Item Type Action in order to display the appropriate decisions to the approver.
5. Email notifications
As part of the recertification process, e-mail notifications may be sent in three different ways, specified below. Each method is independent and configured separately. All, one, or none of the methods may apply, depending on the configuration.
- Notifications sent through Business Request Notification engine
- By default, the system uses shippable notification policies that apply to any Business Request and Business Request Item. The system sends an email notification to the workflow participants specified within the policy, using the email template specified in the policy
- If this method is used, an e-mail notification may be generated for each individual task.
- If custom notification policies are created, a more specific email template can be configured, e.g. with additional information related to recertification, help links, etc.
- Notifications sent through Notification Report Subscriptions (a.k.a. Daily Digest)
- Recertification tasks will be included in the e-mail notifications sent as Daily Digest notifications, such as:
- Report on all pending to do tasks for subscriber
- Report on open or recently closed requests for subscriber or initiated by subscriber
- This way, the approver receives a single, consolidated e-mail about pending approval tasks, which also includes recertification tasks.
- The e-mail template used for the 'Daily Digest' is used globally, for any tasks, and is therefore meant to be general
- Advanced Audit Email – an e-mail notification can be sent through a workflow request submitted by an administrator or any other person with appropriate access
- A person with sufficient privileges, e.g. Recertification Administrator or All Access, can trigger the e-mail notification at any time using the notification workflow
- Each audit participant receives one e-mail each time an administrator triggers the notification
- The workflow can notify one of the following participant types:
- All Audit Participants (approvers and people being recertified within particular audit)
- Anyone with unfinished tasks (people who have not completed their approval task yet related to the particular audit)
- Managers of People With Unfinished Tasks (direct line manager of people who have not completed their approval task yet related to the particular audit)
6. MyTasks and approver permissions
As one of the prerequisites, MyTasks must be deployed and configured, and approvers must be given sufficient permissions to perform approval tasks, e.g. UI-MyTasks-Participant-Limited. See https://dotnetworkflow.jira.com/wiki/spaces/EAGV24R2/pages/3390587178/Management+Roles+Needed+to+Access+to+My+Tasks for further information.
Relevant jobs and permanent workflow
The following jobs are relevant for recertification features:
| Job Name | Purpose |
|---|---|
| Attestation Policy Compiler | Evaluates recertification policies, compiles the audit and creates Attestation Review tasks. |
| Business Request Approvers Refresher | Claims and refreshes BusinessRequests and BusinessRequestItems that are due for approvers refresh and due for escalation. |
| Business Request Fulfillment Job | Fulfills claimed Business Request Items after approval every ReprocessInterval + 120 seconds by initiating the fulfillment workflow. If an item is locked by a server without being processed, it is claimed again based on ReclaimByDate (set to +1 hour on each claim). For an audit, it fulfills the business request items generated by the audit according to the approver's decision. |
| Business Request Notification Inbox Claim Job | Claims entries in the Business Request Notification Inbox and sends notification emails for all business requests, including those for recertification. Needed to send notifications through the Business Request Notification engine for individual approval tasks in the audit. |
| Business Request Notification Inbox Drop Processor | Processes events from the Business Request Notification Event Drop Inbox for all requests, including those generated by an audit. Needed to send notifications through the Business Request Notification engine for individual approval tasks in the audit. |
| Permanent Workflow Job | A job hosted by the EmpowerID Worker Role Windows service that keeps permanent workflows in a continuously running state. The loop parameters are set for each workflow added to the Permanent Workflow job, including the permanent workflows relevant for recertification. |
| Notification Report Subscription Compiler | Claims notification report subscriptions on a scheduled basis and calls the RunReport method on each subscription. Needed to send notifications through Notification Report Subscriptions (a.k.a. Daily Digest). |
The following permanent workflows are relevant for recertification features:
| Permanent Workflow Name | Purpose |
|---|---|
| Create Scheduled Certification Audit | Creates an audit from the audit template on the Audit Next Creation date. |
| Close Revoke Recertification Unreview Task After Audit Due Date | Closes any tasks that remain unreviewed beyond the recertification due date. It closes each task with the decision specified in the Choose status to close the item parameter of the recertification policy. |
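As an added illustration (not EmpowerID's own code) of the configuration rules in sections 1 and 2 and of the Close Revoke Recertification Unreview Task After Audit Due Date workflow, the following Python models an audit with its policies, derives the Due Date from Start date plus Audit Duration In Days, checks that each policy's close decision is valid for its policy type and that at least one policy is assigned, and closes unreviewed tasks after the due date. The policy type labels, the task model and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
# Constructed illustration of the rules on this page, not EmpowerID code.
# Close decisions allowed per policy type follow section 1 of the page.
VALID_CLOSE_DECISIONS = {
    "Membership": {"Revoke"},
    "Assignment": {"Revoke"},
    "AccountValidity": {"Disable", "Delete"},
}

@dataclass
class RecertificationPolicy:
    name: str
    policy_type: str      # assumed label, e.g. "Membership" or "AccountValidity"
    close_decision: str   # the "Choose status to close the item" setting

@dataclass
class Audit:
    start_date: date
    duration_in_days: int                  # "Audit Duration In Days"
    policies: List[RecertificationPolicy]

    @property
    def due_date(self) -> date:
        # Due Date is derived from Start date plus Audit Duration In Days.
        return self.start_date + timedelta(days=self.duration_in_days)

@dataclass
class ReviewTask:
    policy: RecertificationPolicy
    decision: Optional[str] = None   # None: approver has not decided yet

def validate_audit(audit: Audit) -> List[str]:
    """Return configuration problems that would keep this audit from compiling."""
    problems = []
    if not audit.policies:
        problems.append("audit has no recertification policy assigned")
    for p in audit.policies:
        if p.close_decision not in VALID_CLOSE_DECISIONS.get(p.policy_type, set()):
            problems.append(f"{p.name}: {p.close_decision!r} is not valid for {p.policy_type}")
    return problems

def close_unreviewed_tasks(audit: Audit, tasks: List[ReviewTask], today: date) -> int:
    """After the due date, close each undecided task with its policy's close decision."""
    if today <= audit.due_date:
        return 0
    pending = [t for t in tasks if t.decision is None]
    for t in pending:
        t.decision = t.policy.close_decision   # fail-closed, e.g. Revoke
    return len(pending)
```

Tasks that already carry an approver decision are left untouched; only undecided ones receive the policy's configured close decision, which is why that decision must be a safe default such as Revoke.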