Recertification policy results

Depending on the user response, a recertification policy can mark an account, access, group membership, or role membership as recertified. The recertification policy can also suspend or delete the resource or membership.


Recertification states for accounts and accesses

After an activity is completed, an account or access can be in one of the following states:

Active
The account or access target is marked as recertified, and no further action is taken. It is not suspended or deleted. If approved, the target remains active, and the entry of the owner is updated.

Marked
The workflow marks the account or access as not certified and issues a rejection notification. The contents of the rejection notification are configured in the policy definition.

Suspended
The workflow suspends the account or access and issues suspension notifications. Suspended is not an option for access recertifications because an access cannot be suspended.

Deleted
The workflow deletes the account or access and issues rejection notifications.

Audit records are created for each of these actions. The records can be read with the Recertification Change History report. Recertification status for accounts and access entitlements can also be viewed on the Account Recertification Status or Access Recertification Status pages.


Recertification states for group membership and role membership

After a recertification activity is completed, a role membership or group membership can be in one of the following states:

Active
The membership is marked as recertified, and no further action is taken.

Marked
The membership is marked as not certified, and a rejection notification is sent according to the policy configuration.

Removed
The user is removed from the role, or the account is removed from the group. A rejection notice is sent according to the policy configuration.


Overrides

We can use recertification override tasks to update the recertification status of specific targets without re-evaluating an entire recertification policy.

The Account Recertification Status task allows authorized users to manually mark accounts on a service as Recertified. The task applies to owned accounts that are not already recertified. Overriding the recertification status of a suspended account changes the recertification status of the account to Recertified, but it does not restore the account. Authorization for the task is governed by the Recertification Override ACI operation on the service protection category.

To override the recertification status of accounts on a service, navigate to Manage Services > Select a Service. Click the icon next to the service name and select Account Recertification Status to get to the status page. On the status page, select the accounts to override and click the Recertify button. You must enter a justification before recertifying. The justification that you provide for the override is recorded in the audit record and is included in the Recertification Change History report.

The Access Recertification Status task allows authorized users to manually mark accesses on a service as Recertified. The task applies to accesses that are not already recertified. Authorization for the task is governed by the Recertification Override ACI operation on the service group protection category.

To override the recertification status of accesses on a service, navigate to Manage Groups > Select a Service. Select the service and click OK. Then, click the icon next to the group for the accesses and select Access Recertification Status to get to the status page. On the status page, select the accesses and click the Recertify button. You must enter a justification before recertifying. The justification that you provide for the override is recorded in the audit record and is included in the Recertification Change History report.

The Recertify task allows system administrators to trigger a user recertification activity for a specific user and policy.
