
Object Recertification

Definition

Object Recertification is the process of reviewing Objects to verify their compliance. This process is implemented in Memority using Object Recertification Policies that can trigger a workflow on a regular basis or when needed.

The widget used to view the recertifications of an Object is described in this page.

Modes

On the fly mode

If the property recertificationPeriod is provided in the policy, it will activate the “On the fly” recertification mode.

In this mode the policy triggers the recertification workflow for every object whose last recertification date (for this policy) is earlier than the current date minus the period.

For instance, if an Identity was recertified on April 1st with a recertification period of one month, a new recertification workflow will be triggered on May 1st. For another Identity in the same scope whose last recertification was on April 23, the next workflow will only be triggered on May 23.

If the object was never recertified, the reference date will be the creation date of the object. This attribute can be changed by providing a new referenceDateAttribute.

Campaign mode

If the property campaignExecutionPlan is provided, it will activate the “Campaign” mode. It is possible to have both the “On the fly” and “Campaign” modes activated on the same policy, but this is not advised: a recertification done by the “On the fly” process would be hard to distinguish from one done by the “Campaign” process, as both would share the same policy id.

In this mode a recertification is triggered on a regular basis defined by the execution plan. Unlike the “On the fly” mode, the recertification is always triggered on a fixed interval.

When a policy is set in “Campaign” mode, a new job will be created and visible in:

  • "System" → "Jobs"

Ad hoc mode

An “Ad hoc” recertification is launched manually through the Groovy API. It is a non-recurring recertification campaign, mostly useful for including some additional objects in a more global recertification campaign launched through either the “Campaign” or the “On the fly” mode.

Recertification metadata

The recertification metadata of an Object are stored in a builtin attribute recertificationMetadata. This is a multivalued attribute whose size is equal to the number of recertification policies that the object matches. Each value contains the current recertification status and the history of recertifications for one policy.

When an Object matches the scope of an Object Recertification Policy and the conditions for recertification are met, the workflow provided in the policy configuration is triggered. This updates the builtin attribute recertificationMetadata with the status “PENDING” for the targeted policy. After completion, a new entry is added to the field “recertifications” of the attribute value with the “CERTIFIED” or “REFUSED” status.

The statuses of recertification are:

  • PENDING: when the workflow has started but has not been processed yet by a candidate

  • CERTIFIED: when the workflow is approved

  • REFUSED: when the workflow is cancelled or refused

The recertification metadata can be retrieved by API with a normal search on objects or by using the dedicated API:

  • URL example: GET: myTenant/api/idm/identities/egbert.faro.14/recertificationMetadata?expression=…
    Description: Get the recertifications for the object

Example of payload:

JSON
[
    {
        "id": "6056634a-3e0f-4246-b2fa-553722df9e0d",
        "objectId": "egbert.faro.14",
        "policyId": "test_object-recertification-policy",
        "status": "PENDING",
        "recertifiedAt": "2023-02-24T13:56:55.584Z",
        "recertifications": [
            {
                "requester": "system@@bum",
                "mode": "ON_THE_FLY",
                "recertificationPolicyId": "test_object-recertification-policy",
                "campaignExecutionId": null,
                "outcome": "CERTIFIED",
                "comments": [
                    {
                        "approver": "john.doe",
                        "date": "2023-02-24T13:56:55.584Z",
                        "approved": true,
                        "comment": "Ok"
                    }
                ],
                "startedAt": "2023-02-23T17:17:25.933Z",
                "finishedAt": "2023-02-24T13:56:55.684Z"
            }
        ]
    }
]

  • URL example: DELETE: myTenant/api/idm/identities/egbert.faro.14/recertificationMetadata/6056634a-3e0f-4246-b2fa-553722df9e0d
    Description: Clear the recertifications for a specific entry
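As an added example (not code from the Memority documentation or product), the “On the fly” trigger rule applied to a recertificationMetadata payload of the shape shown above: for each policy the next due date is the last recertification date, or the object's creation date when it was never recertified, plus the policy's period. The policy ids, periods, creation date and payload are constructed, and treating a null recertifiedAt as “never recertified” is an assumption.

```python
import calendar
import json
from datetime import datetime

# Constructed sample payload in the recertificationMetadata shape: one policy
# certified on April 1st, one never recertified (recertifiedAt null: assumption).
SAMPLE_METADATA = json.loads("""[
  {"policyId": "monthly-policy", "status": "CERTIFIED",
   "recertifiedAt": "2023-04-01T09:00:00Z",
   "recertifications": [{"outcome": "CERTIFIED", "finishedAt": "2023-04-01T09:00:00Z"}]},
  {"policyId": "quarterly-policy", "status": "PENDING",
   "recertifiedAt": null, "recertifications": []}
]""")
OBJECT_CREATED_AT = "2023-01-15T00:00:00Z"       # constructed creation date (fallback reference date)
PERIODS = {"monthly-policy": 1, "quarterly-policy": 3}   # constructed recertificationPeriod, in months


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as the ones in the payload."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def add_months(d, months):
    """Calendar-month addition (April 1 + 1 -> May 1, April 23 + 1 -> May 23),
    clamping the day when the target month is shorter (Jan 31 + 1 -> Feb 28)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def next_recertification_dates(metadata, created_at, periods):
    """Map policyId -> next due date. The reference date is the last
    recertification date for that policy, or the creation date if none."""
    result = {}
    for entry in metadata:
        policy = entry["policyId"]
        last = entry.get("recertifiedAt")
        reference = parse_ts(last) if last else parse_ts(created_at)
        result[policy] = add_months(reference, periods[policy])
    return result


def overdue_policies(metadata, created_at, periods, now):
    """Policies whose reference date plus period is already in the past,
    i.e. the ones the on-the-fly mode would trigger a workflow for."""
    due = next_recertification_dates(metadata, created_at, periods)
    return sorted(policy for policy, date in due.items() if date < now)
```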

Groovy API

The Groovy API for Object recertifications allows launching “Ad hoc” recertifications and getting an estimate of the next recertification date.

The Groovy API is only available in “Action” rules.

API variable: API_OBJECT_RECERTIFICATION

API methods:

GROOVY
/**
 * Estimate the next recertification date for the given policy
 *
 * @param objectId The object id
 * @param policyId The object recertification policy id
 *
 * @return The next estimated date of recertification
 */
Instant estimateNextRecertificationDate(String objectId, String policyId);

/**
 * Estimate the next recertification dates by applicable policies for the given object
 *
 * @param objectId The object id
 * @param objectKind The kind of the object
 *
 * @return The next estimated dates of recertification by matched policies
 */
Map<String, Instant> estimateNextRecertificationDates(String objectId, ObjectKind objectKind);

Usage:

GROOVY
def nextRecertForPolicy = API_OBJECT_RECERTIFICATION.estimateNextRecertificationDate("john.doe", "my-policy-id");

def nextRecertsByPolicies = API_OBJECT_RECERTIFICATION.estimateNextRecertificationDates("john.doe", ObjectKind.IDENTITY);

API variable: API_OBJECT_RECERTIFICATION_CAMPAIGN

API methods:

GROOVY
/**
 * Launch an Ad hoc recertification campaign for the provided objects
 * according to the provided recertification policy
 *
 * @param name The name of the ad hoc campaign
 * @param description The description of the campaign
 * @param objectRecertificationPolicyId The policy id
 * @param objectIds A list of object ids in the scope of the policy
 *
 * @return The campaign execution id
 */
String launchAdHocRecertificationCampaign(String name,
                                          String description,
                                          String objectRecertificationPolicyId,
                                          List<String> objectIds);

Usage:

GROOVY
def campaignId = API_OBJECT_RECERTIFICATION_CAMPAIGN.launchAdHocRecertificationCampaign("Ad hoc campaign", "Description", "my-policy", ["john.doe", "jane.doe"]);

Reporting

There are multiple builtin Mongo collections provisioned for the reporting of Object Recertifications:

  • Collections for storing the campaigns information (one collection per object kind)

  • Collections for storing the actual recertification metadata documents with a reference to the object (one collection per object kind)

Details about how to Synchronize recertifications with the Mongo connector can be found in the Reporting Object Configurations page.
