
Role Recertification

Definition

Role Recertification is the process of reviewing Role Assignments to verify their compliance. This process is implemented in Memority using Role Recertification Policies that can trigger a workflow on a regular basis or when needed.

The widget that displays the recertifications of an Object is described in this page.

Modes

On the fly mode

If the property recertificationPeriod is provided in the policy, it will activate the “On the fly” recertification mode.

In this mode the policy triggers the recertification workflow for every Role Assignment whose last recertification date (for this policy) is earlier than the current date minus the period.

For instance, a Role Assignment last recertified on April 1st with a recertification period of one month will have a new recertification workflow triggered on May 1st. For another Role Assignment in the same scope last recertified on April 23, the next workflow will only be triggered on May 23.

If a Role Assignment was never recertified, the reference date is the assignment date of the Role Assignment.
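The "On the fly" due-date rule above, worked through in code. This is an added example, not Memority's implementation: it assumes the metadata layout shown later on this page (metadata.recertifications entries with recertificationPolicyId and finishedAt, plus assignedAt) and a period expressed in calendar months.

```python
import calendar
from datetime import datetime, timezone

def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in Role Assignment payloads (e.g. finishedAt)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def add_months(dt: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the target month's length."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))

def reference_date(assignment: dict, policy_id: str) -> datetime:
    """Last finished recertification for this policy; if there is none, the assignment date.
    Entries still in progress (no finishedAt) are ignored (assumption)."""
    finished = [parse_ts(r["finishedAt"])
                for r in assignment["metadata"]["recertifications"]
                if r["recertificationPolicyId"] == policy_id and r.get("finishedAt")]
    return max(finished) if finished else parse_ts(assignment["assignedAt"])

def next_recertification_date(assignment: dict, policy_id: str, period_months: int) -> datetime:
    return add_months(reference_date(assignment, policy_id), period_months)

def due_assignments(assignments, policy_id: str, period_months: int, now: datetime) -> list:
    """Ids the "On the fly" policy would trigger at `now`. The page's example (April 1 plus
    one month is triggered on May 1) is read as an inclusive boundary."""
    return [a["id"] for a in assignments
            if next_recertification_date(a, policy_id, period_months) <= now]

def _ra(ra_id: str, assigned_at: str, *recerts) -> dict:
    """Constructed minimal assignment following the metadata layout shown on this page."""
    return {"id": ra_id, "assignedAt": assigned_at,
            "metadata": {"recertifications": [
                {"recertificationPolicyId": pid, "outcome": "CERTIFIED", "finishedAt": ts}
                for pid, ts in recerts]}}

# Constructed sample data: the two assignments from the text, one never recertified,
# and one recertified only under a different policy.
SAMPLE = [
    _ra("ra-april-1", "2024-01-10T08:00:00.000Z", ("pol-1", "2024-04-01T09:00:00.000Z")),
    _ra("ra-april-23", "2024-01-10T08:00:00.000Z", ("pol-1", "2024-04-23T09:00:00.000Z")),
    _ra("ra-never", "2024-03-15T08:00:00.000Z"),
    _ra("ra-other-policy", "2024-01-10T08:00:00.000Z", ("pol-2", "2024-04-29T09:00:00.000Z")),
]
NOW_MAY_1 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(due_assignments(SAMPLE, "pol-1", 1, NOW_MAY_1))
```

Note that "ra-other-policy" is due even though it was recertified on April 29: the reference date is per policy, so its pol-2 recertification does not count for pol-1.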

Campaign mode

If the property campaignExecutionPlan is provided, it activates the “Campaign” mode. It is possible to enable both the “On the fly” and “Campaign” modes on the same policy, but this is not advised: a recertification done by the “On the fly” process would be hard to distinguish from one done by the “Campaign” process, since both share the same policy id.

In this mode a recertification is triggered on a regular basis defined by the execution plan. Unlike the “On the fly” mode, the recertification is always triggered on a fixed interval.

When a policy is set in “Campaign” mode, a new job will be created and visible in:

  • "System" → "Jobs"

Ad hoc mode

An “Ad hoc” recertification is launched manually through the Groovy API. It is a non-recurring recertification campaign, mainly useful for including additional objects in a more global recertification campaign launched through either the “Campaign” or the “On the fly” mode.

Recertification metadata

The recertification metadata of a Role Assignment are stored in the Role Assignment metadata.recertifications property. This is a List containing the last recertification executions. The metadata retention period is configurable through the bum.role-assignments.recertification Setting (default 3 years).

When a Role Assignment matches the scope of a Role Recertification Policy and the conditions for recertification are met, the workflow provided in the policy configuration is triggered. This adds a Recertification Metadata entry with a PENDING status. After completion, the entry is updated with the final status and the approvers' names and comments.

The statuses of recertification are:

  • PENDING: when the workflow has started but has not been processed yet by a candidate

  • CERTIFIED: when the workflow is approved

  • REFUSED: when the workflow is cancelled or refused

The recertification metadata can be retrieved using the Identity APIs or the dedicated Role Assignment APIs.

GET /myTenant/api/idm/identities/egbert.faro.14?projection=attributes&attributes=roles

Get all Role Assignments of an identity, with their recertification metadata.

Example of payload:

JSON
{
    "kind": "IDENTITY",
    "id": "egbert.faro.14",
    "type": "internal",
    "roles": [
        {
            "id": "2e73142f-11a5-4efe-9298-02e95b2f336a",
            "role": "RRTH81425",
            "roleVersion": 1,
            "status": "ASSIGNED",
            "certificationStatus": "REFUSED",
            "manualProvisioningStatus": "NOT_APPLICABLE",
            "source": "MANUAL",
            "parentAssignment": null,
            "roleBinding": null,
            "policy": null,
            "policyMode": null,
            "policySynchronized": false,
            "policyVersion": null,
            "enabledFrom": null,
            "enabledUntil": null,
            "dimensions": {},
            "comment": null,
            "metadata": {
                "requester": "AA0000",
                "copiedFrom": null,
                "approvers": [],
                "recertifications": [
                    {
                        "requester": "system@@bum",
                        "mode": "CAMPAIGN",
                        "recertificationPolicyId": "certificationPolicy-internal-medium",
                        "campaignExecutionId": "7cd09393-6c1b-440a-a28c-d1bf515a2bd1",
                        "outcome": "REFUSED",
                        "comments": [
                            {
                                "approver": "AA0000",
                                "date": "2023-06-06T12:55:41.160Z",
                                "approved": false,
                                "comment": "Je retire"
                            }
                        ],
                        "startedAt": "2023-06-01T10:00:00.227Z",
                        "finishedAt": "2023-06-06T12:55:41.512Z"
                    }
                ]
            },
            "createdAt": "2023-05-22T10:22:43.838Z",
            "assignedAt": "2023-05-22T10:22:43.838Z",
            "deletedAt": null,
            "recertifiedAt": "2023-06-06T12:55:43.448Z",
            "frozenUntil": null,
            "_processedTags": null
        },
        //...
    ]
    //...
}

GET /myTenant/api/idm/identities/egbert.faro.14/role-assignments/9918da12-0f49-11ee-be56-0242ac120002

Get a single Role Assignment with its recertification metadata.

Example of payload:

JSON
{
    "id": "2e73142f-11a5-4efe-9298-02e95b2f336a",
    "role": "RRTH81425",
    "roleVersion": 1,
    "status": "ASSIGNED",
    "certificationStatus": "REFUSED",
    "manualProvisioningStatus": "NOT_APPLICABLE",
    "source": "MANUAL",
    "parentAssignment": null,
    "roleBinding": null,
    "policy": null,
    "policyMode": null,
    "policySynchronized": false,
    "policyVersion": null,
    "enabledFrom": null,
    "enabledUntil": null,
    "dimensions": {},
    "comment": null,
    "metadata": {
        "requester": "AA0000",
        "copiedFrom": null,
        "approvers": [],
        "recertifications": [
            {
                "requester": "system@@bum",
                "mode": "CAMPAIGN",
                "recertificationPolicyId": "certificationPolicy-internal-medium",
                "campaignExecutionId": "7cd09393-6c1b-440a-a28c-d1bf515a2bd1",
                "outcome": "REFUSED",
                "comments": [
                    {
                        "approver": "AA0000",
                        "date": "2023-06-06T12:55:41.160Z",
                        "approved": false,
                        "comment": "Je retire"
                    }
                ],
                "startedAt": "2023-06-01T10:00:00.227Z",
                "finishedAt": "2023-06-06T12:55:41.512Z"
            }
        ]
    },
    "createdAt": "2023-05-22T10:22:43.838Z",
    "assignedAt": "2023-05-22T10:22:43.838Z",
    "deletedAt": null,
    "recertifiedAt": "2023-06-06T12:55:43.448Z",
    "frozenUntil": null,
    "_processedTags": null
}

Recertification Actions

When a recertification Workflow is started, the Role Assignment certificationStatus attribute is set to PENDING.

When a recertification Workflow finishes successfully, the Role Assignment certificationStatus attribute is set to CERTIFIED, and recertifiedAt is set to the current date.

When a recertification Workflow is refused or cancelled, the Role Assignment certificationStatus attribute is set to REFUSED, and recertifiedAt is set to the current date.

When a recertification Workflow is refused through an end event whose errorRef equals DELETE (as in the BPMN snippet below), the Role Assignment status is also set to DELETED.

XML
<endEvent id="recertificationRefused_delete">
    <errorEventDefinition errorRef="DELETE"/>
</endEvent>

Do not use errorRef="DELETE" with Role Assignments that were assigned by an EDIT Role Assignment Policy, as they cannot be deleted.
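The state transitions of this section, applied to a Role Assignment record, together with the audit check a reviewer wants afterwards: a refused recertification that did not end with errorRef="DELETE" leaves the role in place. This is an added example, not Memority code; the result names ("STARTED", "APPROVED", ...) and the assumption that EDIT-policy assignments carry policyMode == "EDIT" are the author's choices here.

```python
from datetime import datetime, timezone
from typing import Optional

def to_ts(dt: datetime) -> str:
    """Format a UTC datetime like the payload timestamps on this page (millisecond 'Z' form)."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def can_delete(assignment: dict) -> bool:
    """Assignments created by an EDIT Role Assignment Policy cannot be deleted.
    Assumption: such assignments carry policyMode == "EDIT" in their payload."""
    return assignment.get("policyMode") != "EDIT"

def apply_workflow_result(assignment: dict, result: str,
                          error_ref: Optional[str], now: datetime) -> dict:
    """Return a copy of the Role Assignment with the Recertification Actions applied.

    result: "STARTED", "APPROVED", "REFUSED" or "CANCELLED" (names chosen for this example).
    error_ref: the BPMN errorRef of the end event that ended a refused workflow, if any.
    """
    ra = dict(assignment)
    if result == "STARTED":
        ra["certificationStatus"] = "PENDING"
    elif result == "APPROVED":
        ra["certificationStatus"] = "CERTIFIED"
        ra["recertifiedAt"] = to_ts(now)
    elif result in ("REFUSED", "CANCELLED"):
        ra["certificationStatus"] = "REFUSED"
        ra["recertifiedAt"] = to_ts(now)
        if result == "REFUSED" and error_ref == "DELETE":
            if not can_delete(ra):
                raise ValueError("errorRef=DELETE is not allowed for EDIT-policy assignments")
            ra["status"] = "DELETED"
            ra["deletedAt"] = to_ts(now)
    else:
        raise ValueError(f"unknown workflow result {result!r}")
    return ra

def refused_but_active(assignments) -> list:
    """Audit check: ids of assignments whose recertification was refused but that still grant the role."""
    return [a["id"] for a in assignments
            if a.get("certificationStatus") == "REFUSED" and a.get("status") == "ASSIGNED"]

# Constructed sample mirroring the fields of the payload shown earlier on this page.
SAMPLE_ASSIGNMENT = {"id": "2e73142f-11a5-4efe-9298-02e95b2f336a", "role": "RRTH81425",
                     "status": "ASSIGNED", "certificationStatus": "CERTIFIED",
                     "policyMode": None, "recertifiedAt": None, "deletedAt": None}
SAMPLE_NOW = datetime(2023, 6, 6, 12, 55, 43, 448000, tzinfo=timezone.utc)

if __name__ == "__main__":
    refused = apply_workflow_result(SAMPLE_ASSIGNMENT, "REFUSED", None, SAMPLE_NOW)
    print(refused_but_active([refused]))
```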

Groovy API

The Groovy API for Role Assignment recertifications allows launching an “Ad hoc” recertification and getting an estimate of the next recertification date.

The Groovy API is only available in “Action” rules.

API variable: API_RECERTIFICATION

API methods:
JAVA
import java.time.Instant;

public interface ApiRecertification {

    /**
     * Estimates the next recertification date of a given Role Assignment
     *
     * @param identityId       the Identity id
     * @param roleAssignmentId the Role Assignment id
     * @return the estimated next recertification date, or <code>null</code> if the Role Assignment is not subject to
     * campaign or on the fly recertification
     */
    Instant estimateNextRecertificationDate(String identityId, String roleAssignmentId);
}
Usage:

GROOVY
def nextRecertForPolicy = API_RECERTIFICATION.estimateNextRecertificationDate("john.doe", "9918da12-0f49-11ee-be56-0242ac120002");

API variable: API_RECERTIFICATION_CAMPAIGN

API methods:

JAVA
import java.util.List;

public interface ApiRecertificationCampaign {

    /**
     * Launches an ad hoc recertification campaign for given Identities and Roles
     *
     * @param name        the campaign name (mandatory)
     * @param description the campaign description
     * @param identityIds the Identities to re-certify (mandatory)
     * @param roleIds     the Roles to re-certify (mandatory)
     * @return the campaign execution id
     */
    String launchAdHocRecertificationCampaign(String name,
                                              String description,
                                              List<String> identityIds,
                                              List<String> roleIds);
}
Usage:

GROOVY
def campaignId = API_RECERTIFICATION_CAMPAIGN.launchAdHocRecertificationCampaign("Ad hoc campaign", "Description", ["john.doe", "jane.doe"], ["sensitiveRole1", "sensitiveRole2"]);

Reporting

There are multiple built-in Mongo collections provisioned for the reporting of Object Recertifications:

  • Collections for storing the campaign information

  • Collections for storing Role Assignment documents (with their recertification metadata) with a reference to the Identity.

Details about how to Synchronize recertifications with the Mongo connector can be found in the Reporting Object Configurations page.
