Role Recertification Policies

Definition

Role Recertification is the process of reviewing Role Assignments to verify their compliance. This process is implemented in Memority using Role Recertification Policies that can trigger a workflow on a regular basis or when needed.

The widget used to view the recertifications of an Object is described in this page.

Configuration

You can access the Recertification Policy configuration:

  • by clicking on "Portal" → "Recertification Policies"

  • by clicking on "System" → "Configurations" → "Recertification Policies" and performing an import/export.

Properties

| Property name | Type | Mandatory | Description | Modifiable after creation |
|---|---|---|---|---|
| id | String | YES | The id is the unique identifier of the Role Recertification Policy. It is case sensitive and no special characters (except - or _) are allowed. | NO |
| name | String | YES | The Object Recertification Policy name. The name may be different from the identifier. Must be at least 4 characters long. | YES |
| active | Boolean | YES | Allows toggling activation of the policy. | YES |
| identityScope | StaticObjectScope | YES | The Scope of the policy. It will apply to all Role Assignments: matching roleAssignmentScope; belonging to an identity matching roleAssignmentScope; that are currently in ASSIGNED status; that are modifiable, i.e. neither frozen nor assigned by a STRICT Role Assignment Policy. | YES |
| roleAssignmentScope | SimpleObjectScope | YES | | |
| recertificationPeriod | String | NO | A period duration in ISO 8601 format. If provided, the “On the fly” recertification mode will be activated with this period. | YES |
| campaignExecutionPlan | ExecutionPlan | NO | If provided, the “Campaign” recertification mode will be activated with the provided schedule (see “Campaign” recertification below). | YES |
| workflowStrategy | WorkflowStrategy | YES | The workflow to be triggered for the recertification. | YES |

Policy Scopes (identityScope + roleAssignmentScope) must be distinct. If a Role Assignment matches several policies, the behavior will not be deterministic.

Example

Recertification Policy Example
XML
<ctdbum:RecertificationPolicy id="fa037d3a-8cc7-4ceb-aaf1-2d883f9e4c3e"
                              xmlns:ctd="http://www.memority.com/citadel/1_0"
                              xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0"
                              xmlns:ctdcore="http://www.memority.com/citadel/core/1_0"
                              xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0"
                              xmlns:ctdrule="http://www.memority.com/citadel/rule/1_0"
                              xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0"
                              xmlns:kit="http://www.memority.com/toolkit/1_0"
                              xmlns:rule="http://www.memority.com/toolkit/rule/1_0"
                              xmlns:search="http://www.memority.com/toolkit/search-expression/1_0"
                              xmlns:xs="http://www.w3.org/2001/XMLSchema"
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <name>My Recertification Policy </name>
   <description>Recertification Policy</description>
   <active>true</active>
   <identityScope type="EXPRESSION" objectKind="IDENTITY">
      <searchExpression>
         <search:Prop op="NOT_EQUALS" name="id">
            <value script="false">CEO</value>
         </search:Prop>
      </searchExpression>
      <objectTypes>
         <objectType>employee</objectType>
      </objectTypes>
   </identityScope>
   <roleAssignmentScope type="EXPRESSION">
      <searchExpression>
         <search:Prop op="EQUALS" name="role.critical">
            <value script="false">true</value>
         </search:Prop>
      </searchExpression>
   </roleAssignmentScope>
   <recertificationPeriod>P6M</recertificationPeriod>
   <campaignExecutionPlan>
      <scheduleType>INTERVAL</scheduleType>
      <interval>1</interval>
      <intervalUnit>YEARS</intervalUnit>
   </campaignExecutionPlan>
   <workflowStrategy xsi:type="ctdbum:NoneRoleWorkflowStrategyType">
      <readOnlyDimensionTags>
         <tag>readTag</tag>
      </readOnlyDimensionTags>
      <readWriteDimensionTags>
         <tag>readWriteTag</tag>
      </readWriteDimensionTags>
   </workflowStrategy>
</ctdbum:RecertificationPolicy>
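
The property constraints and the distinct-scopes rule above can be checked offline against exported policies before they are imported. The following Python lint is an added example, not Memority code: `lint_policies`, its messages and the sample policies are constructed here, the id pattern is one reading of "no special characters", and the scope check only catches active policies whose two scopes are identical, not partially overlapping expressions.

```python
import re
import xml.etree.ElementTree as ET

ID_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumption: letters, digits, '-' and '_' only
# ISO 8601 duration such as P6M, P1Y, P30D or PT12H; at least one component required.
PERIOD_RE = re.compile(r"P(?=\d|T\d)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?")

def canon(e):
    """Hashable canonical form of a scope subtree; None if the scope is absent."""
    return None if e is None else (e.tag, tuple(sorted(e.attrib.items())),
                                   (e.text or "").strip(), tuple(map(canon, e)))

def lint_policies(xml_docs):
    """Return (policy id, finding) pairs for a list of exported policy documents."""
    findings, seen = [], {}
    for doc in xml_docs:
        root = ET.fromstring(doc)  # child elements carry no namespace, as in the page's example
        pid = root.get("id", "")
        if not ID_RE.fullmatch(pid):
            findings.append((pid, "id has a character other than letters, digits, - or _"))
        if len(root.findtext("name", "").strip()) < 4:
            findings.append((pid, "name is shorter than 4 characters"))
        period = root.findtext("recertificationPeriod", "").strip()
        if period and not PERIOD_RE.fullmatch(period):
            findings.append((pid, "recertificationPeriod is not an ISO 8601 duration"))
        if not period and root.find("campaignExecutionPlan") is None:
            findings.append((pid, "no recertification mode is activated"))
        if root.findtext("active", "").strip() == "true":
            key = (canon(root.find("identityScope")), canon(root.find("roleAssignmentScope")))
            if key in seen:  # identical scopes: every matching assignment hits both policies
                findings.append((pid, f"same scopes as active policy {seen[key]}"))
            seen.setdefault(key, pid)
    return findings

# Constructed sample policies (not taken from a real tenant).
TEMPLATE = """<ctdbum:RecertificationPolicy id="{pid}"
  xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0"
  xmlns:search="http://www.memority.com/toolkit/search-expression/1_0">
 <name>{name}</name><active>true</active>{period}
 <identityScope type="EXPRESSION" objectKind="IDENTITY"><objectTypes>
  <objectType>employee</objectType></objectTypes></identityScope>
 <roleAssignmentScope type="EXPRESSION"><searchExpression>
  <search:Prop op="EQUALS" name="role.critical"><value>true</value></search:Prop>
 </searchExpression></roleAssignmentScope></ctdbum:RecertificationPolicy>"""
PERIOD = "<recertificationPeriod>{}</recertificationPeriod>"
SAMPLES = [TEMPLATE.format(pid="critical-roles", name="Critical roles", period=PERIOD.format("P6M")),
           TEMPLATE.format(pid="critical roles!", name="Dup", period=PERIOD.format("6 months"))]
for pid, msg in lint_policies(SAMPLES):
    print(f"{pid!r}: {msg}")
```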
