Skip to main content
Skip table of contents

Role Recertification Policies

Definition

Role Recertification is the process of reviewing Role Assignments to verify their compliance. This process is implemented in Memority using Role Recertification Policies that can trigger a workflow on a regular basis or when needed.

The details about the widget allowing to view the recertifications of an Object are described in this page.

Configuration

You can access the Recertification Policy configuration :

  • by clicking on "Portal" â†’ “Recertification Policies”

  • by clicking on "System" â†’ "Configurations" → "Recertification Policies" and perform an import/export.

Properties

Property name

Type

Mandatory

Description

Modifiable after creation

id

String

YES

The id is the unique identifier of the Role Recertification Policy

It is case sensitive and no special characters (except - or _) are allowed.

NO

name

String

YES

The Object Recertification Policy name.

The name may be different from the identifier.Must be at least 4 characters long.

YES

active

Boolean

YES

Allow to toggle activation of the policy

YES

identityScope

StaticObjectScope

YES

The Scope of the policy. It will apply to all Role Assignments:

  • matching roleAssignmentScope

  • belonging to an identity matching roleAssignmentScope

  • that are currently in ASSIGNED status

  • That are modifiable, i.e. neither frozen nor assigned by a STRICT Role Assignment Policy

YES

roleAssignmentScope

SimpleObjectScope

YES

recertificationPeriod

String

NO

A period duration in ISO 8601 format.

If provided, the “On the fly” recertification mode will be activated with this period.

YES

campaignExecutionPlan

ExecutionPlan

NO

If provided, the “Campaign” recertification mode will be activated with the provided schedule (see “Campaign” recertification below)

YES

workflowStrategy

WorkflowStrategy

YES

Provide the workflow to be triggered for the recertification

YES

Policy Scopes (identityScope + roleAssignmentScope) must be distinct. If a Role Assignment matches several policies, the behavior will not be deterministic.

Example

Recertification Policy Example
XML 
<ctdbum:RecertificationPolicy id="fa037d3a-8cc7-4ceb-aaf1-2d883f9e4c3e"
                              xmlns:ctd="http://www.memority.com/citadel/1_0"
                              xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0"
                              xmlns:ctdcore="http://www.memority.com/citadel/core/1_0"
                              xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0"
                              xmlns:ctdrule="http://www.memority.com/citadel/rule/1_0"
                              xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0"
                              xmlns:kit="http://www.memority.com/toolkit/1_0"
                              xmlns:rule="http://www.memority.com/toolkit/rule/1_0" xmlns:search="http://www.memority.com/toolkit/search-expression/1_0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
   <name>My Recertification Policy </name>
   <description>Recertification Policy</description>
   <active>true</active>
   <identityScope type="EXPRESSION" objectKind="IDENTITY">
      <searchExpression>
         <search:Prop op="NOT_EQUALS" name="id">
            <value script="false">CEO</value>
         </search:Prop>
      </searchExpression>
      <objectTypes>
         <objectType>employee</objectType>
      </objectTypes>
   </identityScope>
   <roleAssignmentScope type="EXPRESSION">
      <searchExpression>
         <search:Prop op="EQUALS" name="role.critical">
            <value script="false">true</value>
         </search:Prop>
      </searchExpression>
   </roleAssignmentScope>
   <recertificationPeriod>P6M</recertificationPeriod>
   <campaignExecutionPlan>
      <scheduleType>INTERVAL</scheduleType>
      <interval>1</interval>
      <intervalUnit>YEARS</intervalUnit>
   </campaignExecutionPlan>
   <workflowStrategy xsi:type="ctdbum:NoneRoleWorkflowStrategyType">
      <readOnlyDimensionTags>
         <tag>readTag</tag>
      </readOnlyDimensionTags>
      <readWriteDimensionTags>
         <tag>readWriteTag</tag>
      </readWriteDimensionTags>
   </workflowStrategy>
</ctdbum:RecertificationPolicy>

Read Next

Business Policies — A Business Policy allows to configure how to trigger actions on Object Types through a Feature with an optional configured Workflow.
Object Policies — An Object Policy is an Identity Management Service Policy allowing to execute arbitrary actions on Managed Objects, either on a scheduled basis, or in reaction to an Object Operation.
Deduplication Policies — A Deduplication Policy describes how duplicates should be searched for when creating a managed object.
Feature Access Policies — A Feature Access Policy is composed of a right which encompasses several Features.
Manual Provisioning Policies — A Manual Provisioning Policy allows to define that manual provisioning or deprovisioning Workflow is launched when the Role assignment status changes.
Object Lifecycle Policies — An Object Lifecycle Policy allows to configure rules, on all Object Types, that will alter an Object attribute directly when certain lifecycle events occur.
Password Policies — A Password Policy determines how passwords should be composed and which rules apply to their lifecycle.
Role Request Policies — A Role Request Policy allows to define if a Role can be requested, for whom, by whom, and using which Workflow.
Workflow Administration Policies — A Workflow Administration Policy is composed of a right which encompasses several Features.
Memority MFA Account Policies — A Memority MFA Policy allows to configure how multi factor authentication should be applied to a population of user
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close