As an administrator, you can create an access recertification policy for use with one or more access instances.
Before you begin
Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.
About this task
Before you create a recertification policy, an access instance must exist.
Procedure
- From the navigation tree, select .
- On the Recertification Policies page, in the Recertification Policies table, click Create.
- On the Manage Recertification Policies page, on the General page, complete these steps:
  - Type a name for the recertification policy.
  - Optional: Type a description for the recertification policy.
  - Select the status of the policy, enabled or disabled.
  - Select the business unit to which the policy applies.
  - Select the scope of the business unit that you selected.
  - Click Next.
- On the Target Type page, select Access, and then click Next.
- On the Access Target page, add one or more specific accesses to associate with the policy, and then click Next.
  - To add one or more accesses, complete these steps:
    - Click Add.
    - On the Accesses page, type your search criteria, and then click Search.
    - In the Accesses table, select one or more accesses.
    - Click OK.
- On the Schedule page, select the schedule type and evaluation frequency, and then click Next.
- On the Policy page, select the configuration mode, and then click Next. If you choose the advanced mode, use the workflow designer to configure the policy.
  Note: On the Policy page, you can also specify the following options:
  - Who approves recertification
  - The action, such as suspend or delete, that occurs when a participant declines to recertify an access
  - An optional recipient who receives the rejection email (which can be configured to none), such as a manager, who is notified when recertification is declined
  - A value for the number of days in which the participant must respond to the recertification request
  - An action, such as reject or approve, that occurs when the recertification response interval expires
  - A user type to specify the scope of the recertification policy to apply only to people of a certain type on the specified policy schedule
  Note: The user type option includes a performance penalty for using options other than all. If the person or business partner (bp) type is chosen, IBM Verify Identity Governance still retrieves all accounts from the LDAP server. IBM Verify Identity Governance then iterates through the accounts, does an LDAP search to look up the owners of the accounts, and determines if the owner is of the type person or bp person. If your user population is large, doing two searches per account can be expensive.
- On the Recertification E-mail page, select an e-mail template, and then click Next.
- On the Rejection E-mail page, select a rejection e-mail template, and then click Finish.
- On the Success page, click Close.