Creating an account recertification policy

As an administrator, you can create an account recertification policy to use with one or more services or access instances. For example, you might create a recertification policy that specifies that managers must recertify their employee accounts every 60 days.

Before you begin

Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.

Before you create a recertification policy, one or more service instances must exist.

Procedure

  1. From the navigation tree, select Manage Policies > Manage Recertification Policies.
  2. On the Recertification Policies page, in the Recertification Policies table, click Create.
  3. On the Manage Recertification Policies page, on the General page, complete these steps:
    1. Type a name for the recertification policy.
    2. Optional: Type a description for the recertification policy.
    3. Select the status of the policy, enabled or disabled.
    4. Select the business unit to which the policy applies.
    5. Select the scope of the business unit that you selected.
    6. Click Next.
  4. On the Target Type page, select Accounts, and then click Next.
  5. On the Service Target page, add one or more services to associate with the policy:
    1. Click Add.
    2. On the Services page, type your search criteria, and then click Search.
    3. In the Services table, select one or more services.
    4. Click OK.
  6. Click Next.
  7. On the Schedule page, select the schedule type and evaluation frequency, and then click Next.
  8. On the Policy page, select either simple or advanced configuration mode, and then click Next. If you choose advanced mode, the workflow designer opens so that you can configure the policy.
    Note: On the Policy page, you can also specify the following options:
    • Who approves recertification
    • The action, such as suspend or delete, that occurs when a participant declines to recertify an account
    • An optional recipient of the rejection email, such as the account owner's manager, who is notified when recertification is declined; this can be set to none
    • The number of days in which the participant must respond to the recertification request
    • The action, such as reject or approve, that occurs when the recertification response interval expires
    • A user type, which limits the policy to accounts owned by people of that type when the policy runs on its schedule
      Note: Selecting a user type other than All carries a performance penalty. If the person or business partner (bp) person type is chosen, IBM Verify Identity Governance still retrieves all accounts from the LDAP server. It then iterates through the accounts, performs an LDAP search to look up the owner of each account, and determines whether the owner is of type person or bp person. If your user population is large, this additional search for every account can be expensive.
  9. On the Recertification E-mail page, select an email template, and click Next.
  10. On the Rejection E-mail page, select a rejection email template, and click Finish.
  11. On the Success page, click Close.