As an administrator, you can create an account recertification policy to use with one or more services or access instances. For example, you might create a recertification policy that specifies that managers must recertify their employee accounts every 60 days.
Before you begin
Depending on how your system administrator customized your system, you might not have access to this task. To obtain access to this task or to have someone complete it for you, contact your system administrator.
Before you create a recertification policy, one or more service instances must exist.
Procedure
- From the navigation tree, select .
- On the Recertification Policies page, in the Recertification Policies table, click Create.
- On the Manage Recertification Policies page, on the General page, complete these steps:
  - Type a name for the recertification policy.
  - Optional: Type a description for the recertification policy.
  - Select the status of the policy, enabled or disabled.
  - Select the business unit to which the policy applies.
  - Select the scope of the business unit that you selected.
  - Click Next.
- On the Target Type page, select Accounts, and then click Next.
- On the Service Target page, add one or more specific services to associate with the policy, and then click Next. To add one or more services:
  - Click Add.
  - On the Services page, type your search criteria, and then click Search.
  - In the Services table, select one or more services.
  - Click OK.
- On the Schedule page, select the schedule type and evaluation frequency, and then click Next.
- On the Policy page, select either simple or advanced configuration mode, and then click Next. If you choose the advanced mode, use the workflow designer to configure the policy.
  Note: On the Policy page, you can also specify the following options:
  - Who approves recertification
  - The action, such as suspend or delete, that occurs when a participant declines to recertify an account
  - An optional recipient of the rejection email, such as a manager, who is notified when recertification is declined; this recipient can be set to none
  - The number of days in which the participant must respond to the recertification request
  - An action, such as reject or approve, that occurs when the recertification response interval expires
  - A user type, which restricts the scope of the recertification policy to people of a certain type on the specified policy schedule
  Note: The user type option incurs a performance penalty when any option other than all is used. If the person or business partner (bp) person type is chosen, IBM Verify Identity Governance still retrieves all accounts from the LDAP server. It then iterates through the accounts, does an LDAP search to look up the owner of each account, and determines whether the owner is of type person or bp person. If your user population is large, doing two searches per account can be expensive.
- On the Recertification E-mail page, select an email template, and click Next.
- On the Rejection E-mail page, select a rejection email template, and click Finish.
- On the Success page, click Close.
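To make the effect of the Policy page settings concrete, here is an added example (written for this page; not IBM Verify Identity Governance code or its API) that models how the response interval, the expiry action and the decline action combine to decide what happens to an account. The account names, request dates and the assumption that an expired request under the reject action is handled like an explicit decline are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class RecertPolicy:
    response_days: int       # days the participant has to respond to the request
    expiry_action: str       # "approve" or "reject" when the response interval expires
    decline_action: str      # "suspend" or "delete" when the participant declines

@dataclass
class RecertItem:
    account: str
    requested: date          # date the recertification request was sent
    response: Optional[str]  # "approve", "decline", or None if no answer yet

def resolve(item: RecertItem, policy: RecertPolicy, today: date) -> str:
    """Return the outcome for the account: 'pending', 'keep', 'suspend' or 'delete'.

    Assumption (not stated on the page): an expired request with expiry_action
    'reject' is handled exactly like an explicit decline, so decline_action applies.
    """
    deadline = item.requested + timedelta(days=policy.response_days)
    answer = item.response
    if answer is None:
        if today <= deadline:
            return "pending"          # still inside the response interval
        answer = "approve" if policy.expiry_action == "approve" else "decline"
    return "keep" if answer == "approve" else policy.decline_action

# Constructed sample: three accounts in one request cycle sent on the same day.
SENT = date(2024, 1, 1)
ITEMS = [
    RecertItem("jdoe",   SENT, "approve"),  # manager approved
    RecertItem("asmith", SENT, "decline"),  # manager declined
    RecertItem("ghost",  SENT, None),       # nobody answered
]

def summarize(policy: RecertPolicy, days_after: int) -> dict:
    """Evaluate every sample item as of SENT + days_after days."""
    today = SENT + timedelta(days=days_after)
    return {item.account: resolve(item, policy, today) for item in ITEMS}

# Fail-closed: silence leads to suspension. Fail-open: silence silently keeps access.
FAIL_CLOSED = RecertPolicy(response_days=30, expiry_action="reject", decline_action="suspend")
FAIL_OPEN = RecertPolicy(response_days=30, expiry_action="approve", decline_action="suspend")

if __name__ == "__main__":
    print(summarize(FAIL_CLOSED, 45))  # 'ghost' is suspended
    print(summarize(FAIL_OPEN, 45))    # 'ghost' keeps its access
```

The unanswered account is the one to watch: with the approve-on-expiry setting a recertification cycle can complete without any human ever reviewing it.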