Modules - Recertification (IdM 15+) [rec]
The Recertification module in Identity Management (IdM) lets administrators run regularly scheduled or individual recertification requests for permissions assigned in IdM. Each recertification request starts an approval process at the end of which the permissions are either retained (recertified) or removed as no longer needed. This raises the overall security level provided by IdM, because it prevents the accumulation of unnecessary permissions on individuals over time.
The module allows administrators (or other authorized users) to:
- Run recertification tasks on identities or roles
- Schedule regular recertification tasks for a given organizational structure
- Schedule regular recertification tasks for roles, run periodically and counted from the last assignment or the last recertification
- Configure the approval process and workflow used in the recertification process
Version
TODO fill in correctly
Version | Compatible with product | Notes
---|---|---
1.0.0 | 13.0.0 | First module implementation |
1.0.1 | 13.0.4 | — |
1.1.0 | 13.0.6 | — |
1.1.1 | 13.0.6 | — |
1.1.2 | 13.0.11 | — |
2.0.0 | 14.0.0 | Upgrade Java to 21 |
2.0.1 | 14.7.0 | Fixes with compatibility |
2.1.0 | 14.11.0 | New evaluators |
"Compatible with product" means the recommended product version for that module version.
Documentation Structure
- Features of the recertification module - Provides an overview of the entities, bulk actions and scheduled tasks the module adds to IdM.
- Installation – Describes the installation process and basic configuration of the Recertification module.
- Getting Started – Includes the initial steps required for the user to start working with the module.
- Regular recertifications - Describes how to schedule regular recertification events.
- Types of Users - Gives a brief overview of the different user roles involved in working with the Recertification module, their responsibilities and permissions, and how each takes part in a recertification.
Features of the recertification module
- Recertification request entity contains information about a single recertification; this usually consists of recertifying multiple IdmIdentityRole (identity to role) relationships.
- Recertifications list is an agenda that the administrator can use to keep track of ongoing or completed recertifications, as well as the status of their approval tasks.
- Recertify user bulk action is used to run a recertification per identity, triggered from the identities agenda
- Recertify role bulk action is used to run a recertification per role definition, triggered from the roles agenda
- Recertification event approval process and related approval task type is used to configure the approval workflow for recertifications
- Scheduled task: Regularly scheduled assigned role recertification according to the given interval is used to schedule regular, per-role recertifications that run periodically from role assignment date or last recertification date
- Scheduled task: Recertification of users' assigned roles is used to recertify roles for identities in a given organizational structure with a fixed period (e.g. every 365 days)
- Scheduled task: Remove roles after forced recertification's end is a system task, scheduled daily automatically, that removes roles whose recertification has expired and was set to "hard" recertification
Installation
This section describes the installation process of the Recertification module, including its activation, required prerequisites, access rights configuration and the approval process it depends on. It serves as a starting point for administrators when introducing the module into the IdM environment.
Configuration
The Recertification module needs the "Role assignment recertification" approval process configured. To configure it, first create an approval workflow as described in the WF Engine documentation. Then, in the Settings > Approval Processes page, select CREATE to make a new approval process and configure it as in the example, substituting your own workflow.
Getting Started
If your IdM is in production, with users requesting roles and being assigned roles manually, there are probably already plenty of opportunities to run a recertification.
Triggering and completing a recertification on users
To start a recertification on users, navigate to the "Users" agenda, select the users you wish to run the recertification on and, using the bulk action menu, select the "Recertificate assigned roles" action. A modal dialog with recertification options will appear:
- Recertificate assigned roles only lets you restrict the recertification to certain roles; by default, all manually assigned roles are recertified.
- Due date is the date by which the recertification will expire and all remaining recertification tasks will be closed.
- Hard recertification means that if the recertification expires, all unapproved tasks will be rejected and the roles removed automatically.
- Description can be used to add audit notes to the recertification, but also to provide instructions or information to approvers. The description is visible in the approval tasks.
When you are satisfied with the properties, click "Execute" to trigger the recertification. To see the recertifications in progress, navigate to the Roles > Recertification agenda. The "Recertificate assigned roles" bulk action used in this example has created a recertification request for each of the selected users; each recertification request then contains that user's assigned roles as items (see the items column in the screenshot).
You can use the filters in this agenda to quickly find the relevant recertification requests based on the entity being recertified, the creation date or the state. By clicking on the magnifying glass, you can see the detail of each recertification request, as well as its items. The detail page shows all the properties of the recertification request as well as the state of each of the recertification items.
You can see the relevant approval tasks for this recertification by using the "show tasks for this request" button, or individually for each item by using the magnifying glass next to the approval status. When all approval tasks are resolved (approved or rejected), the recertification changes its state to Executed. Any roles that were rejected are removed from the user; in our example, basicRole2 was not approved and was therefore removed from the user.
Recertify a role
The process to recertify a role is quite similar, but instead of the users agenda you trigger the recertification bulk action from the Roles agenda.
A recertification created this way has exactly the same lifecycle as recertifications triggered from the users agenda, the only difference being that here each recertification item is a user rather than a role.
Regular recertifications
There are two options to schedule regular recertifications, both using scheduled tasks:
- Recertification of users' assigned roles is used for running user recertification (equivalent to the bulk action in the users agenda) at a fixed interval (e.g. 365 days), optionally restricting the run to a certain organizational unit. Full documentation for this scheduled task is here: https://wiki.czechidm.com/tutorial/adm/module_recertification#lrt_for_regular_identity_recertification
- Regularly scheduled assigned role recertification according to the given interval is a new scheduled task that allows for more sophisticated scheduling of recertifications for roles.
Regularly scheduled assigned role recertification according to the given interval
The purpose of this scheduled task is to schedule regular recertifications in such a way that the approvers are not flooded with hundreds of approval tasks on the same date every year; instead, the recertification requests are spread out over time. The principle is that recertifications are scheduled on an "anniversary" of the role assignment. For simplicity, let's say we have users Bob, Alice and Charlie:
- Bob has role A assigned since April 1st this year
- Alice has role A assigned since June 1st this year
- Charlie has role A assigned since April 15th, but two years ago.
- The admin schedules the Regularly scheduled assigned role recertification according to the given interval task on Dec 1st with a period of 365 days
What happens is:
- Charlie gets a recertification triggered immediately, since his role has been assigned for more than 365 days. He will then get a recertification event on every Dec 1st.
- Bob will get recertified on April 1st, when his role assignment has reached 365 days
- Alice will get recertified on June 1st.
This differs from the Recertification of users' assigned roles scheduled task. If we use that one in the same example:
- Charlie, Bob and Alice will all three immediately get recertified and then will receive the same recertification on Dec 1st every year.
In both cases, the same recertification workflow is used (and the same as in individual recertifications).
To configure the scheduled task, you use the properties below:
- Interval is the number of days between recertifications (see the example above)
- Role catalogues restricts the task to roles in the selected role catalogues
- Hard recertification defines whether the created recertifications will be hard or not
- Recertification deadline defines how many days the recertification will last; it sets the due date for each recertification created by the scheduled task
- Description is visible in the recertifications created by the scheduled task and in the related approval tasks
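The difference between the two scheduled tasks, and the way the interval task's properties shape the requests it creates, can be checked by simulating the Bob, Alice and Charlie example above. The following Python is an added illustration written for this page, not code from the Recertification module or from CzechIdM: the RoleAssignment and IntervalTaskConfig classes, the catalogue and organizational-unit attributes used as filters, the concrete years (2025 as "this year") and the daily trigger of the interval task are all assumptions made so the example runs offline.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class RoleAssignment:
    """One identity-to-role relation (an IdmIdentityRole). The catalogue and org_unit
    attributes are constructed here only to model the filters of the two tasks."""
    identity: str
    role: str
    catalogue: str
    org_unit: str
    assigned: date
    last_recertified: Optional[date] = None

    def anchor(self) -> date:
        """The interval is counted from the last recertification, else from assignment."""
        return self.last_recertified or self.assigned


@dataclass
class IntervalTaskConfig:
    """Properties of 'Regularly scheduled assigned role recertification according to
    the given interval', as listed on the page."""
    interval_days: int
    catalogues: Set[str]
    hard: bool
    deadline_days: int
    description: str


def interval_task(assignments: List[RoleAssignment], today: date,
                  cfg: IntervalTaskConfig) -> List[Dict]:
    """Recertify every relation in the configured catalogues whose anchor date lies at
    least interval_days in the past; returns the recertification requests created."""
    created = []
    for a in assignments:
        if a.catalogue in cfg.catalogues and (today - a.anchor()).days >= cfg.interval_days:
            a.last_recertified = today
            created.append({"identity": a.identity, "role": a.role, "created": today,
                            "due": today + timedelta(days=cfg.deadline_days),
                            "hard": cfg.hard, "description": cfg.description})
    return created


def fixed_period_task(assignments: List[RoleAssignment], today: date,
                      org_unit: str) -> List[Dict]:
    """'Recertification of users' assigned roles': every run recertifies all relations
    of all identities in the organizational unit, whatever their assignment date."""
    created = []
    for a in assignments:
        if a.org_unit == org_unit:
            a.last_recertified = today
            created.append({"identity": a.identity, "role": a.role, "created": today})
    return created


def run_schedule(assignments: List[RoleAssignment], start: date, end: date,
                 every_days: int, task: Callable) -> List[Tuple[str, str]]:
    """Trigger `task` every `every_days` days from start to end (inclusive) and return
    the (run date, identity) pairs of the requests it created, in chronological order."""
    triggered = []
    day = start
    while day <= end:
        triggered += [(r["created"].isoformat(), r["identity"]) for r in task(assignments, day)]
        day += timedelta(days=every_days)
    return triggered


def sample_assignments() -> List[RoleAssignment]:
    """The page's example with 2025 as 'this year': Bob and Alice assigned this year,
    Charlie two years earlier; catalogue and org unit values are constructed."""
    return [RoleAssignment("Bob", "A", "cat1", "ou1", date(2025, 4, 1)),
            RoleAssignment("Alice", "A", "cat1", "ou1", date(2025, 6, 1)),
            RoleAssignment("Charlie", "A", "cat1", "ou1", date(2023, 4, 15))]


def page_example() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Both tasks scheduled on Dec 1st with a 365-day period, followed for one year."""
    start, end = date(2025, 12, 1), date(2026, 12, 1)
    cfg = IntervalTaskConfig(365, {"cat1"}, hard=True, deadline_days=30,
                             description="Annual recertification of role A")
    # The interval task is triggered daily so that each anniversary is hit exactly.
    spread = run_schedule(sample_assignments(), start, end, 1,
                          lambda a, d: interval_task(a, d, cfg))
    # The fixed-period task is triggered once every 365 days.
    fixed = run_schedule(sample_assignments(), start, end, 365,
                         lambda a, d: fixed_period_task(a, d, "ou1"))
    return spread, fixed


if __name__ == "__main__":
    spread, fixed = page_example()
    print("interval task:", spread)
    print("fixed-period task:", fixed)
```

Running it reproduces the page's narrative: the interval task recertifies Charlie immediately on 2025-12-01, Bob on 2026-04-01, Alice on 2026-06-01 and Charlie again on 2026-12-01, while the fixed-period task recertifies all three on every December 1st. Each request created by the interval task also carries the due date, hard flag and description derived from the task's properties.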
Types of Users
There are three types of users considered in the recertification module:
- Admin - triggers the recertification events or configures the regular runs
- Approver - approves parts of the recertification as defined in the workflow; these are typically role approvers/guarantors or managers
- User - the regular user whose permissions are being recertified
Permissions (Evaluators)
The following section describes how to configure permissions for the Recertification module. All listed evaluators are available only after the module (idm-rec) is deployed. We recommend configuring them either in the main userRole or in specific roles related to the Recertification module.
TODO add correct evaluators
TechnicalAccountByGuaranteedRoleEvaluator
- @since 2.1.0
- An evaluator that defines the relationship between a role guarantor and a technical account.
- Its use allows the role guarantor to view technical accounts that have been assigned the role they are responsible for.
Troubleshooting
TODO add common troubleshooting here; currently unable to evaluate
The Troubleshooting section provides solutions to common issues that may arise when working with the Recertification module. It helps identify errors, understand their causes, and suggests steps to resolve them.