====== Modules - Recertification [rec] ======

<- .:modules_crt | ^ .:start | Documentation ^ .:modules_sms →

{{tag> recertification role}}

Role recertification module approves assigned user roles **again**.

When user has a lot of assigned roles for a long time, we want to check these assigned roles periodicaly (in a half year interval for security reasons), if some assigned role has to be already removed. Currently valid manual direct assigned roles are checked - only manual roles can be assigned and stay assigend, after user is changed some way (e.g. user contract is exluded, work position was changed).

{{  .:rect.jpg?nolink&  }}<note tip>CzechIdM version >= 9.7.0 is required.</note>

===== Version =====

^Version^Compatible with product|**Notes** |
|2.2.0|11.X.X|Recertification by guarantee (authorizer), UX improvements|
|4.0.1|14.X.X|Bugfixes|
|4.0.2|14.X.X|Bugfixes|
|14.0.0|14.X.X|Added LRT for regular recertifications|
|15.0.0|15.5.0|See [[.:modules_rec_15#version|Recertification (IdM 15)]]|

===== Terminology =====

  * Recertification **action**  - recertification action (bulk action) creates recertification requests. Action can be executed from user or role table.
  * Recertification **request**  - recertification request is created for single user contract or role (by recertification type, see below) an contains items.
  * Recertification **item**  - single assigned role, which schould be apporoved in recertification request. Item = assigned user role can be approved (~recertificated) or removed.

===== Recertification types =====

Recertification type defines, who can approve role recertification request and define request content:

  - **Approve by user contract manager**  (''CONTRACT'') - recertification request is created for each user contract included in recerrrtification action. Managers defined by user contract can approve this request.
  - **Approve by role guarantee**  (''ROLE'') - recertification request is created for each role included in recerrrtification action. Role guarantees defined by user or by role can approve this request.
<note important>When **no approver**  is found for given request, then **recertification is blocked**  after creation - apporovers have to be configured properly by the recertification type and then recertification action can be executed again.</note>

===== Future improvements =====

- [[https://redmine.czechidm.com/issues/1760|#1760]]: Move tab from identity detail to roles tab. - [[https://redmine.czechidm.com/issues/1759|#1759]]: Run recertification action again.

===== Read More =====

==== Admin guide ====

  * [[.:modules_rec:adm:security|]]
  * [[.:modules_rec:adm:configuration|]]

==== Admin tutorial ====

  * [[:tutorial:adm:module_recertification|]]

==== Devel guide ====

  * [[.:modules_rec:dev:filters|]]