Group-Centric Certification
ID-Certify® can be configured to request reviews of user membership in security groups by each group's owner. Group owners are prompted and reminded to perform these reviews by the ID-Certify workflow engine.
The ID-Certify process for group-centric certification works as follows:
- ID-Certify periodically (e.g., quarterly or biannually, according to corporate policy) requires group owners to review a list of users with membership in their groups. Reviews are performed one group at a time.
- Group owners respond by signing into ID-Certify using their network or directory login ID and password, to start their certification process.
- Group owners review group memberships and flag inappropriate ones for later removal.
- Group owners complete the review process and provide an electronic signature after reading a statement to the effect that their access review is complete and they certify that the remaining group memberships are appropriate.
- After a group owner completes their review and certification, any proposed changes (deactivated accounts, eliminated group memberships) are bundled into security change requests and submitted to the ID-Certify workflow engine. These requests will normally require further authorization, for instance from each user's manager.
- In environments with large numbers of groups, it is helpful to draw data about group ownership from existing sources. ID-Certify can pull group owner data from target systems, such as Active Directory. This makes it straightforward to configure group-centric certification across thousands of individual groups.
- It should be noted that group-centric certification is appropriate for groups with modest numbers of users, such that the group owner recognizes the users personally and has some idea of what access rights are appropriate for each one. Larger groups are better served by org-centric certification.
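The steps above, modelled as a small Python simulation. This is an added illustration written for this page, not ID-Certify code: the group data, the `managedBy` owner attribute drawn from an Active Directory-style export, the 50-member eligibility threshold, the 90-day review period and the attestation wording are all constructed assumptions. It shows the owner check at sign-in, flagging of memberships, the signed attestation, and how flagged memberships become change requests that still wait for a manager's approval rather than taking effect immediately.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample directory export. Each group carries a "managedBy"
# attribute (as Active Directory does) naming its owner, so ownership is
# pulled from the target system instead of being configured by hand.
DIRECTORY_GROUPS: Dict[str, dict] = {
    "FinanceReporting": {"managedBy": "alice", "members": ["bob", "carol", "dave"]},
    "AllStaff": {"managedBy": "hr-admin", "members": [f"user{i}" for i in range(500)]},
}

# Assumed policy values (not from the page): groups above this size are
# better served by org-centric review; owners are re-prompted every 90 days.
GROUP_CENTRIC_MAX_MEMBERS = 50
REVIEW_PERIOD_DAYS = 90

# Assumed attestation wording shown to the owner before signing.
ATTESTATION = (
    "My review of group {group} is complete and I certify that the "
    "remaining memberships are appropriate."
)


@dataclass
class ChangeRequest:
    """A proposed removal, bundled for the workflow engine; not yet applied."""
    group: str
    user: str
    action: str
    requested_by: str
    status: str = "pending_manager_approval"


@dataclass
class Certification:
    """One owner's review of one group."""
    group: str
    owner: str
    retained: List[str]
    flagged: List[str] = field(default_factory=list)
    attested: bool = False
    signed_at: Optional[date] = None


def eligible_for_group_centric(group: str, groups=DIRECTORY_GROUPS,
                               limit: int = GROUP_CENTRIC_MAX_MEMBERS) -> bool:
    """Only modestly sized groups are reviewed owner-by-owner."""
    return len(groups[group]["members"]) <= limit


def start_review(group: str, login: str, groups=DIRECTORY_GROUPS) -> Certification:
    """Owner signs in; refuse to open the review for anyone but the recorded owner."""
    record = groups[group]
    if record["managedBy"] != login:
        raise PermissionError(f"{login} is not the owner of {group}")
    # Work on a copy so nothing changes in the directory until requests are approved.
    return Certification(group=group, owner=login, retained=list(record["members"]))


def flag_membership(cert: Certification, user: str) -> None:
    """Mark a membership as inappropriate; it moves from retained to flagged."""
    if user not in cert.retained:
        raise ValueError(f"{user} is not a retained member of {cert.group}")
    cert.retained.remove(user)
    cert.flagged.append(user)


def sign(cert: Certification, statement_accepted: bool, today: date) -> List[ChangeRequest]:
    """Record the electronic signature and bundle flagged memberships into requests."""
    if not statement_accepted:
        raise ValueError("signature requires accepting the attestation statement")
    cert.attested = True
    cert.signed_at = today
    return [
        ChangeRequest(group=cert.group, user=u, action="remove_membership",
                      requested_by=cert.owner)
        for u in cert.flagged
    ]


def reviews_due(last_signed: Dict[str, date], today: date,
                period_days: int = REVIEW_PERIOD_DAYS) -> List[str]:
    """Groups whose owners should be prompted again (never reviewed, or period elapsed)."""
    due = []
    for group in DIRECTORY_GROUPS:
        signed = last_signed.get(group)
        if signed is None or today - signed >= timedelta(days=period_days):
            due.append(group)
    return due


if __name__ == "__main__":
    cert = start_review("FinanceReporting", "alice")
    flag_membership(cert, "dave")
    print(ATTESTATION.format(group=cert.group))
    for req in sign(cert, statement_accepted=True, today=date(2024, 1, 15)):
        print(req)
```

Note that `sign` only produces change requests; nothing in `DIRECTORY_GROUPS` is modified, mirroring the page's point that removals still require further authorization before they take effect.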