In many organizations, policies stipulate what entitlements users should or should not have. The most common form of policies are segregation of duties -- sets of entitlements that should not be concurrently held by the same user. Other policies may be more complex -- for example, only users with characteristic X may be assigned entitlement Y.

Where there are many users, many systems and applications and many policies, enforcement can be difficult and many users may be in violation of policies, in most cases due to accumulation of entitlements over a long time, as their responsibilities within the organization evolved.

To comply with security policies and various regulations, most organizations must find and either remove policy violations or at least approve them as reasonable exceptions.

• Access Certifier can be used to find users who violate policies such as segregation of duties rules and ask business stake-holders to either approve or correct the violations.
• Access Certifier can also be used to compare actual user entitlements to entitlements predicted by roles assigned to users, again either accepting or correcting any deviations.
• In cases where policies are unwritten -- or at least not defined in any automated system -- Access Certifier nonetheless invites business stake-holders to review user rights and comment on their appropriateness, accepting or rejecting individual entitlements.

Where policies are programmed into the system, Access Certifier can be used to find and either correct or approve violations. In other cases, Access Certifier invites business users to apply their contextual knowledge to accept or reject individual entitlements.