Overview of Recertification
Recertification validates that users have appropriate access rights aligned with their current roles and responsibilities. Over time, as users change roles, projects conclude, or contractors transition out of the organization, access often remains in place longer than intended. Periodic validation ensures that access continues to reflect legitimate business need.
Organizations implement recertification to satisfy compliance requirements, reduce security risk, and maintain operational integrity. In EmpowerID, recertification is implemented as a structured lifecycle built on configurable policies, scheduled audits, approval flows, and fulfillment workflows. These components separate governance design from execution, allowing administrators to define reusable review models that run consistently over time.
What Recertification Addresses
As organizations grow and systems proliferate, user access accumulates across directories, applications, and platforms. Without structured review, three categories of risk emerge.
Compliance Gaps
Many regulatory frameworks require documented evidence that access rights are reviewed at defined intervals by appropriate personnel. Without systematic recertification, organizations cannot demonstrate who reviewed access, what was reviewed, or what actions were taken.
Security Risk from Privilege Creep
Users who move from one department to another may retain access from prior roles. Contractors may retain active accounts after engagements end. Recertification identifies and removes access that is no longer required.
Operational and Segregation of Duties Risk
Users may accumulate conflicting permissions over time, such as the ability to both initiate and approve transactions. Recertification provides a formal mechanism to detect and remediate these conditions.
The Recertification Lifecycle
EmpowerID separates recertification into configuration and execution phases. The lifecycle progresses through four distinct stages.
Figure 1: The recertification lifecycle showing the progression from configuration through fulfillment. Each phase has a distinct purpose and produces specific outputs that feed the next phase.
Configuration
Administrators define what will be reviewed and how decisions are routed.
Recertification policies determine the scope of review. A policy might target specific Active Directory organizational units, privileged account containers, management roles, or defined populations. Policy types—such as Account Validity, Group Membership, and Person Validity—determine what access is being validated and what decisions are available to reviewers.
Recertification audits link to one or more policies and define when reviews occur. Each audit has a start date, due date, and configuration for handling unreviewed items. Audits can run once or function as recurring templates that automatically generate new review cycles.
Approval flows determine who reviews each item. Resolver logic routes review tasks to managers, group owners, role managers, or other responsible parties according to organizational governance rules.
At this stage, administrators are defining governance intent. No access data has yet been collected.
Compilation
When an audit reaches its start date, EmpowerID compiles the review.
The system collects a point-in-time snapshot of access assignments across connected systems based on the configured policy scope. This snapshot represents the dataset against which all review decisions are made for that audit cycle.
From this snapshot, the system generates Business Request Items—discrete access decisions requiring validation. Items are grouped and routed according to the configured approval flow.
Decisions are based on the snapshot rather than on continuously changing live data, so every reviewer in the cycle sees the same dataset and the evidence remains consistent and auditable. The corollary is that access granted after compilation is not part of that cycle; it is picked up by the next scheduled audit or, for monitored groups, by continuous recertification.
Review
Approvers access their assigned Business Request Items through the My Tasks interface.
Depending on policy type, available decisions may include Certify, Revoke, Disable, or Delete. Each decision is recorded with reviewer identity, timestamp, and outcome, producing a complete audit trail.
If organizational relationships change during the review period, the system can refresh approver assignments to maintain accurate routing.
Fulfillment
Fulfillment applies review decisions to connected systems.
Certified access remains in place with the validation recorded for audit purposes. Revoked or otherwise rejected access triggers automated workflows that remove group memberships, disable accounts, or delete assignments as appropriate.
If items remain unreviewed after the due date, the audit configuration determines what happens to them: they are either closed automatically with a predefined decision, or cancelled with no change to the connected system but with an audit record showing that the review was not completed.
Scheduled and Continuous Approaches
EmpowerID supports two complementary recertification models.
Scheduled audits provide comprehensive, point-in-time reviews of all in-scope access. Organizations typically use scheduled audits to satisfy regulatory requirements for periodic validation and to generate formal audit evidence.
Continuous group membership recertification monitors designated high-risk groups between scheduled audits. When group memberships exceed defined validity thresholds, review tasks are generated automatically. This approach is commonly used for privileged or administrative access where prolonged membership warrants additional scrutiny.
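The following is an added example, not EmpowerID code, that models the lifecycle described above (compilation from a frozen snapshot, routing through a resolver, decisions restricted by policy type, and fulfillment with default-decision or cancellation handling after the due date) together with the continuous validity-threshold check. All class and function names, the policy scope, the resolver rules, and the sample assignments are hypothetical; the constructed data is chosen so that one membership granted after compilation is deliberately excluded from the review, and one item is left unreviewed past the due date.

```python
# Added example, not EmpowerID code: a toy model of the scheduled recertification
# lifecycle (compile -> review -> fulfill) and of a continuous group-membership check.
# All names, policy scopes, resolver rules and sample data below are hypothetical.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Assignment:
    person: str
    resource: str   # e.g. an AD group DN, or an OU that holds accounts
    kind: str       # policy type the assignment falls under
    since: date     # when the assignment was granted


@dataclass
class ReviewItem:
    """One Business Request Item: a single access decision routed to one approver."""
    assignment: Assignment
    approver: str
    decision: Optional[str] = None
    decided_by: Optional[str] = None
    decided_on: Optional[date] = None


# Decisions offered per policy type (a subset, following the page's examples).
ALLOWED_DECISIONS = {
    "GroupMembership": {"Certify", "Revoke"},
    "AccountValidity": {"Certify", "Disable", "Delete"},
}


def decision_is_allowed(kind: str, decision: str) -> bool:
    return decision in ALLOWED_DECISIONS.get(kind, set())


def compile_audit(live: list[Assignment], in_scope: Callable[[Assignment], bool],
                  resolve_approver: Callable[[Assignment], str]) -> list[ReviewItem]:
    """Compilation: freeze a point-in-time snapshot of in-scope assignments and create
    one review item per assignment, routed by the resolver (group owner, manager, ...)."""
    snapshot = tuple(a for a in live if in_scope(a))  # later changes to `live` never reach this cycle
    return [ReviewItem(a, resolve_approver(a)) for a in snapshot]


def record_decision(item: ReviewItem, reviewer: str, decision: str, today: date) -> None:
    """Review: only the routed approver may decide, and only with a decision the policy type offers."""
    if reviewer != item.approver:
        raise PermissionError(f"{reviewer} is not the approver for this item")
    if not decision_is_allowed(item.assignment.kind, decision):
        raise ValueError(f"{decision!r} is not valid for {item.assignment.kind}")
    item.decision, item.decided_by, item.decided_on = decision, reviewer, today  # audit trail


def close_audit(items: list[ReviewItem], today: date, due: date,
                default_decision: Optional[str]) -> list[tuple[str, str, str]]:
    """Fulfillment: one (person, resource, outcome) per item for the connected systems.
    Past the due date, unreviewed items get the audit's default decision or are cancelled
    (no change to the target, but still a record of the incomplete review)."""
    outcomes = []
    for item in items:
        decision = item.decision
        if decision is None:
            if today <= due:
                continue  # still open; nothing to fulfil yet
            decision = default_decision or "Cancelled-Unreviewed"
        outcomes.append((item.assignment.person, item.assignment.resource, decision))
    return outcomes


def continuous_membership_check(live: list[Assignment], monitored_groups: set[str],
                                validity: timedelta, today: date) -> list[Assignment]:
    """Continuous recertification: memberships in monitored groups older than the
    validity period generate review tasks without waiting for a scheduled audit."""
    return [a for a in live if a.kind == "GroupMembership"
            and a.resource in monitored_groups and today - a.since > validity]


# --- constructed sample data (hypothetical directory content) ---
DOMAIN_ADMINS = "CN=Domain Admins,DC=corp,DC=example"
FIN_APPROVERS = "CN=Finance-Approvers,DC=corp,DC=example"
CONTRACTORS = "OU=Contractors,DC=corp,DC=example"
SAMPLE_LIVE = [
    Assignment("alice", DOMAIN_ADMINS, "GroupMembership", date(2023, 1, 15)),
    Assignment("bob", DOMAIN_ADMINS, "GroupMembership", date(2024, 6, 1)),
    Assignment("carol", FIN_APPROVERS, "GroupMembership", date(2022, 3, 1)),
    Assignment("dave", CONTRACTORS, "AccountValidity", date(2023, 9, 1)),
]
GROUP_OWNERS = {DOMAIN_ADMINS: "it-sec-lead", FIN_APPROVERS: "fin-controller"}
MANAGERS = {"dave": "pm-ops"}


def resolve_approver(a: Assignment) -> str:
    """Resolver: group memberships go to the group owner, account validity to the manager."""
    return GROUP_OWNERS[a.resource] if a.kind == "GroupMembership" else MANAGERS[a.person]


def run_scheduled_audit(default_decision: Optional[str] = "Disable") -> list[tuple[str, str, str]]:
    live = list(SAMPLE_LIVE)

    def policy_scope(a: Assignment) -> bool:  # privileged group plus the contractor OU
        return a.resource in {DOMAIN_ADMINS, CONTRACTORS}

    items = compile_audit(live, policy_scope, resolve_approver)
    live.append(Assignment("carol", DOMAIN_ADMINS, "GroupMembership", date(2024, 7, 2)))  # post-snapshot
    record_decision(items[0], "it-sec-lead", "Certify", date(2024, 7, 5))
    record_decision(items[1], "it-sec-lead", "Revoke", date(2024, 7, 5))
    # items[2] (dave) is never reviewed; behaviour past the due date depends on default_decision.
    return close_audit(items, today=date(2024, 7, 31), due=date(2024, 7, 30),
                       default_decision=default_decision)


def run_continuous_check() -> list[str]:
    flagged = continuous_membership_check(SAMPLE_LIVE, {DOMAIN_ADMINS}, timedelta(days=365), date(2024, 6, 30))
    return [a.person for a in flagged]


if __name__ == "__main__":
    for row in run_scheduled_audit():
        print("fulfil:", row)
    for person in run_continuous_check():
        print("continuous review task:", person, DOMAIN_ADMINS)
```

Carol's membership added after compilation never appears in the audit's output, which is the snapshot property the Compilation section relies on; the continuous check is what catches long-standing Domain Admins membership (alice) between cycles, while bob's recent membership is left alone until it crosses the threshold.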
Next Steps
For additional conceptual and reference information:
Recertification Architecture and Process Flow explains the technical architecture including all server jobs, permanent workflows, and detailed component interactions.
About Recertification Policy Types provides comprehensive reference for all eleven policy types including grouping logic, available decisions, and when to use each type.
Understanding Continuous Group Membership Change Recertifications covers real-time monitoring of group memberships including configuration requirements and validity periods.
Understanding Fulfillment and Rejection Workflows details how review decisions are enforced in connected systems.
For step-by-step configuration procedures, see the articles under Recertification Tasks.