
Modules - Recertification [rec]

The role recertification module re-approves roles that are already assigned to users.

When a user has had many roles assigned for a long time, we want to check these assigned roles periodically (at half-year intervals, for security reasons) to see whether any assigned role should be removed. Only currently valid, manually and directly assigned roles are checked, because only manual roles can be assigned and stay assigned after the user changes in some way (e.g. the user's contract is excluded or the work position was changed).

CzechIdM version >= 9.7.0 is required.
  • Recertification action - a recertification action (bulk action) creates recertification requests. The action can be executed from the user table or the role table.
  • Recertification request - a recertification request is created for a single user contract or role (depending on the recertification type, see below) and contains items.
  • Recertification item - a single assigned role that should be approved in the recertification request. An item (= assigned user role) can be approved (~recertified) or removed.

The recertification type defines who can approve a role recertification request and what the request contains:

  • Approve by user contract manager (CONTRACT) - a recertification request is created for each user contract included in the recertification action. Managers defined by the user contract can approve this request.
  • Approve by role guarantee (ROLE) - a recertification request is created for each role included in the recertification action. Role guarantees defined by user or by role can approve this request.
When no approver is found for a given request, the recertification is blocked after creation. Approvers have to be configured properly for the recertification type, and then the recertification action can be executed again.
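
The grouping and blocking rules described above, modelled as an added example (illustrative Python, not CzechIdM code or its API). All class, function and field names are hypothetical, the sample identities are constructed, and role guarantees are simplified to a plain role-to-approvers map.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AssignedRole:              # candidate recertification item (hypothetical model)
    user: str
    contract: str
    role: str
    manual: bool = True          # False = assigned automatically
    direct: bool = True          # False = not directly assigned
    valid: bool = True           # False = not currently valid

@dataclass
class Request:
    rec_type: str                # "CONTRACT" or "ROLE"
    owner: str                   # contract or role the request was created for
    approvers: set
    items: list = field(default_factory=list)

    @property
    def blocked(self):           # no approver found -> blocked after creation
        return not self.approvers

def create_requests(assigned, rec_type, managers, guarantees):
    """Group checked roles into one request per contract or per role."""
    if rec_type not in ("CONTRACT", "ROLE"):
        raise ValueError(f"unknown recertification type: {rec_type}")
    by_contract = rec_type == "CONTRACT"
    approver_map = managers if by_contract else guarantees
    requests = {}
    for a in assigned:
        if not (a.manual and a.direct and a.valid):
            continue             # only valid manual direct roles are checked
        owner = a.contract if by_contract else a.role
        if owner not in requests:
            requests[owner] = Request(rec_type, owner, set(approver_map.get(owner, ())))
        requests[owner].items.append(a)
    return list(requests.values())

# Constructed sample data (not from a real deployment).
ASSIGNED = [
    AssignedRole("alice", "alice-dev", "vpn-admin"),
    AssignedRole("alice", "alice-dev", "db-reader"),
    AssignedRole("bob", "bob-ops", "vpn-admin"),
    AssignedRole("bob", "bob-ops", "employee", manual=False),  # automatic, skipped
]
MANAGERS = {"alice-dev": {"carol"}}   # bob-ops has no manager configured
GUARANTEES = {"vpn-admin": {"dave"}, "db-reader": {"erin"}}
```

With this data the CONTRACT type yields a blocked request for `bob-ops` until a manager is configured and the action is run again, while the ROLE type yields two approvable requests.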
  • #1760: Move tab from identity detail to roles tab.
  • #1759: Run recertification action again.