Choosing Certifiers
By its nature, access certification implies that one user reviews the security rights assigned to another. To configure access certification, it is therefore important to specify the right person to review any given security entitlement.
Hitachi ID Access Certifier supports a number of strategies for selecting appropriate certifiers for each security entitlement:
- Single Certifier: a single person is invited to perform a review for a set of privileges. This certifier will be presented with a list of users who have been assigned each of the privileges under consideration.
- Multiple Certifiers: when a certification round impacts too many users, the population of users whose security rights must be reviewed can be broken down into segments. This is done by considering identity attributes such as location, department or division. A different certifier may be assigned to each set of users (each segment).
- Resource Owners: resources such as connected systems and applications, security groups, roles and SoD policies normally have named owners. An access certification round can be configured to invite the owner of each of its constituent entitlements to review a list of users who possess that entitlement.
- Managers: in some cases, the best person to decide whether a given security entitlement is appropriate for a given user is simply the user's manager. A certification round can be configured so that managers will review the security rights assigned to their direct subordinates.
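
The four strategies above, applied to one set of entitlement assignments, as an added illustration that is not Hitachi ID code or configuration. All user, entitlement and certifier names, the sample data and the `build_round` function are constructed for this example; it also reports items for which a strategy yields no certifier (an entitlement without an owner, a user without a manager).

```python
from collections import defaultdict

# Constructed sample data (not from the product): users with identity
# attributes and a manager, plus the entitlements each user holds.
USERS = {
    "alice": {"department": "Finance", "manager": "dana"},
    "bob":   {"department": "Finance", "manager": "dana"},
    "carol": {"department": "IT",      "manager": "erin"},
    "dana":  {"department": "Finance", "manager": None},
}
ASSIGNMENTS = [("alice", "AP-Approvers"), ("bob", "AP-Approvers"),
               ("carol", "Domain-Admins"), ("dana", "GL-Posting")]
OWNERS = {"AP-Approvers": "frank", "Domain-Admins": "erin"}  # GL-Posting has no owner
SEGMENT_CERTIFIERS = {"Finance": "gina"}                      # IT has no certifier


def build_round(strategy, single_certifier=None, segment_attr="department"):
    """Return (worklists, unassigned): certifier -> [(user, entitlement)],
    plus the items for which the strategy yields no certifier."""
    worklists, unassigned = defaultdict(list), []
    for user, entitlement in ASSIGNMENTS:
        if strategy == "single":        # one reviewer sees every item
            certifier = single_certifier
        elif strategy == "segments":    # reviewer chosen by identity attribute
            certifier = SEGMENT_CERTIFIERS.get(USERS[user][segment_attr])
        elif strategy == "owners":      # reviewer is the entitlement's owner
            certifier = OWNERS.get(entitlement)
        elif strategy == "managers":    # reviewer is the user's manager
            certifier = USERS[user]["manager"]
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        if certifier is None:
            unassigned.append((user, entitlement))
        else:
            worklists[certifier].append((user, entitlement))
    return dict(worklists), unassigned


if __name__ == "__main__":
    for name in ("single", "segments", "owners", "managers"):
        lists, gaps = build_round(name, single_certifier="ciso")
        print(f"{name:9} worklists={lists} unassigned={gaps}")
```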