In many organizations, policies stipulate what entitlements users should or should not have. The most common form of policy is segregation of duties -- sets of entitlements that should not be held concurrently by the same user. Other policies may be more complex -- for example, only users with characteristic X may be assigned entitlement Y.
Where there are many users, many systems and applications, and many policies, enforcement can be difficult and many users may be in violation of policies. In most cases this is due to the accumulation of entitlements over a long time, as users' responsibilities within the organization evolved.
To comply with security policies and various regulations, most organizations must find and either remove policy violations or at least approve them as reasonable exceptions.
Where policies are programmed into the system, Access Certifier can be used to find and either correct or approve violations. In other cases, Access Certifier invites business users to apply their contextual knowledge to accept or reject individual entitlements.
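The two policy types described above, and the choice between removing a violation and approving it as an exception, can be shown as a small check over user entitlements. This is an added example, not Access Certifier's own code; the users, attributes, entitlement names, rule identifiers and the `find_violations` function are all constructed for illustration.

```python
# Constructed sample data: every name and value below is hypothetical.
USERS = {
    "alice": {"attrs": {"department": "finance"},
              "entitlements": {"ap.create_vendor", "ap.approve_payment"}},
    "bob":   {"attrs": {"department": "engineering"},
              "entitlements": {"gl.post_journal", "ap.create_vendor"}},
    "carol": {"attrs": {"department": "finance"},
              "entitlements": {"gl.post_journal", "ap.approve_payment"}},
}

# Segregation of duties: rule id -> (entitlement set, number held that
# constitutes a violation). Holding fewer than that number is allowed.
SOD_RULES = {
    "SOD-1": ({"ap.create_vendor", "ap.approve_payment"}, 2),
}

# "Only users with characteristic X may be assigned entitlement Y":
# rule id -> (entitlement Y, attribute name, required value X).
ATTR_RULES = {
    "ATTR-1": ("gl.post_journal", "department", "finance"),
}

# Violations a reviewer has already accepted as reasonable exceptions.
APPROVED = {("alice", "SOD-1")}


def find_violations(users, sod_rules, attr_rules, approved=frozenset()):
    """Return sorted (user, rule_id, offending_entitlements, status) tuples."""
    found = []
    for name, user in users.items():
        held = user["entitlements"]
        for rule_id, (conflicting, threshold) in sod_rules.items():
            overlap = held & conflicting
            if len(overlap) >= threshold:
                found.append((name, rule_id, tuple(sorted(overlap))))
        for rule_id, (entitlement, attr, required) in attr_rules.items():
            # A missing attribute is treated as not meeting the requirement.
            if entitlement in held and user["attrs"].get(attr) != required:
                found.append((name, rule_id, (entitlement,)))
    return sorted(
        (n, r, e, "approved" if (n, r) in approved else "open")
        for n, r, e in found
    )


if __name__ == "__main__":
    for row in find_violations(USERS, SOD_RULES, ATTR_RULES, APPROVED):
        print(row)
```

Only the rows with status `open` still need a decision: either the entitlement is removed or the violation is approved and recorded as an exception.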