- Invite managers and resource owners to perform review.
- One-off / scheduled / event-triggered
- Review lists and either certify or ask to revoke:
- Users -- does this person still work here?
- Manager -- has this person been transferred?
- Roles, accounts, groups -- entitlement still needed?
- SoD, RBAC approved exceptions -- can compliance be restored?
- Remediation in certification triggers workflow requests.