
Episode 4 - Recertifications

Memority offers an extremely powerful role model for managing delegated administration capabilities in the Memority portal, access to applications, hardware allocations or any other link between an identity and a resource.

In previous episodes


In episode 1, episode 2 and episode 3 of this series, we saw how roles are defined, the assignment rules that can be proposed (or not) to users, and the dimensions. In this final episode, we'll look at how role assignments can be maintained over time through recertification.

Once you've:

- modeled your roles to suit the needs of your organization and the resources you require

- defined your organizations and managed your publications

- added your manual and automatic assignment rules

- simplified your role management and user experience with dimensions

... you now have an operational role model - congratulations!


Now that our administrators and users can use roles, we need to monitor their use. In addition to Memority's reporting capabilities, which provide different views of assignments and their dimensions, we can set up recertification of these assignments to ensure that they always remain current.


Triggering recertification

The purpose of recertification is to ask a manager to recertify a role assignment for a user, i.e. to indicate whether the user still needs this role to do his or her job, or whether it can be withdrawn. This is an important aspect of information hygiene, like the management of orphan accounts: it ensures that a user always holds the least privilege needed and avoids an accumulation of roles as the user's career progresses.

Role recertification must therefore be triggered on a regular basis so that this clean-up actually takes place. There are several ways of triggering it.


Generally speaking, you should always start by defining the recertification perimeter, which is the intersection of an identity perimeter (all internals, all identities in the Accounting organization, or all company managers) and a role perimeter (all manually assigned roles, application roles, or roles tagged as sensitive).


It is possible to define as many perimeters as required, and then trigger recertifications with deadlines defined according to the sensitivity of the perimeter.

Recertification perimeters

Once a perimeter has been defined, recertification can be triggered in "campaign" mode at a set date or at regular intervals. In this case, all recertifications are launched for the given scope, which can lead to bottlenecks for those responsible for carrying out validations.


However, it is also possible to trigger recertifications in "on-the-fly" mode, in order to smooth out the actions to be carried out. In this mode, recertifications within the perimeter are not all triggered at the same time, but one by one, according to the specified deadline and the date on which the role was assigned to each user. For example, if you specify that a role is to be recertified every 6 months, recertification will be triggered for user A on July 25 if the role was assigned on January 25, and for user B on September 25 if the role was assigned on March 25.
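The following is an added illustration, not Memority's own code: it models a recertification perimeter as the intersection of an identity filter and a role filter over a constructed set of assignments, then computes when each in-scope assignment comes due in campaign mode (one launch date for all) versus on-the-fly mode (assignment date plus the interval, reproducing the January 25 / July 25 example above). The `Assignment` fields and the Accounting/manual-roles perimeter are assumptions chosen for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    user: str
    org: str           # identity attribute used by the identity perimeter
    role: str
    manual: bool       # True if assigned by hand rather than by an automatic rule
    assigned_on: date


# Constructed sample data: two Accounting users in scope, two users that are not.
SAMPLE = [
    Assignment("A", "Accounting", "finance-app", True, date(2024, 1, 25)),
    Assignment("B", "Accounting", "finance-app", True, date(2024, 3, 25)),
    Assignment("C", "HR", "finance-app", True, date(2024, 1, 25)),          # wrong org
    Assignment("D", "Accounting", "finance-app", False, date(2024, 1, 25)), # automatic rule
]


def in_perimeter(a: Assignment) -> bool:
    """Recertification perimeter = identity perimeter AND role perimeter.
    Assumed here: all identities in Accounting, all manually assigned roles."""
    return a.org == "Accounting" and a.manual


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day for shorter months."""
    years, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def campaign_schedule(assignments, launch: date) -> dict:
    """Campaign mode: every in-scope assignment is launched on the same date,
    which is what concentrates the approvers' workload."""
    return {f"{a.user}/{a.role}": launch for a in assignments if in_perimeter(a)}


def on_the_fly_schedule(assignments, every_months: int) -> dict:
    """On-the-fly mode: each in-scope assignment is due `every_months`
    after its own assignment date, spreading the approvals over time."""
    return {f"{a.user}/{a.role}": add_months(a.assigned_on, every_months)
            for a in assignments if in_perimeter(a)}
```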


The result of recertification

Recertification triggers a Memority workflow to request validation from a defined manager. Memority workflows are fully configurable, and approvers are defined by their role according to their management scope (see article 2 in our series!). It is therefore possible to request validation directly from the identity manager or the application manager for a given role.


The approval function is configured directly in the workflow to display information useful to the approver's decision, such as the identity's attributes, its other assigned roles, the role's recertification history or the dimensions:


  • Accept recertification: acceptance is recorded, and the user can continue to enjoy the benefits of his assignment without any problems.
  • Refuse recertification: the refusal is recorded on the assignment, but the user remains assigned. This makes it possible to tag refused assignments and apply a particular process to them, such as a grace period or notification to the user to justify the assignment.
  • Remove assignment: the role is directly removed from the user, who no longer has access to it.
  • Delegate approval: if delegation has been enabled in the workflow configuration used for recertification, the approver can delegate the task to another administrator, according to a predefined scope.

Thanks to these different outcomes, the results of a recertification can be managed finely, securing assignments without necessarily blocking users.


Thank you for following our series dedicated to role models!


If you missed the previous episodes, click here:


- Episode 1: Digital identity, a matter of trust

- Episode 2: Publication and assignment

- Episode 3: Dimensions

Published by

Alexandre Pallueau

