
Episode 4 - Recertifications

Memority offers an extremely powerful role model for managing delegated administration capabilities in the Memority portal, access to applications, hardware allocations or any other link between an identity and a resource.

In previous episodes


In episode 1, episode 2 and episode 3 of this series, we saw how roles are defined, the assignment rules that can be proposed (or not) to users, and the dimensions. In this final episode, we'll look at how role assignments can be maintained over time through recertification.

Once you've:

- modeled your roles to suit the needs of your organization and the resources you require

- defined your organizations and managed your publications

- added your manual and automatic assignment rules

- simplified your role management and user experience with dimensions

... you now have an operational role model - congratulations!


Now that our administrators and users can use roles, we need to monitor their use. In addition to Memority's reporting capabilities, which provide different views of assignments and their dimensions, we can set up recertification of these assignments to ensure that they always remain current.


Triggering recertification

The purpose of recertification is to ask a manager to recertify a role assignment for a user, i.e. to indicate whether the user still needs this role to do his or her job, or whether it can be withdrawn. This is an important notion of information hygiene, like the management of orphan accounts. It ensures that a user always holds the least privilege needed, and avoids an accumulation of roles as the user's career progresses.

Role recertification must therefore be triggered on a regular basis so that assignments are cleaned up continuously rather than left to drift. There are several ways of triggering recertification.


Generally speaking, you should always start with the recertification perimeter, which is the intersection of an identity perimeter (all internal identities, all identities in the Accounting organization, or all company managers) and a role perimeter (all manually assigned roles, application roles, or roles tagged as sensitive).


It is possible to define as many perimeters as required, and then trigger recertifications with deadlines defined according to the sensitivity of the perimeter.

Recertification perimeters

Once a perimeter has been defined, recertification can be triggered in "campaign" mode at a set date or at regular intervals. In this case, all recertifications are launched for the given scope, which can lead to bottlenecks for those responsible for carrying out validations.


However, it is also possible to trigger recertifications in "on-the-fly" mode, in order to smooth out the actions to be carried out. In this mode, the recertifications within the perimeter are not all triggered at the same time, but one by one, according to the specified interval and the date on which the role was assigned to each user. For example, if you specify that a role is to be recertified every 6 months, recertification will be triggered for user A on July 25 if the role was assigned on January 25, and for user B on September 25 if the role was assigned on March 25.
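To make the perimeter and the two trigger modes concrete, here is an added example (not Memority's code; every class, function and field name below is an illustrative assumption). It models a perimeter as the intersection of an identity filter and a role filter, then computes the due dates that campaign mode and on-the-fly mode would produce for the same set of assignments, including the calendar edge case where an assignment date falls on a day the target month does not have.

```python
# Added example (not Memority code): recertification perimeters and trigger modes.
# All names are illustrative assumptions, not the Memority API.
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Identity:
    uid: str
    org: str            # e.g. "Accounting"
    population: str     # e.g. "internal" / "external"


@dataclass(frozen=True)
class Assignment:
    identity: Identity
    role: str
    assigned_on: date
    manual: bool = True                      # manual vs automatic assignment rule
    tags: frozenset = frozenset()            # e.g. {"sensitive"}
    last_certified: Optional[date] = None    # date of the last accepted recertification


@dataclass(frozen=True)
class Perimeter:
    """Identity perimeter x role perimeter, plus the recertification interval."""
    name: str
    identity_filter: Callable[[Identity], bool]
    role_filter: Callable[[Assignment], bool]
    interval_months: int

    def contains(self, a: Assignment) -> bool:
        return self.identity_filter(a.identity) and self.role_filter(a)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped when the target month is shorter
    (e.g. 31 August + 6 months -> 28 February in a non-leap year)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def campaign_schedule(p: Perimeter, assignments: Iterable[Assignment],
                      launch: date) -> Dict[Assignment, date]:
    """Campaign mode: every in-scope assignment is due on the same campaign date."""
    return {a: launch for a in assignments if p.contains(a)}


def on_the_fly_schedule(p: Perimeter,
                        assignments: Iterable[Assignment]) -> Dict[Assignment, date]:
    """On-the-fly mode: each assignment is due <interval> after its own assignment
    (or last certification) date, so approver workload is spread over time."""
    return {a: add_months(a.last_certified or a.assigned_on, p.interval_months)
            for a in assignments if p.contains(a)}


def due_today(p: Perimeter, assignments: Iterable[Assignment],
              today: date) -> List[Assignment]:
    """Assignments whose on-the-fly recertification should be launched today."""
    return [a for a, due in on_the_fly_schedule(p, assignments).items() if due == today]


if __name__ == "__main__":
    # Constructed sample data: two Accounting users, one Sales user, one birthright role.
    acct_a = Identity("userA", "Accounting", "internal")
    acct_b = Identity("userB", "Accounting", "internal")
    sales = Identity("userC", "Sales", "internal")
    assignments = [
        Assignment(acct_a, "ERP_approver", date(2024, 1, 25)),
        Assignment(acct_b, "ERP_viewer", date(2024, 3, 25)),
        Assignment(sales, "ERP_viewer", date(2024, 3, 25)),
        Assignment(acct_a, "birthright", date(2024, 3, 25), manual=False),
    ]
    # Perimeter: manually assigned roles held by identities in Accounting.
    p = Perimeter("accounting-manual", lambda i: i.org == "Accounting",
                  lambda a: a.manual, interval_months=6)
    for a, due in on_the_fly_schedule(p, assignments).items():
        print(f"{a.identity.uid:6} {a.role:13} due {due}")
    print("launch today:", [a.identity.uid for a in due_today(p, assignments, date(2024, 7, 25))])
```

The Sales assignment and the automatic birthright role fall outside the perimeter, so neither mode ever schedules them; the two in-scope assignments get a single shared date in campaign mode and staggered dates in on-the-fly mode.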


The result of recertification

Recertification triggers a Memority workflow to request validation from a defined manager. Memority workflows are fully configurable, and approvers are defined by their role according to their management scope (see article 2 in our series!). It is therefore possible to request validation directly from the identity manager or the application manager for a given role.


The approval function is configured directly in the workflow to display information useful to the user's decision, such as the identity's attributes, its other assigned roles, the role's recertification history or the dimensions:


  • Accept recertification: the acceptance is recorded, and the user keeps the assignment with no further action required.
  • Refuse recertification: the refusal is recorded on the assignment, but the user remains assigned. This makes it possible to tag refused assignments and apply a particular process to them, such as a grace period or notification to the user to justify the assignment.
  • Remove assignment: the role is directly removed from the user, who no longer has access to it.
  • Delegate approval: if delegation has been enabled in the workflow configuration used for recertification, the approver can delegate the task to another administrator, according to a predefined scope.
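The four outcomes above, together with the grace period mentioned for refused assignments, can be expressed as a small state machine. The following is an added example (not Memority's workflow engine; the task, decision and function names are assumptions): it records each decision in the assignment's history, keeps a refused assignment in place but tagged, removes the role outright on "remove", only allows delegation when the workflow enabled it and the target is in the predefined scope, and lists refused assignments whose grace period has expired.

```python
# Added example (not Memority code): handling recertification decisions.
# Names are illustrative assumptions, not the Memority workflow API.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Decision(Enum):
    ACCEPT = "accept"
    REFUSE = "refuse"
    REMOVE = "remove"
    DELEGATE = "delegate"


@dataclass
class RecertTask:
    user: str
    role: str
    approver: str                              # current approver of the task
    delegation_enabled: bool = False           # set by the workflow configuration
    delegation_scope: frozenset = frozenset()  # admins the approver may delegate to
    assigned: bool = True                      # does the user still hold the role?
    refused_on: Optional[date] = None          # tag for refused-but-kept assignments
    status: str = "pending"                    # "pending" | "done"
    history: List[Tuple[date, str, str]] = field(default_factory=list)


def can_apply(task: RecertTask, decision: Decision, actor: str,
              delegate_to: Optional[str] = None) -> Optional[str]:
    """Return None if the decision is allowed, otherwise the reason it is not."""
    if task.status != "pending":
        return "task already closed"
    if actor != task.approver:
        return f"{actor} is not the current approver"
    if decision is Decision.DELEGATE:
        if not task.delegation_enabled:
            return "delegation not enabled in this workflow"
        if delegate_to not in task.delegation_scope:
            return f"{delegate_to} is outside the delegation scope"
    return None


def apply_decision(task: RecertTask, decision: Decision, actor: str, today: date,
                   delegate_to: Optional[str] = None) -> RecertTask:
    """Apply one approver decision to the task and record it in the history."""
    reason = can_apply(task, decision, actor, delegate_to)
    if reason is not None:
        raise PermissionError(reason)
    if decision is Decision.ACCEPT:
        task.refused_on = None                 # clears any earlier refusal tag
        task.status = "done"
        task.history.append((today, actor, "accepted"))
    elif decision is Decision.REFUSE:
        task.refused_on = today                # tagged, but the user keeps the role
        task.status = "done"
        task.history.append((today, actor, "refused"))
    elif decision is Decision.REMOVE:
        task.assigned = False                  # role withdrawn immediately
        task.status = "done"
        task.history.append((today, actor, "removed"))
    elif decision is Decision.DELEGATE:
        task.approver = delegate_to            # task stays pending for the delegate
        task.history.append((today, actor, f"delegated to {delegate_to}"))
    return task


def past_grace_period(tasks: Iterable[RecertTask], today: date,
                      grace_days: int) -> List[RecertTask]:
    """Refused assignments still held after the grace period: candidates for the
    follow-up process (user notification, justification request, removal)."""
    return [t for t in tasks
            if t.assigned and t.refused_on is not None
            and (today - t.refused_on).days > grace_days]


if __name__ == "__main__":
    # Constructed walk-through: a refusal followed by a grace-period check.
    task = RecertTask("userA", "ERP_approver", approver="acct-manager")
    apply_decision(task, Decision.REFUSE, "acct-manager", date(2024, 7, 25))
    print("still assigned:", task.assigned, "| refused on:", task.refused_on)
    print("past 30-day grace on 2024-08-25:",
          [t.user for t in past_grace_period([task], date(2024, 8, 25), 30)])
```

Keeping the refused assignment active but tagged is what lets the follow-up (grace period, justification request) be a separate, configurable step instead of an immediate loss of access, which is the "secure without blocking" trade-off the article describes.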

Thanks to these different options, the results of a recertification can be managed precisely, securing assignments without necessarily blocking users.


Thank you for following our series dedicated to role models!


If you missed the previous episodes, click here:


- Episode 1: Digital identity, a matter of trust

- Episode 2: Publication and assignment

- Episode 3: Dimensions

Published by

Alexandre Pallueau

Role model

Alexandre has been an IDaaS specialist at Memority for over 10 years. Through a wide range of client contexts, he has developed sharp expertise that he brings to training, plugin definition and pre-sales, covering the full product lifecycle.
