The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for performing context aware recertification.
In the computing systems of most organizations today, identity and access management mechanisms are provided for ensuring that the desired users have the appropriate set of access rights to the appropriate set of resources of the computing system, and for ensuring that other users do not have access rights to these resources. People within these organizations often play different roles throughout their employment or association with these organizations. It is important for an organization to ensure that as people switch from one role to another, the entitlements or access rights granted to them in their previous roles are revoked and new entitlements or access rights are granted. The process for revalidating entitlements or access rights granted to a user is known as the recertification process.
Identity management systems today automate some aspects of the recertification process for recertifying user accounts by defining recertification policies and triggering review requests based on the recertification policies defined by the organization. The review request is sent to a designated person in the organization for review. This person logs into the recertification system and is shown a screen such as that depicted in FIG. 1. As shown in FIG. 1, the information provided is general in nature with just the date of the request, the request type, the name of the user for which the request is generated, the name of the system submitting the request, the account/access for which recertification is requested, the date by which the recertification is required, and an instruction summary. The information may further include instruction details, which consist of a reviewer action to either approve or reject the recertification request, and reviewer comments, if any.
Graphical user interface elements may be provided to the reviewer to allow the reviewer to select whether to approve or reject the recertification request and to enter comments, if any. Once the reviewer selects approve, the status of the recertification is updated as being recertified on the particular date. If the reviewer rejects the recertification request, then the account would either be deleted or suspended depending upon the option set in the recertification policy of the system.
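The review flow described above, written out as an added sketch; it is not code from the application or from any identity management product, and all class, field and status names (including the "rejected" status) are assumptions chosen to mirror the text. The request record carries only the fields the review screen is described as showing.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class RejectAction(Enum):
    """Option set in the recertification policy (names are assumptions)."""
    DELETE = "deleted"
    SUSPEND = "suspended"

@dataclass
class RecertRequest:
    requested_on: date            # date of the request
    request_type: str
    user_name: str                # user the request is generated for
    requesting_system: str        # system submitting the request
    account: str                  # account/access to be recertified
    due_by: date                  # date by which recertification is required
    instruction_summary: str
    reviewer_action: Optional[str] = None   # "approve" or "reject"
    reviewer_comments: str = ""

@dataclass
class Account:
    account: str
    state: str = "active"                   # active / suspended / deleted
    recert_status: str = "pending"
    recertified_on: Optional[date] = None

def apply_review(req, acct, action, on_reject, today, comments=""):
    """Record the reviewer's decision and apply its effect to the account."""
    if req.account != acct.account:
        raise ValueError("request does not refer to this account")
    if req.reviewer_action is not None:
        raise ValueError("request has already been reviewed")
    if action not in ("approve", "reject"):
        raise ValueError("reviewer action must be 'approve' or 'reject'")
    req.reviewer_action, req.reviewer_comments = action, comments
    if action == "approve":
        # Status is updated as recertified on the date of approval.
        acct.recert_status, acct.recertified_on = "recertified", today
    else:
        # Rejection deletes or suspends, depending on the policy option.
        acct.recert_status, acct.state = "rejected", on_reject.value
    return acct

if __name__ == "__main__":
    # Constructed sample data.
    r = RecertRequest(date(2024, 1, 2), "recertification", "jdoe", "HR system",
                      "jdoe@erp", date(2024, 1, 16), "Review continued access")
    print(apply_review(r, Account("jdoe@erp"), "reject", RejectAction.SUSPEND,
                       date(2024, 1, 10), "role changed"))
```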
It should be noted that the recertification request sent to the reviewer provides no information regarding the user's actual use of the system for which the recertification is requested. That is, a reviewer of the request is given no information upon which to make the determination as to whether to approve or reject the request other than the user's identity and the account identity. As a result, reviewers often have to make the decision as to whether to approve or deny a recertification request blindly or simply use a “gut feeling” as to whether the recertification should be granted or not.