# Recertification

# What is the Recertification process?

## What is the Recertification process?

Recertification is a business process consisting of a periodic assessment carried out internally by a company to verify that it continues to comply with the standards of a regulation, management system or its own internal processes, ensuring that its processes, knowledge, assets and data are kept up to date, with the highest possible quality and avoiding problems and information leaks.

Each company decides which assets require greater focus and therefore greater control. This control can come from implementing workflows to control which people can perform which actions, who has authorisation over which data, or simply who is responsible for each asset.

Recertification is a manual, guided, or automated process to ensure that all individuals have the appropriate responsibility for their assets, and that users of those assets also have the correct access to them.

In summary, recertification is a control and updating mechanism for maintaining valid permits and certifications, adapting to changing standards and ensuring the competence or necessity of the right granted.

# Introduction to the Recertification addon

## What is the Recertification addon?

The **Recertification addon** provides the functionality to <span style="text-decoration: underline;">review access rights</span> to make sure the <span style="text-decoration: underline;">users have access only to what they need</span>.

This Soffid functionality increases security, mitigates access risk, reduces review times and cost, and makes the process auditable and compliant.

Recertification allows you to <span style="text-decoration: underline;">take immediate action to correct inconsistent or unauthorized permissions</span> to prevent unwarranted access. These changes will be applied **in real time with our provisioning** solution in the source systems.

### Concepts

Soffid uses three different concepts:

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>**Recertification policies**: the first step is to define and configure the different recertification processes based on the type and scope of the recertification process and the users involved in it.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>**Recertification campaign**: once we have the policies, we can create recertification campaigns for each of them, identifying the groups and information systems in which to search for roles or accounts to recertify.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3. </span>**Recertification to do**: this is the list of pending recertification campaigns along with the internal tasks that still need to be completed.

# How to install Recertification addon in Soffid

## Installation

### Introduction

To use an addon in Soffid, you must download and install it in the Console. There are two ways to do this.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>The first option is to use the **Soffid 4 marketplace**. You can download and upload it directly from the [License and plugin](https://bookstack.soffid.com/books/soffid-4-reference-guide/page/license-and-plugin "License and plugin") page.

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>The second option is to download the file from the Soffid **download** page and then **upload** it to the Console.

### Soffid 4 marketplace

<p class="callout success">Soffid 4 allows you to install and update plugins through the new Addons marketplace feature.</p>

<p class="callout warning">To access the marketplace, you must have a valid token to use Soffid and have configured the Console via https. Please check the [License and plugin](https://bookstack.soffid.com/books/soffid-4-reference-guide/page/license-and-plugin#bkmrk-actions "License and plugin") page.</p>

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1.</span> Please **log in** to IAM Console.

<p class="callout info">You need to be an **administrator** user of the Soffid console or a user with permission to upload addons.</p>

<p class="callout info">It is recommended to upload the addons to the **master**; this is the way to keep everything up to date, both the master and the tenants, if there are any.</p>

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.</span> In the Soffid console, please **go to** the [License and plugin](https://bookstack.soffid.com/books/soffid-4-reference-guide/page/license-and-plugin "License and plugin") page.

`Main Menu > Configuration > Global Settings > License and plugin`

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3.</span> Then, click the "**Add new**" button, open the "Soffid Addons" section and select the "Install addon" option. Soffid will upload the addon file.

<details id="bkmrk-image-2"><summary>Image</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-08/scaled-1680-/zT1zIAZQODssapPc-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-08/zT1zIAZQODssapPc-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-08/scaled-1680-/3uHXtG1pAm5kUzIA-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-08/3uHXtG1pAm5kUzIA-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-08/scaled-1680-/uw0ef7PG97IxCUUu-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-08/uw0ef7PG97IxCUUu-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-08/scaled-1680-/SnyiSzFTnWhDKIWL-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-08/SnyiSzFTnWhDKIWL-image.png)

</details><span style="color: #a6d100; font-weight: bold; font-size: 18px;">4.</span> Finally, when the addon is installed, the Console has to be **restarted**. A popup will be displayed to perform this action; you can choose to do it now or later.

<details id="bkmrk-image-3"><summary>Image</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-09/scaled-1680-/SrBNuFbSm6g6boI8-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-09/SrBNuFbSm6g6boI8-image.png)

</details><span style="color: #a6d100; font-weight: bold; font-size: 18px;">5.</span> Once the Soffid console has restarted, you can **check** if the plugin was correctly uploaded on the "License and plugins" page.

`Main Menu > Configuration > Global Settings > License and plugin`

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">6.</span> Now, you can **configure** the addon.

### Download and upload

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>You can **download** the addon from [http://www.soffid.com/download/enterprise/](http://www.soffid.com/download/enterprise/) if you have a Soffid user with authorization, or from [http://download.soffid.com/download/](http://download.soffid.com/download/) by registering.

The addons are in the Addon section.

<details id="bkmrk-image"><summary>Image</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-09/scaled-1680-/dUXAMGDA0M6XJe3A-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-09/dUXAMGDA0M6XJe3A-image.png)

</details><span style="color: #a6d100; font-weight: bold; font-size: 18px;">2.</span> Once the addon is downloaded, please **log in** to IAM Console.

<p class="callout info">You need to be an **administrator** user of the Soffid console or a user with permission to upload addons.</p>

<p class="callout info">It is recommended to upload the addons to the **master**; this is the way to keep everything up to date, both the master and the tenants, if there are any.</p>

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3.</span> In the Soffid console, please **go to** the [License and plugin](https://bookstack.soffid.com/books/soffid-4-reference-guide/page/license-and-plugin "License and plugin") page.

Soffid 3:

`Main Menu > Administration > Configuration > Global Settings > Plugins`

Soffid 4:

`Main Menu > Configuration > Global Settings > License and plugin`

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">4.</span> Then, click the "**Upload**" button, pick the file and click the "Select" button. Soffid will upload the addon file.

<details id="bkmrk-image-1"><summary>Image</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-12/scaled-1680-/oSwSvpyjPfmRtugF-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-12/oSwSvpyjPfmRtugF-image.png)

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-12/scaled-1680-/1B3zySXyg11fM02e-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-12/1B3zySXyg11fM02e-image.png)

</details><span style="color: #a6d100; font-weight: bold; font-size: 18px;">5.</span> Finally, when the addon is installed, the Console has to be **restarted**. A popup will be displayed to perform this action; you can choose to do it now or later.

<details id="bkmrk-image-4"><summary>Image</summary>

[![image.png](https://bookstack.soffid.com/uploads/images/gallery/2025-09/scaled-1680-/SrBNuFbSm6g6boI8-image.png)](https://bookstack.soffid.com/uploads/images/gallery/2025-09/SrBNuFbSm6g6boI8-image.png)

</details><span style="color: #a6d100; font-weight: bold; font-size: 18px;">6.</span> Once the Soffid console has restarted, you can **check** if the plugin was correctly uploaded on the "License and plugins" page.

`Main Menu > Configuration > Global Settings > License and plugin`

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">7.</span> Now, you can **configure** the addon.

# Recertification policies

## Description

<p class="callout success">Soffid allows you to establish some policies to define the scope of the recertification process.</p>

#### Menu option

`Main Menu > Administration > Configuration > Security settings > Recertification policies`

## Screen overview

[![image-1653572713094.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1653572713094.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1653572713094.png)

## Custom attributes

- **Name**: name to identify the policy
- **Type**: list of available recertification types. 
    - **User entitlements**: the recertification process will be conducted to review user access rights.
    - **Role definitions**: the recertification process will be conducted to review the relationship between roles.
    - **Share account entitlements**: the recertification process will be conducted to review access rights to shared accounts.
- **Filter**: this allows you to define a script to identify the grant list to which to apply the recertification process. The [**grant object**](http://www.soffid.org/doc/console/latest/uml/com/soffid/iam/api/RoleAccount.html) *(\*1)* is always available. You can use the Enumeration SoDRisk to compare: 
    - **SOD\_LOW**
    - **SOD\_HIGH**
    - **SOD\_FORBIDDEN**
    - **SOD\_NA**
- **Step 1 expression**: this allows you to define a script that determines which user or users are in charge of approving or denying the recertification process at the first level.
- **Step 2 expression**: this allows you to define a script that determines which user or users are in charge of approving or denying the recertification process after the first level of approval.
- **Step 3 expression:** this allows you to define a script that determines which user or users are in charge of approving or denying the recertification process after the second level of approval.
- **Step 4 expression**: this allows you to define a script that determines which user or users are in charge of approving or denying the recertification process after the third level of approval.
- **Mail Template**: this allows you to define a template for the email sent to the people in charge of approving or denying. Bear in mind that, for it to work properly, the review process link must be <span style="color: #236fa1;">${url}</span>.

<p class="callout info">*(\*1)* **grant object** is a [com.soffid.iam.api.RoleAccount object](http://www.soffid.org/doc/console/latest/uml/com/soffid/iam/api/RoleAccount.html).</p>

## Examples

Some sample scripts for the filters and approval steps are shown below.

### Filter

Return all grants with risk.

```java
// Filter: keep only the grants that carry a Segregation of Duties risk.
return grant.sodRisk != null
  && grant.sodRisk != es.caib.seycon.ng.comu.SoDRisk.SOD_NA;
```

### Steps

```java
// Step expression: return the owners of the granted account, separated by spaces.
account = serviceLocator.getAccountService().findAccountById(grant.accountId);
StringBuffer sb = new StringBuffer();
for (owner : account.ownerUsers) {
  if (sb.length() > 0)
    sb.append(" ");

  sb.append(owner);
}
// Fall back to "admin" when the account has no owners.
if (sb.length() > 0)
  return sb.toString();
else
  return "admin";
```

```java
// Step expression: return the users listed in the role's "owner" attribute, separated by spaces.
com.soffid.iam.api.Role role = serviceLocator.getApplicationService().findRoleByNameAndSystem(grant.roleName, grant.system);
StringBuffer sb = new StringBuffer();
List owners = role.getAttributes().get("owner");
if (owners != null) {
  // Iterate over the role owners read above.
  for (owner : owners) {
    if (sb.length() > 0)
      sb.append(" ");

    sb.append(owner);
  }
}

// Fall back to "admin" when the role has no owners.
if (sb.length() == 0)
  return "admin";
else
  return sb.toString();
```
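A step expression that combines the two samples above, as an added example that is not part of the Soffid documentation: account owners always review the grant, and grants with a high or forbidden SoD risk are also sent to the role owners. It assumes, as the samples do, that the expression returns a space-separated list of user names, that the role carries a custom "owner" attribute, and that "admin" is the fallback; routing by risk level is an illustrative policy choice.

```java
// Added example, written for the same script context as the samples above
// (grant and serviceLocator are available). Not Soffid's own code.

// LinkedHashSet keeps insertion order and drops duplicate approvers.
approvers = new java.util.LinkedHashSet();

// Account owners always review the grant.
account = serviceLocator.getAccountService().findAccountById(grant.accountId);
if (account != null && account.ownerUsers != null) {
  for (owner : account.ownerUsers)
    approvers.add(owner.toString());
}

// Grants flagged with a high or forbidden SoD risk also go to the role owners.
if (grant.sodRisk == es.caib.seycon.ng.comu.SoDRisk.SOD_HIGH
    || grant.sodRisk == es.caib.seycon.ng.comu.SoDRisk.SOD_FORBIDDEN) {
  role = serviceLocator.getApplicationService()
      .findRoleByNameAndSystem(grant.roleName, grant.system);
  if (role != null && role.getAttributes() != null) {
    // "owner" is the custom role attribute used in the sample above (assumption).
    owners = role.getAttributes().get("owner");
    if (owners != null) {
      for (owner : owners)
        approvers.add(owner.toString());
    }
  }
}

// Build the space-separated result; fall back to "admin" when nobody was found.
sb = new StringBuffer();
for (name : approvers) {
  if (sb.length() > 0)
    sb.append(" ");
  sb.append(name);
}
return sb.length() > 0 ? sb.toString() : "admin";
```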

#### Mail template

[![image-1653470454738.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1653470454738.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1653470454738.png)



## Actions

####  Recertification policies query

<table border="1" id="bkmrk-add-or-remove-column" style="width: 100%;"><tbody><tr><td style="width: 22.1291%;">**Add new**

</td><td style="width: 77.8709%;">Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new one, it is necessary to fill in the required fields.

</td></tr><tr><td style="width: 22.1291%;">**Delete**</td><td style="width: 77.8709%;">Allows you to remove one or more Recertification policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

</td></tr><tr><td style="width: 22.1291%;">**Import**</td><td style="width: 77.8709%;">Allows you to upload a CSV file with the Recertification policies to add or update the attribute definition in Soffid.

First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

</td></tr><tr><td style="width: 22.1291%;">**Download CSV file**

</td><td style="width: 77.8709%;">Allows you to download a CSV file with the basic information of all Recertification policies.

</td></tr><tr><td style="width: 22.1291%;">**Add or remove columns**

</td><td style="width: 77.8709%;"> Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user.

</td></tr></tbody></table>

####  Recertification policies details

<table border="1" id="bkmrk-apply-changes-allows" style="width: 100%; height: 231.111px;"><tbody><tr style="height: 80.1667px;"><td style="width: 20.8025%; height: 80.1667px;">**Apply changes**</td><td style="width: 79.3211%; height: 80.1667px;">Allows you to **save** the data of a new policy or to update the data of a specific policy **and quit**. To save the data it will be mandatory to fill in the required fields.

</td></tr><tr style="height: 35.3889px;"><td style="width: 20.8025%; height: 35.3889px;">**Save**

</td><td style="width: 79.3211%; height: 35.3889px;">Allows you to **save** the data of a new policy or to update the data of a specific policy. To save the data it will be mandatory to fill in the required fields.

</td></tr><tr style="height: 80.1667px;"><td style="width: 20.8025%; height: 80.1667px;">**Delete**

</td><td style="width: 79.3211%; height: 80.1667px;">Allows you to remove a specific policy. You can choose that option on the hamburger icon.

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

</td></tr><tr style="height: 35.3889px;"><td style="width: 20.8025%; height: 35.3889px;">**Undo**

</td><td style="width: 79.3211%; height: 35.3889px;">Allows you to quit without applying any changes.

</td></tr></tbody></table>

---

[*https://download.soffid.com/doc/console/latest/uml/es/caib/seycon/ng/comu/SoDRisk.html*](https://download.soffid.com/doc/console/latest/uml/es/caib/seycon/ng/comu/SoDRisk.html)

# Recertification campaigns

## Description

<p class="callout success">Soffid allows you to define new campaigns to review the users' access rights and to assign who has to recertify or revoke their entitlements.</p>

You can create a campaign related to a previously defined recertification policy. Depending on the policy type selected, you will have to fill in some required information to create a new campaign.

To create a new campaign, it is mandatory that one or more accounts for recertification exist.

When a campaign is created, the initial status will be <span style="color: #3598db;">**Preparation**</span>. This status will change to <span style="color: #3598db;">**Active**</span> automatically. The status will be <span style="color: #3598db;">**Finished**</span> when the proper users approve or deny the recertifications.

#### Menu option

`Main Menu > Administration > Resources > Recertification campaigns`

## Screen overview

[![image-1653636505476.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1653636505476.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1653636505476.png)

## Custom attributes

#### Basic

- **Name**: name to identify the campaign.
- **Template**: select the policy that will be applied. That has to be defined previously on the [Recertification policies page](https://bookstack.soffid.com/books/recertification/page/recertification-policies "Recertification policies").
- **Groups**: list of user groups where the campaign will be applied. You can choose one or more.
- **Information Systems**: list of information systems where the campaign will be applied. You can choose one or more.

#### Others

- **Start date**: date and time when the campaign started. This field is generated automatically.
- **Finish date**: date and time when the campaign finished. This field is generated automatically.
- **Status**: recertification campaign process status. Three statuses are available: 
    - **Preparation**: it is the first status when the campaign is created.
    - **Active**: it is the status when the recertification campaign is ready to be applied.
    - **Finished**: it is the status when the recertification campaign ends.
- **Groups**: list of user groups to which the campaign will be applied. 
    - **Group name**
    - **Status**
    - **% done**
- **Applications:** application list to which the campaign will be applied. 
    - **Application name**
    - **Status**
    - **% done**
- **Group members:** list of users who belong to the selected group. 
    - **Active**
    - **User**
    - **Creation date**
    - **Status**
    - **Step 1**
    - **Step 2**
    - **Step 3**
    - **Step 4**



## Actions

####  Recertification campaigns query

<table border="1" id="bkmrk-add-or-remove-column" style="width: 100%;"><tbody><tr><td style="width: 22.1291%;">**Add new**

</td><td style="width: 77.8709%;">Allows you to add a new Recertification policy. You can choose that option on the hamburger menu or click the add button (+).

To add a new one, it is necessary to fill in the required fields.

</td></tr><tr><td style="width: 22.1291%;">**Delete**</td><td style="width: 77.8709%;">Allows you to remove one or more Recertification policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

</td></tr><tr><td style="width: 22.1291%;">**Import**</td><td style="width: 77.8709%;">Allows you to upload a CSV file with the Recertification policies to add or update the attribute definition in Soffid.

First, you need to pick a CSV file; that CSV has to contain a specific configuration. Then you need to check the content to be loaded; you can choose whether or not to load a specific attribute. Finally, you need to select the mappings for each column of the CSV file to import the data correctly and click the Import button.

</td></tr><tr><td style="width: 22.1291%;">**Download CSV file**

</td><td style="width: 77.8709%;">Allows you to download a CSV file with the basic information of all Recertification policies.

</td></tr><tr><td style="width: 22.1291%;">**Add or remove columns**

</td><td style="width: 77.8709%;"> Allows you to show and hide columns in the table. You can also set the order in which the columns will be displayed. The selected columns and order will be saved for the next time Soffid displays the page to the user.

</td></tr></tbody></table>

####  Recertification campaigns details

<table border="1" id="bkmrk-apply-changes-allows" style="width: 100%; height: 288.962px;"><tbody><tr style="height: 35.4px;"><td style="width: 20.8025%; height: 35.4px;">**Click group**</td><td style="width: 79.3211%; height: 35.4px;">By clicking a record group, Soffid will display the group members' list.

</td></tr><tr><td style="width: 20.8025%;">**Show details**</td><td style="width: 79.3211%;">Displays a detailed list with the recertification data for each user to recertify.

</td></tr><tr><td style="width: 20.8025%;">**Delete**</td><td style="width: 79.3211%;">Allows you to delete a recertification campaign. You can select this option on the hamburger menu.

It is not allowed to delete a recertification process once it has been started.

</td></tr></tbody></table>

#### Recertification details

<table border="1" id="bkmrk-delegate-by-clicking" style="width: 100%; height: 288.962px;"><tbody><tr style="height: 35.4px;"><td style="width: 20.8025%; height: 35.4px;">**Delegate**</td><td style="width: 79.3211%; height: 35.4px;">Allows you to delegate the recertification to another user by clicking a record group or by selecting one or more records; Soffid will display the group members' list.

</td></tr><tr><td style="width: 20.8025%;">**Back**</td><td style="width: 79.3211%;">Allows you to delegate the operation to approve or deny the process. Once you click the delegate option, Soffid will allow you to select one or more users to delegate the process.

</td></tr></tbody></table>

# Recertifications to do

## Description

<p class="callout success">When a campaign is run, the pending recertifications will be displayed in the Recertifications to-do list of the proper user, who has to Accept or Deny the recertification. That user can also delegate the recertification to another user.</p>

#### Menu option

`Main Menu > Recertifications to do`

## Screen overview

[![image-1687763668120.png](https://bookstack.soffid.com/uploads/images/gallery/2023-06/scaled-1680-/image-1687763668120.png)](https://bookstack.soffid.com/uploads/images/gallery/2023-06/image-1687763668120.png)

## Custom attributes

#### Recertifications campaign list

- **Name**: name to identify the campaign.
- **Start date**: date and time when the campaign started.

#### Recertifications to do list

- **Group**: group to which recertification applies.
- **User**: user to whom permissions will be assigned or not. If you click the user, Soffid will display a new page with the user data.
- **Entitlement**: the role that you can assign or not to the user. If you click the role, Soffid will display a new page with the role data.
- **Previous endorsement**: status of the previous endorsement.
- **Pending endorsement**: allows you to select the option to approve or deny.
- **Comments**: this allows you to write a comment.

## Actions

####  Recertifications campaign

<table border="1" id="bkmrk-add-or-remove-column" style="width: 100%;"><tbody><tr><td style="width: 22.1291%;">**Click recertification**

</td><td style="width: 77.8709%;">If you click one campaign record, Soffid will display the recertifications to do list.

</td></tr></tbody></table>

####  Recertifications to do list

<table border="1" id="bkmrk-apply-changes-allows" style="width: 100%; height: 287.712px;"><tbody><tr style="height: 69.55px;"><td style="width: 20.7664%; height: 69.55px;">**<span style="background-color: #ffffff;">Pending endorsement</span>**

</td><td style="width: 79.2336%; height: 69.55px;"><span style="background-color: #ffffff;">In the pending endorsement column, you can approve or deny the recertification for each user who appears on this list. You can approve or deny by clicking on the proper check </span>

- <span style="background-color: #ffffff;">approve -&gt; **<span style="background-color: #2dc26b;">✓ </span>**</span>
- <span style="background-color: #ffffff;">deny -&gt; <span style="background-color: #e03e2d;">X </span></span>




</td></tr><tr><td style="width: 20.7664%; height: 102.6px;">**Apply changes**</td><td style="width: 79.2336%; height: 102.6px;">Allows you to **save** the recertifications accepted and denied. Before applying changes, you need to select for each recertification if you approve or deny it. Also, you can write a comment.

Once you apply changes, the recertifications executed will be removed from the recertifications to do list.

</td></tr><tr><td style="width: 20.7664%; height: 35.4px;">**Back**

</td><td style="width: 79.2336%; height: 35.4px;">Allows you to quit without applying any changes.

</td></tr><tr style="height: 80.1625px;"><td style="width: 20.7664%; height: 80.1625px;">**Delegate**

</td><td style="width: 79.2336%; height: 80.1625px;">Allows you to delegate the operation to approve or deny the process. Once you click the delegate option, Soffid will allow you to select one or more users to delegate the process.

</td></tr><tr><td style="width: 20.7664%;">**Browse user**

</td><td style="width: 79.2336%;">By clicking the user, Soffid will open a new window with the user data.

</td></tr><tr><td style="width: 20.7664%;">**Browse entitlement**

</td><td style="width: 79.2336%;">By clicking the entitlement, Soffid will open a new window with the role data.

</td></tr></tbody></table>

# Recertification Examples


# User Entitlement



# Role definitions



# Shared account entitlements

<iframe allowfullscreen="allowfullscreen" height="314" src="https://www.youtube.com/embed/F4SWomWhOes" width="560"></iframe>