Reconciliation/Attestation/Certification

In IAM projects, and particularly in the documentation for the OIM product, there are a few terms that often confuse people. I think the passages below explain them reasonably clearly.

Reconciliation is the automated version of attestation. It ensures proper access, but strictly according to policies and without eyeballs. A lot of systems don't have this capability, but it's a great way to ensure that your policies are adhered to. In theory, reconciliation is an automated process that reviews policies on a scheduled basis and puts back anything that's out of place. For example, as part of your sales management job, you get access to the forecasting system to review your region's pipeline. But you want to get an occasional look at the pipelines for the other regions, to see how you stack up, so you fat-finger your way into the membership of the other LDAP groups that give you this ability. Reconciliation would come along at noon, see that you've got something you're not supposed to have, send a notification to your boss, and pull your id out of those other groups.

It's either called attestation, certification, or recertification, depending on the phases of the moon. They all mean the same thing. Let's go with attestation for now. It describes the process by which you periodically review who has access to a particular resource. Point to a resource, produce the list of everybody who can currently access that resource, and decide if they still can. If a user is deemed no longer worthy to access that resource, his access is revoked. If it's a critical application, defined as processing critical data, indispensable to the business, or related to compliance processes, it is reviewed every three to six months. Everything else is reviewed perhaps once a year.

Attestation is most often a manual process. An IT guy produces the lists, sneaker-nets them to all the approvers, who then mark up those lists and hand them back in, and finally the IT guy fat-fingers any scribbled-up changes. For example, every name highlighted in red loses their access for the designated resource. Anybody highlighted in yellow is somebody whom the approver can't vouch for, so that user must be rerouted to another approver.

Certification (also known as attestation or recertification) is the periodic review of which users have access to which resources. The process is meant to ensure that users maintain access to only those resources they are entitled to. We will describe this process in detail in Chapter 12. Certification policies as defined in Oracle Identity Analytics adhere to what I've said previously about compliance: there are things you do for security, and things you do because you're told to. So for applications that have been tagged as compliance-related, you may be certifying more often than once a year. In fact, for Sarbanes-Oxley-related applications, you will be certifying quarterly. Your auditors will provide guidelines on the necessary frequency. When certification is left to your discretion, you should at least consider an annual review, and definitely more often for resources with a lot of turnover. Yes, you normally think of users as experiencing turnover, but think of the resources whose users are more transient. If you have large, temporary customer bases, users who register for contests, special offers, or time-sensitive resources, and you don't automatically expire those users, then you need to review who is still provisioned to those after a certain period.
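The two mechanisms the quoted passages describe, scheduled policy-driven reconciliation and the manual certification campaign (produce the list, collect approver decisions, revoke the "red" entries, reroute the "yellow" ones), can be illustrated with a small model. The code below is an added example and is not from the quoted book, nor OIM or Oracle Identity Analytics code; the role-to-group policy, the user records, the manager field and the LDAP group names are all constructed, hypothetical values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (hypothetical roles, users and LDAP groups).
# Policy: which groups a job role entitles a user to.
POLICY: Dict[str, Set[str]] = {
    "sales_manager": {"cn=forecast-east,ou=groups"},
    "analyst": {"cn=reports,ou=groups"},
}
# Identity store: uid -> (role, manager uid).
USERS: Dict[str, Tuple[str, Optional[str]]] = {
    "alice": ("sales_manager", "carol"),
    "bob": ("analyst", "carol"),
    "erin": ("analyst", "carol"),
    "carol": ("director", None),
}
# What the directory actually contains right now: group -> members.
ACTUAL: Dict[str, Set[str]] = {
    "cn=forecast-east,ou=groups": {"alice"},
    "cn=forecast-west,ou=groups": {"alice"},   # self-granted, not in policy
    "cn=reports,ou=groups": {"bob", "dave"},   # "dave" has no identity record
}


@dataclass
class Finding:
    uid: str
    group: str
    reason: str
    action: str             # "removed" or "added"
    notify: Optional[str]   # manager to notify, if one is known


def entitled_groups(uid: str, policy, users) -> Set[str]:
    """Groups the user's role entitles them to; unknown users get nothing."""
    role = users[uid][0] if uid in users else None
    return policy.get(role, set())


def reconcile(policy, users, actual):
    """Scheduled reconciliation: compare the directory against policy and
    return (findings, corrected membership). Out-of-policy memberships are
    pulled, orphan accounts are pulled, and entitlements that policy grants
    but the directory lacks are put back."""
    findings: List[Finding] = []
    fixed = {g: set(m) for g, m in actual.items()}
    # Pass 1: memberships present in the directory that policy does not grant.
    for group, members in actual.items():
        for uid in sorted(members):
            if uid not in users:
                findings.append(Finding(uid, group, "no identity record (orphan account)", "removed", None))
                fixed[group].discard(uid)
            elif group not in entitled_groups(uid, policy, users):
                findings.append(Finding(uid, group, "membership not granted by policy", "removed", users[uid][1]))
                fixed[group].discard(uid)
    # Pass 2: memberships policy grants that the directory is missing.
    for uid in sorted(users):
        for group in sorted(entitled_groups(uid, policy, users)):
            if uid not in actual.get(group, set()):
                findings.append(Finding(uid, group, "entitled by policy but missing", "added", users[uid][1]))
                fixed.setdefault(group, set()).add(uid)
    return findings, fixed


def certification_list(resource: str, actual) -> List[str]:
    """Step 1 of a campaign: everyone who can currently reach the resource."""
    return sorted(actual.get(resource, set()))


def apply_certification(resource: str, actual, decisions: Dict[str, str]):
    """Step 2: apply approver decisions. decisions maps uid -> "keep",
    "revoke" (the red highlight) or "reroute:<other approver>" (the yellow
    highlight). Accounts with no decision keep their access for now but are
    reported as pending, so the campaign cannot be closed silently."""
    remaining = set(actual.get(resource, set()))
    rerouted: Dict[str, str] = {}
    pending: List[str] = []
    for uid in certification_list(resource, actual):
        decision = decisions.get(uid)
        if decision is None:
            pending.append(uid)
        elif decision == "revoke":
            remaining.discard(uid)
        elif decision.startswith("reroute:"):
            rerouted[uid] = decision.split(":", 1)[1]
        elif decision != "keep":
            raise ValueError(f"unknown decision {decision!r} for {uid}")
    updated = {g: set(m) for g, m in actual.items()}
    updated[resource] = remaining
    return updated, rerouted, pending


if __name__ == "__main__":
    findings, fixed = reconcile(POLICY, USERS, ACTUAL)
    for f in findings:
        print(f"{f.action:7} {f.uid:6} {f.group:28} {f.reason} (notify: {f.notify})")
    updated, rerouted, pending = apply_certification(
        "cn=reports,ou=groups", ACTUAL, {"bob": "keep", "dave": "revoke"})
    print("after certification:", sorted(updated["cn=reports,ou=groups"]), rerouted, pending)
```

Reconciliation and certification operate on the same group data but answer different questions: reconciliation is mechanical and needs no approver, so it only ever enforces what the policy already says; certification exists precisely for the entries a policy cannot judge, which is why the undecided and rerouted cases are tracked explicitly instead of being dropped.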