What is Recertification?
Recertification is part of HelloID's governance functionality. It gives your organisation a structured, repeatable process to review individually granted licences and access rights, ensuring they remain necessary, appropriate, and compliant with current policy.
Did you know? Around 80% of all issued accounts and entitlements are managed automatically through provisioning. Recertification addresses the remaining 20% that fall outside automated control.
Why Does Access Recertification Matter?
An IAM platform such as HelloID manages a broad range of products across your IT environment. These include:
Application permissions and software licences
Access to project folders and shared drives
Mailboxes and distribution groups
Role-specific and department-specific entitlements
For organisations with hundreds of employees and dozens of applications, manual tracking is not sufficient. HelloID manages accounts and access rights through two complementary approaches.
| | Provisioning | Service Automation |
|---|---|---|
| What it covers | Role-based account and rights delivery | Individual, supplementary access requests |
| How it stays current | Automatically updated when roles or systems change | Requires periodic manual review |
| Example | Sales employee receives CRM access upon joining | Employee requests temporary access to a project mailbox |
| Risk of drift | Low | High without recertification |
Rights managed through Provisioning stay current automatically. When someone changes role or a system is replaced, access is adjusted without manual intervention.
Rights issued through Service Automation do not follow the same pattern. They are often granted for an indefinite period and, without active review, remain in place long after they are needed. This is the gap that recertification closes.
How Does Recertification Work?
Recertification effectively repeats the original approval process for any previously granted right. Here is how it works in practice:
A staff member previously requested access to a project mailbox via the self-service portal.
The request was approved by both their manager and the mailbox owner.
HelloID added the user to the relevant Active Directory or Entra ID group.
At a defined interval, recertification triggers a new review of that access.
Both the manager and the mailbox owner receive an online approval request.
Based on their decision, the user either retains access or the right is revoked automatically.
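The review cycle described above, modelled as an added example; it is not HelloID code and does not use its API. The 90-day interval, the user and group names, and the rules that every original approver must confirm and that an unanswered request stays pending are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed interval, not a product default

@dataclass
class Grant:
    user: str
    group: str             # directory group that backs the product
    approvers: tuple       # the approvers of the original request
    last_certified: date

def due_for_review(grants, today, interval=REVIEW_INTERVAL):
    """Grants whose last certification is at least one interval old."""
    return [g for g in grants if today - g.last_certified >= interval]

def recertify(grant, decisions, today):
    """decisions maps approver -> True (keep) or False (revoke).

    Assumption: any rejection revokes; a missing answer leaves the grant
    pending instead of silently extending it.
    """
    answers = [decisions.get(a) for a in grant.approvers]
    if any(a is False for a in answers):
        return "revoke"
    if any(a is None for a in answers):
        return "pending"
    grant.last_certified = today  # restart the review clock
    return "retain"

def run_iteration(grants, decisions, today):
    """Return {(user, group): outcome} for every grant due for review."""
    return {(g.user, g.group): recertify(g, decisions.get((g.user, g.group), {}), today)
            for g in due_for_review(grants, today)}

# Constructed sample data.
GRANTS = [
    Grant("alice", "MBX-ProjectX", ("mgr.bob", "owner.carol"), date(2024, 1, 10)),
    Grant("dave", "MBX-ProjectX", ("mgr.erin", "owner.carol"), date(2024, 1, 10)),
    Grant("frank", "MBX-ProjectX", ("mgr.bob", "owner.carol"), date(2024, 1, 10)),
    Grant("grace", "MBX-ProjectX", ("mgr.erin", "owner.carol"), date(2024, 5, 1)),
]
DECISIONS = {
    ("alice", "MBX-ProjectX"): {"mgr.bob": True, "owner.carol": True},
    ("dave", "MBX-ProjectX"): {"mgr.erin": True, "owner.carol": False},
    ("frank", "MBX-ProjectX"): {"mgr.bob": True},  # owner has not answered
}

if __name__ == "__main__":
    for key, outcome in run_iteration(GRANTS, DECISIONS, date(2024, 6, 1)).items():
        print(key, outcome)
```

Treating an unanswered request as pending rather than as approval is what keeps a stalled review from turning back into a once-granted, always-granted right.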
Recertification Campaigns in HelloID
Recertifications are organised and executed as campaigns. Each campaign targets a specific set of users or products for review. HelloID supports two campaign types.
System campaigns
System campaigns automatically identify access rights that conflict with current policy, without requiring manual selection. Common findings include:
Users holding multiple versions of the same product unnecessarily
Users who have changed role or department but retain old group memberships
Conflicting products granted to the same user
Custom campaigns
Custom campaigns allow a defined scope to be set using one or more filters. Examples include:
All users in a specific department or with a particular role
Products above a defined price threshold or risk classification
All users with access to privacy-sensitive data
Once a campaign runs, an iteration is created. The campaign insights view shows all users and products within scope, enabling reviewers to assess and act efficiently.
| Role | Campaign use case |
|---|---|
| Security officer | Review all users holding high-risk applications |
| Department manager | Audit licence costs across their team |
| HR manager | Identify who can access sensitive HR data |
| IT manager | Focus on users of expensive or restricted software |
A separate system campaign covers any users or products not included in other campaigns, ensuring nothing is overlooked.
What Recertification Achieves
Remain in control
Individually issued products carry the risk of a once-granted, always-granted situation. Recertification provides a structured mechanism to verify regularly that every granted right is still necessary and consistent with current guidelines.
Reduce administrative overhead
Reviewing access rights introduces additional tasks for managers and product owners. To limit this burden, recertification supports bulk processing and includes automated notifications, keeping the review process as straightforward as possible.
Maintain compliance
Regulations, privacy guidelines, and information security standards require organisations to know which products are used to process data, and to verify that those products remain compliant. Recertification ensures non-compliant software is identified and decommissioned promptly.
Full Control Over All Access Rights
The goal of recertification is straightforward: at any point in time, every user should hold exactly the rights required for their role, nothing more and nothing less.
80% of rights are managed automatically through provisioning and business rules.
20% of individually issued rights are governed through recertification campaigns.
Together, these two mechanisms provide complete coverage across your IT environment.
Learn More About IAM Recertification in HelloID
Recertification is a core component of HelloID's governance functionality. It strengthens account and access management, prevents unnecessary licence accumulation, and supports compliance across the organisation.
To learn more about governance in HelloID, or to explore how recertification enhances your Service Automation module, view our webinar or visit our governance page.