Anthropic-Cybersecurity-Skills/skills/performing-access-recertification-with-saviynt/references/workflows.md

Access Recertification with Saviynt - Workflows

Campaign Execution Workflow

WEEK 1: PREPARATION
    ├── Review and update certifier assignments
    ├── Verify identity data freshness (HR sync)
    ├── Validate entitlement data accuracy
    ├── Configure campaign template
    └── Schedule campaign launch

WEEK 2: LAUNCH AND REVIEW
    ├── Launch campaign (auto-notifications sent)
    ├── Certifiers receive email with review link
    ├── Certifiers review each line item:
    │   ├── Check user's current role
    │   ├── Review risk score
    │   ├── Check last access date
    │   ├── Compare with peer group
    │   └── Make certify/revoke decision
    └── Day 7: First reminder sent

WEEK 3: FOLLOW-UP
    ├── Day 10: Second reminder sent
    ├── Day 13: Final reminder (escalation warning)
    ├── Security team contacts non-responsive certifiers
    └── Campaign manager reviews progress dashboard

WEEK 4: CLOSE AND REMEDIATE
    ├── Day 14: Campaign due date
    ├── Day 15: Auto-revoke for non-certified items (if configured)
    ├── Revocation tasks created automatically
    ├── Remediation tickets sent to provisioning team
    ├── Access removed from target systems
    └── Campaign report generated for compliance

Certifier Decision Workflow

Certifier opens Saviynt certification inbox
    │
    ├── For each user-entitlement pair:
    │
    │   ├── Review Context:
    │   │   ├── User's name, title, department
    │   │   ├── Entitlement name and application
    │   │   ├── Risk score (1-10)
    │   │   ├── Last access: 3 days ago / 180 days ago / Never
    │   │   ├── Peer analysis: 85% of peers have this access
    │   │   └── SoD violation: None / Conflict detected
    │   │
    │   ├── Decision Logic:
    │   │   ├── Active user + Used recently + Peers have it → CERTIFY
    │   │   ├── Active user + Not used in 90+ days → INVESTIGATE
    │   │   ├── User changed department → LIKELY REVOKE
    │   │   ├── SoD violation detected → REVOKE or ESCALATE
    │   │   └── Cannot determine → DELEGATE to app owner
    │   │
    │   └── Record decision with justification
    │
    └── Submit all decisions

Event-Based Certification Workflow

User attribute changes in HR system (e.g., department transfer)
    │
    ├── Saviynt detects change via HR connector sync
    │
    ├── User update rule triggers micro-certification:
    │   ├── Scope: All entitlements for this user
    │   ├── Certifier: New manager
    │   └── Due date: 7 days
    │
    ├── New manager reviews all access:
    │   ├── Certify access relevant to new role
    │   ├── Revoke access specific to old role
    │   └── Request new access if needed
    │
    └── Remediation executes for revoked items

Remediation Tracking Workflow

Campaign completes with revoked items
    │
    ├── Saviynt creates provisioning tasks for each revocation
    │
    ├── For each revoked entitlement:
    │   ├── Create deprovisioning request
    │   ├── Route to target system connector
    │   ├── Execute removal (API/connector)
    │   ├── Verify removal succeeded
    │   └── Update audit log
    │
    ├── If automated removal fails:
    │   ├── Create manual remediation ticket (ServiceNow)
    │   ├── Assign to application admin
    │   ├── Track SLA compliance
    │   └── Escalate if overdue
    │
    └── Post-remediation verification:
        ├── Re-scan target systems
        ├── Confirm revoked access no longer present
        └── Archive compliance evidence