
Recertification Overview

Recertification cycles provide a periodic, auditable process for reviewing and re-approving access rights and data product ownership. They ensure that every resource is reviewed within a defined window, keeping your organization compliant and access hygiene up to date.

Why Recertification?

Over time, access grants accumulate and data product ownership drifts. Users change teams, projects end, and responsibilities shift — but the permissions remain. Recertification addresses this by enforcing periodic reviews that verify whether existing access and ownership are still appropriate.

Benefits include:

  • Compliance readiness — Demonstrate to auditors that every resource is reviewed on schedule
  • Access hygiene — Remove stale permissions and outdated ownership assignments
  • Accountability — Every decision is tracked with timestamps and reviewer identity
  • Risk reduction — Surface high-criticality resources that require attention

Key Personas

Persona             Role         What They Do
Space Admin         Cycle Owner  Creates cycles, configures filters and templates, monitors progress
Data Steward        Reviewer     Reviews individual audit items — approves or rejects each resource
Compliance Officer  Auditor      Verifies that every resource was reviewed within the cycle window

Cycle Types

Recertification supports two cycle types that determine which resources are scanned and reviewed.

Product Cycles

A Product cycle (product) scans all non-archived data products in the space. Each audit item represents a single data product that needs re-certification. Use product cycles for periodic ownership reviews, data catalog hygiene, and classification validation.

Access Cycles

An Access cycle (access) scans all source system roles in the space. Each audit item represents a single source system role (e.g., "analyst_readonly" on Snowflake). Use access cycles for compliance-driven role reviews, least-privilege enforcement, and regulatory requirements such as GDPR or SOX.

Lifecycle

Every recertification cycle moves through a defined set of states:

open → in_review → completed
↘ cancelled

Status     Meaning
Open       Cycle is active — audit items can be populated or added
In Review  Frozen for review — reviewers are making approve/reject decisions
Completed  All items decided — the cycle is read-only
Cancelled  Cycle was aborted before completion

A cancelled cycle can be reopened to resume the review process.

Audit Item Statuses

Each audit item within a cycle tracks the decision for a single resource:

Status    Meaning
Pending   Awaiting review
Approved  Resource is re-certified — no action needed
Rejected  Resource failed review — follow-up action required
Expired   The review window passed without a decision

How It Works

The typical recertification flow is:

  1. Create — A Space Admin creates a new cycle, choosing a type and due date
  2. Configure — Optionally set filters (tags, product type, criticality) to scope the review, and define request templates
  3. Populate — The system scans the space and creates audit items for each matching resource
  4. Review — Stewards review each audit item, approving or rejecting resources
  5. Recertify — For items that need formal re-approval, recertification requests are created and routed through the workflow system
  6. Complete — Once all items are decided, the cycle is marked as completed
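
The checks a Compliance Officer would run over one cycle's audit items, as an added example that is not the product's own code or API. The record fields, the lowercase item status spellings, the function name and the sample roles other than analyst_readonly are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Status names follow the tables on this page; the lowercase spellings and
# every field name below are assumptions, not the product's API.
DECIDED = {"approved", "rejected"}

@dataclass
class AuditItem:
    resource: str
    status: str = "pending"              # pending | approved | rejected | expired
    reviewer: Optional[str] = None       # who made the decision
    decided_on: Optional[date] = None    # when the decision was made

def audit_cycle(items, due, today):
    """Return the findings an auditor would check for one cycle."""
    findings = {"expired": [], "late": [], "untracked": [], "follow_up": []}
    for item in items:
        status = item.status
        if status == "pending" and today > due:
            status = "expired"           # window passed without a decision
        if status == "expired":
            findings["expired"].append(item.resource)
        elif status in DECIDED:
            # Accountability: a decision needs a reviewer and a timestamp.
            if item.reviewer is None or item.decided_on is None:
                findings["untracked"].append(item.resource)
            elif item.decided_on > due:
                findings["late"].append(item.resource)
            if status == "rejected":     # rejected items need follow-up action
                findings["follow_up"].append(item.resource)
    # A cycle can only be completed once every item is approved or rejected.
    findings["all_decided"] = all(i.status in DECIDED for i in items)
    return findings

# Constructed sample: an access cycle over source system roles.
DUE = date(2024, 6, 30)
SAMPLE = [
    AuditItem("analyst_readonly", "approved", "steward_a", date(2024, 6, 12)),
    AuditItem("etl_writer", "rejected", "steward_b", date(2024, 7, 2)),
    AuditItem("finance_admin", "approved"),   # decision with no reviewer or date
    AuditItem("legacy_export"),               # never reviewed
]

if __name__ == "__main__":
    for key, value in audit_cycle(SAMPLE, DUE, date(2024, 7, 5)).items():
        print(f"{key}: {value}")
```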

Integration with Workflows

Cycles can be linked to a workflow definition. When a recertification request is created for an audit item, it is automatically routed through that workflow — enabling multi-step approvals, governance-based routing, and full audit trails.

Integration with Access Requests

Recertification requests are a special type of access request. When an approver approves or rejects a recertification request, the corresponding audit item's status is automatically synchronized. This means the cycle detail page always reflects the current state of each review.
