A challenge with the re-certification process is determining which application has the authority: IdM or Identity Governance. Put differently, who has the authority: IT, which builds the role model in IdM, or the business, the auditors, the management and IT security, who review the rights according to business risks and internal and/or external regulations?

Today it is not possible in IdM to remove an entitlement that has been granted indirectly through a role. On the other hand, if the business, auditors, management or IT security removes such a right during a review, even IdM has to obey.

The problem occurs when a reviewer removes an entitlement in Identity Governance: IdM will not remove the entitlement if it is part of a role in IdM, even though the Identity Governance/IdM integration has been set up.
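The gap described above can be made visible with a reconciliation check. This is an added example, not code from either product: it takes review revocations and flags those that stay effective because an assigned role still grants the entitlement. The role model, users, entitlement names and data layout are constructed assumptions.

```python
# Constructed sample data (hypothetical names, not taken from any product).
ROLE_ENTITLEMENTS = {
    "Accountant": {"ERP:PostInvoice", "ERP:ViewLedger"},
    "Approver": {"ERP:ApprovePayment", "ERP:ViewLedger"},
}
USER_ROLES = {"alice": {"Accountant", "Approver"}, "bob": {"Accountant"}}
DIRECT_GRANTS = {"alice": {"VPN:Remote"}, "bob": {"ERP:ApprovePayment"}}

# Review decisions: (user, entitlement) pairs a reviewer revoked.
REVOCATIONS = [
    ("alice", "ERP:ViewLedger"),
    ("alice", "VPN:Remote"),
    ("bob", "ERP:ApprovePayment"),
    ("bob", "ERP:PostInvoice"),
]


def providing_roles(user, entitlement):
    """Return the user's assigned roles that contain the entitlement."""
    return sorted(
        role
        for role in USER_ROLES.get(user, ())
        if entitlement in ROLE_ENTITLEMENTS.get(role, ())
    )


def classify_revocations(revocations):
    """Split revocations into those a direct removal fulfils and those
    that remain effective because a role still grants the entitlement."""
    result = {"fulfillable": [], "blocked_by_role": [], "not_held": []}
    for user, entitlement in revocations:
        roles = providing_roles(user, entitlement)
        if roles:
            # Removing a direct grant would not help: the role re-grants it.
            result["blocked_by_role"].append((user, entitlement, roles))
        elif entitlement in DIRECT_GRANTS.get(user, ()):
            result["fulfillable"].append((user, entitlement))
        else:
            result["not_held"].append((user, entitlement))
    return result


if __name__ == "__main__":
    outcome = classify_revocations(REVOCATIONS)
    for user, entitlement, roles in outcome["blocked_by_role"]:
        print(f"STILL EFFECTIVE: {user} keeps {entitlement} via {', '.join(roles)}")
    for user, entitlement in outcome["fulfillable"]:
        print(f"removable: {user} {entitlement} (direct grant only)")
```

Each "still effective" row names the roles that would have to be changed or unassigned for the reviewer's decision to take effect.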