Identity Cloud

Certify data using access reviews

Access reviews are the final step of certifying access for users.

After you kick off the data review process in a campaign, the data defined for review is sent to the end users you define in the template.

The process of end users certifying the data assigned to them is called an access review.

Notes on access reviews:

  • When an end user is designated as a reviewer by a campaign, the access review displays under Inbox > Access Reviews and on the Dashboard landing page.

  • An end user who has an access review is considered a reviewer of the certification, also called a certifier.

  • An access review consists of one or more line items or records to review and certify.

  • You define the certifiers when you create a template and kick off a campaign. A reviewer can also be added through forwarding or reassignment by certifiers and administrators.

  • Multiple certifiers can be assigned to review the same data.

  • Certifiers can change the decision a previous certifier made for a line item; however, no changes can be made to a campaign after a decision is set and the campaign is signed off (completed). Additional changes require remediation through another campaign.

    For example, if one certifier decides to certify the access for a line item, but another certifier later decides to revoke access for it, the last certifier's decision is the one that prevails.

  • For more information on how access reviews display to certifiers in the end-user UI, refer to access reviews.

Various features are enabled or disabled in end-user access reviews depending on the configuration of the template. The following table provides quick links to the relevant sections of this page.

Details
Item Description

View access review tasks

A landing screen that shows access reviews that are assigned to an end user.

This includes an explanation of the access review landing page columns.

View individual access review line items

The screen where end users complete the access review of the line items for a campaign.

A line item is a record for a certifier to review. For example, the user Barbara Jensen’s record that details their access to a particular application is a line item.

This includes:

  • Access review task columns: A description of the columns that display when end users certify items.

  • High-level reviewer steps: An overview of potential steps to take when reviewing items. Since there are various combinations of configurations you can make in the template, this process is subject to change.

Filter and group items

Filter campaign items that display data in different ways.

Customize table columns

Rearrange or hide the table columns.

Add comment

Provide a comment on a line item in the access review.

Use cases include:

  • Justification for why a decision was made.

  • Rationale for reassigning the item.

  • Rationale for forwarding the item.

  • To view/respond to a comment left by another reviewer.

Make a decision (certify)

Make a decision to either certify access, revoke access, or provide an exception to access for a specified duration (you must enable the configurations in the template).

View other certifiers

View other reviewers assigned to a line item in the access review.

Reassign an item[1]

An end user can reassign an item that is assigned to them and define the privileges of the new assignee. The prior reviewers keep their access to the item.

There are two ways to reassign a line item: from the View Reviewers screen, or in bulk through the Actions drop-down.

Forward an item[1]

Remove prior reviewers and assign the line item to another individual(s) or role. The forwarded individual(s) receive full privileges on the item.

There are two ways to forward a line item: individually from the item menu, or in bulk through the Actions drop-down.

Bulk certify items[1]

Certify many line items in one action. Not recommended for every campaign, as it bypasses the manual oversight of each item that an access review is meant to provide.

View access review tasks

To view the access review tasks, from the Identity Cloud End User UI, click Inbox > Access Reviews.

The landing screen on Access Reviews is a view of the active campaigns that have a task assigned to an end user.

To view campaigns that have a specific status, such as Closed or Canceled, click the Status drop-down and filter the status.

To view additional tasks, click the caret icons at the bottom of the table.
Campaign statuses to filter
Status Description

Active

The campaign is in progress. In the Status column, this includes the In-progress, Expiring and Overdue states.

  • In-progress: The campaign is in progress and active.

  • Expiring: The campaign is in process and expires in two days or less. The template defines the deadline; however, you can update the deadline at any time.

  • Overdue: The campaign is past its deadline but still in process, and tasks still require completion. Identity Governance sets this status when the template selects one of the following under When to Certify > When certification expires > Close open items:

    • Reassign.

    • Do nothing.

      The template defines the deadline; however, you can update the deadline at any time.

Expired

The campaign expired. Identity Cloud sets this status when the template selects When to Certify > When certification expires > Close open items > Immediately.

Completed

The campaign finished as expected with no issues.

Access reviews landing page columns

The campaigns listed on the landing page of the Access Reviews tab are presented in a table with the following columns.

Field Description

Name

The name of the campaign. This name is generated from the template.

Deadline

The date by which the campaign must be completed.

Status

The state the campaign is in. Refer to Campaign statuses to filter for more information.

Progress

The percent complete of the campaign.

To view the percentage and number of items that are complete, hover over the progress icon.
To sort the table by a column, click the up/down icon in the column header.

To view additional actions, such as forwarding all of a certifier's items to another person or to end users assigned to a role, click the icon to the right of the table.

View individual access review line items

For an end user to review the line items they need to certify, click an access review (campaign).

The top section of the screen shows information about the access review including:

  • The Status metric shows the percentage of items to complete, as well as a numeric value of items that are complete versus the total amount of items.

  • The Decisions pie chart shows the number of records certified versus revoked.

  • The Deadline is the campaign completion date. Click the View campaign details to view additional information such as the description of the campaign and the campaign owner.

Access review task columns

The following columns can change depending on the certification type and configuration options in the template.

The columns in the line items table are:

Field Description

User

The user in Identity Cloud.

Application

The onboarded application the user has access to.

Account

The account in the application that correlates to a user in Identity Cloud.

Entitlement

The entitlement in the application that the user has been granted.

Flags

Information about how access was given. One or more of these flags can display on a line item:

  • Reconciliation — The access was granted through a reconciliation process.

  • Role-based — The access was granted through a role.

  • Temporal constraints — The access was granted through a role, but only for a specified period of time.

  • New access — The access is new and has never been certified.

Comment

Comments that have been made on a record in a campaign. A number above the comment icon indicates the amount of comments left.

Decision

The action taken on a record in a certification.

Options are:

  • Certify access

  • Revoke access

  • Allow an exception: For this to display, you must configure the Additional options section of the template.

To view information about a line item, click on the item under the column. For example, to review a user’s information in Identity Cloud for an identity certification type, click the user’s name and a modal window pops up displaying the information for review. The same is true for each single item in a row.

To view additional line items in the access review, click the caret icon at the bottom of the table.

High-level reviewer steps

The following are typical steps when an end user certifies line items in an access review (campaign):

  1. Click into a record and review information by clicking into each item in the row.

  2. Add a comment if necessary (or mandatory if the campaign requires it).

  3. Make a decision by selecting Certify access, Revoke access, or Allow an exception. The last reviewer on the item to make a decision is the decision that will prevail for the item.

  4. Repeat steps 1-3 for each line item in the table.

  5. Once an end user certifies every record, click Sign-off. Once this takes place, no changes can be made to the campaign as it acts as the final decision on a certification.

    If Allow partial sign-off is enabled in the Additional Options section of the campaign template, then the line items do not have to be completed before the task can be signed off. A gradual fashion can be used whereas a subset of the items can be signed off and the other items can be completed at a later date. For more information on setting these configurations in the template, refer to additional options.

These steps may vary depending on the configuration of the template. For example, if bulk actions are enabled, the certifier can make a decision for several items in the table at once. Additionally, the task could be reassigned or forwarded.

Subsequent sections display various functions of the certifier process in detail.

Filter and group items

End users can filter and group items to make them more manageable when certifying.

Filter items

Certifiers can manipulate the data presented on an access review.

To filter the items, click on the filter icon in the top right of the line items table. Once selected, there are two ways to filter:

  • By decision: Filter the table by the decision made on a line item, either Certified, Revoked, Exception Allowed, or No Decision.

  • By item attributes: Filter the table by a particular column item, such as a user. Click the item to filter on, then enter the appropriate value in the additional box that is displayed.

Group items

Grouping items aggregates duplicate information.

For example, if a user has four entitlements, the campaign items table displays this as four separate records. In grouping by fields, the entitlements display as a sub-table under a record, reducing the redundancy of reviewing the same record’s information.

To group the items, click the Group By icon above the Filter icon.

When end users select an object to group by, for example, Account, the view of the table changes splitting the screen in half.

If multiple objects are selected in the What to Certify section of the template, such as accounts and entitlements, end users can navigate between them.

Customize table columns

An end user can modify the columns presented in the line items table.

For example, they may want to display additional user properties.

To customize columns:

  1. Click the view columns icon.

  2. Under Available Columns, click each section and select or deselect the columns to display.

  3. Under Active Columns, rearrange the order of the columns by clicking the drag icon and dragging each column to the desired position.

    To remove an Active Column, click the delete icon.
  4. Click Apply.

Add comment

Certifiers can leave a comment in an access review.

The comment could vary in nature due to a number of reasons:

  • A justification for the decision being made.

  • A comment about why the item is being reassigned.

  • A comment about why the item is being forwarded.

  • A comment from another certifier, if there are multiple certifiers on the line item(s).

An auto-generated comment is created when an item is forwarded or reassigned.

To add a comment:

  1. Open the comment box in either of these ways:

    • Click the comment icon on the line item.

    • Click the menu next to the item to comment on and click Add Comment.

  2. Enter the comment.

  3. Click Add Comment.

Once a comment has been added to a line item, it cannot be removed; it remains part of the certification record.

Make a decision (certify)

A decision is an action a certifier makes on a line item in an access review.


A certifier can do one of the following:

  • To Certify (keep) access, click the green checkmark icon.

  • To Revoke (deny) access, click the circle-backslash icon. A mandatory comment box then displays, and the certifier must enter a reason for revoking the line item.

    When the campaign is signed off, if the Process remediation option is enabled in the Additional Options section of the template, the line item is removed from the onboarded application.

  • To Allow an exception, click the clock icon. This icon is disabled unless you explicitly enable exceptions by marking Allow Exceptions (under Additional Options) as allowed.

    You can also specify the duration for exceptions under Additional Options. For more information, refer to additional options.

A line item carries a single prevailing decision regardless of how many certifiers it has: the decision made by the last certifier is the one that prevails. After an access review (campaign) is signed off, a decision cannot be modified; further changes require remediation through another campaign.

Decisions change based on how you grant access

Depending on the certification type and how an end user is given access to a resource, the decisions a certifier can take on a line item change:

How you grant access Cert type Notes

To an application or entitlement via a role.

Identity

Identity Governance can't certify or revoke the line item if you assign an end user to an application or entitlement using a role.

To remove the user from the application or entitlement, remove them from the role.

Identity Governance shows that the access is role-based by displaying the Role-based flag in the Flags column.

Roles are selected in the What to Certify section of the template, and the end user is assigned to a role through a condition being met.

Identity

Identity Governance can't certify or revoke an end user's membership of a role when that membership is granted through a condition.

To remove the end user from the role, update them so that they no longer meet the condition.

To an entitlement via a role.

Entitlement

Identity Governance can't certify or revoke the line item if you assign an end user to an entitlement using a role.

To remove an end user from an entitlement they were granted through a role, remove them from the role.

Through a role with a condition.

Role membership

Identity Governance can't certify or revoke an end user's membership of a role when that membership is granted through a condition.

To remove the end user from the role, update them so that they no longer meet the condition.

For each situation, the following UI elements change:

  • The Revoke and Allow an Exception decisions are disabled.

  • The Certify text changes to Acknowledge.

  • The line item can’t be used with bulk certify.

View other certifiers

For each line item in the access review, certifiers can view the other certifiers. To view them, click the menu next to the item and click View Reviewers.

From here an end user has the ability to:

Edit certifier privileges

To edit the privileges a certifier has, you must enable the configuration setting Enable line item reassignment > Reassign in the Additional Options section of the template.

To edit the permissions of a certifier on a line item:

  1. Click the menu next to the line item and click View Reviewers.

  2. Locate the certifier to modify and click the menu > Edit.

  3. Select/deselect the privileges on the certifier.

  4. Click Save.

Reassign an item

End users reassign a line item by adding another certifier to review the item. When a certifier adds another certifier, they specify the privileges of the certifier.

To reassign an item, you must enable the configuration setting Enable line item reassignment > Reassign in the Additional Options section of the template. For more information, refer to additional options.

There are two ways to reassign an item:

Reassign from view reviewers screen

  1. On the item, click the menu > View Reviewers.

  2. Click + Add a Reviewer.

  3. Select to add either Add a user or Add a role to the line item.

  4. Search for the individual or role and select it.

  5. Select the privileges that the new end user or role will have on the line item. The privileges you can add are:

    1. View — Allows another end user to view the line item.

    2. Comment — Allows another end user to leave a comment on the line item.

    3. Decide — Allows another end user to make a decision on the line item.

    4. Assign/Forward — Allows another end user to reassign or forward the line item.

    5. Sign off — Allows another end user to sign-off on the line item.

      You can only select a privilege if enabled from the template under the Additional Options section. Therefore, the options listed above are subject to change. For more information, refer to additional options.
  6. Click Reassign.

Reassign from bulk reassign

The option for bulk certify and reassign must first be enabled in the Additional Options section of the template before bulk reassign can be utilized. For more details, refer to Bulk certify items.
  1. After selecting more than one item, click the Actions drop-down that shows and select Reassign.

  2. In the modal, choose to reassign to Another user or to Users with assigned role to the line item.

  3. Search for the individual or role and select it.

  4. Select the privileges that the user or role will have on the line item. The privileges you can add are:

    1. View — Allows a user to view the line item.

    2. Comment — Allows a user to leave a comment on the line item.

    3. Decide — Allows a user to make a decision on the line item.

    4. Forward — Allows a user to reassign or forward the line item.

    5. Sign off — Allows a user to sign-off on the line item.

      You will only be able to select a privilege if allowed from the template under the additional options section. Therefore, the options listed above are subject to change.
  5. Click Reassign.

Forward an item

When end users forward a line item in an access review, the end user removes prior certifiers and assigns the line item to another end user or role. The new certifier(s) have full permissions on the line item.

To forward a line item, you must enable the configuration setting Enable line item reassignment > Forward in the Additional Options section of the template.

There are two ways to forward an item:

Individual forwarding

  1. On the line item, click the menu > Forward.

  2. In the modal, choose to forward the line item to Another user or to Users with assigned role.

  3. Search for the individual or role.

  4. End users leave a comment as to why they are forwarding the line item.

  5. Click Forward Item.

Bulk forwarding

The option for bulk certify and forward must first be enabled in the Additional Options section of the certification campaign template before bulk forwarding can be used. For more details, refer to Bulk certify items.
  1. Select more than one item via the checkbox next to the items in the left of the certification items table or check the Select All box.

  2. Click the Actions drop-down that is displayed.

  3. Select Forward.

  4. A modal window is displayed.

  5. Select if the line items should be forwarded to Another user or Users with assigned role.

  6. Search for the individual or role.

  7. End users leave a comment as to why they are forwarding the line items.

  8. Click Forward Item.
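The decision and reviewer rules described in Make a decision (certify), Decisions change based on how you grant access, Reassign an item and Forward an item interact in ways that are easy to misread, so here they are as an executable model: the last decision prevails, sign-off freezes the item, role- or condition-granted access can only be acknowledged, revoking requires a comment, comments are append-only, reassignment adds a reviewer whose privileges are capped by the template, and forwarding replaces every prior reviewer with one holding full privileges. This is an added example and is not ForgeRock Identity Cloud code or its API: the Template and LineItem classes, their method and privilege names, the default grantable privilege set, and the sample line items are assumptions chosen to encode the page's rules.

```python
"""Model of the access-review rules on this page (added example, not product code).
Class, method and privilege names and the sample data are assumptions."""
from dataclasses import dataclass, field

ALL_PRIVILEGES = frozenset({"view", "comment", "decide", "forward", "signoff"})
DECISIONS = frozenset({"certify", "revoke", "exception"})
# Flags that make a line item acknowledge-only (role- or condition-granted access).
ACKNOWLEDGE_ONLY_FLAGS = frozenset({"role-based", "condition"})


@dataclass(frozen=True)
class Template:
    """Subset of the template's Additional Options that affect a certifier."""
    allow_exceptions: bool = False
    reassign_enabled: bool = False
    forward_enabled: bool = False
    partial_signoff: bool = False
    # Privileges a reassigning certifier may grant; the default set is an assumption.
    grantable: frozenset = frozenset({"view", "comment", "decide", "forward"})


@dataclass
class LineItem:
    user: str
    entitlement: str
    flags: frozenset = frozenset()
    reviewers: dict = field(default_factory=dict)   # reviewer -> privileges
    decisions: list = field(default_factory=list)   # (reviewer, decision), in order
    comments: list = field(default_factory=list)    # append-only, never removed
    signed_off: bool = False

    def _require(self, reviewer, privilege):
        if self.signed_off:
            raise PermissionError("signed off: remediate through another campaign")
        if privilege not in self.reviewers.get(reviewer, ()):
            raise PermissionError(f"{reviewer} lacks the {privilege} privilege")

    @property
    def acknowledge_only(self):
        return bool(self.flags & ACKNOWLEDGE_ONLY_FLAGS)

    @property
    def effective_decision(self):
        # The last certifier's decision prevails.
        return self.decisions[-1][1] if self.decisions else None

    def decide(self, reviewer, decision, tmpl, comment=None):
        self._require(reviewer, "decide")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if decision == "exception" and not tmpl.allow_exceptions:
            raise PermissionError("Allow Exceptions is not enabled in the template")
        if self.acknowledge_only and decision != "certify":
            raise PermissionError("role/condition-granted access can only be acknowledged")
        if decision == "revoke" and not comment:
            raise ValueError("revoking requires a comment")
        if comment:
            self.comments.append((reviewer, comment))
        self.decisions.append((reviewer, decision))

    def reassign(self, by, new_reviewer, privileges, tmpl):
        if not tmpl.reassign_enabled:
            raise PermissionError("Enable line item reassignment > Reassign is off")
        self._require(by, "forward")
        # Only privileges the template allows can be granted; the rest are dropped.
        granted = frozenset(privileges) & tmpl.grantable & ALL_PRIVILEGES
        self.reviewers[new_reviewer] = granted
        self.comments.append(("system", f"{by} reassigned the item to {new_reviewer}"))
        return granted

    def forward(self, by, new_reviewer, tmpl, comment):
        if not tmpl.forward_enabled:
            raise PermissionError("Enable line item reassignment > Forward is off")
        self._require(by, "forward")
        if not comment:
            raise ValueError("forwarding requires a comment")
        self.comments.append((by, comment))
        self.comments.append(("system", f"{by} forwarded the item to {new_reviewer}"))
        # Prior reviewers are removed; the new reviewer gets full privileges.
        self.reviewers = {new_reviewer: ALL_PRIVILEGES}

    def sign_off(self, reviewer, tmpl):
        self._require(reviewer, "signoff")
        if self.effective_decision is None and not tmpl.partial_signoff:
            raise ValueError("every item needs a decision unless partial sign-off is enabled")
        self.signed_off = True


def demo():
    """Walk constructed line items through certify, reassign, revoke, forward, sign-off."""
    tmpl = Template(allow_exceptions=True, reassign_enabled=True, forward_enabled=True)
    item = LineItem("bjensen", "payroll:admin", reviewers={"alice": ALL_PRIVILEGES})
    item.decide("alice", "certify", tmpl)
    bob = item.reassign("alice", "bob", {"view", "decide", "forward", "signoff"}, tmpl)
    item.decide("bob", "revoke", tmpl, comment="left the payroll team")
    item.forward("bob", "carol", tmpl, comment="carol owns payroll")
    item.sign_off("carol", tmpl)
    try:
        item.decide("carol", "certify", tmpl)
        frozen = False
    except PermissionError:
        frozen = True
    role_item = LineItem("bjensen", "hr:reader", flags=frozenset({"role-based"}),
                         reviewers={"alice": ALL_PRIVILEGES})
    try:
        role_item.decide("alice", "revoke", tmpl, comment="no longer needed")
        role_revoke_blocked = False
    except PermissionError:
        role_revoke_blocked = True
    return {
        "bob_privileges": set(bob),            # signoff was capped by the template
        "effective": item.effective_decision,  # bob's later revoke wins over alice's certify
        "reviewers": set(item.reviewers),      # forward removed alice and bob
        "signed_off": item.signed_off,
        "frozen": frozen,
        "role_revoke_blocked": role_revoke_blocked,
    }
```

Running demo() walks one constructed item through certify, reassign, revoke, forward and sign-off. The two results worth checking against your own campaign design are the effective decision after several certifiers have acted (the later revoke wins over the earlier certify) and which reviewers remain after a forward (only the forwarded reviewer, with full privileges), since both determine who can still change an item before sign-off.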

Bulk certify items

The bulk certification of line items allow for many items to undergo the certification process at once instead of one-by-one. This configuration setting is not enabled by default and should be used with caution. Most access reviews require an in-depth look into the accuracy of data and bulk certification circumvents this.

To bulk certify line items, you must enable the configuration setting Allow Bulk Decisions in the Additional Options section of the template. For more information, refer to additional options.

Once the bulk certify option is enabled, checkboxes display to the left of the line items table. Additionally, a Select drop-down button displays at the top left of the campaign items table.

When end users select one or more items via the checkboxes, or they select All items (in the drop-down button of Select), an additional Actions drop-down button displays. End users click this button to view actions they can make in a bulk fashion.

Under the Select drop-down button, end users can choose All items under review, All on this page, or Deselect all items.

The items that display under the Actions button vary depending on the configuration settings you enable in the template, but can include:

  • Certify

  • Revoke

  • Allow an exception

  • Reassign

  • Forward


1. Not configured by default, you must enable this in the template configurations.
Copyright © 2010-2024 ForgeRock, all rights reserved.