Identity certification
Select an identity certification type to certify user accounts and entitlements for specific applications.
To review information about templates, refer to Create templates.
You must populate the Display Name Attribute on the target application User entity object in the Details tab. This allows each account pulled into Advanced Identity Cloud to display with a human-readable name. This is required for the data to display properly when a certifier (reviewer) reviews their certification.
The following table lists the areas to configure for each campaign template type:
Section | Description
---|---
Details | General details of the template, such as the name, description, and a default certifier.
What to Certify | The items to be certified.
When to Certify | The cadence at which the review process (campaign) kicks off.
Who will Certify | The end users responsible for certifying the items in the campaign.
Notifications | Optional. Set up email notifications based on various events that take place during the certification process.
Additional options | Optional. Various configurations to allow during the campaign, such as bulk actions on line items or self-certification.
Summary | Summary of configured sections.
Details
This section includes basic information about the template, such as the display name, description, owner, and staging process.
To complete this section, do the following:
- From the Advanced Identity Cloud admin UI, click Certification > Templates > + New Template.
- Select Identity Certification.
- Click Next.
- Complete the following fields:

Name
The display name for the campaign. This campaign name displays on both the certifications tab and the end-user tasks dashboard.
You can define a date variable in the name of the campaign to know which campaign kicks off. Identity Governance uses moment.js to format the date.
For example, if you have a campaign scheduled to run every two weeks, appending the date to the name lets you know which campaign you are working on. The campaign name can include the date (year, month, day), time (hour, minute), and time of day (AM/PM):
Campaign name — {{YYYY-MM-DD-hh:mma}}
When you kick off the template into a campaign, an example of the resulting name is:
Campaign name — 2023-12-12-08:18pm
NOTE: Once the campaign kicks off you cannot modify the name.

Description
Enter a general description for the campaign. Your company should follow a descriptive convention to describe each of your campaigns.
This field is limited to 1000 characters.

Campaign Owner
Enter the owner of the campaign. Only campaign owners can fully control their campaigns, including certification decisions, certifier assignment changes, sign off, and more.

Enable Campaign Staging
Enable staging to set up the campaign in the system but not activate it in production. This option allows compliance officers to preview a campaign before it is activated and exposed to end users. Compliance officers can inspect and review the content, decision items, and other details to determine whether to activate or delete it.

- Click Next.
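To show how a date variable such as {{YYYY-MM-DD-hh:mma}} in the Name field is expanded at kick-off, here is an added JavaScript example (not Identity Governance code). It implements only a subset of moment.js tokens (YYYY, MM, DD, HH, hh, mm, A, a) and assumes the platform substitutes each {{...}} block with the formatted kick-off time; the template name and kick-off time below are constructed.

```javascript
// Added example: expands {{...}} date variables in a campaign template name.
// Assumption: the platform substitutes each {{pattern}} with the kick-off
// time formatted by moment.js; only this subset of tokens is implemented here.
const pad2 = n => String(n).padStart(2, '0');

const TOKENS = {
  YYYY: d => String(d.getFullYear()),
  MM: d => pad2(d.getMonth() + 1),
  DD: d => pad2(d.getDate()),
  HH: d => pad2(d.getHours()),            // 24-hour clock
  hh: d => pad2(d.getHours() % 12 || 12), // 12-hour clock
  mm: d => pad2(d.getMinutes()),
  A: d => (d.getHours() < 12 ? 'AM' : 'PM'),
  a: d => (d.getHours() < 12 ? 'am' : 'pm'),
};

// Longest tokens first so "YYYY" is matched before any shorter token could be.
const TOKEN_NAMES = Object.keys(TOKENS).sort((x, y) => y.length - x.length);

// Format one moment-style pattern; characters that are not tokens pass through.
function formatMoment(pattern, date) {
  let out = '';
  for (let i = 0; i < pattern.length; ) {
    const tok = TOKEN_NAMES.find(t => pattern.startsWith(t, i));
    if (tok) {
      out += TOKENS[tok](date);
      i += tok.length;
    } else {
      out += pattern[i];
      i += 1;
    }
  }
  return out;
}

// Replace every {{pattern}} in the template name. The name is fixed at
// kick-off time; it cannot be changed once the campaign is running.
function expandCampaignName(templateName, kickoff) {
  return templateName.replace(/\{\{([^}]+)\}\}/g, (_, pat) => formatMoment(pat.trim(), kickoff));
}

// Constructed kick-off time: 12 Dec 2023, 20:18 local time.
const sampleKickoff = new Date(2023, 11, 12, 20, 18);
console.log(expandCampaignName('Quarterly access review {{YYYY-MM-DD-hh:mma}}', sampleKickoff));
```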
What to Certify
This section lets you define the items to certify, including the organizations, users, applications, accounts, and entitlements.
To complete this section, do the following:
- Complete the following fields:

Organizations
Filter any generated certification by organization. This feature only appears for identity certification campaigns.
- All organizations
Include child organization
Click to include any suborganizations in the campaign.
Users
Certify one of the following:
- All users
- A single user
- Users matching a filter — Create a filter to certify select users.

Accounts, Entitlements, Roles
Select at least one of the following:
- Certify User Accounts.
- Certify User Entitlements.
- Certify User Roles.

Applications
Certify one of the following:
- All applications
- Specific applications — If you select this, an additional box displays to select which applications to certify.
- Applications matching a specific filter — Create a filter to certify specific applications.
If you create a governance glossary attribute and enhance the target application(s) with the attribute, you can filter on the attribute(s) you create. For more information, refer to Create an application glossary attribute.
Accounts
Displays if you selected Certify User Accounts.
- Select All accounts in selected applications if you selected Certify User Accounts.

Entitlements
Displays if you selected Certify User Entitlements.
Certify one of the following if you selected Certify User Entitlements:
- All entitlements
- Entitlements matching a filter — Create a filter to certify specific entitlements.
If you create a governance glossary attribute and populate the attribute you create on the onboarded entitlement(s), you can filter on the attribute(s) you create. For more information, refer to Create an entitlement glossary attribute.

Roles
Displays if you selected Certify User Roles.
Certify one of the following if you selected Certify User Roles:
- All roles
- Roles matching a filter — Create a filter to certify specific roles.
If you create a governance glossary attribute and populate the attribute you create on roles, you can filter on the attribute(s) you create. For more information, refer to Create a role glossary attribute.

Exclude access granted only from a role
Enabled by default.
Excludes account and entitlement line items that are granted only through a role.
Identity Governance cannot certify or revoke an application or entitlement from an end user when they are granted access through a role; therefore, excluding these line items can help reduce unnecessary information in the certification. For more information, refer to Decisions change based on how you grant access.

Exclude dynamically granted role memberships
Displays if you selected Certify User Roles.
Enabled by default if you are creating a role membership certification.
Excludes role line items that are granted to an end user through a condition.
Identity Governance cannot certify or revoke an end user's membership in a role when it is granted through a condition; therefore, excluding these line items can help reduce unnecessary information in the certification. For more information, refer to Decisions change based on how you grant access.

(Optional) Show advanced filters
To certify accounts based on properties from the last certification decision made on a line item, select Filter by last certification decision from the drop-down.
A line item is a particular record for a certifier to review. For example, the user Barbara Jensen's record that details their access to a particular application is a line item.

- Click Next.
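To make the effect of the two exclusion options concrete, here is an added JavaScript example (not Identity Governance code). It assumes a simplified data model in which each user's access records how it was granted (directly, through a static role, or through a role condition); the sample access data is constructed, and the product's actual evaluation is not shown.

```javascript
// Added example: a simplified model of how "Exclude access granted only from a
// role" and "Exclude dynamically granted role memberships" trim a campaign's
// line items. Assumption: each grant lists its sources as 'direct', 'role'
// (static role membership) or 'condition' (dynamic role membership).

// Constructed sample access data for two users.
const SAMPLE_ACCESS = [
  { user: 'bjensen', type: 'account', target: 'HRApp', sources: ['direct'] },
  { user: 'bjensen', type: 'entitlement', target: 'HRApp:payroll-admin', sources: ['role'] },
  { user: 'bjensen', type: 'role', target: 'HR Manager', sources: ['direct'] },
  { user: 'jdoe', type: 'account', target: 'HRApp', sources: ['role'] },
  { user: 'jdoe', type: 'entitlement', target: 'HRApp:viewer', sources: ['role', 'direct'] },
  { user: 'jdoe', type: 'role', target: 'Contractors', sources: ['condition'] },
];

// Returns the line items a campaign built from these template options would contain.
// opts.certify lists the item types selected under "Accounts, Entitlements, Roles".
function buildLineItems(access, opts) {
  const certifyTypes = new Set(opts.certify);
  return access.filter(item => {
    if (!certifyTypes.has(item.type)) return false;
    // Account or entitlement access held only through a role cannot be revoked
    // on its own, so it is dropped when the exclusion is enabled (the default).
    const roleOnly = item.sources.every(s => s === 'role');
    if (opts.excludeRoleOnlyAccess && item.type !== 'role' && roleOnly) return false;
    // Role membership granted by a condition likewise cannot be revoked per user.
    if (opts.excludeDynamicRoles && item.type === 'role' && item.sources.includes('condition')) return false;
    return true;
  });
}

// The check the Summary section asks for: a template yielding 0 decision items
// produces a campaign that is cancelled as soon as it kicks off.
function totalDecisionItems(access, opts) {
  return buildLineItems(access, opts).length;
}

const defaultOpts = { certify: ['account', 'entitlement'], excludeRoleOnlyAccess: true, excludeDynamicRoles: true };
console.log('decision items with defaults:', totalDecisionItems(SAMPLE_ACCESS, defaultOpts));
```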
When to Certify
The When to Certify section lets the administrator specify when to kick off the review process (campaign) and what to do in the event the campaign expires.
To complete this section, do the following:
- Complete the following fields:

Schedule
Define whether the template kicks off on a periodic basis. If selected, input various choices to define the schedule.
Check the Run on a schedule box to define a schedule for the template.
Options include:
- Run Every - Run the certification every specified number of days, weeks, months, or years.
- Start - Specify a start time when this campaign kicks off for the first time.
- End - Run the certification on its defined periodic basis until this date is reached.

Campaign Duration
Specify the amount of time each access review (campaign) has before expiration. You can specify the duration in days, weeks, months, or years.

When Campaign Expires
Select a behavior to handle the open access review (campaign) line items when the campaign expires:
- Close open items - Complete the items using the given information after the campaign expires. The administrator can select what decision to add to the item (certify, revoke, or allow exception) and when that decision takes effect. The decision can take effect immediately or after a duration (in days).
- Reassign to - Select a given user or role to whom the access review (campaign) is reassigned after the expiration date. The campaign is not closed.
- Do Nothing - No action is taken, and the line items remain in progress.

- Click Next.
Who will Certify
This section allows you to specify the users that review and make decisions about the items you defined in the What to Certify section.
To complete this section, do the following:
- Complete the following fields:

Certifier Type
Specify who can review and certify user access by selecting one of the following:
- User — Select a single user to review and make a decision on every record. When you select this, a Select user box displays. Select the user who will certify the campaign.
- Role — Select a role that allows any of its members to review every record. When you select this, a Select a role box displays. Select a role from the list of roles created in Advanced Identity Cloud.
- Manager — The user's manager becomes the certifier of their data (also known as a line item).
- Organization Admin - Select an administrator for an organization who can certify their data.

Enable default certifiers
Select a certifier to assign in case an access review (campaign) line item is not assigned a certifier. For example, if the manager is the certifier and the user has no manager defined, then the default certifier is assigned the access review for this user.

- Click Next.
Notifications
This optional section allows you to send email notifications when one or more campaign events are triggered. For example, when a campaign is about to expire or when a certifier is reassigned.
To complete this section, do the following:
- Define an email template for each selected notification. Each notification requires an associated email template. From the left navigation pane in the Advanced Identity Cloud admin UI, go to Email > Templates. For more information, refer to Email templates.
There are preset email templates created for certification templates. Use these as a base: copy the email template and customize it to suit your needs. To reference variables in your email templates for Identity Governance, the object is nested an additional level. The following table shows how to access these objects:
Item | Usage
---|---
User attributes | Use the syntax object.user.userAttribute. Use the attributes available from the email template screen. For more information, refer to Email templates.
Manager attributes | Use the syntax object.manager.managerAttribute. Use the attributes available from the email template screen. For more information, refer to Email templates. If the manager is the certifier type in the Who will Certify section, use the same user attributes in the managerAttribute. For example, if you need to reference a user's manager within the email, use this object.
Campaign attributes | Use the syntax object.campaign.campaignAttribute. Available attributes are name and type.
- Select any of the notification types:

Send initial notification
Send a notification any time a certifier is assigned to a line item.

Send reassign notification
Send to a new certifier when a line item in an access review (campaign) is reassigned or forwarded to them.

Send expiration notification
Send a reminder notification to the certifiers before a campaign expires. Select the number of days before the campaign expires to send the reminder.
To illustrate the expiration notification mechanism: if the notification is set for three days prior to expiration, reviewers receive an email when the campaign is three days away from the expiration date. If the deadline is extended by a week, the notification date is recalculated and the notification is sent three days before the new deadline, regardless of any previously sent notifications.

Send reminders
Send a notification to remind certifiers to take action on access review (campaign) line items. Select the number of days, weeks, months, or years to send the reminder.

Enable escalation
Send an escalation notification to specific recipients when certifiers have not completed their actions on a campaign. When selected, an additional Escalation Owner box displays. Select the number of days, weeks, months, or years and the user to send the escalation to.

- Click Next.
Additional options
This optional section allows you to configure other options for a campaign, such as performing bulk certifications or reassigning tasks to another user or group.
To complete this section, do the following:
- Complete the following optional fields:

Allow self-certification
Allows select individuals to certify their own data.
The options to choose from are:
- All certifiers - Users who are certifying the access review (campaign) can certify their own access.
- Owners and administrators - Users who are campaign owners or tenant administrators can certify their own access.

Enable line item reassignment and delegation
Allow the certifier to reassign or forward a line item to another user.
When you select this box, you can choose the following options:
- Forward - Allow certifiers to forward their access review (campaign) to another certifier. When forwarding an access review, other certifiers are removed from the access review in its entirety. For more information, refer to forward line items.
- Reassign - Select the privileges the current certifier can assign to the new certifier:
  - Add Comment
  - Make Decision
  - Reassign/Forward
  - Sign off
For context on how you use this as a certifier, refer to reassign line items.

Require justification on revoke
Require a mandatory comment or reason for the revocation.

Require justification on exception
Require a mandatory comment or reason for any allowed exception.

Allow exceptions
Allow certifiers to continue to certify line items assigned to them after the campaign expires. Select a duration in days, weeks, months, or years.

Allow bulk-decisions
Allow certifiers to make line item decisions in bulk.
This includes:
- Making a decision (certify, revoke, exception).
- If Enable line item reassignment and delegation is enabled, bulk Reassign and/or Forward of line items.
As an administrator, be aware that most access reviews require an in-depth look at each line item to ensure the accuracy of each decision. Bulk decisions allow a certifier to decide on many items at once, which could lead to inaccurate results. Use caution when selecting this option.

Allow partial sign-off
Allow a certifier to sign off on an access review before all of their assigned line items have a decision.

Process remediation
Revokes the end user's access in the target application when a certifier revokes (denies) the line item. Select a workflow to run either immediately after revocation of access or after a duration.
To ensure end-user access is removed when revoking a line item, you must enable this property.

- Click Next.
Summary
The Summary section is the final section in creating a template. It gives a breakdown of each section in the template, allowing for a review.
Summary steps:
- Review each section.
- Click Save to complete the certification template.
Under the What to Certify review section, ensure that the Total Decision Items is greater than 0. If it is 0, the template did not identify any items to be certified, and if you create a campaign from the template, the system immediately cancels the campaign. If it is 0, go back to the What to Certify section and adjust your settings.