Identity Cloud

Identity certification

Select an Identity certification type to certify user accounts for specific applications.

To review information about templates, refer to Create templates.

The following table lists the areas to configure for each campaign template type:

Section Description


General details of the template, such as the name, description, and a default certifier.

What to Certify

The items to be certified.

When to Certify

The cadence at which to run the campaign.

Who will Certify

The individuals who are responsible for certifying the items in the campaign.


Optional. Set up email notifications based on various events that take place during the certification process.

Additional options

Optional. Various configurations to allow during the campaign, such as bulk actions on line-items or self-certification.


Summary

Summary of configured sections.


This section includes basic information about the template, such as the display name, description, owner, and staging process.

To complete this section, do the following:

  1. From the Identity Cloud admin UI, click Certification > Templates > + New Template.

  2. Complete the following fields:

    Field Description

    Certification Name

    The display name for the certification. This certification name displays on both the certifications tab and the end-user tasks dashboard.

    You can define a date variable in the name of the certification to identify which campaign was run. Identity Governance uses moment.js to format the date.

    For example, if a certification is scheduled to run every two weeks, appending the date to the name shows which campaign you are working on.

    To include the year, month, day, hour, minute, and AM/PM marker, name the certification as follows:

    Campaign name - {{YYYY-MM-DD-hh:mma}}

    When the template is run into a campaign, an example of the name is: Campaign name - 2023-04-23-08:18pm

    After the certification is run, you can’t change the name.


    Enter a general description for the certification. Your organization should follow a descriptive convention to describe each of your certifications.

    This field is limited to 1000 characters.

    Certification Owner

    Enter the owner of the certification. Only certification owners can fully control their certifications, including certification decisions, certifier assignment changes, sign off, and more.

    Enable Campaign Staging

    Enable certification staging to set up the certification in the system but not activate it in production. This option allows compliance officers to preview a certification before it is activated and exposed to end users. Compliance officers can inspect and review the content, decision items, and other details to determine whether to activate or delete it.

  3. Click Next.

What to Certify

This section allows you to define the items to certify, including the certifiers, applications, and accounts.

To complete this section, do the following:

  1. Complete the following fields:

    Field Description


    Certify one of the following:

    • All users

    • A single user

    • Users matching a filter: Create a filter to certify select users.


    Certify one of the following:

    • All applications

    • Specific applications: If you select this, an additional box is displayed to select which Applications to certify.

    • Applications matching a specific filter: Create a filter to certify specific applications.


    Select All accounts in selected applications.

    (Optional) Show advanced filters

    To certify accounts based on properties from the last certification decision made on a line-item, select Filter by last certification decision from the drop-down.

    A line-item is a particular record for a certifier to review. For example, the user Barbara Jensen’s record that details their access to a particular application is a line-item.

  2. Click Next.

When to Certify

The When to Certify section lets the administrator specify when to run the campaign and what to do in the event the campaign expires.

To complete this section, do the following:

  1. Complete the following fields:

    Field Description


    Define whether this certification will run on a periodic basis. If selected, the administrator can input various choices to define the schedule on which the certification will run.

    Check the Run on a schedule box to define a schedule for the template.

    Options include:

    • Run Every: Run the certification every specified number of days, weeks, months, or years.

    • Start: Specify a start time when this campaign will run for the first time. We recommend using this in most cases; otherwise, the schedule will likely run immediately on creation of the template.

    • End: Run the certification on its defined periodic basis until this date is reached.

    Campaign Duration

    Specify the amount of time each access review (campaign) has before expiration. You can specify the duration in days, weeks, months, or years.

    When Campaign Expires

    Select a behavior to handle the open access review (campaign) line-items when the campaign expires:

    • Close open items: Complete the items using the given information after the campaign expires. The administrator can select what decision to add to the item (certify, revoke, abstain from, and allow exception to) and when that decision takes effect. The decision can take effect immediately or after a duration (in days).

    • Reassign to: Select a given user or role that the access review (campaign) is reassigned to after the expiration date. The campaign will not be closed.

    • Do Nothing: No action will be taken, and the line-items will remain in progress.

  2. Click Next.

Who will Certify

This section allows you to specify the users that review and make decisions about the items you defined in the What to Certify section.

To complete this section, do the following:

  1. Complete the following fields:

    Field Description

    Certifier Type:

    Specify who can review and certify user access by selecting one of the following:

    • User: Select a single user to review and make a decision on all the items. When you select this, a Select user box displays. Select the user who will certify the campaign.

    • Role: Select a role that allows any of its members to act on a decision item. When you select this, a Select a role box displays. Select a role from the list of the created roles in Identity Cloud.

    • Manager: The user’s manager becomes the certifier of their data (also known as a line-item).

    Enable default certifiers

    Select a certifier to assign in case an access review (campaign) line-item is not assigned a certifier. For example, if the manager is the certifier and the user has no manager defined, then the default certifier will be assigned the access review for this user.

  2. Click Next.


This optional section allows you to send email notifications when one or more campaign events are triggered. For example, when a campaign is about to expire or when a certifier is reassigned.

To complete this section, do the following:

  1. Define an email template for each selected notification. Each notification requires an associated email template. From the left navigation pane in the Identity Cloud admin UI, go to Email > Templates. For more information, refer to Email templates.

    To reference variables in your email templates for Identity Governance, the object is nested an additional level. The following table shows how to access these objects:



    User attributes

    Use the syntax object.user.userAttribute.

    Use the attributes available from the email template screen. For more information, refer to Email templates.

    Manager attributes

    Use the syntax object.manager.managerAttribute.

    Use the attributes available from the email template screen. For more information, refer to Email templates.

    If the manager is the certifier type in the Who will Certify section, use the same user attributes in the managerAttribute. For example, if you need to reference a user’s manager within the email, then use this object.

    Campaign attributes

    Use the syntax object.campaign.campaignAttribute.

    Available attributes are name and type.

  2. Select any of the notification types:

    Field Description

    Send initial notification

    Send a notification any time a certifier is assigned to a line-item.

    Send reassign notification

    Send to a new certifier when a line-item in an access review (campaign) is reassigned or forwarded to them.

    Send expiration notification

    Send a reminder notification to the certifiers before a campaign expires. Select the number of days, before the campaign expires, to send the reminder.

    Send reminders

    Send a notification to remind certifiers to take action on access review (campaign) line-items. Select the number of days, weeks, months, or years to send the reminder.

    Enable escalation

    Send an escalation notification to specific recipients when certifiers have not completed their actions on a campaign. When selected, an additional Escalation Owner box displays. Select the number of days, weeks, months, or years and the user to send the escalation to.

  3. Click Next.

Additional options

This optional section allows you to configure other options for a campaign, such as performing bulk certifications or reassigning tasks to another user or group.

To complete this section, do the following:

  1. Complete the following optional fields:

    Field Description

    Allow self-certification

    Allows select individuals to certify their own data.

    The options to choose from are:

    • All certifiers: Users who are certifying the access review (campaign) can certify their own access.

    • Owners and administrators: Users who are campaign owners or tenant administrators can certify their own access.

    Enable line-item reassignment and delegation

    Allow the certifier to reassign or forward a line-item to another user.

    When you select this box, you can choose the following options:

    • Forward: Allow certifiers to forward their access review (campaign) to another certifier. When forwarding an access review, all other certifiers are removed from the access review in its entirety. For more information, refer to forward line-items.

    • Reassign: Select the privileges the current certifier can assign to the new certifier:

      • Add Comment

      • Make Decision

      • Reassign/Forward

      • Sign off

        For context on how you use this as a certifier, refer to reassign line-items.

    Allow exceptions

    Allow certifiers to continue to certify line-items assigned to them after the campaign expires. Select a duration in days, months, weeks, or years.

    Allow bulk-decisions

    Allow certifiers to make line-item decisions in bulk.

    This includes:

    • Making a decision (certify, revoke, exception).

    • If Enable line-item reassignment and delegation is enabled, then you can bulk Reassign and/or Forward line-items.

    Most access reviews require an in-depth look at each line-item to ensure the accuracy of each item. Bulk decisions allow a certifier to make a decision on many items at once, which could lead to inaccurate data. Use caution when selecting this option.

    Allow partial sign-off

    Allow a certifier to sign off on an access review before all of their assigned line-items have a decision made on them.

    Process Remediation

    Select a workflow to run either immediately after revocation of access or after a duration.

  2. Click Next.


Summary

The Summary section is the final section in creating a template. It gives a breakdown of each section in the template, allowing for a review.

Summary steps:

  1. Review all items.

  2. Click Save Template to complete the certification template.

    Under the What to Certify review section, ensure that the Total Decision Items is greater than 0. A value of 0 means that the template did not identify any items to be certified, so if you create a campaign from the template, the system will immediately cancel the campaign. If the value is 0, go back to the What to Certify section and adjust your settings.
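
The conditions this page calls out across the template sections can be collected into one pre-save review. The following is an added example, not ForgeRock code: the page documents only the admin UI, so the dictionary keys and the sample template are hypothetical, and each check restates a statement made in the section named in its comment.

```python
import re

# Hypothetical template representation: the page documents only the admin UI,
# so every key below is an assumption made for this example.
def review_template(t):
    """Return a list of (severity, message) findings for a certification template."""
    findings = []
    # Summary: zero decision items means the campaign is cancelled immediately.
    if t.get("total_decision_items", 0) <= 0:
        findings.append(("error", "Total Decision Items is 0; campaign would be cancelled"))
    # Details: the description field is limited to 1000 characters.
    if len(t.get("description", "")) > 1000:
        findings.append(("error", "Description exceeds 1000 characters"))
    sched = t.get("schedule")
    if sched:
        # When to Certify: without Start, the schedule likely runs on creation.
        if not sched.get("start"):
            findings.append(("warn", "Scheduled without Start; likely runs immediately"))
        # Details: a {{...}} date variable tells recurring campaigns apart.
        if not re.search(r"\{\{[^{}]+\}\}", t.get("name", "")):
            findings.append(("info", "Recurring template name has no date variable"))
    # Who will Certify: users without a manager need a default certifier.
    if t.get("certifier_type") == "manager" and not t.get("default_certifier"):
        findings.append(("warn", "Manager certifier with no default certifier"))
    # Notifications: each selected notification requires an email template.
    for kind, cfg in t.get("notifications", {}).items():
        if cfg.get("enabled") and not cfg.get("email_template"):
            findings.append(("error", f"Notification '{kind}' has no email template"))
    # Additional options: bulk decisions could lead to inaccurate data.
    if t.get("allow_bulk_decisions"):
        findings.append(("warn", "Bulk decisions enabled; could lead to inaccurate data"))
    return findings

# Constructed sample template (not real tenant data).
SAMPLE = {
    "name": "Quarterly app access",
    "description": "Certify accounts in selected applications.",
    "total_decision_items": 0,
    "schedule": {"every": "2 weeks", "start": None},
    "certifier_type": "manager",
    "default_certifier": None,
    "notifications": {"expiration": {"enabled": True, "email_template": None}},
    "allow_bulk_decisions": True,
}

if __name__ == "__main__":
    for severity, message in review_template(SAMPLE):
        print(f"{severity.upper():5} {message}")
```
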
Copyright © 2010-2023 ForgeRock, all rights reserved.