Identity Cloud

User items

A user can be assigned items. When a user is assigned a task and logs in to the Identity Cloud console as an end user, the items are displayed under the Dashboard tab or the Inbox tab in the left navigation pane.

Figure 1. End user dashboard (screenshot of the end user screen for Identity Governance)
The Dashboard and Inbox tabs are only enabled in Identity Cloud when the Identity Governance add-on capability is purchased.

Dashboard

The Dashboard tab is the landing page users are directed to after logging in. It aggregates actions for the end user to take in one central place. The displayed cards link to the respective section in the Identity Cloud End User UI where the action lies.

To navigate to the Dashboard tab, from the Identity Cloud End User UI, click Dashboard in the left navigation pane.

For example, if a user is assigned an access review, it is displayed on the Dashboard. Clicking the card takes the user to the Inbox tab.

Inbox

The Inbox tab is the main tab that regular users will interact with. This tab aggregates all the items that are given to a user, no matter how that task was assigned.

To access the Inbox tab, from the Identity Cloud End User UI, click Inbox.

Certify user access

The process of certifying access for users is known as an access review.

Figure 2. Certify access step in access certifications (screenshot)

Notes on access reviews:

  • When a user is designated as a reviewer from a campaign, it is displayed under Inbox > Access Reviews or in their Dashboard landing.

  • A user who has an access review is considered a reviewer, or certifier, of the certification.

  • An access review consists of one or more line-items, or records, to review and certify.

  • Certifiers are initially assigned when a tenant administrator creates the template and a campaign is started. A reviewer can also be added through forwarding or reassignment during the campaign duration.

  • Certifiers can change the decision a previous reviewer made for an item. Only one decision can be made per item.

    For example, if one certifier decides to certify the access for a line-item, but another certifier later decides to revoke access for it, the last certifier's decision is the decision that stands.

    You cannot make changes to a campaign after a decision is set and the campaign is signed off. Additional changes require remediation through another campaign.

Because various features are enabled or disabled depending on the configurations in the template, the following table provides quick links to the sections on this page.

Details
Item Description

View all access review tasks

A landing screen that shows all access reviews that are assigned to you.

This includes an explanation of the access review landing page columns.

View individual access review line-items

The screen where you complete the access review of the line-items for a campaign.

A line-item is a record for a certifier to review. For example, the user Barbara Jensen’s record that details their access to a particular application is a line-item.

This includes:

  • Access review task columns: A description of the columns that display when you certify items.

  • High-level reviewer steps: An overview of potential steps to take when reviewing items. Since there are various combinations of configurations you can make in the template, this process is subject to change.

Filter items

Filter campaign items that display data in different ways.

Customize table columns

Rearrange or hide the table columns.

Add comment

Provide a comment on a line-item in the access review.

Use cases include:

  • Justification for why a decision was made.

  • Rationale for reassigning the item.

  • Rationale for forwarding the item.

  • To view/respond to a comment left by another reviewer.

Make a decision (certify)

Make a decision to either certify access, revoke access, or provide an exception to access for a specified duration (you must enable the configurations in the template).

View other certifiers

View other reviewers assigned to a line-item in the access review.

Reassign an item

Not configured by default, you must enable this in the template configurations.

You can reassign an item that is assigned to you and define the permissions of the new assignee.

There are two ways to reassign a line-item: from the View Reviewers screen, or through bulk reassign.

Forward an item

Not configured by default, you must enable this in the template configurations.

Remove all prior reviewers and assign the line-item to one or more other individuals. The forwarded individuals are given full permissions on the item.

There are two ways to forward a line-item: individually, or through bulk forwarding.

Bulk certify items

Not configured by default, you must enable this in the template configurations.

Perform a bulk line-item certification. Not recommended for every campaign as this will bypass much needed manual oversight on each item.

Delegate items

Delegate items assigned to you to others indefinitely or for a specific time period.

View all access review tasks

To view the access review tasks, from the Identity Cloud End User UI, click Inbox > Access Reviews.

The landing screen on Access Reviews is a view of all the Active campaigns that have a task assigned to you.

To view campaigns that have a specific status, such as Closed or Canceled, click the Status drop-down and filter the status.

To view additional tasks, click the caret icons at the bottom of the table.
Campaign statuses to filter
Status Description

Active

The campaign is in progress. In the Status column, this includes the In-progress, Expiring and Overdue states.

  • In-progress: The campaign is in progress and active.

  • Expiring: The campaign is in process and will expire in two days or less. The deadline is defined in the template, but it can be updated at any time. For more information on updating a campaign deadline, refer to the [governance-admin-campaign-details].

  • Overdue: The campaign is past the expiration date but in process. Tasks still require completion. Identity Governance sets this status when you select one of the following settings in the template:

    • When to Certify > When certification expires > Close open items > Reassign.

    • Do nothing.

The template defines the deadline; however, you can update the deadline at any time. For more information, refer to the details tab.

Expired

The campaign expired. Identity Cloud triggers this status when you select When to Certify > When certification expires > Close open items > immediately in the template.

Completed

The campaign finished as expected with no issues.

Access reviews landing page columns

The landing page of the Access Reviews tab lists campaigns in a table with the following columns.

Table 1. Campaign tab landing page columns
Field Description

Name

The name of the campaign. This name is generated from the template.

Deadline

The date by which the campaign must be completed.

Status

The state the campaign is in. Refer to Campaign statuses to filter for more information.

Progress

The percent complete of the campaign.

To view the percentage and number of items that are complete, hover over the progress icon.
To filter a column, click the up/down icon.

The ellipses (…) to the right of the table show additional features, such as forwarding a certifier's items to another person or to users assigned to a role.

View individual access review line-items

To review the line-items you need to certify, click an access review (campaign) assigned to you.

The top section of the screen shows information about the access review including:

  • The Status metric shows the percentage of items to complete, as well as the number of completed items versus the total number of items.

  • The Decisions pie chart shows the number of records certified versus revoked.

  • The Deadline is the campaign completion date. Click View campaign details to view additional information, such as the description of the campaign and the campaign owner.

Access review task columns

The columns that are shown in the line-items table are:

Field Description

User

The user in Identity Cloud.

Application

The onboarded application the user has access to.

Account

The account in the application that correlates to a user in Identity Cloud.

Comment

Comments that have been made on a record in a campaign. A number above the comment icon indicates the number of comments left.

Decision

The action taken on a record in a certification.

Options are:

  • Certify access

  • Revoke access

  • Allow an exception: For this to display, you must configure the Additional options section of the template.

To view information about a line-item, click the item in its column. For example, to review a user's information in Identity Cloud for an Identity Certification type, click the user's name; a modal window pops up displaying the information for review. The same is true for each item in a row.

Figure 3. Review data on a line-item (screenshot of the access review modal screens)
To view additional line-items in the access review, click the caret icon at the bottom of the table.

High-level reviewer steps

The following are typical steps when you certify line-items in an access review (campaign):

  1. Click into a record and review information by clicking into each item in the row.

  2. Add a comment if necessary (or mandatory if the campaign requires it).

  3. Make a decision by selecting Certify access, Revoke access, or Allow an exception. The decision of the last reviewer to decide on the item prevails.

  4. Repeat steps 1-3 for each line-item in the table.

  5. Once you certify every record, click Sign-off. After sign-off, no changes can be made to the campaign, because sign-off is the final decision on a certification.

    If Allow partial sign-off is enabled in the Additional Options section of the campaign template, all the line-items do not have to be completed before the task can be signed off. You can sign off gradually: sign off a subset of the items and complete the others at a later date. For more information on setting these configurations in the template, refer to additional options.

    Figure 4. High-level reviewer steps (video of a typical process for certifying items)
    These steps may vary depending on the configurations made in the template. For example, if bulk actions are enabled, the certifier can make a decision for all the items in the table at once. Additionally, the task could be reassigned or forwarded.

Subsequent sections display various functions of the certifier process in detail.

Filter items

When viewing the access review as a certifier, there are various ways to manipulate the data presented on the screen.

To filter the items, click on the filter icon in the top right of the line-items table. Once selected, there are two ways to filter:

  • By decision: Filter the table by the decision made on a line-item, either Certified, Revoked, Exception Allowed, or No Decision.

  • By item attributes: Filter the table by a particular column item, such as a user. Click the item to filter on, then enter the appropriate value in the additional box that is displayed.

Customize table columns

You can modify the order of the columns in the line-items table for readability.

For example, you might want to have the Application column display first in the table instead of the User column.

To customize columns:

  1. Click the icon with three vertical rectangles next to the filter icon.

  2. Deselect columns you do not want to display on the screen and/or drag and drop the order of the columns.

  3. Click Apply.

Add comment

When reviewing a line-item in an access review, you can leave a comment.

The comment could vary in nature due to a number of reasons:

  • A justification for the decision being made.

  • A comment about why the item is being reassigned.

  • A comment about why the item is being forwarded.

  • A comment from another certifier if there are multiple certifiers on the line-item(s).

An auto-generated comment is created when an item is forwarded or reassigned.

To add a comment:

  1. To get to the comment box either:

    • Click the comment icon box.

    • Click the ellipses (…) next to the item you wish to comment on and click Add Comment.

  2. Enter the comment.

  3. Click Add Comment.

Once a comment has been made and added to a line-item, it cannot be removed.

Make a decision (certify)

A decision is an action a certifier makes on a line-item in an access review.

Figure 5. Certify, revoke, and exception icons (screenshot of the user task certification choices)

There are three decisions that can be made on an item:

  • The green mark icon means Certify (allow/keep) access.

  • The red circle with cross-through means Revoke (deny) access. When selecting this, a mandatory comment box is displayed to enter the justification as to why the line-item is being revoked.

  • The clock icon means Allow an exception. This requires a justification comment. Use it when the access should be prohibited but is instead granted for a specific time interval. Afterwards, the access is revoked automatically.

    This option is only enabled if Allow Exceptions is selected in the Additional Options section when you create the template. The maximum duration of the exception is also specified there. For more information, refer to additional options.

A decision can only be made once per line-item, no matter the number of certifiers. The decision of the last certifier to decide on a line-item prevails. Once an access review (campaign) is signed off, a decision cannot be modified.

View other certifiers

For each line-item in the access review, you can view the other certifiers. To view the certifiers, click the ellipses (…) next to the item and click View Reviewers.

From here you have the ability to:

Edit certifier privileges

To edit the privileges a certifier has, you must enable the configuration setting Enable line-item reassignment > Reassign in the Additional Options section of the template.

To edit the permissions of a certifier on a line-item:

  1. Click the ellipses (…) next to the line-item and click View Reviewers.

  2. Locate the certifier you would like to modify and click the ellipses (…) > Edit.

  3. Select/deselect the privileges on the certifier.

  4. Click Save.

Reassign an item

You reassign a line-item by adding another certifier to review the item. When you add another certifier, you specify the privileges of the certifier.

To reassign an item, you must enable the configuration setting Enable line-item reassignment > Reassign in the Additional Options section of the template. For more information, refer to additional options.

There are two ways to reassign an item:

Reassign from view reviewers screen

  1. Click the ellipses (…) of the item > View Reviewers.

  2. Click + Add a Reviewer.

  3. Select either Add a user or Add a role to add to the line-item.

  4. Search for the individual or role and select it.

  5. Select the privileges that the user or role will have on the line-item. The privileges you can add are:

    1. View: Allows a user to view the line-item.

    2. Comment: Allows a user to leave a comment on the line-item.

    3. Decide: Allows a user to make a decision on the line-item.

    4. Assign/Forward: Allows a user to reassign or forward the line-item.

    5. Sign off: Allows a user to sign-off on the line-item.

      You can only select a privilege if it is enabled in the Additional Options section of the template. Therefore, the options listed above are subject to change. For more information, refer to additional options.

  6. Click Reassign.

Reassign from bulk reassign

The option for bulk certify and reassign must first be enabled in the Additional Options section of the template before bulk reassign can be used. For more details, refer to Bulk certify items.

  1. After selecting more than one item, click the Actions drop-down that appears and select Reassign.

  2. In the modal, choose to either reassign to Another user or to Users with assigned role to the line-item.

  3. Search for the individual or role and select it.

  4. Select the privileges that the user or role will have on the line-item. The privileges you can add are:

    1. View: Allows a user to view the line-item.

    2. Comment: Allows a user to leave a comment on the line-item.

    3. Decide: Allows a user to make a decision on the line-item.

    4. Forward: Allows a user to reassign or forward the line-item.

    5. Sign off: Allows a user to sign-off on the line-item.

      You can only select a privilege if it is allowed in the Additional Options section of the template. Therefore, the options listed above are subject to change.

  5. Click Reassign.

Forward an item

When you forward a line-item in an access review, you remove all prior certifiers and assign the line-item to a user or role. The new certifier(s) have full permissions on the line-item.

To forward a line-item, you must enable the configuration setting Enable line-item reassignment > Forward in the Additional Options section of the template.

There are two ways to forward an item:

Individual forwarding

  1. Click the ellipses (…) on the line-item > Forward.

  2. In the modal, choose to forward the line-item to Another user or to Users with assigned role.

  3. Search for the individual or role.

  4. Leave a comment as to why you are forwarding the line-item.

  5. Click Forward Item.

Bulk forwarding

The option for bulk certify and forward must first be enabled in the Additional Options section of the certification campaign template before bulk forwarding can be used. For more details, refer to Bulk certify items.

  1. Select more than one item using the checkboxes to the left of the certification items table, or check the Select All box.

  2. Click the Actions drop-down that is displayed.

  3. Select Forward.

  4. A modal window is displayed.

  5. Select if the line-items should be forwarded to Another user or Users with assigned role.

  6. Search for the individual or role.

  7. Leave a comment as to why you are forwarding the line-items.

  8. Click Forward Item.
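The line-item rules described under Make a decision (certify), Reassign an item and Forward an item can be checked against a small model. The following Python is an added example, not ForgeRock code: the privilege names match the page, while the class, method names and sample certifiers (alice, bob, carol) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Privileges a certifier can hold on a line-item (names taken from the page).
PRIVS = frozenset({"View", "Comment", "Decide", "Assign/Forward", "Sign off"})
FULL = PRIVS  # forwarding grants every privilege to the new certifier


@dataclass
class LineItem:
    """One record in an access review (hypothetical model, not ForgeRock code)."""
    reviewers: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    decision: Optional[str] = None            # "certify" | "revoke" | "exception"
    comments: List[Tuple[str, str]] = field(default_factory=list)  # append-only
    signed_off: bool = False

    def _check(self, who: str, priv: str) -> None:
        """Reject non-certifiers, missing privileges, and any change after sign-off."""
        if who not in self.reviewers:
            raise PermissionError(f"{who} is not a certifier on this item")
        if priv not in self.reviewers[who]:
            raise PermissionError(f"{who} lacks the {priv} privilege")
        if self.signed_off and priv != "View":
            raise RuntimeError("campaign is signed off; the item is frozen")

    def comment(self, who: str, text: str) -> None:
        self._check(who, "Comment")
        self.comments.append((who, text))

    def decide(self, who: str, decision: str, comment: Optional[str] = None) -> str:
        """Last certifier to decide wins; revoke and exception need a justification."""
        self._check(who, "Decide")
        if decision not in ("certify", "revoke", "exception"):
            raise ValueError(f"unknown decision {decision!r}")
        if decision != "certify" and not comment:
            raise ValueError(f"{decision} requires a justification comment")
        if comment:
            self.comments.append((who, comment))
        self.decision = decision
        return self.decision

    def reassign(self, who: str, new: str, privs) -> None:
        """Add a certifier with a chosen subset of privileges; prior certifiers stay."""
        self._check(who, "Assign/Forward")
        self.reviewers[new] = frozenset(privs) & PRIVS
        self.comments.append(("system", f"{who} reassigned the item to {new}"))

    def forward(self, who: str, new: str, reason: str) -> None:
        """Remove every prior certifier; the new certifier gets full privileges."""
        self._check(who, "Assign/Forward")
        if not reason:
            raise ValueError("forwarding requires a comment")
        self.comments.append((who, reason))
        self.comments.append(("system", f"{who} forwarded the item to {new}"))
        self.reviewers = {new: FULL}

    def sign_off(self, who: str) -> None:
        """Final decision: after this, no decision, reassignment or forward is accepted."""
        self._check(who, "Sign off")
        self.signed_off = True
```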

Bulk certify items

The bulk certification of line-items allows many items to undergo the certification process at once, instead of one by one. This configuration setting is not enabled by default and should be used with caution. Most access reviews require an in-depth look into the accuracy of data, and bulk certification circumvents this.

To bulk certify line-items, you must enable the configuration setting Allow Bulk Decisions in the Additional Options section of the template. For more information, refer to additional options.

Once the bulk certify option is enabled, checkboxes display to the left of the line-items table. Additionally, a Select drop-down button displays at the top left of the campaign items table.

When you select one or more items via the checkboxes, or you select All items (in the drop-down button of Select), an additional Actions drop-down button displays. Click this button to see various actions you can make in a bulk fashion.

Under the Select drop-down button, you can choose All items under review, All on this page, or Deselect all items.

The items that display under the Actions button vary depending on the configuration settings you enable in the template, but can include:

  • Certify

  • Revoke

  • Allow an exception

  • Reassign

  • Forward

Delegate items

In Identity Governance, you have the ability to delegate:

  • Entire access reviews

  • Line-items forwarded to you

  • Line-items reassigned to you

Items still appear in your inbox; they are also sent to the delegate.

Delegation could be useful, for example, if you are on vacation and need someone to cover your items while you are away.

Assign a delegate

To assign a delegate:

  1. From the Identity Cloud End User UI, click My Directory > Delegates.

  2. Click + Add Delegates.

  3. Search for a user to delegate items to.

  4. If desired, check the Assign role only during a selected time period box and select a start and end date. Items are assigned to the delegate during this timeframe only.

    If no start and end date is set, the delegation is indefinite.

  5. Click Save.

Remove a delegate

To remove a delegate:

  1. From the Identity Cloud End User UI, click My Directory > Delegates.

  2. Find the delegate you would like to remove, click the ellipses (…) and click Remove.

  3. Click Delete.

When you remove a delegate, all items that were delegated to them are automatically removed.