Identity Cloud

Review access for users

In Identity Governance, an access certification is the process of reviewing access for users. This includes various types of certifying, or validating, such as access to applications, the accounts in those applications, and more.

Figure 1. Review access for users (access certification) steps

To review data and approve or deny access you:

  • Create templates: Create templates to define the data to review, who is responsible for the review, and when the data needs to be reviewed (on a periodic or ad hoc basis). Organizations often need to review the same data several times a year to ensure access is accurate; a saved template lets you reuse the same review definition each time.

  • Run campaigns: A campaign is the review process that starts when a template is run. Each campaign uses an existing template and that template's configuration.

  • Certify access: When a campaign runs, tasks are assigned to one or more end users, known as certifiers. The template defines which tasks each certifier is responsible for. As an end user, review and complete the tasks assigned to you.

Certifications and related features can be found by selecting Certification from the left navigation bar in the Identity Cloud admin UI.

Three tabs display under Certification:

Overview tab

To access the Overview tab, from the Identity Cloud admin UI, go to Certification > Overview.

Figure 2. Certification overview tab

The Overview landing page displays various metrics that allow you to view items such as campaign status, active reviews, and campaigns by type. This page includes the following charts.

You can hover your cursor over the charts to view the data details.

Table 1. Identity Governance overview metrics
Data Element Description

Active Campaigns

The number of campaigns currently in progress.

Expiring Campaigns

The number of campaigns that expire in the next two weeks.

Active Reviews

The total number of line-items in access reviews that are in progress. A line-item is a record for a certifier to review. For example, the user Barbara Jensen’s record that details their access to a particular application is a line-item.

Campaigns By Type

A breakdown of the varying types of certifications.

Campaigns By Status

A breakdown of all certifications by status.

Access Review History

The number of line-items certified versus revoked from all campaigns.

Create or modify a template

Templates define the data to review, who is responsible for the review, and when the data needs to be reviewed (on a periodic or ad hoc basis). Organizations often need to review the same data several times a year to ensure access is accurate; a saved template lets you reuse the same review definition each time.

Figure 3. Create templates step in access certifications

You can run templates on an ad-hoc or scheduled basis.

Administrators manage (create, duplicate, edit, or delete) templates on the Templates tab and schedule each campaign to run at a specific interval (if desired).

View saved templates

To view saved templates, from the Identity Cloud admin UI, click Certification > Templates tab. The page displays all saved templates.

Figure 4. Templates tab
Table 2. Columns on templates tab
Field Description

Name

The name of the template.

Next run date

A date displays when the template is configured to run according to a schedule. If the template runs ad-hoc, then (None Scheduled) displays.

Status

A template can be in one of the following states:

  • Creating: The template is created in the background. This is a temporary state.

  • Unused: The template is not part of a campaign. In this state, you can edit/modify the template.

  • Active: The template is turned into a campaign. In this state, you can view the template details, but you can’t edit/modify it.

The general sequence of states is Creating → Unused → Active.

Create template

To create a template:

  1. Navigate to the Certification > Templates tab.

  2. Click + New Template.

  3. Select the template type.

    • The currently available template type is an identity certification. An identity certification certifies user accounts on some or all applications.

      To continue setting up the identity certification campaign type, follow the preceding link.

Modify a template

You can modify various template items:

  1. From the Identity Cloud admin UI, go to Certification > Templates tab.

  2. Locate the template and click the ellipses (…) to perform one of the following actions:

    To view additional templates, click the caret icons at the bottom of the table.

    Action Description

    Duplicate

    Duplicate the template details to create a new template, and edit/modify as needed. The characters (copy) are appended to the newly duplicated template.

    View Details

    This option displays if the template has been run at least once. It provides a read-only view into the configurations on the template. After you run a template, you can’t change the configuration settings.

    Edit Template

    This option displays if you create the template, but never run it to create a campaign. In this case, you can edit/modify the template configuration.

Run a template

You can run a template by:

  • Creating a schedule when you define the template.

  • Adding a schedule to the template after you define the template.

  • Running the template on an ad-hoc basis.

To run a template:

  1. From the Identity Cloud admin UI, go to Certification > Templates tab.

  2. Locate the template and click the ellipses (…) to perform one of the following actions:

    To view additional templates, click the caret icons at the bottom of the table.

    Action Description

    Run Now

    This runs the template immediately and starts a campaign. When selected, the active campaign displays in the Campaigns tab.

    If you selected Run on a schedule under the When to Certify section when you created the template, the campaign runs on the set schedule and displays on the Campaigns tab at the specified interval.

    Schedule Campaign

    This option displays if you did not configure a schedule when creating the template. This creates a run schedule for the template.

    Edit Schedule

    This option displays if you did configure a schedule when creating the template, but you would like to modify the existing schedule.

Delete a template

To delete an existing template:

  1. From the Identity Cloud admin UI, go to Certification > Templates tab.

  2. Locate the template, click the ellipses (…), and click Delete. This action cannot be undone.

Identity certification

Select an Identity certification type to certify user accounts for specific applications.

The following table lists the areas to configure for each campaign template type:

Section Description

Details

General details of the template, such as the name, description, and a default certifier.

What to Certify

The items to be certified.

When to Certify

The cadence in which to run the campaign.

Who will Certify

The individual(s) that are responsible for certifying the items in the campaign.

Notifications

Optional. Set up email notifications based on various events that take place during the certification process.

Additional options

Optional. Various configurations to allow during the campaign, such as bulk actions on line-items or self-certification.

Summary

Summary of configured sections.

Details

This section includes basic information about the template, such as the display name, description, owner, and staging process.

To complete this section, do the following:

  1. From the Identity Cloud admin UI, click Certification > Templates > + New Template.

  2. Complete the following fields:

    Field Description

    Certification Name

    The display name for the certification. This certification name displays on both the certifications tab and the end-user tasks dashboard.

    You can include a date variable in the certification name so that you can tell which campaign run a given certification belongs to. Identity Governance uses moment.js to format the date.

    For example, if you have a certification that is scheduled to run every two weeks, having the date appended to the name would be beneficial to know which campaign you are working on.

    For example, to include a date showing the year, month, day, hour, minute, and an AM/PM indicator, the name of the certification would be:

    Campaign name - {{YYYY-MM-DD-hh:mma}}

    When the template is run as a campaign, the resulting name looks like: Campaign name - 2023-04-23-08:18pm

    After the certification is run, you can’t change the name.

    Description

    Enter a general description for the certification. Your organization should follow a descriptive convention to describe each of your certifications.

    This field is limited to 1000 characters.

    Certification Owner

    Enter the owner of the certification. Only certification owners can fully control their certifications, including certification decisions, certifier assignment changes, sign off, and more.

    Enable Campaign Staging

    Enable certification staging to set up the certification in the system but not activate it in production. This option allows compliance officers to preview a certification before it is activated and exposed to end users. Compliance officers can inspect and review the content, decision items, and other details to determine whether to activate or delete it.

  3. Click Next.
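The date variable described under Certification Name, as an added example that is not Identity Governance's own code: a small JavaScript renderer that expands `{{...}}` variables in a template name using the moment.js tokens the page uses (YYYY, MM, DD, hh, mm, a) plus HH and A. It reimplements only that token subset so it runs without the moment library; the token set and the `renderCampaignName` and `hasDateVariable` names are assumptions of this example, and the sample run date is constructed to reproduce the page's own example output.

```javascript
// Added example, not Identity Governance's own code: expands {{...}} date
// variables in a certification name using moment.js-style tokens. Only the
// token subset below is implemented (assumption) so the code runs offline.

function pad2(n) {
  return String(n).padStart(2, "0");
}

// moment.js tokens supported by this example.
const TOKENS = {
  YYYY: d => String(d.getFullYear()),
  MM:   d => pad2(d.getMonth() + 1),
  DD:   d => pad2(d.getDate()),
  HH:   d => pad2(d.getHours()),            // 00-23
  hh:   d => pad2(d.getHours() % 12 || 12), // 01-12
  mm:   d => pad2(d.getMinutes()),
  a:    d => (d.getHours() < 12 ? "am" : "pm"),
  A:    d => (d.getHours() < 12 ? "AM" : "PM"),
};

// Match longer tokens first so "YYYY" is not consumed as shorter pieces.
const TOKEN_RE = new RegExp(
  Object.keys(TOKENS).sort((x, y) => y.length - x.length).join("|"),
  "g"
);

// Format one moment-style pattern such as "YYYY-MM-DD-hh:mma".
// Characters that are not tokens pass through unchanged.
function formatDate(pattern, date) {
  return pattern.replace(TOKEN_RE, tok => TOKENS[tok](date));
}

// Expand every {{pattern}} variable in a template name for a given run date.
function renderCampaignName(templateName, runDate = new Date()) {
  return templateName.replace(/\{\{\s*([^}]+?)\s*\}\}/g,
    (_, pattern) => formatDate(pattern, runDate));
}

// True when the name carries a date variable. A scheduled template without
// one produces identically named campaigns on every run, which makes it hard
// to tell which campaign you are working on.
function hasDateVariable(templateName) {
  return /\{\{[^}]+\}\}/.test(templateName);
}

// Constructed sample run date matching the page's example: 2023-04-23 20:18 local time.
const sampleRunDate = new Date(2023, 3, 23, 20, 18);
console.log(renderCampaignName("Campaign name - {{YYYY-MM-DD-hh:mma}}", sampleRunDate));
// -> Campaign name - 2023-04-23-08:18pm
```

Because the name cannot be changed after the certification is run, checking `hasDateVariable` on a template that is about to be scheduled is a cheap way to avoid a series of indistinguishable campaign names.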

What to Certify

This section allows you to define the items to certify, including the users, applications, and accounts.

To complete this section, do the following:

  1. Complete the following fields:

    Field Description

    Users

    Certify one of the following:

    • All users

    • A single user

    • Users matching a filter: Create a filter to certify select users.

    Applications

    Certify one of the following:

    • All applications

    • Specific applications: If you select this, an additional box is displayed to select which Applications to certify.

    • Applications matching a specific filter: Create a filter to certify specific applications.

    Accounts

    Select All accounts in selected applications.

    (Optional) Show advanced filters

    To certify accounts based on the last certification decision made on a line-item, select Filter by last certification decision from the drop-down.

    A line-item is a particular record for a certifier to review. For example, the user Barbara Jensen’s record that details their access to a particular application is a line-item.

  2. Click Next.

When to Certify

The When to Certify section lets the administrator specify when to run the campaign and what to do in the event the campaign expires.

To complete this section, do the following:

  1. Complete the following fields:

    Field Description

    Schedule

    Define whether this certification will run on a periodic basis. If selected, the administrator can input various choices to define the schedule on which the certification will run.

    Check the Run on a schedule box to define a schedule for the template.

    Options include:

    • Run Every: Run the certification every specified number of days, weeks, months, or years.

    • Start: Specify the time at which this campaign runs for the first time. We recommend setting this in most cases; otherwise the schedule is likely to run immediately when the template is created.

    • End: Run the certification on its defined periodic basis until this date is reached.

    Campaign Duration

    Specify the amount of time each access review (campaign) has before expiration. You can specify the duration in days, weeks, months, or years.

    When Campaign Expires

    Select a behavior to handle the open access review (campaign) line-items when the campaign expires:

    • Close open items: Complete the items using the given information after the campaign expires. The administrator can select what decision to add to the item (certify, revoke, abstain from, and allow exception to) and when that decision takes effect. The decision can take effect immediately or after a duration (in days).

    • Reassign to: Select a given user or role that the access review (campaign) is reassigned to after the expiration date. The campaign will not be closed.

    • Do Nothing: No action will be taken, and the line-items will remain in progress.

  2. Click Next.

Who will Certify

This section allows you to specify the users that review and make decisions about the items you defined in the What to Certify section.

To complete this section, do the following:

  1. Complete the following fields:

    Field Description

    Certifier Type

    Specify who can review and certify user access by selecting one of the following:

    • User: Select a single user to review and make a decision on all the items. When you select this, a Select user box displays. Select the user who will certify the campaign.

    • Role: Select a role that allows any of its members to act on a decision item. When you select this, a Select a role box displays. Select a role from the list of the created roles in Identity Cloud.

    • Manager: The user’s manager becomes the certifier of their data (also known as a line-item).

    Enable default certifiers

    Select a certifier to assign in case an access review (campaign) line-item is not assigned a certifier. For example, if the manager is the certifier and the user has no manager defined, then the default certifier will be assigned the access review for this user.

  2. Click Next.

Notifications

This optional section allows you to send email notifications when one or more campaign events are triggered. For example, when a campaign is about to expire or when a certifier is reassigned.

To complete this section, do the following:

  1. Define an email template for each selected notification. Each notification requires an associated email template. From the left navigation pane in the Identity Cloud admin UI, go to Email > Templates. For more information, refer to Email templates.

    To reference variables in your email templates for Identity Governance, the object is nested an additional level. The following table shows how to access these objects:

    Item Usage

    User attributes

    Use the syntax object.user.userAttribute.

    Use the attributes available from the email template screen. For more information, refer to Email templates.

    Manager attributes

    Use the syntax object.manager.managerAttribute.

    Use the attributes available from the email template screen. For more information, refer to Email templates.

    If the manager is the certifier type in the Who will Certify section, use the same user attributes in the managerAttribute. For example, if you need to reference a user’s manager within the email, then use this object.

    Campaign attributes

    Use the syntax object.campaign.campaignAttribute.

    Available attributes are name and type.

  2. Select any of the notification types:

    Field Description

    Send initial notification

    Send a notification any time a certifier is assigned to a line-item.

    Send reassign notification

    Send to a new certifier when a line-item in an access review (campaign) is reassigned or forwarded to them.

    Send expiration notification

    Send a reminder notification to the certifiers before a campaign expires. Select how many days before the campaign expires the reminder is sent.

    Send reminders

    Send a notification to remind certifiers to take action on access review (campaign) line-items. Select the number of days, weeks, months, or years to send the reminder.

    Enable escalation

    Send an escalation notification to specific recipients when certifiers have not completed their actions on a campaign. When selected, an additional Escalation Owner box displays. Select the number of days, weeks, months, or years to wait and the user to send the escalation to.

  3. Click Next.
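An added example (not Identity Governance's own code) of how the nested paths from the table in step 1 resolve against a notification context, and what happens when `object.manager` is absent, which is exactly the default-certifier situation described under Who will Certify. The context object, the `{{object.user.mail}}` placeholder syntax and the function names are constructed for this example; the only parts taken from the page are the `object.user`, `object.manager` and `object.campaign` nesting and the campaign attributes `name` and `type`.

```javascript
// Added example, not Identity Governance's own code. Demonstrates resolving
// the documented nested paths (object.user.*, object.manager.*,
// object.campaign.{name,type}) and handling a missing manager safely.

// Constructed notification context mirroring the documented nesting.
// Attribute names under user/manager are assumptions; the real set comes from
// the Email > Templates screen.
const sampleContext = {
  object: {
    user:     { userName: "bjensen", givenName: "Barbara", sn: "Jensen", mail: "bjensen@example.com" },
    manager:  { userName: "jdoe", givenName: "John", sn: "Doe", mail: "jdoe@example.com" },
    campaign: { name: "Campaign name - 2023-04-23-08:18pm", type: "identity" },
  },
};

// Resolve a dotted path such as "object.manager.mail". Returns undefined
// when any segment is missing instead of throwing.
function resolvePath(context, path) {
  return path.split(".").reduce(
    (cur, key) => (cur == null ? undefined : cur[key]),
    context
  );
}

// Render {{object.user.mail}}-style placeholders (syntax assumed for this
// example). Unresolved placeholders become `fallback` so a user without a
// manager never produces the literal text "undefined" in an outgoing email.
function renderEmail(template, context, fallback = "") {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = resolvePath(context, path);
    return value === undefined ? fallback : String(value);
  });
}

// List the placeholders that do not resolve for a given context. Run this
// before a notification goes out: manager attributes are the usual gap when
// the default certifier has been assigned because the user has no manager.
function unresolvedPlaceholders(template, context) {
  const missing = [];
  for (const m of template.matchAll(/\{\{\s*([\w.]+)\s*\}\}/g)) {
    if (resolvePath(context, m[1]) === undefined) missing.push(m[1]);
  }
  return missing;
}

// Constructed template using all three documented object levels.
const sampleTemplate =
  "Hello {{object.manager.givenName}}, please review {{object.user.userName}} " +
  "in {{object.campaign.name}} ({{object.campaign.type}}).";

console.log(renderEmail(sampleTemplate, sampleContext));

// Constructed context for a user with no manager: object.manager is absent.
const noManagerContext = {
  object: { user: { userName: "asmith" }, campaign: { name: "Q2 review", type: "identity" } },
};
console.log(unresolvedPlaceholders(sampleTemplate, noManagerContext));
```

The check in `unresolvedPlaceholders` is the practical point: a reassign or initial notification that addresses `object.manager` is only correct when the user actually has a manager, so templates used with the Manager certifier type should be validated against a context without one.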

Additional options

This optional section allows you to configure other options for a campaign, such as performing bulk certifications or reassigning tasks to another user or group.

To complete this section, do the following:

  1. Complete the following optional fields:

    Field Description

    Allow self-certification

    Allows select individuals to certify their own data.

    The options to choose from are:

    • All certifiers: Users who are certifying the access review (campaign) can certify their own access.

    • Owners and administrators: Users who are campaign owners or tenant administrators can certify their own access.

    Enable line-item reassignment and delegation

    Allow the certifier to reassign or forward a line-item to another user.

    When you select this box, you can choose the following options:

    • Forward: Allow certifiers to forward their access review (campaign) to another certifier. When forwarding an access review, all other certifiers are removed from the access review in its entirety.

    • Reassign: Select the privileges the current certifier can assign to the new certifier:

      • Add Comment

      • Make Decision

      • Reassign/Forward

      • Sign off

    Allow exceptions

    Allow certifiers to continue to certify line-items assigned to them after the campaign expires. Select a duration in days, months, weeks, or years.

    Allow bulk-decisions

    Allow certifiers to make line-item decisions in bulk.

    This includes:

    • Making a decision (certify, revoke, exception).

    • If Enable line-item reassignment and delegation is enabled, then you can bulk Reassign and/or Forward line-items.

    Most access reviews require an in-depth look at each line-item to ensure the accuracy of each decision. Bulk decisions allow a certifier to decide many items at once, which can lead to inaccurate decisions. Use caution when selecting this option.

    Allow partial sign-off

    Allow a certifier to sign-off on an access review before all of their assigned line-items have a decision made on them.

    Process Remediation

    Select a workflow to run either immediately after revocation of access or after a duration.

  2. Click Next.

Summary

The Summary section is the final section in creating a template. It gives a breakdown of each section in the template, allowing for a review.

Summary steps:

  1. Review all items.

  2. Click Save Template to complete the certification template.

    Under the What to Certify review section, ensure that Total Decision Items is greater than 0. A value of 0 means the template did not identify any items to be certified, and a campaign created from the template is immediately canceled by the system. If the value is 0, go back to the What to Certify section and adjust your settings.

Run campaigns

A campaign is the process that certifies items. Before running campaigns, you must first set up a template. Once you create a template, you can initiate a campaign.

Figure 5. Run campaigns step in access certifications

After you initiate a campaign, either through an ad-hoc (one time) run under the Templates tab or through the schedule set in the template, the campaign displays on the Campaigns tab.

Figure 6. Example of turning a created template into a campaign

To access campaigns, from the Identity Cloud admin UI, click Certification > Campaigns tab.

Figure 7. Campaigns tab

Every campaign has users who validate the data within it. These users are known as reviewers or certifiers.

View all campaigns

The landing page on the Campaigns tab displays all Active campaigns.

To view campaigns that have a specific status, such as Closed or Canceled, click the Status drop-down and filter the status.

To view additional campaigns, click the caret icons at the bottom of the table.

Campaign statuses to filter
Status Description

Active

The campaign is in progress. In the Status column, this includes the In-progress, Expiring, and Overdue states.

  • In-progress: The campaign is in progress and active.

  • Expiring: The campaign is in process and will expire in two days or less. The deadline is defined in the template, but it can be updated at any time. For more information on updating a campaign deadline, refer to the Details tab.

  • Overdue: The campaign is past the expiration date but in process. Tasks still require completion. Identity Governance sets this status when you select one of the following settings in the template:

    • When to Certify > When certification expires > Close open items > Reassign.

    • Do nothing.

      The template defines the deadline; however, you can update the deadline at any time. For more information, refer to the Details tab.

Expired

The campaign expired. Identity Cloud triggers this status when you select When to Certify > When certification expires > Close open items > immediately in the template.

Canceled

This campaign was canceled manually and is no longer in progress. In certain situations when there is an error creating the campaign from the template, a campaign might automatically go into this state.

Completed

The campaign finished as expected with no issues.

Staged

The campaign is staged and is not active.

Campaign landing page columns

The campaigns listed on the landing page of the Campaigns tab are shown in a table with the following columns.

Table 3. Campaign tab landing page columns
Field Description

Name

The name of the campaign. This name is generated from the template.

Deadline

The campaign completion date.

Status

The state the campaign is in. Refer to Campaign statuses to filter for more information.

Progress

The percent complete of the campaign.

To view the percentage and number of items that are complete, hover over the progress icon.

To sort by a column, click the up/down icon (where applicable).

View details of campaign

From the Campaigns tab on the landing page, click the desired campaign to view more details.

The selected campaign includes two tabs:

Details tab

The Details tab includes graphical information about the campaign. For example, the percentage of completeness or the reviews currently in progress.

The information is broken out into various cards. The following table shows the various information by card.

Campaign details page
Card/Title Description

Status

Provides information about when the campaign expires. You can select Update Deadline to extend the duration of the campaign or Cancel Campaign.

  • If the campaign status is Staged, you can select Activate to start the campaign.

  • If the campaign status is Canceled, Complete, or Closed, the Update Deadline and Cancel Campaign options are not available.

Campaign Details

Shows the percentage of the campaign that is complete, including the number of reviews completed versus the total number of reviews, as well as general information about the campaign:

  • Campaign Owner: The person responsible for the overall campaign.

  • Duration: The length of the campaign.

  • Start Date: The date the campaign was started (either manually through ad-hoc or via a pre-defined schedule).

  • Deadline: The date the campaign expires.

  • Description: Information about the campaign.

Users

Pie chart.

The number of new users versus previously certified users in the campaign.

Decisions Breakdown

Pie chart.

A breakdown of the decisions made in the campaign by certifiers (certified, revoked, exception).

Access by Application

Pie chart.

The number of accounts by application to be certified in the campaign.

Users with no email address

Numerical.

The number of users that do not have an email address on their ForgeRock profile.

Certifiers with no email address

Numerical.

The number of certifiers (reviewers) that do not have an email address on their ForgeRock profile.

Access reviews tab

The Access Reviews tab contains information on the certifiers in the campaign. The certifiers could be an individual or a role. This includes the progress they have made on their reviews, as well as the ability to view the items each certifier is responsible for.

By default, the page displays the certifiers whose access review is in the Active state.

To view other statuses, select the Status drop-down:

Table 4. Certifier statuses to filter
Status Description

Active

The certifier has line-items on the campaign that do not have a decision made on them. A line-item is a record for a certifier to review. For example, the user Barbara Jensen’s record that details their access to a particular application is a line-item.

Expired

The campaign has passed its deadline and the certifier has line-items that do not have a decision made on them.

Completed

The certifier has reviewed and made decisions on all the line-items assigned to them in their access review and signed off.

You can use the search icon to search for a specific campaign by its name.

There are three columns in the Access Reviews tab:

  • Certifier: The individual, or the users assigned to a role, responsible for a part of the campaign.

  • Status: The status of the campaign.

  • Progress: The progress the certifier has made in their reviews.

    To view the percentage and number of items that are complete, hover over the progress icon.

Click the arrow icon on Certifier to sort alphabetically (ascending or descending).

The ellipses (…) to the right of the table show additional actions, such as forwarding a certifier’s items to another person or to the users assigned to a role.

To gain a detailed view of the items left for a certifier, click on their record in the table. The drilled-down view is the same view a certifier utilizes when completing their items for the campaign.

Cancel existing campaign

You can only cancel a campaign that is in the Active state (which includes the states Expiring and Overdue). For more information, refer to Campaign statuses to filter.

There are two ways to cancel a campaign:

  1. When viewing all campaigns from the Certification > Campaigns landing page:

    1. Click the ellipses (…) next to the campaign.

    2. Click Cancel.

    3. Click Cancel Campaign.

  2. In the drill-down campaign view:

    1. Click into a campaign.

    2. Click Cancel Campaign.

    3. Click Cancel Campaign again in the confirmation screen.

Copyright © 2010-2023 ForgeRock, all rights reserved.