Overview
Certifications is an important Identity Governance service that lets authorized users review and certify all access assignments within your company to ensure that they are correct and meet compliance regulations.
ForgeRock Identity Governance’s Certifications service provides a centralized dashboard to configure, monitor, and track all access certifications and reviews.
Certification Types
Currently, there are four types of certifications that you can run within Identity Governance:
-
Identity Certification. Certify user accounts and entitlements on some or all applications.
-
Role Definition Certification. Certify all roles or roles that match some filtering criteria. You can also certify different types of attributes including out-of-the-box, custom, glossary, and operational attributes.
-
Role Membership Certification. Certify all roles and users, or roles and users that match some filtering criteria.
-
Entitlement Owner Certification. Certify all entitlements from some or all applications, or entitlements that match some filtering criteria. You can also certify different types of attributes including entitlement, glossary, and operational.
Campaigns
Each certification review is organized as a campaign. Campaigns involves filtering criteria that administrators configure to review the access rights to resources and entitlements. Administrators can monitor all active campaigns on the main Certifications dashboard. Administrators can only work with campaigns and cannot browse the specific data to be certified.
Identity Governance supports certification staging. Staging temporarily halts the review process by letting compliance officers preview the certification and its data before its launch.
Campaign Delegations, Reassignment, and Forwarding
Identity Governance also supports the ability to delegate, reassign, and forward a campaign to other users to view its progress or finish the sign-off.
The following chart shows the main differences in these features:
Features |
Can reassign to user |
Can track progress |
Can edit/override decision |
Line-item or Entire certification |
Who signs off |
Content of certification |
Delegate |
Y |
Y |
Y |
Either |
Owner of the certification task |
Stays intact |
Reassign |
Y |
Y |
N |
Either |
User to whom the certification task is reassigned, if partial sign-off is allowed or owner of the certification task |
Stays intact |
Forward |
Y |
N |
N |
Either |
User to whom the task was forwarded |
Is split. The forwarded lines are no longer part of the original certification. |
Campaign Templates
To facilitate the certification process, Identity Governance provides templates for administrators to create a campaign. A campaign template is an object that defines all of the information needed in a certification, either on an ad-hoc or scheduled basis. Administrators can manage (create, activate, duplicate, edit, or delete) all campaign templates on the Certifications page and set up scheduling runs for each of them.
Once a campaign is created and activated, Identity Governance sends a task notification to authorized certifiers to approve or reject the certification.
