Certification Template
The following steps show how to set up a certification campaign. They run in stages depending on the certification type:
Create a Certification Campaign
-
From the Identity Governance UI, click Certifications.
-
Click Campaign Templates > New Campaign Template.
-
For New Campaign, select the type of campaign, and then click Next. This will take you through several stages to create your certification.
-
Identity Certification. Review user accounts and entitlements granted on specified applications.
-
Role Membership Certification. Review roles granted to users.
-
Role Definition Certification. Review role membership rules and entitlements granted to role members.
-
Entitlement Certification. Review attributes for specified entitlements.
-
Campaign Details
-
Enter the following information:
-
Certification Name. Enter the display name for the certification campaign. This certification name appears on both the Campaigns tab and the end-user Tasks Dashboard. Note: You cannot change the name during the campaign process.
-
Description. Enter a general description for the certification campaign. Your company should come up with a descriptive convention to describe each of your campaigns.
-
Campaign Owner. Enter the owner of the campaign. Campaign owners have full control over their campaigns only, including certification decisions, actor assignment changes, sign off, and more.
-
Enable Staging Phase. Enable campaign staging to set up the campaign in the system but not activate it in production. This feature is useful for compliance officers to preview a certification before the campaign is activated and exposed to the end users to whom tasks have been assigned. Compliance officers can inspect and review the content, decision items, and other details to determine whether or not it should be activated or deleted. Once the certification is activated, the campaign is active and email notifications are sent to designated assignees. Start dates and deadlines are then calculated from that point on. If the certification is deleted, the campaign is removed from the system and is no longer accessible.
-
-
Click Next to continue.
Whom To Certify
The Whom to Certify section lets the administrator define the subset of the user population that they plan to target within this certification campaign.
The user can either choose a specific predefined filter (for example, single user or users with manager) or define a custom expression to target a specific user population.
The IGA UI displays the current number of users that will be targeted given the current filter.
-
Under Certify. Select the user or users to certify. Options are:
-
A Subset of users. Certify a subset of users based on your conditions.
-
A single user. Certify a single user, and enter the user ID.
-
Users with manager. Certify users with a specific manager. Make sure to set the conditions below.
-
Users with authorization role. Certify users with a specific authorization role. Make sure to set the conditions below.
-
Users with provisioning role. Certify users with a specific provisioning role. Make sure to set the conditions below.
-
All users. Certify all users in your system.
-
-
For Conditions. Enter the filtering conditions depending on the users selected.
-
Select all|any|none for conditions met.
-
Select the user property.
-
Select equals|contains.
-
Enter a value for the condition.
-
Click + to add the rule or group. You can add additional conditions as needed.
-
-
To save the certification template, click Save. To continue to add more options, click Next.
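The condition builder described above, modelled as an added Python example (not code from the product): it evaluates nested all|any|none groups with equals|contains rules over a constructed user list to preview who a filter targets. The property names, case-sensitive matching, and the treatment of a missing property as a non-match are assumptions.

```python
# Added model of the condition builder; not product code.
# Property names and user records are constructed for illustration.
USERS = [
    {"userName": "alice", "department": "Finance", "title": "Senior Accountant"},
    {"userName": "bob", "department": "Finance", "title": "Contractor - AP"},
    {"userName": "carol", "department": "Engineering", "title": "SRE"},
    {"userName": "dave", "title": "Contractor - Facilities"},  # no department
]

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
}

def matches(user, node):
    """Evaluate one rule, or a nested all|any|none group, against a user."""
    if "rules" in node:
        if not node["rules"]:
            raise ValueError("empty group is ambiguous; add at least one rule")
        results = [matches(user, child) for child in node["rules"]]
        if node["match"] == "all":
            return all(results)
        if node["match"] == "any":
            return any(results)
        if node["match"] == "none":
            return not any(results)
        raise ValueError(f"unknown match mode: {node['match']!r}")
    value = user.get(node["property"])
    if value is None:  # assumption: a missing property fails the rule
        return False
    return OPERATORS[node["op"]](value, node["value"])

def preview(users, campaign_filter):
    """Return the user names the filter targets (the count the UI reports)."""
    return sorted(u["userName"] for u in users if matches(u, campaign_filter))

# Finance staff, excluding anyone whose title contains "Contractor".
FINANCE_EMPLOYEES = {"match": "all", "rules": [
    {"property": "department", "op": "equals", "value": "Finance"},
    {"match": "none", "rules": [
        {"property": "title", "op": "contains", "value": "Contractor"}]},
]}
# A bare "none" group also selects users who lack the property entirely.
NOT_FINANCE = {"match": "none", "rules": [
    {"property": "department", "op": "equals", "value": "Finance"}]}

if __name__ == "__main__":
    print(preview(USERS, FINANCE_EMPLOYEES))
    print(preview(USERS, NOT_FINANCE))
```

In this model the second filter pulls in dave, whose record has no department at all, so a "none" condition is worth checking against the user count the UI displays before the template is saved.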
What to Certify
The What to Certify section lets the administrator further filter the items targeted by this campaign template. This section may vary depending on the type of certification chosen, but can include the following fields:
-
Applications. Choose whether to target entitlements from one or more specific application(s) or target all applications.
-
Entitlements. Filter the entitlements targeted by this campaign.
-
Accounts. Filter the accounts targeted by this campaign.
What to Certify:
-
Under Certify For, select All Applications or Specific Applications.
-
Under Certify, select Entitlements or Accounts.
-
Select one of the following:
-
All entitlements|Accounts in selected application(s)
-
Entitlements|Accounts matching the filter. This step opens the filtering options to locate the entitlements or accounts.
-
-
Under Certify. Select the entitlements or accounts to certify. Options are:
-
A Subset of entitlements|accounts. Review a subset of entitlements|accounts based on your filtering options.
-
A single entitlement|account. Review a single entitlement|account, and select the entitlement|account.
-
-
Enter the filtering conditions depending on the users selected.
-
Select all|any|none for conditions met.
-
Select the entitlement|account property.
-
Select equals|contains.
-
Enter a value for the entitlement|account.
-
Click + to add the rule or group. You can add additional filters as needed.
-
-
To save the certification template, click Save. To continue to add more options, click Next.
When To Certify
The When to Certify section lets the administrator specify when to run the certification campaign and what to do when the campaign expires. There are three key properties:
-
Schedule. Define whether or not this campaign will run on a periodic basis. If selected, the administrator can input various choices to define the schedule on which the campaign will run. For example, the following schedule options exist:
-
CRON-like Trigger. Run the campaign using a CRON expression.
-
Run Every. Run the campaign every specified number of days, weeks, or months.
-
Start Time. Specify a start time when this campaign will run for the first time. We recommend using this in most cases, otherwise the schedule will likely execute immediately on creation of the template.
-
Repeat. Repeat the schedule a number of times before ending. Use -1 to run the schedule with no bounds on the number of times.
-
Until Specific Date. Run the campaign on its defined periodic basis until this date is reached.
-
-
Campaign Duration. Specify the amount of time each decision item will have to be acted upon before expiration in days, weeks, years, and so on.
-
When Campaign Expires. Sets the behavior applied to decision items when the item deadline passes. The following options are available:
-
Close Open Items. Complete the items using the given information once expired. The administrator can select what decision is added to the item (for example, certify, revoke, abstain from, and allow) and when that decision takes effect.
-
Reassign to User. Select the user to whom the item is reassigned after the expiration date. The item will not be closed.
-
Do Nothing. No action will be taken, and the item remains in progress.
-
When to Certify:
-
Click Run on a schedule to run this campaign periodically.
-
Enter the Campaign Duration.
-
Select what happens when the campaign expires. Options are:
-
Close open items immediately|after duration. Then select the action to apply to open items: certify|revoke|abstain from|allow exception.
-
Reassign to user. Select the user to whom to reassign this campaign.
-
Do Nothing
-
-
Click Next to continue.
Who will Certify
The Who Will Certify section defines the actors for each decision item that will be calculated.
-
Certifier Type. Specify the type of certifier for this campaign. The following options are available:
-
User. Select a single user to be assigned all decision items.
-
Group. Select a single role that lets any member of that role act on a decision item.
-
Manager. Select a manager of the user for each decision item. This is used for Identity Certifications only.
-
Owner. Select the defined owner of each individual entitlement that is assigned the decision item.
-
Coverage File. Specify a pre-defined coverage file to calculate one or more actors with a specific set of permissions for all decision items.
-
-
Select Certifier. When type is user or group, this field selects the given user or role desired.
-
Path to Coverage File. When the type is a coverage file, this field defines the path to the coverage file for this template.
-
Enable Default Certifiers. Select the certifier to be used in the event a decision item's actor cannot be determined. For example, if a manager is the certifier, and the user has no manager defined, the default certifier will be used. You can select between a user or a group for this option.
Who will Certify:
-
Select User|Group|Manager|Owner|Coverage File to define who will certify the campaign.
-
Select the certifier.
-
Click to skip inactive certifiers for the certification.
-
Click Enable default certifier, and select the default certifier for the campaign. This case can occur when the certifier is inactive or there is no certifier.
-
To save the certification template, click Save. To continue to add more options, click Next.
Notifications
The Notifications section provides templates when one of the existing predefined events in the certification process is triggered. The following notification templates are available:
-
Initial Notification. Sent when any task is assigned to a given actor, whether during creation or when added during the campaign.
-
Expiration Notification. Sent a given number of days before the campaign expires to let the actors know the campaign is expiring.
-
Reminder Notification. Sent on a periodic basis to remind the actors that their action is required on the campaign item.
-
Escalation Notification. Sent on a periodic basis to allow a given party to be notified that the campaign item is active and still needs action taken.
Notifications:
-
Select one or more of the following notification options:
-
Select Send initial notification. Select the email template. The following email template options are available:
-
certificationAssigned.
-
certificationEscalated.
-
certificationExpired.
-
certificationReminder.
-
forgottenUsername.
-
registration.
-
resetPassword.
-
updatePassword.
-
welcome.
-
-
Select Send expiration notification. Select email template, and select the number of days before the campaign expiration.
-
Select Send reminders. Select email template, and select the number of days to send the reminders.
-
Select Enable escalation. Select the email template, the number of days to send the escalation reminder, and select the Escalation Owner.
-
-
To save the certification template, click Save. To continue to add more options, click Next.
Additional Options
-
Select any of the following optional settings:
-
Allow self-certification. Select the users or groups who can self-certify their own access. Options are: all certifiers|Owners and administrators.
-
If not selected, no user will be able to take action on the certification of their own access.
-
If only admin or owner is selected, then only the governance admin or the campaign owner is allowed to certify their own access.
-
If all users is selected, then self-certification is not restricted at all.
-
-
Enable line-item reassignment. Select to let certification actors reassign or forward decision items to other users. A line item refers to an assignment, a role membership, a role definition, an identity, or an account. Administrators can select to have one or both of those actions be available to end users, and if enabled, the actions for the user appear in the certification menu to select from.
-
Reassign. Select to let certification actors reassign decision items to other users. Reassign keeps the person taking action on the item as a reviewer.
-
Forward. Select to let certification actors forward decision items to other users. Forward removes the person taking action as a reviewer and passes it completely to the new reviewer.
-
Allow exceptions. Select the option to allow exception to be available to the actors on the items in this campaign as an alternative to certify and revoke. If selected, the campaign template defines the period of time for which an exception lasts for the items in this campaign.
-
Allow bulk-decisions. Select the option to allow bulk certification decisions on a page, search results, or the entire certification and take action on them together.
-
Process remediation. Select a pre-defined workflow that will be executed for each item upon sign-off. Any item that is given a decision of revoke or exception will have this process instantiated for that item when the remediation date for that item has been reached. Select the following options:
-
Workflow: BasicRevocation. When revocation decisions are done, confirm the account no longer has the resource assigned.
-
immediately|after duration. Run the workflow immediately or after a time duration.
-
-
Start Script. Click to specify a start script when the campaign starts.
-
Close Script. Click to specify an end script when the campaign ends.
-
-
Click Next to continue.
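The Manager certifier type, the default-certifier fallback from Who will Certify, and the Allow self-certification setting above interact; the following added Python model (not code from the product) resolves a certifier for each user and reports items that end up unassigned or self-certified. The user records, IDs, and setting names such as owners_and_admins are constructed for illustration.

```python
# Added model of the "Who will Certify" and self-certification settings.
# User records, IDs and setting names are constructed for illustration.
USERS = {
    "alice": {"manager": "bob", "active": True},
    "bob": {"manager": "erin", "active": True},    # manager is inactive
    "carol": {"manager": None, "active": True},    # no manager defined
    "erin": {"manager": "carol", "active": False},
    "gov_admin": {"manager": None, "active": True},
}

def resolve_certifier(subject, users, default_certifier=None, skip_inactive=True):
    """Manager certifier type: return (certifier, reason) for one decision item."""
    manager = users[subject].get("manager")
    if manager is None or manager not in users:
        problem = "no manager"
    elif skip_inactive and not users[manager]["active"]:
        problem = "inactive manager"
    else:
        return manager, "manager"
    if default_certifier is None:
        return None, f"unassigned: {problem}"
    return default_certifier, f"default: {problem}"

def may_decide(certifier, subject, self_cert, campaign_owner, admins):
    """Apply the self-certification setting to one certifier/subject pair."""
    if certifier != subject or self_cert == "all":
        return True
    if self_cert == "owners_and_admins":
        return certifier == campaign_owner or certifier in admins
    return False  # option not selected: nobody acts on their own access

def audit(users, default_certifier, self_cert, campaign_owner, admins):
    """List decision items that end up unassigned or self-certified."""
    findings = []
    for subject in sorted(users):
        certifier, reason = resolve_certifier(subject, users, default_certifier)
        if certifier is None:
            findings.append((subject, reason))
        elif certifier == subject:
            ok = may_decide(certifier, subject, self_cert, campaign_owner, admins)
            verdict = "allowed" if ok else "blocked"
            findings.append((subject, f"self-certification {verdict}"))
    return findings
```

Running `audit` with no default certifier lists every user whose manager is missing or inactive; with a default certifier set, the remaining finding is the default certifier reviewing their own access.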