IGA 7.1.1

Object certifications

Object Certifications Table


Display columns

  • Campaign Name

    • Description: Name of the active campaign

    • Searchable: Yes

    • Sortable: Yes

  • Certifier

    • Description: Certifier that is assigned to the campaign, either the logged in user or the role that they belong to

    • Searchable: No

    • Sortable: No

  • Type

    • Description: Type of object being certified

    • Searchable: Yes

    • Sortable: Yes

  • Start Date

    • Description: Date the campaign was initially kicked off

    • Searchable: No

    • Sortable: Yes

  • Deadline

    • Description: Deadline of the tasks assigned to the user

    • Searchable: No

    • Sortable: Yes

Reviewing and Certifying an Object Certification

  1. Log in to ForgeRock Identity Governance and navigate to the Object Certifications table.

  2. Locate or search for the campaign in the certifications table that you wish to review and/or certify.

  3. Click on the campaign to navigate to the certification list for the selected campaign.

    In certain scenarios, it is possible for a user to have access to certify a campaign as two different certifier types. For example, if a user is a part of two different authorization roles that both are assigned as certifiers for one or more events in a campaign, then they can view that campaign as either of the two roles they are a part of. Since each individual role that a user belongs to can give the certifier visibility into different portions of a certification, a user is only able to view each campaign as a single acting certifier at a time.

    When this occurs, the user will see the term “Multiple Options” displayed underneath the certifier column. When the user clicks on a campaign with multiple certifier options, a page will be displayed informing them of the situation and instructing them to choose the certifier to act as. Once a certifier is chosen, the user will be redirected to the certification list.


Object Certification List

The certification list screen is the landing page for the certifier for a single campaign. The page is broken up into several sections, all of which are described in detail below.


Campaign Information

The campaign information box will display some basic information about the campaign being viewed, most notably the Campaign Status. For an active certification, the campaign status field will be marked in-progress. For a closed certification, it will show the result of the certification, such as signed-off, cancelled, or expired.

Stage Information

The stage information box will show a breakdown of the stages within the certification campaign that have tasks that are assigned to you. Each stage row will show the following information:

  • Stage Name - The name given to the certification stage

  • Deadline - The date that the stage’s tasks are due

  • Progress - The breakdown of the statuses of the stage events that are assigned to you.

    • In-Progress - event is active and not complete

    • Reviewed - event is active, completed, but not signed-off

    • Signed-off - event has been completed and signed-off.

    • Pending - event will be assigned to you when a previous stage is completed.

Stage Selector

Shows a chronological visual of the certification stages. By selecting a stage node, the page will be updated to reflect data for the selected stage.


When a different stage is selected, the user will be able to see information about the previous stage results or future stage events that match with the current list of events available to the certifier in the current stage. The user will not be able to see events in a previous or future stage that target objects that they are not responsible for certifying.

Stage Actions

Certifiers have access to a handful of stage actions at the certification list level. These are actions that will affect all or a selected subset of the targets within the certification. Certain actions will be available or unavailable depending on the status of the certification campaign (e.g. sign off will only be available if all or some of the events are reviewed or completed.) The full list of actions is as follows:

  • Certify Selected - Certify all entitlements within the selected events in the stage that have not yet been acted on. Note that this action will NOT overrule any revoke or abstain decisions made previously. This action is only available if the governance administration team has enabled bulk certification.

  • Certify Remaining - Certify all remaining entitlements within the stage that have not yet been acted on. Note that certify remaining only takes action on incomplete entitlements and will NOT overrule any revoke or abstain decisions made previously. This action is only available if the governance administration team has enabled bulk certification.

  • Reset Selected - Reset all entitlement decisions within the stage for the events selected via checkbox, clearing all results.

  • Reset All - Reset all entitlement decisions within the stage that have not been signed-off.

  • Claim Selected - Claim the events selected via checkbox. Claiming is available in role owned stages only, and is required for any single user within a role to take actions on an event. Claiming is only available to a single user within a role; once claimed, that user must complete the task.

  • Claim All - Claim all available events in the stage. Available in role owned stages only.

  • Sign-Off - Finalize all actions taken and remove them from your tasks. Sign off is available when all certifications in a stage are reviewed (single user certifier) or all claimed events have been reviewed (role certifiers). Choosing sign off will prompt the user to confirm the action, and once confirmed, the sign off will take effect.

Search Filter

Users can use the search filter above the certification target list to filter the visible list of objects included in the campaign. Any of the columns that are displayed within the table are eligible to be searched against except for the certifier column at the end of the row.

Table Headers

The table headers allow the user to sort the table contents based on the selected column. Clicking a column header will re-sort the table based on that criterion, and clicking it a second time will reverse the order of sorting. All columns contained in a certification list table are eligible to be used for sorting except for the certifier column at the end of the row.


Table Rows

Each individual row within the certification list table contains the data for a single user or object event within a certification. At the beginning of each row is a checkbox used for selecting multiple rows at a time to take bulk stage actions on. The rest of the row contains the data for that event that corresponds to the headers found at the top of the table.

To view the details of a given event, click on the row of the desired event and the details page will drop down from the top of the page. This is how the user can navigate to the screen to make their certification decisions.

Pagination Controls

Pagination controls allow the end user to cycle between different pages of results for the given campaign stage. Users also have the ability to choose a rows per page option, to display more or fewer results per page. The options available are 10, 25, and 50 per page.

Object Event Details

The event details page for a certification is a complete view of an individual certification event that targets a single user or object. This is where the certifier makes their decisions on certifying or revoking entitlements for the target of the event.


Target Display Name

The top of the event details page will show the target’s display name. For object certifications, this will be the glossary-defined display name for the object being certified.

Event Information

The event information section will contain several different pieces of information that correspond to the active event. Based on the status and definition of the certification campaign, several of the following rows may or may not be visible:

  • Stage Selector - Similar to the stage selector on the object certification list screen, when a target in a given campaign has multiple stages there will be a stage selection component available for the certifier to quickly toggle between stages. This can be useful for a certifier to look back at the decisions previously made by another certifier to help in their choices.

  • Event Actions - List of actions that are available to the certifier to take at the event level. The actions are described below:

    • Certify - Take the certify action on all available entitlements within the event. This action does not take precedence over individual revoke and abstain actions. The revoke and abstain actions still persist after selecting the certify action.

    • Revoke - Take the revoke action on all available entitlements within the event. This action is the highest precedence action, and overrules any previously made abstain or certify decision.

    • Reset - Reset the entire event’s decision back to its initial state. The only thing that persists after a reset are comments made on an individual entitlement.

    • Comment - Add a comment on the certification event.

    • Abstain - Take the abstain action on all available entitlements within the event. This action takes precedence over previous certify actions but will not overrule any previously made revoke decision.

    • Claim - If the event certifier is an authorization role, the user has the ability to claim the event if it is currently unclaimed by another user. Once claimed, the user can then act on the certification.

  • Certifier - The user or role assigned as the certifier of the event.

  • Claimed By - If the event certifier is a role and the event has been claimed by a user, that user will be displayed here.

  • Completion Date - Date of completion, if the event has been reviewed and signed-off.

  • Progress Bar: Percentage of certification decisions made on the displayed event.
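
The precedence rules for the event-level Certify, Revoke, and Abstain actions described above, modeled as an added Python example. This is not ForgeRock code: the class and function names, the entitlement names, and the row-level behavior when a different button is clicked are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Rank of each decision when it is applied as an event-level action:
# revoke overrules abstain and certify, abstain overrules certify only.
PRECEDENCE = {None: 0, "certify": 1, "abstain": 2, "revoke": 3}


@dataclass
class Entitlement:
    name: str
    decision: Optional[str] = None
    comments: List[str] = field(default_factory=list)


@dataclass
class Event:
    entitlements: Dict[str, Entitlement]

    def decide(self, name: str, action: str) -> None:
        """Row-level button: select an action, or deselect it on a second click."""
        ent = self.entitlements[name]
        ent.decision = None if ent.decision == action else action

    def apply_event_action(self, action: str) -> List[str]:
        """Event-level action: replace only undecided or lower-ranked decisions."""
        changed = []
        for ent in self.entitlements.values():
            if PRECEDENCE[action] > PRECEDENCE[ent.decision]:
                ent.decision = action
                changed.append(ent.name)
        return changed

    def reset(self) -> None:
        """Clear every decision; comments are the only thing that persists."""
        for ent in self.entitlements.values():
            ent.decision = None

    def progress(self) -> int:
        """Percentage of entitlements that have a decision."""
        decided = sum(1 for e in self.entitlements.values() if e.decision)
        return round(100 * decided / len(self.entitlements))


def build_sample_event() -> Event:
    # Constructed entitlement names, not taken from any real system.
    names = ["role-a", "role-b", "role-c", "role-d"]
    return Event({n: Entitlement(n) for n in names})


if __name__ == "__main__":
    ev = build_sample_event()
    ev.decide("role-a", "revoke")
    ev.decide("role-b", "abstain")
    print(ev.apply_event_action("certify"), ev.progress())
```

The same ordering explains why the Certify Selected and Certify Remaining stage actions leave earlier revoke and abstain decisions untouched.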


Object Information

The Object Information table will display information about the target object for the given event.


The table always includes the name and description of the object that is the target of the certification. To expand or collapse this table, click the icon at the top right of the table’s header row.

Object Attributes

The object attributes table contains all of the entitlements that are assigned to the object and are directly tracked and controlled by ForgeRock Identity Manager.


Each row within this table is organized into the following format:

  • Attribute Name and/or Value

    • An entry that has a single value assigned to it (e.g. manager) will appear in the format [Attribute Name]: [Attribute Value]

    • An entry that has multiple values will be organized into rows beneath a single collapsible header row. A header row can be identified as just the attribute name in bold, with a collapse icon to its left, and no action buttons or comment icon within its row. Its entries will appear directly below, each in their own row, with just the entitlement name in the attribute column. See the rows for “Provisioning Roles” above.

      To collapse an attribute and all its entries, simply click the collapse icon to the left of the name.

    • Any object certification that includes managed assignment entitlements will display those in the Object Attributes table using a slightly special format. Each assignment will list all of its attributes directly below the name of the assignment. This will give the certifier more insight into the actual contents of the assignment and the access it provisions. Each assignment name will have a collapse/expand icon to the left of its name if the certifier wishes to hide or show the extra information.

    • Each attribute name and value is clickable by the user to see any attached metadata that belongs to the given item. Those items that do not have a corresponding glossary entry will display a page informing the administrator that no entry exists. The certifier can use this information to better inform themselves of each entitlement that they are certifying, if need be.

  • Certification Action Buttons - these buttons allow the certifier to take action on each certifiable item within the event. Once an action has been selected, that button will be filled in with the color of the action. If no button is selected and filled, then no decision has been made for that item. The buttons included are listed below:

    • Certify

    • Revoke

    • Abstain


      To reset the action taken on the given entitlement, the certifier can click the action a second time to deselect that choice, essentially resetting their action.

  • Comment icon

    • The comment icon will either be unfilled if no current comments exist, or have mini comment lines inside of the icon to indicate there are existing comments (pictured below.) The user can click on the comment icon to display the existing comments, and also to add a new comment to that entitlement.


Metadata

This section contains the metadata that exists on the Identity Glossary object for the target object of the event. Each row within this table is organized into the following format:

  • Attribute Name and Value

    • Each metadata entry takes up a single certification row, and is displayed in the format of [Key]: [Value]. The majority of the entries will appear here exactly as defined in the glossary, with the exception of managed object entries, which are displayed as formatted values (see: entitlementOwner above.)

  • Certification Action Buttons - these buttons, disabled for administrators, will show the result of the certification action taken on each item if one has been made. If no button is selected and filled, then no decision has been made for that item. The buttons included are listed below:

    • Certify

    • Revoke

    • Abstain


      To reset the action taken on the given entitlement, the certifier can click the action a second time to deselect that choice, essentially resetting their action.

  • Comment icon

    • The comment icon will either be unfilled if no current comments exist, or have mini comment lines inside of the icon to indicate there are existing comments (pictured below.) The administrator can click on the comment icon to display the existing comments, and also to add a new comment to that entitlement.

Closing the Event Details page

To close the event details page and return to the certification list, click the ‘X’ icon in the top right of the page. Note that there is no submission or save action involved at this stage of the certification process. The actions that you make will persist on the certification event until changed, reset, or eventually signed-off. There is no need to confirm actions in any way.

Reviewing Object Certification History

  1. Log in to ForgeRock Identity Governance and navigate to the Object Certifications table in the My Review Tasks view.

  2. Click the tab marked Closed in the status selection row. The closed certifications table will be displayed with the following data.

    • Display columns

      • Campaign Name

        • Description: Name of the active campaign

        • Searchable: Yes

        • Sortable: Yes

      • Certifier

        • Description: Certifier that is assigned to the campaign, either the logged in user or the role that they belong to

        • Searchable: No

        • Sortable: No

      • Campaign Start Date

        • Description: Date the campaign was initially kicked off

        • Searchable: No

        • Sortable: Yes

      • Completed On

        • Description: Date that the certification was completed

        • Searchable: No

        • Sortable: Yes

  3. Locate or search for the campaign in the certifications table that you wish to review.

  4. Click on the campaign to navigate to the certification list for the selected campaign.

In certain scenarios, it is possible for a user to have access to certify a campaign as two different certifiers, in which case the user will have to choose which role or ID to access the campaign as. For a more detailed description of this functionality, refer to Section Reviewing and Certifying a User Certification.

Visibility of closed certifications that were completed by authorization role certifiers is determined by the user’s access at the time of viewing the certification tables. This means that a user that is granted an authorization role after a certification has been completed will still be able to see that certification within the closed tab of this view.

Closed Object Certification List

The closed object certification list functionality is the same as described in section Object Certification List for active certifications, with a few minor exceptions described below. For more detailed information on this page and the information it contains, please refer to that section of the document.

  • Stage actions are no longer available on a certification that is closed.

Closed Object Event Details

The closed event details functionality is the same as described in section Object Event Details for active certifications, with a few minor exceptions described below. For more detailed information on this page and the information it contains, please refer to that section of the document.

  • Event actions buttons will not appear at the top of the event details screen.

  • Completion date will display in the event information section.

  • Entitlement row action buttons are disabled and cannot be changed on a closed certification.

  • Comment pages for entitlements with no existing comments will not be clickable.

Copyright © 2010-2023 ForgeRock, all rights reserved.