User certifications
User certifications table
- Display Columns
  - Campaign Name
    - Description: Name of the active campaign
    - Searchable: Yes
    - Sortable: Yes
  - Certifier
    - Description: Certifier that is assigned to the campaign, either the logged in user or the role that they belong to
    - Searchable: No
    - Sortable: No
  - Campaign Start Date
    - Description: Date the campaign was initially kicked off
    - Searchable: No
    - Sortable: Yes
  - Deadline
    - Description: Deadline of the tasks assigned to the user in the given campaign
    - Searchable: No
    - Sortable: Yes
Reviewing and certifying a user certification
- Log in to ForgeRock Identity Governance and navigate to the User Certifications table.
- Locate or search for the campaign in the certifications table that you wish to review and/or certify.
- Click on the campaign to navigate to the certification list for the selected campaign.

Note: In certain scenarios, a user can have access to certify a campaign as two different certifier types. For example, if a user is part of two different authorization roles that are both assigned as certifiers for one or more events in a campaign, they can view that campaign as either of those roles. Because each role that a user belongs to can give the certifier visibility into different portions of a certification, a user can view each campaign as only a single acting certifier at a time.
When this occurs, the user sees the term “Multiple Options” displayed underneath the certifier column. When the user clicks on a campaign with multiple certifier options, a page is displayed informing them of the situation and instructing them to choose the certifier to act as. Once a certifier is chosen, the user is redirected to the certification list.
User certification list
The certification list screen is the landing page for the certifier for a single campaign. The page is broken up into several sections, all of which are described in detail below.
Campaign information
The campaign information box will display some basic information about the campaign being viewed, most notably the Campaign Status. For an active certification, the campaign status field is marked in-progress. For a closed certification, it shows the result of the certification, either signed-off, cancelled, or expired.
Stage information
The stage information box will show a breakdown of the stages within the certification campaign that have tasks that are assigned to you.
Each stage row will show the following information:
- Stage Name - The name given to the certification stage
- Deadline - The date that the stage’s tasks are due
- Progress - The breakdown of the statuses of the stage events that are assigned to you.
  - In-Progress - event is active and not complete
  - Reviewed - event is active, completed, but not signed-off
  - Signed-off - event has been completed and signed-off.
  - Pending - event will be assigned to you when a previous stage is completed.
Stage selector
Shows a chronological visual of the certification stages. By selecting a stage node, the page will be updated to reflect data for the selected stage.
When a different stage is selected, the user will be able to see information about the previous stage results or future stage events that match with the current list of events available to the certifier in the current stage. The user will not be able to see events in a previous or future stage that target users that they are not responsible for certifying.
Stage actions
Certifiers have access to a handful of stage actions at the certification list level. These are actions that affect all or a selected subset of the targets within the certification. Certain actions are available or unavailable depending on the status of the certification campaign. For example, sign off is only available if all or some of the events are reviewed or completed.
The full list of actions is:
Item | Description |
---|---|
Certify Selected | Certify all entitlements within the selected events in the stage that have not yet been acted on. This action does NOT overrule any revoke or abstain decisions made previously. This action is only available if the governance administration team has enabled bulk certification. |
Certify Remaining | Certify all remaining entitlements within the stage that have not yet been acted on. Certify remaining only takes action on incomplete entitlements and does NOT overrule any revoke or abstain decisions made previously. This action is only available if the governance administration team has enabled bulk certification. |
Reset Selected | Reset all entitlement decisions within the stage for the events selected via checkbox, clearing all results. |
Reset All | Reset all entitlement decisions within the stage that have not been signed-off. |
Claim Selected | Claim the events selected via checkbox. Claiming is available in role-owned stages only, and is required for any single user within a role to take actions on an event. Claiming is only available to a single user within a role. Once claimed, the user must complete the task. |
Claim All | Claim all available events in the stage. Available in role-owned stages only. |
Sign-off | Finalize all actions taken and remove them from your tasks. Sign off is available as an option when all certifications in a stage are reviewed (single user certifier) or all claimed events have been reviewed (role certifiers). Choosing sign off prompts the user to confirm the action. Once confirmed, the sign-off takes effect. |
Reassign selected | Reassign the items you have selected to another user or role. This action is only available if the governance administration team has enabled Allow Certification Event Reassignment in the system settings. |
Reassign all tasks | Reassign all the items assigned to you on the access review to another user or role. This action is only available if the governance administration team has enabled Allow Certification Event Reassignment in the system settings. |
Search filter
Users can use the search filter above the certification target list to filter the visible list of users included in the campaign. Any of the columns that are displayed within the table are eligible to be searched against except for the certifier column at the end of the row.
You can search on multiple columns at once for advanced filtering.
Table headers
The table headers allow the user to sort the table contents based on the selected column.
Clicking a column header re-sorts the table based on that column, and clicking it a second time reverses the sort order. All columns contained in a certification list table are eligible to be used for sorting except for the certifier column at the end of the row.
Table rows
Each individual row within the certification list table contains the data for a single user or object event within a certification. At the beginning of each row is a checkbox used for selecting multiple rows at a time to take bulk stage actions on. The rest of the row contains the data for that user event that corresponds to the headers found at the top of the table.
To view the details of a given event, click on the row of the desired event and the details page will drop down from the top of the page. This is how the user navigates to the screen where they make their certification decisions.
Pagination controls
Pagination controls allow the end user to cycle between different pages of results for the given campaign stage. Users can also choose a rows per page option to display more or fewer results per page. The options available are 10, 25, and 50 per page. See section Table Pagination Controls for images and further explanation on pagination.
User event details
The event details page for a certification is a complete view of an individual certification event that targets a single user or object. This is where the certifier makes their decisions on certifying or revoking entitlements for the target of the event.
Target display name
The top of the event details page will have the target’s display name displayed. For user certifications, this will be the name formatted to fit the Display Format defined by the administrator in the system settings.
Event information
This section shows the event information that corresponds to the active event. Based on the status and definition of the certification campaign, several of the following rows may or may not be visible:
- Stage Selector - Similar to the stage selector on the user certification list screen, when a target in a given campaign has multiple stages there will be a stage selection component available for the certifier to quickly toggle between stages. This can be useful for a certifier to look back at the decisions previously made by another certifier to help in their choices.
- Event Actions - List of actions that are available to the certifier to take at the event level. The actions are described below:
  - Certify - Take the certify action on all of the available entitlements within the event. This action will NOT take precedence over individual revoke or abstain actions; those will still persist after selecting this.
  - Revoke - Take the revoke action on all of the available entitlements within the event. This action is the highest precedence action, and WILL overrule any previously made abstain or certify decisions.
  - Reset - Reset the entire event’s decision back to its initial state. The only thing that will persist after a reset are comments made on individual entitlements.
  - Comment - Add a comment on the certification event.
  - Abstain - Take the abstain action on all of the available entitlements within the event. This action WILL take precedence over previous certify actions but will NOT overrule any previously made revoke decisions.
  - Claim - If the event certifier is an authorization role, the user will have the ability to claim the event if it is currently unclaimed by another user. Once claimed, the user can then act on the certification.
- Certifier - The user or role assigned as the certifier of the event
- Claimed By - If the event certifier is a role and the event has been claimed by a user, that user will be displayed here.
- Completion Date - Date of completion, if the event has been reviewed and signed-off.
- Progress Bar - Percentage of certification decisions made on the displayed event.
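The precedence rules for the event-level actions listed above, modeled as an added example (this is not ForgeRock's code; the `Entitlement` class, the function names and the sample entitlement names are constructed for illustration). It assumes an abstain counts as a decision for the progress figure.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Precedence as the page describes it: revoke > abstain > certify > undecided.
RANK = {None: 0, "certify": 1, "abstain": 2, "revoke": 3}


@dataclass
class Entitlement:  # hypothetical model of one certifiable item
    name: str
    decision: Optional[str] = None
    comments: List[str] = field(default_factory=list)


def apply_event_action(entitlements, action):
    """Apply an event-level action to every entitlement in the event."""
    if action == "reset":
        for e in entitlements:
            e.decision = None  # comments are left in place on purpose
        return entitlements
    if action not in ("certify", "abstain", "revoke"):
        raise ValueError(f"unknown action: {action!r}")
    for e in entitlements:
        # A bulk action replaces only decisions of lower precedence, so a
        # later Certify can never erase an earlier Revoke or Abstain.
        if RANK[action] > RANK[e.decision]:
            e.decision = action
    return entitlements


def progress(entitlements):
    """Percentage of entitlements in the event that have a decision."""
    if not entitlements:
        return 0
    decided = sum(1 for e in entitlements if e.decision is not None)
    return 100 * decided // len(entitlements)


def sample_event():
    """Constructed sample data, not taken from a real campaign."""
    return [
        Entitlement("Provisioning Roles: payroll-admin", "revoke"),
        Entitlement("Provisioning Roles: hr-viewer", "abstain"),
        Entitlement("Provisioning Roles: vpn-user", "certify", ["remote staff"]),
        Entitlement("manager"),
    ]


if __name__ == "__main__":
    event = sample_event()
    for action in ("certify", "abstain", "revoke", "reset"):
        apply_event_action(event, action)
        print(action, [e.decision for e in event], f"{progress(event)}%")
```

For an access reviewer, the property to take from this is that an event-level Certify only fills in undecided entitlements, so individual revoke decisions survive a bulk approval.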
User information
The User Information table will display information about the target user for the given event. It will always include at least the user first name, last name, and email address, and will also include any user attributes that are listed in the glossary with a key of displayInUserInfo set to true. This list of additional attributes is the same list that appears as columns within the user certification list table for a campaign. For example, in the screenshot pictured above, the attribute manager has been added as displayable within certifications. Note that these are not calculated at the time the certification is viewed, but rather at creation, so the glossary key for those attributes must be set before a certification is created to appear here. To expand or collapse this table, click the icon at the top right of the table’s header row.
User attributes
The user attributes table contains all the entitlements that are assigned to the user and are directly tracked and controlled by ForgeRock Identity Manager. Each row within this table is organized into the following format:
- Attribute Name and/or Value
  - An entry that has a single value assigned to it (e.g. manager) will appear in the format [Attribute Name]: [Attribute Value]
  - An entry that has multiple values will be organized into rows beneath a single collapsible header row. A header row can be identified as just the attribute name in bold, with a collapse icon to its left, and no action buttons or comment icon within its row. Its entries will appear directly below, each in their own row, with just the entitlement name in the attribute column. See the rows for “Provisioning Roles” above.
    To collapse an attribute and all its entries, simply click the collapse icon to the left of the name.
  - Each attribute name and value is clickable by the user to see any attached metadata that belongs to the given item. Those items that do not have a corresponding glossary entry will display a page informing the administrator that no entry exists. The certifier can use this information to better inform themselves of each entitlement that they are certifying, if need be.
- Certification Action Buttons - these buttons allow the certifier to take action on each certifiable item within the event. Once an action has been selected, that button will be filled in with the color of the action. If no button is selected and filled, then no decision has been made for that item. The buttons included are listed below:
  - Certify
  - Revoke
  - Abstain

  To reset the action taken on the given entitlement, the certifier can click the action a second time to deselect that choice, essentially resetting their action.
- Comment icon
  - The comment icon will either be unfilled if no current comments exist, or have mini comment lines inside of the icon to indicate there are existing comments. The user can click on the comment icon to display the existing comments, and also to add a new comment to that entitlement.
Applications
Contains attributes within connected systems to be certified for the target user. These are not the attributes that are tracked directly by the ForgeRock Identity Manager user object, but rather the direct values as pulled in through the external systems. Each row within this table is organized into the following format:
- Attribute Name and/or Value
  - Each attribute name and value is clickable by the administrator to see any attached metadata that belongs to the given item. Those items that do not have a corresponding glossary entry will display a page informing the administrator that no entry exists.
- Certification Action Buttons - these buttons, disabled for administrators, will show the result of the certification action taken on each item if one has been made. If no button is selected and filled, then no decision has been made for that item. The buttons included are listed below:
  - Certify
  - Revoke
  - Abstain

  To reset the action taken on the given entitlement, the certifier can click the action a second time to deselect that choice, essentially resetting their action.
- Comment icon
  - The comment icon will either be unfilled if no current comments exist, or have mini comment lines inside of the icon to indicate there are existing comments (pictured below). The administrator can click on the comment icon to display the existing comments, and also to add a new comment to that entitlement.
Closing event details
To close the event details page and return to the certification list simply click the ‘X’ icon in the top right of the page. Note that there is no submission or save action involved at this stage of the certification process. The actions that you make will persist on the certification event until changed, reset, or eventually signed-off. There is no need to confirm actions in any way.
Reviewing user certification history
- Log in to ForgeRock Identity Governance and navigate to the User Certifications table in the My Review Tasks view.
- Click the tab marked Closed in the status selection row. The closed certifications table will be displayed with the following data.
  - Display columns
    - Campaign Name
      - Description: Name of the active campaign
      - Searchable: Yes
      - Sortable: Yes
    - Certifier
      - Description: Certifier that is assigned to the campaign, either the logged in user or the role that they belong to
      - Searchable: No
      - Sortable: No
    - Campaign Start Date
      - Description: Date the campaign was initially kicked off
      - Searchable: No
      - Sortable: Yes
    - Completed On
      - Description: Date that the certification was completed
      - Searchable: No
      - Sortable: Yes
- Locate or search for the campaign in the certifications table that you wish to review.
- Click on the campaign to navigate to the certification list for the selected campaign.

In certain scenarios, it is possible for a user to have access to certify a campaign as two different certifiers, in which case the user will have to choose which role or ID to access the campaign as. For a more detailed description of this functionality, refer to Section Reviewing and Certifying a User Certification.

Visibility of closed certifications that were completed by authorization role certifiers is determined by the user’s access at the time of viewing the certification tables. This means that a user that is granted an authorization role after a certification has been completed will still be able to see that certification within the closed tab of this view.
Closed user certification list
The closed user certification list functionality is the same as described in section Creating New Certification Definitions for active certifications, with a few minor exceptions described below. For more detailed information on this page and the information it contains, please refer to that section of the document.
- Stage actions are no longer available on a certification that is closed.
Closed user event details
The closed event details functionality is the same as described in section User Event Details for active certifications, with a few minor exceptions described below. For more detailed information on this page and the information it contains, please refer to that section of the document.
- Event action buttons will not appear at the top of the event details screen.
- Completion date will display in the event information section.
- Entitlement row action buttons are disabled and cannot be changed on a closed certification.
- Comment pages for entitlements with no existing comments will not be clickable.