Compliance Manager Setup

Lifecycle:

Enabling this option will send email notifications to users that have access revoked.

To apply rule-based behavior when certifications are escalated, select a rule from the drop-down. This will be default rule that the system uses when an access review is escalated.

Select the action performed on an exception when it expires: Do Nothing, or Notify Certifier.

The Active Period is the period when all decisions in the access reviews are made by the reviewers. Set the number and type of units (hours, days, weeks or months) to use as the default active period duration.

A Challenge Period is an optional period when users can challenge decisions from reviewers to remove their access privileges. If you want to enable a challenge period as your certifications' default behavior, select the option and set its default duration.

The Revocation Period is when all revocation work is completed. The revocation period places a limit on the amount of time a revoker has to act on a revocation request before that request work item is escalated.

Select this option to enable the default revocation period and its default duration.

If the revocation period is disabled, the certification will not be scanned for completed revocations, and revocation status might not be accurately reflected throughout the product.

If you enable Bulk Revocations (see the Bulk Actions section below), you can choose a default user to whom all bulk remediation requests will be sent.

Bulk revocation requests are made during the certification process. You can select an item from the Select Bulk Action dropdown list on the Certification Report worksheet view or click Revoke All on the Certifications Decision tab.
If this field is left blank, the remediator is specified as part of the request process.

Behavior:

Input the number of selected items which require additional confirmation for bulk revocations.

Select to display a pop-up window when an access review is complete and ready for sign off.

Select to require that, by default, all certifications require an electronic signature.

For more information on configuring electronic signatures, see Electronic Signatures.

Require that, by default, all subordinate access reviews be completed before the parent access review can be completed.

Automatically sign off the certification when assignee has nothing to certify.

Suppress notification of certification when assignee has nothing to certify.

Require that, by default, all reassigned access review items be completed before the parent access review can be completed.

Specify that, by default, the content of reassigned access reviews be returned to the parent access review upon sign off.
Use this option to ensure that the original content of an access review request is preserved for tracking and reporting purposes.

Specify that an access review be automatically signed off on when all items in that access review are reassigned.

This item is not available if the Required Reassignment Completion or the Return Reassignments to Original Access Review options are selected.

Require that all certifiers enter comments for each item they approve in an access review request.

Require the certifier to include comments when a certification decision is made.

Require the certifier to include comments when a certification item is revoked.

Select to require that all access review approvers review the decision made on any user, role, entitlement, or policy violation that they delegated to another approver before they can complete the access review containing that delegation.

Select to require that all items in a delegation work item have a decision associated with them before the work item can be marked as complete. This setting is only configurable at the system setup level. Individuals cannot change the value of this setting for a single certification.

Select to disallow the forwarding of a work item that a different user delegated.

Choose which users may self-certify – that is, be the certifier for their own access, either by forwarding or reassigning an access review: All certifiers, Certification and System Administrators, System Administrators only

For users that are not allowed to self-certify, this is the identity or workgroup that will receive any items that would require a self-certification – that is, when the reviewer and the user whose access is under review are the same person. If a Self Certification Violation Owner is not specified, any items that require self-certification will be read-only to the reviewer.

The limit reassignment feature allows you to limit the number of times the users within the certification campaign can reassign a certificate item.

Set the number of reassignments allowed.

Certification is not forwarded or reassigned when the reassignment limit is reached.

Classifications can be shown in Manager, Application Owner, Advanced, Role Membership, and Targeted certifications. This setting also determines whether classification information is shown in Separation of Duties (SOD) policy violations, in the dialog for correcting violations by revoking access.

Decisions:

Enable the certifier to provision missing role requirements from within an access review.

Enables certifiers to delegate individual access review items, such as a single role or entitlement, rather than the entire identity to be reviewed.

This option also enables the delegation of policy violations, either from inside an access certification or from the Manage > Policy Violations page.

Allows the certifier to revoke an account, when its associated entitlements are also revoked. Note that disabling this option does not prevent the reviewer from revoking accounts directly – it only enables or disables the "revoke account" option when entitlements are being certified..

Enable certifiers to delegate entire identities from a certification request.

Enables certifiers to allow exceptions on access review items such as roles or entitlements, that are not policy violations. Allowing an exception means the user should not have access indefinitely, but can retain access for a specified period of time.

Enables automatic deprovisioning of access when the allowed exception period has expired. This setting applies only to items such as roles or entitlements, that are not policy violations.

Enables certifiers to view the Allow Exception pop-up and manually set expiration dates.

Set the time period during which exceptions should be allowed. Input the number of units and unit type (hours, days, weeks or months) to use as the exception duration.

Set the default operation shown on the revocation dialog for remediation-modifiable attributes.

Note: This option is only visible if you have purchased and activated the SailPoint AI Services product.

Enable recommendations from AI Services to display in access reviews.

Bulk Actions:

Certification Contents:

The default granularity at which additional entitlements are listed in the access review. For example, if you select Attribute / Permission, each permission associated with each attribute is listed, and must be acted upon, separately.

Exclude entitlements on tier application accounts from the access review.
This only applies to logical applications. Tier applications are those application that make up a logical application.