Define a Certification Event

To schedule a certification from a certifying event, you make decisions on the Basic, Lifecycle, Notifications, and Advanced tabs. The left panel provides a summary and descriptions of the tabs. To move through the scheduling process, select a tab in the Summary panel or click Next at the bottom of the page. You do not have to move through the tabs in order.

When a Certification Event is set up, all certifications for that event are listed in the same certification group on the Setup > Certifications page.

Note: Event certifications are generated as Identity certifications and are displayed as such. To separate Event certifications from other Identity certifications, use the Custom Name and Custom Short Name options on the Advanced panel.

To schedule a non-event certification, see the Certification Schedules Tab.

These are fields on the Event Certification panels:

Field Name

Description

Basic

These options specify what and when to certify and who is responsible for performing the access reviews.

Name

Assign a descriptive name for the event certification.

This name is used to identify the event certification. This name is not displayed in the certification requests that are created when an event is triggered.

Description

Add a brief description of the certification event.

Event Type

Specify an event-type or rule to associate with the certification.

Create – launch a certification when a new identity is discovered.

Manager Transfer – launch a certification when an identity's manager changes.

Attribute Change – launch a certification when a change is detected for the specified attribute.

Rule – use a rule to determine when certifications are launched.

Native Change – launch a certification when a change is detected on a native application.

Alert – launch a certification when an alert is triggered within your enterprise.

Previous Manager Filter

For Manager Transfer event certification types only:
Certifications are launched if identities are transferred from the specified manager.

If no manager is specified, all managers are included.

New Manager Filter

For Manager Transfer event certification types only:
Certifications are launched if identities are transferred to the specified manager.

If no manager is specified, all managers are included.

Attribute

For Attribute Change event certification types only:
Select the identity attribute to associate with the event certification.

The attribute dropdown list contains all of the standard and extended identity attributes configured in your deployment of IdentityIQ.

Previous Value Filter

For Attribute Change event certification types only:
Certifications are launched if the attribute value specified has changed.

If no value is specified, all values are included.

New Value Filter

For Attribute Change event certification types only:
Certifications are launched if the attribute value specified was newly assigned.

If no value is specified, all values are included.

Rule

For Rule event certification types only:
Select the event certification rule used to launch certifications.

Rules are created as part of the configuration process of IdentityIQ.

Disabled

Select to specify that a lifecycle event should not be processed.

Included Identities

Specifies which identities to include when detecting this lifecycle event. Select one of the following filter types to narrow your selection:

Match List – a list of attributes and permissions on selected applications.

Filter – a custom database query for role creation.

Script – a custom script for role creation.

Rule – select an existing rule from the drop-down list.

Note: Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

Population – select an existing population of identities to include.

Threshold Type

To use an Identity Processing Threshold to stop lifecycle events before they are fully processed, in case of accidentally-triggered workflows, choose from Fixed or Percentage.

For more information, see Using Identity Processing Thresholds for Error Prevention.

Threshold

Enter a value to use in conjunction with the Threshold Type, for Identity Processing Thresholds.
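The matching rules above (a filter that is left empty includes every manager or value, a Disabled event never fires, and an Identity Processing Threshold that halts a run that would touch too many identities) as an added worked example; this is illustrative code, not IdentityIQ's own, and the class, field names and the "exceeds threshold means halt" reading are assumptions.

```python
"""Lifecycle-event trigger matching for Manager Transfer and Attribute Change
events, plus a Fixed/Percentage Identity Processing Threshold. Added example;
all names are assumptions, not IdentityIQ APIs."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertificationEvent:
    name: str
    event_type: str                        # "Manager Transfer" | "Attribute Change"
    attribute: Optional[str] = None        # Attribute Change only
    previous_filter: Optional[str] = None  # None = all previous managers/values
    new_filter: Optional[str] = None       # None = all new managers/values
    disabled: bool = False
    threshold_type: Optional[str] = None   # "Fixed" | "Percentage" | None
    threshold: float = 0


def _passes(filter_value: Optional[str], actual) -> bool:
    """An unspecified filter includes every value."""
    return filter_value is None or filter_value == actual


def matches(event: CertificationEvent, before: dict, after: dict) -> bool:
    """Does one identity's change (before/after attribute snapshots) fire the event?"""
    if event.disabled:
        return False
    if event.event_type == "Manager Transfer":
        attr = "manager"
    elif event.event_type == "Attribute Change":
        attr = event.attribute
    else:
        raise ValueError(f"unsupported event type {event.event_type!r}")
    old, new = before.get(attr), after.get(attr)
    if old == new:  # no change detected: nothing to launch
        return False
    return _passes(event.previous_filter, old) and _passes(event.new_filter, new)


def plan_certifications(event: CertificationEvent, changes, population_size: int):
    """Return (identities to certify, halted). changes: (name, before, after) tuples.

    Assumption: exceeding the threshold stops processing of the whole batch,
    which is the error-prevention behaviour the Threshold fields describe."""
    hits = [name for name, before, after in changes if matches(event, before, after)]
    if event.threshold_type == "Fixed":
        halted = len(hits) > event.threshold
    elif event.threshold_type == "Percentage":
        halted = population_size > 0 and 100.0 * len(hits) / population_size > event.threshold
    else:
        halted = False
    return ([] if halted else hits), halted
```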

Certification Name

Specify the name of the certification associated with the certification event.

Certification Owner

Specify the owner of the certification.

Certifiers

Specify the full name of the person or people to be assigned the certification.

To display a list of all valid certifiers in the system, type the first few letters of the name and then select a name from the displayed list.

Assign to Manager(s) – assign to the manager(s) of the identities for whom the certifications are created. You must also enter a default certifier in case some of the identities do not have a manager assigned.

Select Certifier(s) Manually – manually specify certifiers to whom these event certifications will be assigned.

Included Applications

Specify the applications with the roles and entitlements that should be discovered when generating this certification.
If no applications are specified, then all of the applications are included.

Included Access

Include entitlements or accounts in the certification that are assigned to an identity but are not contained within a defined role.

Include Policy Violations

Include policy violations for each identity in the certification report. If this field is deactivated no policy violations are included.

Include Roles

Include roles assigned to the identity in the certification.

Tags

Specify one or more tags for the certifications.
Tags can be used to classify certifications for searching and reporting.

Lifecycle

These options define the lifecycle of the certification.

Active Period Enter Rule

Select a rule to run when the certification enters its active period.

Active Period Duration

Specify the length of the review period during which all decisions required within this certification should be made. During this phase changes can be made to decisions as frequently as needed. You can sign off on a certification in the active stage if no roles or entitlements were revoked or if the challenge period is not active. When you sign off on a certification, it enters the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.

Enable Challenge Period

Specify the period when all revocation requests can be challenged by the user whose role or entitlement is being removed. When the challenge phase begins, a work item and email are sent to each user in the certification that the revocation decision affects. The work items contain the details of the revocation request and any comments the requestor adds. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. You can sign off on a certification in the challenge phase if all challenges are completed and there is no open decision on the certification. When you sign off on a certification, it enters the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.

Enable Revocation Period

If the revocation period is disabled, the certification is not scanned for completed revocations and revocation status might not be accurately reflected throughout the product.

Specify the period when all revocation work should be completed. Revocations can be done automatically or manually. Your provisioning provider must be configured for automatic revocation. Manual revocations use a work request assigned to an IdentityIQ user with the proper authority on the specified application. The revocation phase begins when a certification is signed off or when the active and challenge phases have ended.

Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this task is performed daily. Click Details to view detailed revocation information. Revocation requests that are not acted upon during the revocation phase can be escalated as needed.

End Period Enter Rule

Select a rule to run when the certification begins its end period.

Process Revokes Immediately

Select this option to specify that revocation requests are processed as soon as a revocation decision is saved. If this field is not selected, revocation requests are not sent until the certification is signed off.

If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.
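The phase transitions described under Active Period Duration, Enable Challenge Period, Enable Revocation Period and Process Revokes Immediately, written as a small state machine so the sign-off and dispatch rules can be checked. This is an added example, not IdentityIQ code; the phase names, the dataclass fields and the counters are assumptions.

```python
"""Certification lifecycle: when sign-off is permitted, which phase follows it,
and when revocation requests are actually sent. Added example; names assumed."""
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    ACTIVE = "active"
    CHALLENGE = "challenge"
    REVOCATION = "revocation"
    END = "end"


@dataclass
class LifecycleConfig:
    challenge_period: bool = False            # Enable Challenge Period
    revocation_period: bool = True            # Enable Revocation Period
    process_revokes_immediately: bool = False # Process Revokes Immediately


@dataclass
class Certification:
    config: LifecycleConfig
    phase: Phase = Phase.ACTIVE
    revocation_decisions: int = 0   # saved "revoke" decisions
    open_decisions: int = 0         # items still undecided
    open_challenges: int = 0        # challenges not yet accepted or expired
    dispatched_revocations: int = 0 # revocation requests actually sent


def can_sign_off(cert: Certification) -> bool:
    """Active: allowed if nothing was revoked or no challenge period.
    Challenge: allowed only once all challenges and decisions are closed."""
    if cert.phase is Phase.ACTIVE:
        return cert.revocation_decisions == 0 or not cert.config.challenge_period
    if cert.phase is Phase.CHALLENGE:
        return cert.open_challenges == 0 and cert.open_decisions == 0
    return False


def save_revocation(cert: Certification) -> None:
    """Record a revoke decision. It is sent right away only when Process Revokes
    Immediately is on and no challenge period can still overturn it."""
    cert.revocation_decisions += 1
    if cert.config.process_revokes_immediately and not cert.config.challenge_period:
        cert.dispatched_revocations += 1


def sign_off(cert: Certification) -> Phase:
    """Sign-off enters the revocation phase only if that period is enabled and a
    revocation decision exists; otherwise the certification goes to the end phase."""
    if not can_sign_off(cert):
        raise RuntimeError(f"sign-off not permitted in {cert.phase.value} phase")
    if cert.config.revocation_period and cert.revocation_decisions > 0:
        cert.phase = Phase.REVOCATION
        cert.dispatched_revocations = cert.revocation_decisions  # withheld requests go now
    else:
        cert.phase = Phase.END
    return cert.phase
```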

Enable Automatic closing

Select this option to automatically close the review after the specified parameters are met. This option closes unfinished reviews.

Notifications

These options specify when reminders and escalations occur for certifications and revocations.

Suppress Initial Notifications

Prevent the sending of an initial notification.

Initial Notifications Email Template

Set the default email template for initial certification notifications.

Notify Before Certification Expires

Send email reminders before certification expires.
Send the first reminder: The number of days before the certification expiration date that the first reminder is sent.
Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.
Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Before Certification Expires

Send an escalation notice and change the owner of the certification to the escalation recipient.

Escalation Trigger: The number of days after which a certification is assigned, or the number of email reminders that are sent to the certification owner, before the first escalation notice is sent.

Escalation Rule: The escalation rule to apply when escalating a certification request.

Send Revocation Reminder

Send email reminders before the revocation period expires.
Send the first reminder: The number of days before the revocation expiration date that the first reminder is sent.

Reminder Frequency: The frequency with which email reminders are sent until the request is completed or expires.

Reminder Email Template: The IdentityIQ notification template used for the reminders.

Escalate Revocation

Send an escalation notice and change the owner of the revocation request to the escalation recipient.

Escalation Trigger: The number of days after which a revocation request is assigned, or the number of email reminders that are sent to the revocation request owner, before the first escalation notice is sent.

Escalation Rule: The escalation rule to apply when escalating a revocation request.

Notify Users Of Revocations

Set the default email template for initial certification notifications.

Bulk Reassignment Modification Notices

Set the default email template for bulk reassignment notifications.

Behavior

These advanced options specify items that can change the presentation and behavior of the certification.

Require Electronic Signature

Enable this option to require an electronic signature as part of the Sign-off procedure. Select the electronic signature meaning from the Electronic Signature Meaning dropdown list.

An electronic signature performs the same authorization checking as the IdentityIQ login page.

Require Subordinate Completion

Enable this option to require that all subordinate access reviews be completed before the parent report can be completed.

Automatically Sign Off When Nothing to Certify

Enable this option to automatically sign off an access certification, with the assignee's credentials, if the access review contains no items, even if there are subordinate access reviews present.

Access reviews containing no items and having no subordinate access reviews are always automatically signed off on using the certification initiator's credentials.

Suppress Notification When Nothing to Certify

Do not send notification email when the assignee has nothing to certify.

Require Reassignment Completion

Enable this option to require that all reassignment access reviews be completed before the parent report can be completed.

Return Reassignments to Original Access Review

Enable this option to cause the contents of reassignment access reviews to revert to the original access review when the reassigned access review is signed.

Automatically Sign Off When All Items Are Reassigned

Enable this option for an access review to be automatically signed off when all items in the access review are reassigned.

The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.

Require Delegation Review

Enable this option to require the original access review owner to review all delegated access reviews.

Require Comments For Approval

Enable this option to require the certifier to include comments when an access review item is approved.

Require Comments When Allowing Exceptions

Enable this option to require the certifier to include comments when an exception is allowed.

Require Comments for Revocation

Require the certifier to include comments when a certification item is revoked.

Disable Delegation Forwarding

Select to disallow the forwarding of a work item that was delegated by a different user.

Limit Reassignments

Limit the number of times an item can be reassigned within a certification campaign.

Show Classifications

Show classification information. When enabled, classifications provide additional information about roles, managed attributes and policy violations.

Enable Line Item Delegation

Enable this option to allow certifiers to delegate individual items from an access review.

Enable Identity Delegation

Enable this option to allow certifiers to delegate entire identities in an access review.

Enable Account Revocation

Enable this option to allow the certifier to revoke an account, when its associated entitlements are also revoked. Note that disabling this option does not prevent the reviewer from revoking accounts directly – it only enables or disables the "revoke account" option when entitlements are being certified.

Enable Allow Exceptions (applies only to non-policy violation items)

Enables certifiers to allow exceptions on access review items, such as roles or entitlements, that are not policy violations. Allowing an exception means the user should not have access indefinitely, but can retain access for a specified period of time.

Deprovision Items When Exception Expires (applies only to non-policy violation items)

Enables automatic deprovisioning of access when the allowed exception period has expired. This setting applies only to items, such as roles or entitlements, that are not policy violations. This option is available only when the Enable Allow Exceptions option is also enabled.

Enable Allow Exception Popup

Enable this option to allow certifiers to view the Allow Exception popup and manually set expiration dates and allow comments. This applies to both violation and non-violation items.

Default Duration for Exceptions

Set a default time period in which exceptions are allowed during the access review.

Enable Bulk Approval

Enable this option to allow users to bulk approve access review items.

Enable Bulk Revocation

Enable this option to allow users to bulk revoke access review items.

Enable Bulk Allow Exceptions

Enable this option to allow users to allow exceptions in bulk.

Enable Bulk Reassignment

Enable this option to allow users to bulk reassign access review items.

Enable Bulk Account Revocation

Enable this option to allow users to revoke all entitlements for a specific account in bulk.

This option is not available for Entitlement Owner certifications.

Enable Bulk Clear Decisions

Enable certifiers to cancel all decisions currently made on the access review.

Advanced

These advanced options specify items that can change the contents and behavior of the certification.

Custom Name

Specify the custom name template used to name certifications. The name can contain parameterized content that is merged into the name when the certification is generated.

Custom Short Name

Specify the custom short name template used to give certifications short names. The name can contain parameterized content that is merged into the short name when the certification is generated.

Exclusion Rule

Select the rule to run to exclude specific entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you generally do not need to include it in certifications.

Save Exclusions

Select this option to save any entitlements that are discovered, but excluded from the certification enabling them to be used in reports.

Exclude Inactive Identities

Select this option to exclude inactive identities from new certifications and remove identities that become inactive from existing certifications.

Exclude Logical Tier Entitlements

Select this option to exclude entitlements on tier application accounts from the certification.
This option applies to composite applications.

Filter Logical Application Entitlements

Select this option to allow logical entitlements defined on the logical application's managed entitlement list to be included in the certification. Any logical application entitlements are filtered from the tier application entitlements.

Include IdentityIQ Capabilities

Select this option to include IdentityIQ capabilities of the identity for certification.

Update Entitlement Assignments

Select this option to update assignments after entitlement decisions are made.

Pre-delegation Rule

Automated pre-delegation and pre-reassignment rules are not meant to be run in conjunction with the Fallback Forwarding User rule.

Specify the rule to use to determine if portions of the certifications that this schedule generates need to be pre-delegated to specific certifiers.

Sign Off Approver Rule

Specify the rule that is used to determine if additional review is needed on the sign-off decision.
After the certifier's initial sign-off, this rule is run to determine if another approver needs to review the decisions. If additional review is needed, the certification request is sent to that user's inbox and they receive an email notification. This process is repeated until no more reviewers are discovered by the rule.

Allow Self Certification For

Choose which users may self-certify (that is, be the certifier for their own access), either by forwarding or reassigning an access review: All certifiers, Certification and System Administrators, System Administrators only.

Self Certification Violation Owner

For users that are not allowed to self-certify, this is the identity or workgroup that will receive any items that would require a self-certification – that is, when the reviewer and the user whose access is under review are the same person.