Making Access Decisions
These are the decisions reviewers can make directly on an access review item:

When you approve access, you are indicating that it's OK for this user to have this access. That means no action will be taken, and the user's access will remain the same as it is now.

When the reviewer revokes access, IdentityIQ will remove the access, in whatever way the system is configured to do it. Note that this revocation doesn't necessarily happen immediately. The timing is another option that is configurable by the person who set up the certification. It can be set up so that revocation happens as soon as you make the decision, or so that nothing is revoked until the entire certification campaign is complete and signed off. If you're unsure about when a revocation will take effect, you can check with the owner of the certification, which, remember, is something you can see on the main review page.

Revoking an account is similar to revoking an individual entitlement or role, but it lets you revoke both the account and all the entitlements associated with the account, at once. This is one of the options that is configurable, so whether you have this option or not will depend on how the certification was set up.

There is a specific type of revoke option for Separation of Duties policy violations. This type of violation occurs when a user has two or more accesses that conflict with each other, in violation of a defined company policy. For example, your company may have a policy that says that one person can't both approve vendors and make payments to them. For separation of duties policy violations, revoking access involves choosing which of the two conflicting accesses the user will keep, and which will be revoked.

This is another configurable option that you may or may not have. The "allow" option means that you don't want the user to have this access indefinitely, but you do want to allow the access for some particular period of time, after which you'll revisit the access and potentially revoke it. A typical use case for this is when someone is on a temporary assignment and needs time-limited access to some system, or perhaps is transitioning between job responsibilities and will be losing access to a system or account at some known date in the future. When you allow access, you're prompted to choose an ending date for the access. Allowing an exception is always an option on policy violation items in an access review, but only appears for other access review items if the certification is configured to include this option.
For separation-of-duties policy violations, allowing an exception marks the item as allowed for a specified duration, so any policy checking during that time will not reflag the violation.
One of the options that your administrator or certification owner can configure is sending email notifications when an exception period expires – so keep in mind that it is up to the certification owner whether or not you will be alerted when an exception period expires.
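The following is an added illustration, not IdentityIQ code or its API: a small Python model of a separation-of-duties check that suppresses violations covered by an unexpired allowed exception and flags them again once the ending date passes, plus the "keep one, revoke the other" decision. The entitlement names, user names, dates, and the choice to treat the ending date as inclusive are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed SoD rule based on the example above: one person may not both
# approve vendors and make payments to them. Entitlement names are assumed.
SOD_RULES = [("approve_vendors", "make_payments")]

@dataclass(frozen=True)
class AllowedException:
    user: str
    rule: tuple
    expires: date  # ending date chosen by the reviewer (treated as inclusive)

def find_violations(access, exceptions, today):
    """Return (flagged, suppressed) lists of (user, rule) pairs.

    access maps each user to the set of entitlements they hold.
    A violation is suppressed only while an exception for it is unexpired.
    """
    active = {(e.user, e.rule) for e in exceptions if today <= e.expires}
    flagged, suppressed = [], []
    for user in sorted(access):
        for rule in SOD_RULES:
            if not set(rule) <= access[user]:
                continue  # user does not hold both conflicting accesses
            bucket = suppressed if (user, rule) in active else flagged
            bucket.append((user, rule))
    return flagged, suppressed

def revoke_one(access, user, rule, keep):
    """SoD revoke decision: keep one conflicting access, remove the other."""
    if keep not in rule:
        raise ValueError("keep must be one of the conflicting accesses")
    revoked = {e for e in rule if e != keep}
    return {**access, user: access[user] - revoked}

# Constructed sample data.
ACCESS = {
    "alice": {"approve_vendors", "make_payments"},
    "bob": {"approve_vendors", "make_payments", "view_reports"},
    "carol": {"make_payments"},
}
EXCEPTIONS = [AllowedException("bob", SOD_RULES[0], date(2024, 6, 30))]

if __name__ == "__main__":
    for day in (date(2024, 6, 1), date(2024, 7, 1)):
        flagged, suppressed = find_violations(ACCESS, EXCEPTIONS, day)
        print(day, "flagged:", flagged, "suppressed:", suppressed)
```

Running the check on a date after the exception's ending date shows why an expiry notification matters: the violation reappears in the flagged list whether or not anyone was alerted.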

If you have implemented AI Services, you can enable automatic approvals of access based on recommendations. With this feature enabled, any access review item that has a recommendation of "thumbs up" is automatically moved from the reviewer's Open tab to the Review tab, with an Approved decision. Reviewers retain the option of changing the automated decision, as needed, before signing off on the review. Automated approvals help your reviewers process access reviews more quickly and efficiently by taking easy decisions out of the way so that they can focus on exceptional items.