Rules in Certifications
Certifications can use rules to customize certification behavior. Rules enable you to insert your own logic to modify the behavior of the certification; for example, you could write a rule to exclude your executive management team from certifications, or to add an additional level of sign-off approval to an access review. Rules are written using BeanShell, a lightweight Java-based scripting language. IdentityIQ provides a standard set of example rules, in an examplerules.xml file, that you can import and use as starting points for developing your own rules.
When you set up a certification, there are numerous places where you can choose rules to modify the certification's behavior. Every rule has a type that categorizes it, and in certifications, the rule type determines where and how in the certification the rule can be used, and what kind of effect or purpose it has. Rules that are applicable to certifications are listed here, in the order in which they would be run in a certification.
For an overview of developing and using rules in IdentityIQ, see Rules and Scripts in IdentityIQ.
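As an added illustration of the "exclude your executive management team" case mentioned above (example code written for this page, not one of the example rules shipped in examplerules.xml), the following BeanShell body belongs inside the `<Source>` of a `<Rule type="CertificationExclusion">` object. The attribute name `executiveTeam` is an assumption chosen for the example; substitute whatever marker your identity model actually carries.

```java
import sailpoint.object.Identity;

// Inputs IdentityIQ supplies to a CertificationExclusion rule:
//   entity         - the AbstractCertifiableEntity being certified
//                    (an Identity in identity-based certifications)
//   items          - List of Certifiable items about to be placed in the access review
//   itemsToExclude - List to which excluded items are moved
// Return value: a String explaining the exclusion, or null when nothing is excluded.

// Assumption for this example: executives are flagged by a boolean identity attribute
// named "executiveTeam" (hypothetical name).
String EXEC_ATTR = "executiveTeam";

if (entity instanceof Identity) {
    Identity certified = (Identity) entity;
    Object flag = certified.getAttribute(EXEC_ATTR);
    if (flag != null && "true".equalsIgnoreCase(flag.toString())) {
        // Move every item for this identity out of the review. With no remaining
        // certifiable items the identity is dropped from this certification.
        itemsToExclude.addAll(items);
        items.clear();
        return "Excluded: executive team is reviewed in a dedicated certification";
    }
}

// Everyone else keeps all of their items; no explanation is recorded.
return null;
```

An exclusion removes the access from review entirely, so anything this rule drops must be covered by another certification (here, a dedicated executive campaign); the returned explanation is what lets an auditor see why the items never appeared in the access review.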
User Interface Field Name | Rule Type | How/When Triggered | Effect/Purpose
--- | --- | --- | ---
Exclusion Rule | CertificationExclusion | Run as a part of the certification generation process | Excludes entitlements from the certification based on the rule's logic
Pre-delegation Rule | CertificationPreDelegation | Run as a part of the certification generation process | Automatically delegates access reviews based on the rule's logic
Who Do You Want to Certify Rule (Targeted Certifications Only) | CertificationScheduleEntitySelector | Run as a part of the certification generation process | Selects the identities to certify in a Targeted certification
Group Factory: Certifier | Certifier | Run as a part of the Advanced certification generation process for Group Factory certifications | Assigns the certifier for each group's access review
Active Period Enter Rule | CertificationPhaseChange | Run at the start of the Active period, the period during which certifiers examine their access reviews and make access decisions | Open-ended; depends on rule logic
Certification Escalation Rule | WorkItemEscalationRule | Run at the time specified by the Escalation Trigger in the certification definition, if the certifier has not yet finished and signed off the access review | Transfers ownership of the access review to a different identity (often the certifier's manager or the certification owner)
Challenge Period Enter Rule | CertificationPhaseChange | Run at the start of the Challenge period (if enabled), which immediately follows the end of the Active period. If Process Revokes Immediately is selected, the Challenge period begins for each entitlement at the moment it is revoked, and this rule runs once for each revocation | Open-ended; depends on rule logic
Closing Rule | CertificationAutomaticClosing | Run according to the timeframe specified in the Automatic Closing configuration in the certification definition (after the end of the Active phase, or the Challenge phase if enabled) | Open-ended; depends on rule logic
Sign-off Approver Rule | CertificationSignOffApprover | Triggered by certifier sign-off on an access review | Transfers ownership of the access review to a next-level approver who must approve the decisions made by the certifier; this rule enables two-level (or multi-level) sign-off on an access review. Exception: when a challenge period is included, the sign-off approver can only override approval decisions; revocation decisions made by the original certifier and seen by the access holder in a challenge work item (whether or not they challenge the decision) cannot be changed in the sign-off approver's certification view
Revocation Period Enter Rule | CertificationPhaseChange | Run at the start of the Revocation period, which immediately follows the Active period (or the Challenge period if enabled) | Open-ended; depends on rule logic
Revocation Escalation Rule | WorkItemEscalationRule | Run at the time specified by the Revocation Escalation Trigger in the certification definition, if the assigned revoker has not yet completed the revocation work item | Transfers ownership of the revocation to a different identity (often the revoker's manager or the application owner)
End Period Enter Rule | CertificationPhaseChange | Run at the beginning of the End period, which starts after all other periods configured for the certification are complete | Open-ended; depends on rule logic
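The Sign-off Approver Rule row above says the rule transfers the access review to a next-level approver; as an added example (written for this page, not an IdentityIQ example rule), the following BeanShell body for a `<Rule type="CertificationSignOffApprover">` routes each signed-off access review to the certifier's manager. It assumes the rule inputs `certifier` (the Identity who signed off) and `certification`, and returns a Map keyed by `identity`, which is how this rule type names the approver; returning null ends the sign-off with no further approval.

```java
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.Identity;

// Inputs IdentityIQ supplies to a CertificationSignOffApprover rule:
//   certifier     - the Identity who just signed off the access review
//   certification - the Certification object
// Return value: a Map with key "identity" (an Identity) or "identityName" (a String)
// naming the next-level approver, or null to finish sign-off with no further approval.

Identity approver = certifier.getManager();

// Stop the chain when there is no usable approver: no manager, an inactive manager,
// or a manager record that points back at the certifier (a self-approval loop).
if (approver == null
        || approver.isInactive()
        || approver.getName().equals(certifier.getName())) {
    return null;
}

Map result = new HashMap();
result.put("identity", approver);
return result;
```

Because this rule fires on every sign-off, the manager's own sign-off runs it again with the manager as `certifier`, so as written it climbs the management chain until someone has no manager; add a stopping condition (for example, only forward when the certifier is one of the certification's original certifiers) if you want exactly two levels. Remember the exception in the table: when a challenge period is configured, the approver can override approvals but not revocations that the access holder has already seen in a challenge work item.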