Scheduling a Non-Targeted Certification

A non-targeted certification refers to any of the types of certification you can schedule in IdentityIQ other than the Targeted certification: Manager, Application Owner, Entitlement Owner, Advanced, Account Group Membership, Account Group Permissions, Role Membership, Role Composition, and Identity. For more details, see Types of Certification.

The sections below describe all fields included in any non-targeted certification. Fields or options that are available for a specific type of certification are listed in a separate column.

Basic Fields

The Basic page includes general information about the certification including the name, owner, and various controls about when and how often to run it. This page also includes a number of fields that are specific to a limited set of certification types.

The When to Certify section of this page determines the scheduling and frequency of each certification. Certifications can be run once or on an hourly, weekly, monthly, quarterly or annual basis. They can be kicked off immediately or scheduled to start at a later date or time. Each subsequent certification run, if any, will repeat at the same time of day as the first run, after the specified time interval has passed. (Certifications scheduled to run hourly will run once an hour at the same minute of each hour.)

Note: Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later.

Note: Certifications that run across time zones run at the time scheduled, relative to the time zone in which they are scheduled. For example, a certification scheduled to run at 1:00 PDT will run at 4:00 EDT.
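To make the scheduling rules above concrete, here is an added Python model (not IdentityIQ code) that applies the one-minute start rule, rolls each frequency forward at the same time of day, and shows the same run instant in two zones. The fixed PDT and EDT offsets and the sample dates are constructed for the example.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Fixed offsets stand in for the zones named in the note (constructed for this example;
# real code would use zoneinfo names such as America/Los_Angeles).
PDT = timezone(timedelta(hours=-7), "PDT")
EDT = timezone(timedelta(hours=-4), "EDT")

MONTH_STEPS = {"monthly": 1, "quarterly": 3, "annually": 12}


def validate_start(start, now):
    """The start time must be at least one minute after now, compared at minute
    precision: with now at 11:41, a start of 11:42 or later is accepted."""
    def minute(d):
        return d.replace(second=0, microsecond=0)
    if minute(start) < minute(now) + timedelta(minutes=1):
        raise ValueError(f"start {start:%H:%M} must be at least one minute after {now:%H:%M}")
    return start


def add_months(moment, months):
    """Same wall-clock time N months later; the day is clamped to the target month's length."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def run_times(start, frequency, count):
    """First `count` run times. Repeats keep the first run's time of day (hourly: its
    minute) and its tzinfo, so the schedule stays relative to the zone it was set in."""
    if frequency == "once":
        return [start]
    runs = []
    for n in range(count):
        if frequency == "hourly":
            runs.append(start + timedelta(hours=n))
        elif frequency == "weekly":
            runs.append(start + timedelta(weeks=n))
        elif frequency in MONTH_STEPS:
            runs.append(add_months(start, MONTH_STEPS[frequency] * n))
        else:
            raise ValueError(f"unsupported frequency: {frequency}")
    return runs


def as_seen_in(run, zone):
    """The same instant expressed in another zone: 1:00 PDT is 4:00 EDT."""
    return run.astimezone(zone)


if __name__ == "__main__":
    start = validate_start(datetime(2024, 7, 31, 1, 0, tzinfo=PDT),
                           now=datetime(2024, 7, 30, 11, 41, 30, tzinfo=PDT))
    for run in run_times(start, "quarterly", 4):
        print(f"{run:%Y-%m-%d %H:%M %Z} -> {as_seen_in(run, EDT):%Y-%m-%d %H:%M %Z}")
```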

Field Name

Certification Type

Description

Certification Name

All

Specify a name and date parameter that identifies the certification.

Certification Owner

All

Specify an owner of the certification.

Recipient

Manager

The full name of a specific manager being assigned a certification.

To display a list of all of the manager names in the system, type the first few letters of the name. You can select a name from the displayed list.

All Managers

Manager

Schedule a certification for all managers configured in the IdentityIQ application.

Application(s)

Application Owner

Entitlement Owner

Account Group

Select the applications to certify. Use the Ctrl or Shift keys to select multiple applications or select All Applications.

All Applications

Application Owner

Entitlement Owner

Account Group

Include all applications in the certification.

Populations to Certify

Advanced

Population – All available populations in IdentityIQ. Includes all public populations and populations you created.

Certifier(s) – The identities who are requested to complete the certification request. Certifiers can be individual identities or workgroups.

To display a list of matching identity and workgroup names in the system, type the first few letters of the name. You can select a name from the displayed list.

A separate certification request is sent for each population specified, even if the certifier of each is the same.

Group Factories to Certify

Advanced

Group Factory – All available groups created by group factories, including all identity attributes designated as group factories.

Certifier Rule – Select the rule used to designate certifiers for the groups selected.

Certifiers

Identity

Select the person or people to review the certification. Options include assigning managers or manually selecting certifiers.

Identities

Identity

Lists each identity included in the certification. To remove identities, select an identity and click Remove Selected Users. To add identities, type a name in the field and click Add User.

Included Applications

Manager

Identity

The applications included when generating this certification.

If no applications are specified, all of the applications are included.

Select Role(s)

Role Membership

Role Composition

To specify roles to certify, select a role from the list. To specify a role type to certify, click the Certify by Role Type radio button and select the role type from the list.

When you include business roles, all assigned business roles are displayed in the certification.

Certify All Roles

Role Membership

Role Composition

Schedule a certification on all roles defined in your enterprise.

Include Role Hierarchy

Role Composition

Create certification items for each role that is included in the roles selected for certification.

Included Access

Manager

Application Owner

Identity

Select Entitlements to include entitlement access in the certification. You can also choose to include Additional Entitlements, Roles, and Accounts With No Entitlements in the certification.

You must select Accounts to include accounts in the certification.

The Include Roles option is enabled by default and all assigned business roles are displayed in the certification.

Include Policy Violations

All

Include policy violations for each identity in the certification report.

Include Unowned Data

Entitlement Owner

Select this option to include managed entitlements and permissions that have no owner in the access review.

Unowned Entitlement Reviewer

Entitlement Owner

Select this option to assign ownership of unowned entitlements to the application owner or an identity you select from the drop-down list.

Lifecycle Fields

The Lifecycle page determines which phases of the complete certification process will be included for the specific certification's access reviews and which rules will be run at the start of each phase. Parameters on this page impact details of the different certification phases. See Phases of a Certification.

Examples of these parameters include:

  • Rules run at the beginning of the access reviews' various phases

  • Duration of the Active period

  • Inclusion of a Challenge period

  • Inclusion of a Revocation period

  • Timing of revocation request submission

  • Closing of incomplete certifications after expiration

Field Name

Description

Enable Staging Period

Select this option to generate a test certification that is used to verify functionality and configuration of the parameters before the certification is generated. The test certification displays in the Certifications tab with the status set to Staged. Click the certification to view its contents and either activate or cancel it.

You might experience a short delay between scheduling the test certification and seeing it on the Certifications tab with all of the data displayed.

Automatic approvals are not dismissed in the access reviews if you turn off the automatic approval feature and then activate a staged certification. To remove automatic approvals from access reviews generated by a staged certification, you must delete and redefine the certification.

Active Period Enter Rule

Select a rule from the dropdown list to apply when the certification enters its active period.

Active Period Duration

Specify the review period when all decisions required within this certification must be made. During this phase changes can be made to decisions as often as needed. You can sign off on a certification in the active period only if no roles or entitlements were revoked or if the challenge period is not active. When you sign off on a certification, the certification enters the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.

Enable Challenge Period

Specify the period when all revocation requests can be challenged by the user from which the role or entitlement is being removed. When the challenge phase begins, a work item and email are sent to each user in the certification that the revocation decision affects. The work items include the details of the revocation request and any comments the requestor added. The affected user has the duration of the challenge period to accept the loss of access or challenge that decision. You can sign off on a certification in the challenge phase if all challenges were completed and no open decisions remain on the certification. When you sign off on a certification, it enters the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.

This option is not available for Role Composition and Role Membership certifications.

Challenge Period Enter Rule

Select a rule from the dropdown list to apply when the certification enters its challenge period.

Challenge Period Duration

Specify the period of time when items remain in the challenge period.

Challenge Email Templates

Choose the email templates used for a variety of challenge period notifications.

Enable Revocation Period

Specify the period when all revocation work must be completed. When the revocation phase is entered, revocation is done automatically if your provisioning provider is configured for automatic revocation or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. The revocation phase is entered when a certification is signed off or when the active and challenge phases have ended.

Note: If the revocation period is disabled, the certification is not scanned for completed revocations and revocation status might not be accurately reflected throughout the product.

Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Click Details to view detailed revocation information. Revocation requests that are not acted upon during the revocation phase can be escalated as required.

Revocation Period Enter Rule

Select a rule from the dropdown list to apply when the certification enters its revocation period.

Revocation Period Duration

The period of time when items remain in the revocation period.

End Period Enter Rule

Select the rule to run when the certification enters the end period.

Process Revokes Immediately

Specifies that revocation requests must be processed as soon as a revocation decision is saved. If this field is not activated, revocation requests are not sent until the certification is signed off.

If the challenge period is active, the revocation request is not sent until the revocation is accepted or the challenge period expires.

Enable Automatic Closing

Specifies that decisions not made by the certifier during the active phase are made automatically. Use the following options to configure the details of this process.

Time After Certification Expiration – select the amount of time following this access review's expiration date that IdentityIQ must wait before attempting to automatically close it.

Closing Rule – select the rule that IdentityIQ runs at the beginning of the automatic closing process.

Action Taken On Undecided Items – the action that IdentityIQ assigns to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.

Comments – input the comments that IdentityIQ adds to any undecided items when automatically closing this access review.
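As an added illustration (not code from IdentityIQ), the following Python model walks a certification through the phases described above: the sign-off rules for the active and challenge periods, the condition for entering the revocation phase, how Process Revokes Immediately interacts with a challenge period, and automatic closing. The item names, the day-based expiry arithmetic and the string phase names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    APPROVE = "Approve"
    REVOKE = "Revoke"
    ALLOW_EXCEPTION = "Allow Exception"

@dataclass
class Item:
    decision: "Decision | None" = None
    challenge_open: bool = False    # affected user has not yet accepted the loss of access
    revocation_sent: bool = False   # provisioning request or manual work item has been issued

@dataclass
class Certification:
    items: dict                              # constructed keys, e.g. "alice: HR-App/payroll-admin"
    challenge_enabled: bool = False          # Enable Challenge Period
    revocation_enabled: bool = True          # Enable Revocation Period
    process_revokes_immediately: bool = False
    phase: str = "active"                    # active -> challenge -> revocation -> end

    def revoked(self):
        return [i for i in self.items.values() if i.decision is Decision.REVOKE]
    def undecided(self):
        return [i for i in self.items.values() if i.decision is None]

    def decide(self, name, decision):
        item = self.items[name]
        item.decision = decision
        # Process Revokes Immediately sends now, unless a challenge period holds the request
        if decision is Decision.REVOKE and self.process_revokes_immediately and not self.challenge_enabled:
            item.revocation_sent = True

    def can_sign_off(self):
        if self.undecided():
            return False
        if self.phase == "active":
            # allowed in the active period only if nothing was revoked or no challenge period exists
            return not self.revoked() or not self.challenge_enabled
        if self.phase == "challenge":
            return not any(i.challenge_open for i in self.items.values())
        return False

    def enter_challenge(self):
        self.phase = "challenge"
        for i in self.revoked():
            i.challenge_open = True     # work item and email go to the affected user

    def accept_loss(self, name):
        # the user accepts the loss of access; challenge-period expiry has the same effect
        item = self.items[name]
        item.challenge_open = False
        if self.process_revokes_immediately:
            item.revocation_sent = True

    def sign_off(self):
        if not self.can_sign_off():
            raise RuntimeError("open decisions or challenges remain")
        if self.revocation_enabled and self.revoked():   # revocation phase entry condition
            self.phase = "revocation"
            for i in self.revoked():
                i.revocation_sent = True
        else:
            self.phase = "end"
        return self.phase

    def auto_close(self, days_since_expiration, wait_days, action):
        """Enable Automatic Closing: after the wait, every undecided item gets the configured action."""
        if days_since_expiration < wait_days:
            return 0
        leftovers = self.undecided()
        for i in leftovers:
            i.decision = action
        return len(leftovers)
```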

Notifications Field Descriptions

The Notifications page controls whether and when certifiers and revokers are sent email notices and reminders to complete the required tasks. By default, email notification is sent to certifier(s) when the access reviews are ready to review. Options selected on this page determine whether and how frequently additional email reminders are sent; they can also trigger escalations when certifications are nearing their expiration and have not been completed. Similarly, revocation reminder emails and automatic escalations can be configured for revocation requests created from the access reviews.

Note: Some of these options are not available on Identity, Application Owner, and Advanced certifications.

Field Name

Description

Suppress Initial Notifications

Select this option to prevent the sending of initial certification notification emails.

Initial Notification Email Template

Choose the email template used for initial certification notifications.

Notify Before Certification Expires

Send email reminders before certification expires.

Send Revocation Reminders

Send email reminders before the revocation period expires. Includes when the first reminder is sent, how often reminders are sent, and which template to use for the reminders.

Escalate Revocations

Send an escalation notice and change the owner of the revocation request to the escalation recipient. Includes settings for:

  • Number of reminders to send to the revocation request owner before the first escalation occurs

  • Escalation rule to apply when escalating an uncompleted revocation request

  • Email template to use for the escalation notice

Notify Users Of Revocations

Send an email notification to identities whose access was revoked.

This option is not available for Account Group Permissions or Role Composition certifications.

Bulk Reassignment Modification Notices

Choose the email template to use to send bulk reassignment notices.

Behavior Fields

The Behavior page is used to configure how certifiers view and interact with the access reviews. It determines the default display characteristics of the access reviews. It also enables or disables options such as reassignment and delegation of identities or individual line-items, provisioning of missing role requirements, permitting of policy violation exceptions, and application of bulk actions to multiple certification records at a time.

Field Name

Description

Prompt for Signoff

Enable this option to display a pop-up reminder to indicate when an access review is complete and ready for sign-off.

Require Electronic Signature

Enable this option to require an electronic signature as part of the Sign-off procedure. Select the electronic signature meaning from the Electronic Signature Meaning dropdown list.

An electronic signature performs the same authorization checking as the IdentityIQ login page.

Require Subordinate Completion

Enable this option to require that all subordinate access reviews be completed before the parent report can be completed.

Automatically Sign Off When Nothing to Certify

Enable this option to automatically sign off an access certification, with the assignee's credentials, if the access review contains no items, even if there are subordinate access reviews present.

Access reviews containing no items and having no subordinate access reviews are always automatically signed off using the certification initiator's credentials.

Suppress Notification When Nothing to Certify

Do not send notification email when the assignee has nothing to certify.

Require Reassignment Completion

Enable this option to require that all reassignment access reviews be completed before the parent report can be completed.

Return Reassignments to Original Access Review

Enable this option to cause the contents of reassignment access reviews to revert to the original access review when the reassigned access review is signed.

Automatically Sign Off When All Items Are Reassigned

Enable this option for an access review to be automatically signed off when all items in the access review are reassigned.

The Require Reassignment Completion and Return Reassignments to Original Access Review options must not be enabled for this option to be available.

Require Delegation Review

Enable this option to require the original access review owner to review all delegated access reviews.

Require Comments For Approval

Enable this option to require the certifier to include comments when an access review item is approved.

Require Comments When Allowing Exceptions

Enable this option to require the certifier to include comments when an exception is allowed.

Require Comments for Revocation

Require the certifier to include comments when a certification item is revoked.

Disable Delegation Forwarding

Select to disallow the forwarding of a work item that was delegated by a different user.

Limit Reassignments

Enable this option to allow users to limit the number of times a certification item can be reassigned.

Show Classifications

Show classification information in identity-based access reviews. When enabled, classifications provide additional information about roles, managed attributes and policy violations.

Note that this option is available only in identity-based certifications.

Enable Line Item Delegation

Enable this option to allow certifiers to delegate individual items from an access review.

Enable Identity Delegation

Enable this option to allow certifiers to delegate entire identities in an access review.

Enable Account Revocation

Enable this option to allow users to bulk revoke all entitlements for a specific account.

Enable Allow Exceptions (applies only to non-policy violation items)

Enables certifiers to allow exceptions on access review items, such as roles or entitlements, that are not policy violations. Allowing an exception means the user should not have the access indefinitely, but can retain it for a specified period of time.

Deprovision Items When Exception Expires (applies only to non-policy violation items)

Enables automatic deprovisioning of access when the allowed exception period has expired. This setting applies only to items, such as roles or entitlements, that are not policy violations. This option is available only when the Enable Allow Exceptions option is also enabled.

Enable Allow Exception Popup

Enable this option to allow certifiers to view the Allow Exception popup and manually set expiration dates and allow comments. This applies to both violation and non-violation items.

Default Duration for Exceptions

Set a default time period in which exceptions are allowed during the access review.

Show Recommendations

This option is only visible if you have purchased and activated the SailPoint AI Services product.

Note: This feature is only available on Manager, Application Owner, Advanced, and Role Membership certifications.

Enable recommendations from AI Services to display in access reviews.

Automatically Approve Recommended Items

This option is only visible if you have purchased and activated the SailPoint AI Services product.

Note: This feature is only available on Manager, Application Owner, Advanced, and Role Membership certifications.

Automatically mark access review items as approved and move them from the Open to the Review tab of the access review.

Enable Bulk Approval

Enable this option to allow users to bulk approve access review items.

Enable Bulk Revocation

Enable this option to allow users to bulk revoke access review items.

Enable Bulk Allow Exceptions

Enable this option to allow users to allow exceptions in bulk.

Enable Bulk Reassignment

Enable this option to allow users to bulk reassign access review items.

Enable Bulk Account Revocation

Enable this option to allow users to revoke all entitlements for a specific account in bulk.

This option is not available for Entitlement Owner certifications.

Enable Bulk Clear Decisions

Enable certifiers to cancel all decisions currently made on the access review.

Advanced Fields

The Advanced page allows for additional customizations of the certification. This includes selection of an Exclusion Rule for excluding identities or entitlements from the certification. Depending on the certification type, the options may also include other parameters for excluding identities or entitlements, and inclusion of IdentityIQ capabilities and scopes, among other options. For most certification types, this is also where the certifier can be assigned.

Field Name

Certification Type

Description

Custom Name

All

The custom name used to name certifications. You can combine free text and parameterized text by selecting parameters from the dropdown list on the right.

Custom Short Name

All

You can combine free text and parameterized text by selecting parameters from the dropdown list on the right.

Certifiers

Role Membership

Role Composition

Assign to Manager (Role Membership Only) – assign the certification request to the role member's manager. If the role members do not share a common manager, a separate certification request will be created for each manager with at least one direct report in the role under certification. If a manager is not found for an identity, the certification is assigned to the role owner for that identity.

Assign to Role Owner – assign the certification to the owner of the role under certification. If multiple roles have been selected, separate certifications will be created if the given roles do not share a common owner. If no role owner is discovered, a warning is attached to the task results with a list of the items that could not be assigned for certification.

Select Certifier Manually – enter the full name of a specific certifier or certifiers being assigned this certification. Certifiers can be individual identities or workgroups.
A name entered here overrides the default certifier for the type of certification requested.
Typing the first few letters of the name displays a list of all of the authorized certifier names in the system containing that letter combination. You can select from the displayed list.

Certifiers

Application Owner

Account Group Membership

Account Group Permissions

The full name of a specific certifier or certifiers being assigned to this certification. A name entered here overrides the account group owner as certifier for this certification request. Certifiers can be individual identities or workgroups.

Generate Certifications

Manager

Identity

Select whether to generate a certification request for the specified managers, or for the specified managers and all of their subordinate managers.

If you select For the specified manager(s) only, the Flatten Hierarchy option is displayed. Select the Flatten Hierarchy option to include everyone below the manager in the reporting hierarchy on the certification request.

Exclusion Rule

All

Select the rule that should be run to exclude certain entitlements from the certification. For example, if you have an entitlement that is assigned to every user in your enterprise, you probably do not need to include it in certifications.

Save Exclusions

All

Activate to save any entitlements that are discovered but excluded from the certification, so that they can be used in reports.

Exclude Inactive Identities

All except Role Composition, Account Group Permissions, and Entitlement Owner

Exclude inactive identities from new certifications and remove identities that become inactive from existing certifications.

Include Roles Required By Other Roles

Role Membership

Include roles that are required by other roles in the certification. Note that revoking a required role in an access review will not remove it.

Filter Logical Application Entitlements

All except Entitlement Owner

Only logical entitlements defined on the logical application's managed entitlement list will be included in the certification. Additionally, any logical application entitlements will be filtered from the tier application entitlements.

Include IdentityIQ Capabilities

All except Entitlement Owner

Include IdentityIQ capabilities of the identity for certification.

Update Entitlement Assignments

All except Entitlement Owner

Enable to have decisions made on entitlement values in the access review apply to the entitlement assignment model. When enabled, approvals create assignments and revocations remove assignments.

Pre-delegation Rule

All

Specify the rule to use to determine if portions of the certifications generated by this schedule should be pre-delegated or reassigned to specific certifiers.

Sign Off Approver Rule

All except Role Composition

The rule used to determine if additional review is needed on the Sign Off decision.
After the initial Sign Off by the certifier, this rule is run to determine if the decisions need to be reviewed by another approver. If they do, the certification request is sent to that user's inbox and they receive an email notification. This process is repeated until no more reviewers are discovered by the rule. You must also select the email template used for Sign Off approvers.

Allow Self Certification For

All except Role Composition and Account Group Permissions

Choose which users may self-certify (that is, be the certifier for their own access), either by forwarding or reassigning an access review: All certifiers; Certification and System Administrators; or System Administrators only.

Self Certification Violation Owner

All except Role Composition and Account Group Permissions

For users that are not allowed to self-certify, this is the identity or workgroup that will receive any items that would require a self-certification – that is, when the reviewer and the user whose access is under review are the same person.

If a Self Certification Violation Owner is not specified, any items that require self-certification will be read-only to the reviewer.
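As an added Python example (not IdentityIQ code), the following models Assign to Manager with its role-owner fallback together with the two self-certification settings above: an item whose certifier is also the reviewed identity is routed to the Self Certification Violation Owner, or becomes read-only to the reviewer when no owner is set. The directory, the capability names and the workgroup name are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SelfCertPolicy(Enum):
    ALL_CERTIFIERS = "All certifiers"
    CERT_AND_SYSTEM_ADMINS = "Certification and System Administrators"
    SYSTEM_ADMINS_ONLY = "System Administrators only"


# Capability names are assumed for this example (constructed, not taken from the page).
SYSTEM_ADMIN = "SystemAdministrator"
CERT_ADMIN = "CertificationAdministrator"


@dataclass(frozen=True)
class Identity:
    name: str
    manager: Optional[str] = None
    capabilities: frozenset = frozenset()


def may_self_certify(identity, policy):
    """'Allow Self Certification For': who may be the certifier of their own access."""
    if policy is SelfCertPolicy.ALL_CERTIFIERS:
        return True
    if policy is SelfCertPolicy.CERT_AND_SYSTEM_ADMINS:
        return bool(identity.capabilities & {SYSTEM_ADMIN, CERT_ADMIN})
    return SYSTEM_ADMIN in identity.capabilities


def assign_to_manager(role_owner, members):
    """'Assign to Manager': one request per manager; a member without a manager is
    assigned to the role owner instead. Returns certifier -> reviewed identities."""
    requests = {}
    for member in members:
        requests.setdefault(member.manager or role_owner, []).append(member.name)
    return requests


def route_self_certification(requests, directory, policy, violation_owner):
    """Apply the policy to each request. Items where certifier and reviewed identity
    coincide go to the Self Certification Violation Owner, or become read-only
    when no owner is configured."""
    routed, read_only = {}, []
    for certifier, subjects in requests.items():
        for subject in subjects:
            if subject == certifier and not may_self_certify(directory[certifier], policy):
                if violation_owner:
                    routed.setdefault(violation_owner, []).append(subject)
                else:
                    read_only.append(subject)
            else:
                routed.setdefault(certifier, []).append(subject)
    return routed, read_only


# Constructed sample directory: carol owns the role, is a member of it, and has no manager.
DIRECTORY = {
    "carol": Identity("carol"),
    "dave": Identity("dave", manager="carol"),
    "erin": Identity("erin", manager="frank"),
    "frank": Identity("frank", manager="carol"),
}
ROLE_OWNER = "carol"
ROLE_MEMBERS = [DIRECTORY["carol"], DIRECTORY["dave"], DIRECTORY["erin"]]


def example_routing(policy=SelfCertPolicy.SYSTEM_ADMINS_ONLY, violation_owner="access-audit-wg"):
    requests = assign_to_manager(ROLE_OWNER, ROLE_MEMBERS)
    return route_self_certification(requests, DIRECTORY, policy, violation_owner)


if __name__ == "__main__":
    routed, read_only = example_routing()
    for certifier, subjects in routed.items():
        print(f"{certifier}: reviews {subjects}")
    print("read-only to the reviewer:", read_only)
```

With the default arguments carol's own membership lands with the access-audit-wg workgroup while dave's stays with carol; pass violation_owner=None to see the same item become read-only instead.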

Enable Partitioning

Manager

Enable the use of multiple threads to schedule the certification.