Self-Certification
Self-certification means a user is allowed to act as the certifier for their own access. It is generally considered a security risk because it lets a user approve and retain their own access whether or not that access is appropriate to their job, which defeats the independent review a certification is meant to provide. By default, IdentityIQ does not allow self-certification, other than for System Administrators. However, some organizations have business reasons for allowing self-certification, so there are configuration options to permit it. These can be set at the global level, or at the individual certification level.
Globally, self-certification options are set in the gear menu > Compliance Manager page's Behavior section. Global settings set the default configuration values for individual certifications, but these defaults can be changed when you configure individual certifications.
At the individual certification level, self-certification options are set on the Advanced page of the Certification configuration options for most types of certification; for Targeted certifications this option is set in the Choose Certifier section, under Advanced Options.
When allowing self-certification, you can choose who is allowed to self-certify: All certifiers, System and Certification Administrators, or System Administrators only. Which users count as System Administrators or Certification Administrators is determined by the IdentityIQ capabilities the user holds. Capabilities can be assigned directly to users, and also to workgroups, so a user inherits the capabilities of every workgroup they belong to; when reviewing who can self-certify, check workgroup membership as well as direct assignments. The System Administrator capability defines who is considered a System Administrator. For Certification Administrators, any IdentityIQ capability that includes the CertifyAllCertifications SPRight (such as the standard Certification Administrator capability) makes the user or workgroup a Certification Administrator for the purpose of being allowed to self-certify, so a custom capability that includes that SPRight grants the same permission.
You cannot configure IdentityIQ to exclude all users from self-certification, because excluding even your System Administrators from self-certifying can lead to certifications that are impossible to complete, for example when a System Administrator is the only available reviewer for an item covering their own access.
When you allow users to self-certify, you can also choose an identity or workgroup to be the Self Certification Violation Owner. For users who are not allowed to self-certify, this is the identity or workgroup that receives any items that would otherwise require a self-certification, that is, items where the reviewer and the user whose access is under review are the same person. If no Self Certification Violation Owner is chosen, any items that would require self-certification are shown as read-only to the reviewer in the access review, so the reviewer cannot decide them; choose an owner if you want those items routed to someone who can complete them.
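The capability-based test described above (direct and workgroup capabilities, the System Administrator capability, any capability carrying the CertifyAllCertifications SPRight) and the routing of self-certification items to the Self Certification Violation Owner or to a read-only view, modeled in Python as an added example. This is not IdentityIQ's own code and does not call its API; only the capability, SPRight and setting names come from the page, while the data classes, function names, sample identities, the "Compliance Team" workgroup and the "AuditCertifier" and "ReadOnly" capabilities are constructed for the example.

```python
"""Illustrative model of IdentityIQ's self-certification decision (added example,
not IdentityIQ's own code).

Names taken from the page: the SystemAdministrator capability, the
CertifyAllCertifications SPRight, the standard CertificationAdministrator
capability, and the three allowed-level settings. Everything else here (the
data classes, function names, sample identities, workgroups and custom
capabilities) is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class SelfCertLevel(Enum):
    """The three "who may self-certify" settings described on the page."""
    ALL = "All certifiers"
    SYSTEM_AND_CERT_ADMINS = "System and Certification Administrators"
    SYSTEM_ADMINS_ONLY = "System Administrators only"


# Out of the box, only System Administrators may self-certify.
DEFAULT_LEVEL = SelfCertLevel.SYSTEM_ADMINS_ONLY

SYSTEM_ADMIN_CAPABILITY = "SystemAdministrator"
CERTIFY_ALL_RIGHT = "CertifyAllCertifications"


@dataclass
class Capability:
    name: str
    rights: set[str] = field(default_factory=set)


@dataclass
class Workgroup:
    name: str
    capabilities: set[str] = field(default_factory=set)


@dataclass
class Identity:
    name: str
    capabilities: set[str] = field(default_factory=set)  # assigned directly
    workgroups: set[str] = field(default_factory=set)


# Constructed sample data. "AuditCertifier" is a hypothetical custom capability
# that happens to include CertifyAllCertifications; "ReadOnly" is a hypothetical
# capability with a made-up right, so it grants no certification authority.
CAPABILITIES = {
    "SystemAdministrator": Capability("SystemAdministrator"),
    "CertificationAdministrator": Capability("CertificationAdministrator", {CERTIFY_ALL_RIGHT}),
    "AuditCertifier": Capability("AuditCertifier", {CERTIFY_ALL_RIGHT, "ViewAuditReports"}),
    "ReadOnly": Capability("ReadOnly", {"ViewAuditReports"}),
}
WORKGROUPS = {
    "Compliance Team": Workgroup("Compliance Team", {"AuditCertifier"}),
}
IDENTITIES = {
    "alice": Identity("alice", capabilities={"SystemAdministrator"}),
    "bob": Identity("bob", workgroups={"Compliance Team"}),  # admin only via workgroup
    "carol": Identity("carol", capabilities={"ReadOnly"}),
}


def effective_capabilities(identity: Identity) -> set[str]:
    """Capabilities held directly plus those inherited from workgroup membership."""
    caps = set(identity.capabilities)
    for wg in identity.workgroups:
        caps |= WORKGROUPS[wg].capabilities
    return caps


def is_system_admin(identity: Identity) -> bool:
    return SYSTEM_ADMIN_CAPABILITY in effective_capabilities(identity)


def is_cert_admin(identity: Identity) -> bool:
    """Any capability carrying the CertifyAllCertifications SPRight qualifies."""
    return any(CERTIFY_ALL_RIGHT in CAPABILITIES[c].rights
               for c in effective_capabilities(identity))


def may_self_certify(identity: Identity, level: SelfCertLevel = DEFAULT_LEVEL) -> bool:
    if level is SelfCertLevel.ALL:
        return True
    if is_system_admin(identity):
        return True  # System Administrators can self-certify at every level
    return level is SelfCertLevel.SYSTEM_AND_CERT_ADMINS and is_cert_admin(identity)


def route_item(reviewer: str, subject: str,
               level: SelfCertLevel = DEFAULT_LEVEL,
               violation_owner: str | None = None) -> tuple[str, bool]:
    """Decide who sees an access-review item and whether it is read-only.

    Returns (assignee, read_only). A self-certification arises only when the
    reviewer and the identity under review are the same person.
    """
    if reviewer != subject:
        return reviewer, False
    if may_self_certify(IDENTITIES[reviewer], level):
        return reviewer, False
    if violation_owner:
        return violation_owner, False  # reassigned to the Self Certification Violation Owner
    return reviewer, True  # no owner configured: item shown read-only to the reviewer
```

The point the model makes explicit is that bob, who holds no capability directly, still qualifies as a Certification Administrator through his workgroup's custom capability, and that with the default setting his own item is either reassigned to the violation owner or, with none configured, left read-only and therefore undecidable by him.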