Targeted Certification: Choose Certifier
Use the Choose Certifier section to configure who will perform the certification by reviewing and deciding on access.
Targeted certifications let you specify, on the certification scheduling page, exactly who should be the certifier for the certification. Tools are provided that eliminate the need to reassign certifications. This design provides the flexibility of rules from the user interface, so you can schedule certifications without having to write rules.
If required, reassignment can be performed by specifying a Certifier type rule in the Primary Certifier field. For example, if the certifier should be a manager except if the target identity is a manager themself or has no manager, a Certifier type rule can contain the following:
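import sailpoint.object.Identity;

// Identity whose access is under review
Identity target = entity.getIdentity(context);

// Managers and identities without a manager are routed to a fixed certifier
if (target.getManagerStatus() || (target.getManager() == null)) {
    return "spadmin";
}

// Everyone else is certified by their own manager
return target.getManager().getName();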
Pre-delegation rules can still be used to support the Delegation and Forwarding of access reviews, but any reassignment components are ignored. Pre-delegation rules are set in the Targeted Certification: Additional Settings section.
Primary Certifier
Choose the Primary Certifier for the access reviews.
Manager
The manager of each identity will act as the primary certifier for that identity. A backup certifier is also required.
Owner
For Roles, the role owner always acts as the primary certifier. For Additional Entitlements, you can choose from the Application Owner or the Entitlement Owner as the primary certifier. A backup certifier is also required. Pre-delegation rules do not support reassignments in the Targeted Certification. Use a Certifier type rule in the Primary Certifier field for reassignment.
Rule
Choose the certifier using a rule. The Targeted Certification does not include a rule editor, so you are limited to choosing existing rules from the list. Only rules with a rule type of "Certifier" are included in this list. A backup certifier is also required. If you want to use a rule to manage reassignments, use a Certifier Rule here to control reassignments rather than a pre-delegation rule; pre-delegation rules do not support reassignments in the Targeted Certification.
Single Certifier
Choose an identity or workgroup who will be responsible for the access review. You have the option to add a backup certifier, but a backup certifier is not required.
Backup Certifier
A Backup Certifier is required for all types of Primary Certifier except Single Certifier. The Backup Certifier is the user or workgroup that will be assigned the review if the Primary Certifier cannot be identified (for example, in a manager certification when an identity does not have a manager assigned).
Advanced Options
Reassignments
With reassignment, you can pass individual line items or an entire identity to another user to review. The person the items are reassigned to assumes complete responsibility for all decisions on those items, and must sign off on those decisions themselves.
Enable Bulk Reassignment
Allow reviewers to reassign multiple items simultaneously within an access review.
Limit Reassignments / Reassignment Limit
Limit the number of times reviewers can reassign an item in the access review. If you opt to limit reassignments, include the number of reassignments allowed.
Require Reassignment Completion
Require the completion of all reassigned reviews before the parent review can be completed.
Return Reassignments to Original Access Review
When a reassigned review is signed off, return the reassigned review to the original access review owner. When items are returned, the original owner can modify the decisions the reassigned reviewer has made.
Automatically Sign Off When All Items Are Reassigned
Allow the access review to be automatically signed off when all items in the access review are reassigned. This option can only be enabled if the Require Reassignment Completion and Return Reassignments to Original Access Review options are not enabled.
Self Certification
Allow self certification for
Choose which users may self-certify – that is, be the certifier for their own access, either by forwarding or reassigning an access review: All certifiers, Certification and System Administrators, or System Administrators only.
Self Certification Violation Owner
For users that are not allowed to self-certify, this is the identity or workgroup that will receive any items that would require a self-certification - that is, when the reviewer and the user whose access is under review are the same person. If a Self Certification Violation Owner is not specified, any items that require self-certification will be read-only to the reviewer.
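The Certifier rule shown earlier and the self-certification settings above interact: an identity the rule maps to itself becomes its own reviewer. The following dry run is an added example, not part of IdentityIQ or the original page; it models the rule over a constructed identity list so you can preview routing before scheduling. The identity data, the `allowed` set (standing in for the "Allow self certification for" choice) and the `review-board` name are assumptions.

```python
from collections import Counter

FALLBACK = "spadmin"  # catch-all certifier named in the page's example rule

# Constructed sample: identity name -> (manager name or None, is-a-manager flag)
IDENTITIES = {
    "spadmin": (None, False),
    "alice": ("carol", False),
    "bob": ("carol", False),
    "carol": ("dana", True),
    "dana": (None, True),
    "erin": (None, False),
}

def primary_certifier(name, identities):
    """Mirror of the page's rule: managers and manager-less identities go to the fallback."""
    manager, is_manager = identities[name]
    if is_manager or manager is None:
        return FALLBACK
    return manager

def dry_run(identities, allowed=frozenset(), violation_owner=None):
    """Map each identity to (reviewer, note) under the self-certification settings.

    allowed: identities permitted to self-certify (assumed to be derived by the
    administrator from the option chosen on the scheduling page).
    """
    plan = {}
    for name in identities:
        certifier = primary_certifier(name, identities)
        if certifier != name:
            plan[name] = (certifier, "ok")
        elif name in allowed:
            plan[name] = (name, "self-certifies")
        elif violation_owner:
            plan[name] = (violation_owner, "routed to violation owner")
        else:
            plan[name] = (name, "read-only: no violation owner set")
    return plan

def reviewer_load(plan):
    """Count how many identities each reviewer ends up responsible for."""
    return Counter(reviewer for reviewer, _ in plan.values())

if __name__ == "__main__":
    for who, (reviewer, note) in dry_run(IDENTITIES).items():
        print(f"{who:8} -> {reviewer:8} ({note})")
```

On this sample the catch-all certifier receives four of the six identities, including its own access, which is the case the Self Certification Violation Owner setting exists to handle.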
Other
Prompt for Sign Off
Display an overlay prompting reviewers to sign off when the access review is complete.
Require Electronic Signature
Require an electronic signature as part of the sign-off process. Reviewers use their IdentityIQ login as authorization for the electronic signature.
Electronic Signature Meaning
If you choose to require electronic signature, choose the meaning (the text that goes with the electronic signature) from the list. Electronic signature meanings are defined in Global Settings > Electronic Signatures.
Automatically Sign Off When Nothing to Certify
If the access review contains no items, allow the review to be signed off automatically with the assigned reviewer's credentials. This sign-off occurs even if there are subordinate access reviews.
Suppress Notification When Nothing to Certify
Do not send a notification email when the assignee has nothing to certify.
Sign Off Approval Rule
A rule can determine if any additional review is needed on the Sign-Off decision. If you enable this option, you also choose the rule to run after initial sign-off by the reviewer, and a Sign Off Approval Notice Email Template. The rule determines if the decisions need to be reviewed by another approver. If so, the user is notified via email using the email template, and the certification request is sent to that user’s inbox. This process is repeated until no more reviewers are discovered by the rule. The Targeted Certification does not include a rule editor, so you are limited to choosing existing rules from the list. Only rules with a rule type of CertificationSignOffApprover are included in this list.
Bulk Reassignment Modification Notices
Choose the email template to use to send bulk reassignment notices.