Targeted Certification: Schedule

Use the Schedule section to configure when and how frequently this certification should run.

Start

Execution Frequency

If you want the certification to run on a recurring basis, choose the frequency.

Start Date

The date the certification will be launched.

Start Time

The time the certification will be launched. Certification start times must be at least one minute later than the current time. For example, if it is currently 11:41, the certification start time must be 11:42 or later. Certifications that run across time zones run at the time scheduled, relative to the time zone in which they are scheduled. For example, a certification scheduled to run at 1:00 PDT will run at 4:00 EDT.

Run Now

Start the certification immediately after Schedule Certification is clicked. If this is a recurring certification, the subsequent certifications are scheduled accordingly.

Enable Staging Period

A staging period is when the access reviews have been created but are not yet visible to certifiers, allowing the owner to review the certification before making it active. You can view what the certification definition produces before the certification is activated. If the generated certification does not match your needs, you can cancel the certification and redefine it as needed. If the certification is accurate, activate the schedule.

Initial Notification Email Template

The default email template to use for sending initial certification notices to certifiers.

Suppress Initial Notification

Check this option if you do not want to send initial notification emails to certifiers.

Note: Automatic approvals are not dismissed in the access reviews if you turn off the automatic approval feature and then activate a staged certification. To remove automatic approvals from access reviews generated by a staged certification, you must delete and redefine the certification.

Active

Active Period Duration

The review period when all decisions required within this certification must be made. During this phase, changes can be made to decisions as often as needed. You can sign off a certification in the active period only if no roles or entitlements were revoked, or if a challenge period is not active. When you sign off a certification, the certification enters the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.

Active Period Enter Rule

A rule to run when the certification enters its active period. Rules of type CertificationPhaseChange are included in the list.

Notifications and Reminders

Reminders can be sent to the certifiers during the Active period if they have not yet completed and signed off on their access reviews. Escalations can be used to transfer responsibility to someone else (such as the certifier's manager or the certification owner) when a certifier has not completed the access review and the end of the Active phase is near.

Click Add to create a reminder or escalation.

Create a Reminder

Send First Reminder Notification

When to send the first reminder email. After Start means days after the certification's scheduled start date. Before Expiration means days before the Active or Challenge (if enabled) period ends.

Reminder Frequency

How frequently email reminders are sent, until the request is completed or expires.

Reminder Email Template

The email template to use for reminder notifications.

Additional Email Recipients

Activate this option to add more email recipients. Then choose how the additional recipients are defined:

  • Recipient Rule: To use a rule to add more email recipients, choose from the list. Rules of type EmailRecipient are included in this list.

  • Select Additional Recipients: Add identities or workgroups who should receive email notifications for reminders. You can choose multiple recipients.

Create Another

Check this box then click Add to create additional reminders.

Create an Escalation

Escalate

When to trigger an escalation. You can only choose After Sending Reminders if at least one reminder has been created. Day(s) After Start means days after the certification's scheduled start date. Day(s) Before Expiration means days before the Active or Challenge (if enabled) period ends.

Escalation Rule

This rule transfers ownership of the access review to a different identity. Choose a rule from the list; rules of type WorkItemEscalationRule are included in this list. The rule is run if the access review has not yet been finished and signed off by the certifier at the time specified in the Escalate section above.

Escalation Email Template

The email template to use for escalation notifications.

Additional Email Recipients

Activate this option to add more email recipients. Then choose how the additional recipients are defined:

  • Recipient Rule: To use a rule to add more email recipients, choose from the list. Rules of type EmailRecipient are included in this list.

  • Select Additional Recipients: Add identities or workgroups who should receive email notifications for escalations. You can choose multiple recipients.

Create Another

Check this box then click Add to create more escalations.

End

Enable Revocation Period

Enabling a revocation period makes IdentityIQ periodically scan identities to determine whether the requested remediations have been carried out. Remediation occurs whether or not a Revocation period is enabled, but when the Revocation period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are processed but are not tracked.

When the revocation phase is entered, revocation is done automatically if your provisioning provider is configured for automatic revocation, or manually using a work request assigned to an IdentityIQ user with the proper authority on the specified application. The revocation phase is entered when a certification is signed off, or when any Active and Challenge phases have ended.

Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. Revocation requests that are not acted upon during the revocation phase can be escalated as required.

If the revocation period is disabled, the certification is not scanned for completed revocations and revocation status might not be accurately reflected throughout the product.

Revocation Period Duration

The length of the revocation period.

Revocation Period Enter Rule

A rule to run when the certification enters the revocation period. Rules of type CertificationPhaseChange are included in this list.

Process Revokes Immediately

Select this option to indicate that revocations should happen immediately when a decision is made. Otherwise, revocations are not launched until the certification is signed off.

Revocation Notifications

Use this option to send email reminders or escalations before the revocation period expires. Reminders send emails as the end of the revocation period approaches. Escalations use rules to determine how the work item for the revocation is escalated (for example, by transferring responsibility to the certifier's manager). You can only add revocation notifications if Enable Revocation Period is selected. Click Add to create a reminder or escalation.

Create Revocation Reminder

Days Before Expiration to Send First Reminder Notification

When to send the first reminder email.

Reminder Frequency

How frequently email reminders are sent, until the request is completed or expires.

Reminder Email Template

The email template to use for reminder notifications.

Additional Email Recipients

Activate this option to add more email recipients. Then choose how the additional recipients are defined:

  • Recipient Rule: To use a rule to add more email recipients, choose from the list. Rules of type EmailRecipient are included in this list.

  • Select Additional Recipients: Add identities or workgroups who should receive email notifications for revocations. You can choose multiple recipients.

Create Another

Check this box then click Add to create additional reminders.

Create Revocation Escalation

Escalate

When to trigger an escalation. You can only choose After Sending Reminders if at least one reminder has been created. Day(s) Before Expiration means days before the Active or Challenge (if enabled) period ends.

Escalation Rule

This rule transfers ownership of the access review to a different identity. Choose a rule from the list; rules of type WorkItemEscalationRule are included in this list. The rule is run if the access review has not yet been finished and signed off by the certifier at the time specified in the Escalate section above.

Escalation Email Template

The email template to use for escalation notifications.

Additional Email Recipients

Activate this option to add more email recipients. Then choose how the additional recipients are defined:

  • Recipient Rule: To use a rule to add more email recipients, choose from the list. Rules of type EmailRecipient are included in this list.

  • Select Additional Recipients: Add identities or workgroups who should receive email notifications for revocation escalations. You can choose multiple recipients.

Create Another

Check this box then click Add to create additional notifications.

Notify Users of Revocation

Send an email notification to identities whose access was revoked.

End Period Enter Rule

A rule to run when the certification begins its end period. Rules of type CertificationPhaseChange are included in this list.

Enable Challenge Period

A challenge period allows users to be notified of revocation decisions affecting their access. The affected user has the duration of the challenge period to accept the loss of access, or to challenge the decision with a justification for continued access. The Challenge period begins when the Active Period ends. The certifier can consider a challenger's justification and can change decisions based on the challenge.

Challenge Period Duration

The length of the challenge period.

Challenge Period Enter Rule

A rule to run when the certification enters the challenge period. Rules of type CertificationPhaseChange are included in this list.

Email Notifications

  • Challenge Period Start Notices to Certifiers: Email template for notifying certifiers when the challenge period will start.

  • Challenge Period End Notices To Certifiers: Email template for notifying certifiers when the challenge period will end.

  • Challenged Decision Notices To Certifiers: Email template for notifying certifiers when a decision has been challenged.

  • Challenge Decision Expiration Notices To Challengers And Certifiers: Email template for sending challenge decision expiration notices to challengers and certifiers.

  • Challenge Creation Notices To Challengers: Email template for notifying challengers that a challenge has been created.

  • Challenge Expiration Notices To Challengers: Email template for sending challenge expiration notices to challengers.

  • Challenge Accepted Notices To Challengers: Email template for notifying challengers that a challenge has been accepted and agreed to by the certifier.

  • Challenge Rejected Notices To Challengers: Email template for notifying challengers that their challenge has been rejected by the certifier.

Enable Automatic Closing

Automatic closing enables IdentityIQ to automatically complete and sign off access reviews that are unsigned by the access review’s expiration date. Automatic closing occurs after all the other phases that have been enabled for the certification are complete.

Closing Rule

A rule to run at the beginning of the automatic closing process. Rules of type CertificationAutomaticClosing are included in the list.

Action Taken On Undecided Items

The action IdentityIQ will take on any undecided items when automatically closing the access review.

Automatic Closing Signer

An identity or workgroup to add as the signer of the access review when it is automatically closed.

Time After Certification Expiration

The amount of time following this certification's expiration date that IdentityIQ should wait before attempting to automatically close it.

Comments

Include any comments to add to undecided items when automatically closing this access review.
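
The following planning sketch is an added example, not IdentityIQ code or part of the product documentation. It lays out the Active, Challenge and Revocation windows for a schedule and computes when After Start and Before Expiration reminders would be sent. The class, function and field names are hypothetical. It assumes that durations and reminder frequency are whole days, that nobody signs off early, and that the revocation phase is entered only when the revocation period is enabled and a revoke decision exists.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Schedule:
    """Hypothetical planning model; field names are not IdentityIQ identifiers."""
    start: datetime
    active_days: int
    challenge_days: int = 0    # 0 = Enable Challenge Period unchecked
    revocation_days: int = 0   # 0 = Enable Revocation Period unchecked

def expiration(s):
    # "Before Expiration" counts back from the end of the Active period,
    # or of the Challenge period when one is enabled.
    return s.start + timedelta(days=s.active_days + s.challenge_days)

def phases(s, has_revoke_decision):
    """Phase windows when nobody signs off early and each period runs its full length."""
    out, t = [], s.start
    plan = [("Active", s.active_days), ("Challenge", s.challenge_days)]
    # Assumption: the revocation phase needs both the period and a revoke decision.
    if has_revoke_decision:
        plan.append(("Revocation", s.revocation_days))
    for name, days in plan:
        if days:
            out.append((name, t, t + timedelta(days=days)))
            t += timedelta(days=days)
    out.append(("End", t, None))
    return out

def reminders(s, mode, offset_days, every_days):
    """Send dates for one reminder; mode is 'after_start' or 'before_expiration'."""
    if every_days < 1:
        raise ValueError("frequency must be at least one day")
    exp = expiration(s)
    first = (s.start + timedelta(days=offset_days) if mode == "after_start"
             else exp - timedelta(days=offset_days))
    if first < s.start:
        raise ValueError("first reminder would fall before the start date")
    dates = []
    while first < exp:          # reminders stop once the review expires
        dates.append(first)
        first += timedelta(days=every_days)
    return dates

if __name__ == "__main__":
    # Constructed sample: 14-day active, 7-day challenge, 5-day revocation period.
    s = Schedule(datetime(2024, 3, 1, 9, 0), 14, challenge_days=7, revocation_days=5)
    for name, begin, end in phases(s, has_revoke_decision=True):
        print(name, begin, "->", end if end else "(no fixed end)")
    print(reminders(s, "before_expiration", 5, 2))
```

Running it with the constructed sample shows that enabling a challenge period moves every Before Expiration reminder later by the length of that period, which is easy to overlook when reusing reminder settings across certifications.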