Targeted Certification: What to Certify

This section lets you narrow the focus of the certification by defining which elements of accounts, roles, entitlements, and target permissions to include.

For Roles / Entitlements, you can add more criteria that are specific to entitlements:

  • Check Additional Entitlements to include entitlements that are not contained in a role. If you check this option, you can also add filtering criteria to choose the entitlements to include.

  • Check Include Accounts without Entitlements to include accounts that have no entitlement attributes.

  • Check Target Permissions to include the actions a user can perform on an Unstructured Target such as a file share or folder.

Adding Filters

You can filter the Roles/Entitlements or Accounts to include in the certification, using operations like Equals, Not Equals, or Starts With. You can choose the values for the filter from a list, or type them in. You can only type in valid values.

You can choose more than one value for any one filter. When you do this, the criteria work as an "or" operation, so the certification will include all entities meeting any of the criteria. For example, filtering on Owner Equals and entering two identities will select roles / accounts owned by either of those identities.

Add more filters if you want to filter on more than one attribute using an "and" condition. With multiple filters, entities have to meet each of the sets of filter criteria in order to be included. For example, filtering accounts on Service Account Equals True and Application Equals Active_Directory will select only service accounts on the Active Directory application.

Select Attribute

Select a role / entitlement attribute from the dropdown list.

Operator

Select an operator from the dropdown list for this attribute.

Value

Select a value from the dropdown list. The values available depend on the attribute and operator selected. For some types of attributes, you can enter text in the value field to help find the value you want; only valid values are supported.
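
The following sketch models the filter rules described under Adding Filters ("or" across the values of one filter, "and" across filters) so you can see which accounts a given filter set would leave out of the review. It is an added example, not IdentityIQ code; the account records, the `partition` helper, and the handling of a missing attribute are assumptions made for illustration.

```python
# Added example: models the page's filter semantics, not IdentityIQ's own code.
# Account records and attribute names below are constructed sample data.
OPERATORS = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Not Equals": lambda actual, wanted: actual != wanted,
    "Starts With": lambda actual, wanted: str(actual).startswith(str(wanted)),
}

def filter_matches(entity, attribute, operator, values):
    """One filter: matches if ANY listed value satisfies the operator ("or").
    The "or" rule is applied literally to every operator (assumption)."""
    if attribute not in entity:
        return False  # assumption: a missing attribute never matches
    test = OPERATORS[operator]
    return any(test(entity[attribute], v) for v in values)

def in_scope(entity, filters):
    """Several filters: the entity must satisfy EVERY filter ("and")."""
    return all(filter_matches(entity, *f) for f in filters)

def partition(entities, filters):
    """Return (included, skipped) names so the unreviewed remainder is visible."""
    included = [e["name"] for e in entities if in_scope(e, filters)]
    skipped = [e["name"] for e in entities if not in_scope(e, filters)]
    return included, skipped

ACCOUNTS = [  # constructed sample accounts
    {"name": "svc_backup", "Service Account": True,
     "Application": "Active_Directory", "Owner": "alice"},
    {"name": "svc_web", "Service Account": True,
     "Application": "LDAP", "Owner": "bob"},
    {"name": "jdoe", "Service Account": False,
     "Application": "Active_Directory", "Owner": "carol"},
    {"name": "svc_sql", "Service Account": True,
     "Application": "Active_Directory", "Owner": "dave"},
]

# The page's "and" example: service accounts on Active Directory.
AD_SERVICE = [
    ("Service Account", "Equals", [True]),
    ("Application", "Equals", ["Active_Directory"]),
]
# The page's "or" example: Owner Equals with two identities.
OWNED = [("Owner", "Equals", ["alice", "bob"])]

if __name__ == "__main__":
    for label, filters in [("AD service accounts", AD_SERVICE),
                           ("owned by alice or bob", OWNED),
                           ("both filter sets", AD_SERVICE + OWNED)]:
        included, skipped = partition(ACCOUNTS, filters)
        print(f"{label}: certify {included}; not reviewed {skipped}")
```

The skipped list is the part to check before launching a certification: every filter added narrows the review, and accounts that fall outside it are not reviewed by this certification.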

Other Options

Include Policy Violations

Policies are rules that enforce your enterprise's business policies on separation of duty, activity, and risk. Violations of those policies can be included in the access reviews generated by the certification.

Exclude Logical Tier Entitlements

Logical applications are applications formed by the detection of accounts from other applications, called "tier" applications, in existing Identity Cubes. Use this option to exclude entitlements on tier application accounts from the certification. This option applies only to logical applications.

Filter Logical Application Entitlements

Allow logical entitlements defined on the logical application's managed entitlement list to be included in the certification. Any logical application entitlements are filtered from the tier application entitlements.

Include IdentityIQ Capabilities

Capabilities control access to pages, tabs, and fields within IdentityIQ. Use this option to include IdentityIQ capabilities in the certification.

Include IdentityIQ Scopes

Scopes are used to restrict access to objects in IdentityIQ. If scoping is enabled in your implementation, use this option to include scopes in the certification.