About Certifications

In IdentityIQ, certifications let you automate the review and approval of identity access privileges. In a certification, IdentityIQ collects fine-grained access or entitlement data, and formats the information into interactive reports, which are sent to the appropriate reviewers as access reviews. You can also use certifications to validate things like roles and account groups.

Certifications typically consist of multiple access reviews. For example, when you schedule a Manager Certification, a type of certification that asks managers to review and validate their direct reports' access, it will consist of an individual access review for each of the managers you choose to include as part of the campaign. However, it is possible to configure a certification such that it includes only one access review – for example, you might schedule a Manager Certification for just one specific manager, which means that there would only be one access review making up that certification.

When you configure the certification, you can set it up to annotate each access review with descriptive language that highlights changes, flags anomalies, and indicates where policy violations appear. The access reviews enable reviewers to:

  • Approve access for identities

  • Approve account group permissions and membership

  • Approve role composition and membership

  • Take corrective actions, such as revoking entitlements that violate policy

  • Forward, reassign, or delegate all or part of the access review to another reviewer

For all corrective actions, IdentityIQ can fulfill certification revocations through automated or manual means, depending on the individual applications' connector configurations. IdentityIQ can also be configured to integrate with ticketing systems or other provisioning systems to fulfill provisioning requests.

The sections below will familiarize you with some terms and concepts related to certifications.

Certification Schedules

Certifications can be scheduled to run on a periodic basis; they can also be triggered by an event, or run as a one-off process.

Periodic Certifications

Periodic certifications are scheduled to run on a recurring basis, such as daily, weekly, monthly, quarterly, or annually. These periodic access reviews provide a snapshot view of the identities, roles, and account groups within your enterprise. Periodic certifications focus on the frequency at which entire entities (identities, roles, or account groups) must be certified.

A periodic certification is considered complete when all the access reviews contained within the certification have been completed. The access reviews that make up the certification, in turn, are considered complete when all items, such as roles, entitlements, violations, and application objects, have been acted upon, and those decisions are confirmed by the user to whom that access review was assigned.

Periodic certifications can be created using a multi-level sign-off structure, to allow multiple certifiers to review the access before the review is considered complete.

Event-Based Certifications

Certifications can be configured to run based on "trigger" events that occur within IdentityIQ. For example, you can configure IdentityIQ to automatically generate a certification any time an identity's manager changes. You can also configure the events that trigger the certifications to meet the needs of your enterprise. See Certification Events for more information.

One-Off Certifications for Identities

One-off certifications can be created from the Identity Risk Score, Identity Search Results, or Policy Violation pages. These one-off access reviews can be run for a single identity, or for multiple identities at once. One-off certifications are most often used in special situations, such as when an access review is required outside of the normal certification cycle. You can also schedule standard IdentityIQ certifications to run on a one-off basis.

Types of Certification

IdentityIQ provides these types of certification:

Targeted Certifications

The most flexible type of certification, designed to meet most organizations' full range of certification needs from a single place. In a Targeted Certification you can certify role, entitlement, and account access for a narrowly defined set of your users. The Targeted Certification gives you a high level of flexibility in choosing which parameters to include in the certification, such as who, what, and when to certify.

Manager Certifications

Certify that a manager's direct reports have exactly the entitlements they need to do their job, and no more. You can configure a Manager Certification to include all managers in the company, or only specific managers. You can also configure which applications you want to certify as part of the Manager Certification.

Application Owner Certifications

Certify that all identities that have access to applications for which the reviewer is responsible have the proper entitlements.

Entitlement Owner Certifications

Certify that all identities that have access to entitlements for which the reviewer is responsible are correct.

Advanced Certifications

Certify entitlements and roles for all identities included in a specific population or group.

Account Group Membership Certifications

Certify that all accounts which make up an account group are correct – that is, that the right accounts are in the account group. Account groups that do not have owners assigned are certified by the owner of the application on which they reside.

Account Group Permissions Certifications

Certify that all permissions that are granted to an account group for selected application(s) are correct. Account groups that do not have owners assigned are certified by the owner of the application on which they reside.

Role Membership Certifications

Certify that roles for which the reviewer is responsible are assigned to the correct identities.

Role Composition Certifications

Certify that roles for which the reviewer is responsible are composed of the proper permissions and entitlements.

Identity Certifications

This type of certification is used for "one-off" certifications that are launched from the Identity Risk Score, Identity Search Results, or Policy Violation pages. These certifications verify the entitlement information for the identities, typically for at-risk users.

Event-Based Certifications

Certify the entitlement information for the identities selected based on events detected within IdentityIQ.

Contents of a Certification: Policies, Roles, and Entitlements

These are some common terms that are used in certifications.

Policies

Policies govern access and can be defined for your enterprise. You can use certifications to monitor users that are in violation of those policies. For example, a separation-of-duties policy may dictate that one person can not both request and approve purchase orders, or an activity policy might dictate that a user with the Human Resource role should not be able to update the payroll application.

In access reviews, Policy Violations show any violations of policy for an identity. The access reviewer(s) must take action on these violations before the certification can be completed.

There is a Policy Violations page in IdentityIQ that is separate from the access review page. Policy violations can be viewed and acted upon from this page, or as part of another access review.

Decisions made on a violation that come from another page or review are displayed within the access review, below the summary information, or in the revocation dialog.

Roles

Roles are essentially collections of permissions. Through roles, system entitlements can be grouped together and presented as a logical unit, such as a job function, rather than as a detailed and often difficult-to-interpret list of access rights. Within IdentityIQ, users are granted permissions through the roles that are assigned to them, or through roles they inherit through a role hierarchy.

In an access review, only the top-level roles are displayed in the roles section. For example, if a role contains required and permitted roles, only the top-level role is displayed and the required and permitted roles are certified as part of that role. You can click Details in the three-line menu for the item to expand the role information and view the role details and hierarchy. Both assigned and detected roles are displayed in the roles section.

If an identity has a role assigned to it multiple times – for example, to grant the same access to multiple accounts the user holds – that role is displayed multiple times, and each one must be reviewed and acted on individually.

Entitlements

Entitlements are either permissions or specific values for an account attribute, such as group membership. In the context of certifications, entitlements refer to all the entitlements an identity has access to that are not included as part of a role that is assigned to the identity.

Certifications can also include IdentityIQ capabilities and scopes; if the certification includes capabilities and scopes, these appear as additional entitlements on the IdentityIQ application, as Capabilities and Authorized Scopes attributes. Revoking these entitlements has auto-remediation enabled by default. This means that when the revocation is processed (either when the access review is signed, or immediately, based on the certification configuration) the capabilities and authorized scopes are removed from the identity.

For additional information, see Access Review Pages.

Challenges

When an access reviewer has determined that the user's access should be revoked, you may want to allow the affected user to challenge the decision; for example, to share information with the reviewer about why they may need to retain the access in question.

To allow users to challenge revocation decisions, enable a challenge period as part of a certification's configuration. During the challenge period, if the certifier has, for example, revoked a user's Financial Reporting access, that user would get an email saying that the entitlement has been revoked. The user can then respond with comments on the item describing why they need to keep access to the Financial Reporting system. The certifier sees that the revocation has been challenged and why, and is able to go back into the access review and reconsider their decision.

For more information, see How to Challenge a Revocation Request.

Revocations

Revocation is when an identity's entitlements are altered in the source application, to remove any entitlements that were marked by the access reviewer as needing to be revoked. Depending on the provisioning features in use, remediations may be processed manually or automatically. If automatic provisioning is enabled in your system for the relevant application, revocation of access can happen without any further action from the reviewer, as a consequence of an access review decision. If the relevant application does not have automated provisioning enabled, then remediation of that application's entitlements is managed by the creation of manual work items for the Application Revoker or Application Owner, requesting that they change the identity's access or permissions manually. IdentityIQ alerts the Application Revoker or Application Owner about the manual work item via an email message.

A Revocation phase can be enabled for the certification as part of the certification setup. Note that remediation of access occurs as a result of revocations in an access review whether or not a Revocation period is enabled. The difference is that when a Revocation period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are submitted for processing but are not tracked.

The purpose of the revocation phase is for the work of revoking access to be done, according to the access revisions that have been made. This means that once a revocation has been processed, an access reviewer can not change their decision for that item.

Configuration settings in the certification setup determine when the revocation is processed.

  • Immediate Revocation: If the Process Revokes Immediately option is selected, then revocation is considered to be processed as soon as a reviewer makes and saves a Revoke decision, and the decision can not be changed. Note that this does not affect Approve decisions; those can be changed even after saving, but if an Approve decision is changed to Revoke and saved, it can no longer be changed.

  • Revocation during a revocation phase: The revocation phase is entered when a certification is signed off, or when the active and challenge phases have ended. Until the certification enters this phase, reviewers can make changes to their approve and revoke decisions (unless the Process Revokes Immediately option described above was selected for the certification). Once the certification is in this phase, reviewers can no longer change their decisions.

Escalations and Reminders

When a person who has been assigned a manual work item for revoking access does not complete the work in a timely manner, IdentityIQ can send that person email reminders or can even escalate the work to the next level, such as to their manager. Revocation reminders and escalations are used only when revocation is being handled through manual work items assigned to the application's revoker or owner, and not when revocation is processed automatically.

The remediation parameters that are set in the certification configuration tell IdentityIQ what reminders and escalations to perform, and when.

Revocation reminder emails can be automatically sent to the person assigned the revocation work item if the work item is not completed within a specified timeframe. Reminders can be configured to be sent once, or at scheduled intervals, beginning a specified number of days before the end of the Revocation period.

Escalations can also be automated to notify and transfer control to someone else, for example, the revoker's manager or the application owner, if the person originally responsible for the revocation has not completed it, and the end of the Revocation period is near. Escalation triggers, email templates, and rules for determining who the item is escalated to are all part of the Certification configuration.

See Compliance Manager Setup for more information on configuring reminders and escalations.

Phases of a Certification

Certifications progress through phases as they move through their lifecycle. The phases associated with each certification are determined when the certification is set up. Some phases are part of every certification, while others are optional phases that can be configured as needed according to your organization's business processes.

Staging

This is an optional phase you can use to test or validate a certification before sending it to reviewers. The staging phase lets you create a certification and associated access reviews, but not send the access reviews to the certifiers. You can view what the certification schedule definition produces before the certification is activated. If the generated certification does not match your needs, you can cancel the certification and redefine it as needed. If the certification is accurate, you can activate it. If you want to use a staging period, you enable it as part of the certification's configuration parameters at the time you set up the certification.

Active

The active phase is the review period when the reviews are performed – that is, when all decisions that are required for the access review are made. During this phase, reviewers make decisions about access, and changes can be made to these decisions as frequently as required, until the access period expires. The active period lasts either for a scheduled amount of time or until all the access reviews for the certification have been signed off. You can sign off on the active stage if no roles or entitlements were revoked, or if the optional challenge period has not been enabled. When you sign off on a periodic certification it enters either an end phase, or, if enabled, a revocation phase. To enter the revocation phase, the revocation period must be enabled, and at least one revocation decision must exist.

Challenge

The challenge phase is an optional period when users can challenge all revocation requests if any of their roles, entitlements, or account group access are being removed. When the challenge phase begins, a work item and email are sent to each user affected by a revocation decision. The notifications contain the details of the revocation request and any comments added by the reviewer. The affected user has the duration of the challenge period to accept the loss of access, or challenge that decision. If you want to allow a challenge period, you enable it as part of the certification's configuration parameters at the time you set up the certification.

You can sign off on a certification in the challenge phase if all challenges are complete and no open decisions remain for the access review. When you sign off on an access review, it enters either the end phase, or, if enabled, the revocation phase. To enter the revocation phase, the revocation period must be enabled, and at least one revocation decision must exist.

Revocation

The revocation phase is the period when all revocation work is completed. When the revocation phase is entered, revocation can be done either automatically or manually. Automatic revocation can happen if your provisioning provider is configured for automatic revocation or if your implementation is configured to work with a help desk solution and a help ticket is generated. If you don't have an automatic revocation process enabled, revocation is done manually via work requests assigned to the relevant users in IdentityIQ. For periodic certifications, the revocation phase starts when a periodic certification is signed off, or when the active and challenge phases have ended.

Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation completion status is updated at an interval specified during the deployment of IdentityIQ. By default this is performed daily. You can view detailed revocation information by clicking the information icon in the access review then clicking the Details button on the information dialog. Revocation requests that are not acted upon during the revocation phase can be escalated as needed.

End

If a Revocation phase is not enabled for the certification, revocations can be done during the end period. The end period also indicates when the access review is complete.

Automatic Closing of Certifications

Automatic closing is an option you can enable in your certifications to handle access reviews that have not been completed by the time the certification's designated active period has ended. With automatic closing, you can automatically make decisions on the open line items – either to revoke, allow, or mark as an exception – or you can run a rule to perform more complex analyses or other actions.

If you choose to enable automatic closing, there are several configuration options you will set, including the amount of time to allow after the expiration date before automatic closing is invoked, any closing rule that will be run at that time, which action to take on uncompleted Access Review items, and any comment to add to each item for which the automatic action is taken. These can be set as global defaults and also can be set or changed from the global defaults at the individual certification level. See Compliance Manager Setup.

Rules in Certifications

Certifications can use rules to customize certification behavior. Rules enable you to insert your own logic to modify the behavior of the certification; for example, you could write a rule to exclude your executive management team from certifications, or to add an additional level of sign-off approval to an access review. Rules are written using BeanShell, a lightweight Java-based scripting language. IdentityIQ provides a standard set of example rules that you can import to use as starting points for developing your own rules, in an examplerules.xml file.

When you set up a certification, there are numerous places where you can choose rules to modify the certification's behavior. Every rule has a type that categorizes it, and in certifications, the rule type determines where and how in the certification the rule can be used, and what kind of effect or purpose it has. Rules that are applicable to certifications are listed here, in the order in which they would be run in a certification.

For an overview of developing and using rules in IdentityIQ, see Rules and Scripts in IdentityIQ.

| User Interface Field Name | Rule Type | How/When Triggered | Effect/Purpose |
|---|---|---|---|
| Exclusion Rule | CertificationExclusion | Run as a part of the certification generation process | Excludes entitlements from the certification based on the rule's logic |
| Pre-delegation Rule | CertificationPreDelegation | Run as a part of the certification generation process | Automatically delegates access reviews based on the rule's logic |
| Who Do You Want to Certify Rule (Targeted Certifications Only) | CertificationScheduleEntitySelector | Run as a part of the certification generation process | Selects identities to certify in a Targeted certification |
| Group Factory: Certifier | Certifier | Run as a part of the Advanced certification generation process for Group Factory certifications | Assigns a certifier for each group's access review |
| Active Period Enter Rule | CertificationPhaseChange | Run at the start of the Active period; the Active period is the period during which certifiers can examine their access reviews and make access decisions | Open-ended; depends on rule logic |
| Certification Escalation Rule | WorkItemEscalationRule | If the access review has not yet been finished and signed off by the certifier at the time specified by the Escalation Trigger in the certification definition, this rule is run at that time | Transfers ownership of the access review to a different identity (often the certifier's manager or the certification owner) |
| Challenge Period Enter Rule | CertificationPhaseChange | Run at the start of the Challenge period (if enabled), which follows immediately after the Active period ends. If Process Revokes Immediately is selected, the Challenge period begins for each entitlement at the moment it is revoked, and this rule runs once for each revocation | Open-ended; depends on rule logic |
| Closing Rule | CertificationAutomaticClosing | Run according to the timeframe specified in the Automatic Closing configuration in the certification definition (after the end of the Active phase, or the Challenge phase if enabled) | Open-ended; depends on rule logic |
| Sign-off Approver Rule | CertificationSignOffApprover | Triggered by certifier sign-off on an access review | Transfers ownership of the access review to a next-level approver who needs to approve the certification decisions made by the certifier; this rule enables two-level (or multi-level) sign-off on an access review. Exception: when a challenge period is included, the sign-off approver can only override approval decisions; revocation decisions made by the original certifier and seen by the access holder in a challenge work item (whether they challenge the decision or not) will not be changeable in the sign-off approver's certification view |
| Revocation Period Enter Rule | CertificationPhaseChange | Run at the start of the Revocation period; the Revocation period immediately follows the Active period (or the Challenge period if it is enabled) | Open-ended; depends on rule logic |
| Revocation Escalation Rule | WorkItemEscalationRule | If the revocation work item has not yet been completed by the assigned revoker at the time specified by the Revocation Escalation Trigger in the certification definition, this rule is run at that time | Transfers ownership of the revocation to a different identity (often the revoker's manager or the application owner) |
| End Period Enter Rule | CertificationPhaseChange | Run at the beginning of the End period, which starts after all other periods configured for the certification are complete | Open-ended; depends on rule logic |
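As an added illustration of the first rule type in the table (it is not taken from the IdentityIQ documentation or from examplerules.xml), here is the body of a CertificationExclusion rule in BeanShell that implements the "exclude the executive management team" case from the text, plus the item-level exclusion the rule type exists for. It assumes the standard inputs that rule type receives (entity, items, itemsToExclude, certification, log); the identity attribute executiveTeam and the role name Emergency Access are hypothetical placeholders.

```java
// Added example: CertificationExclusion rule body (BeanShell, as IdentityIQ rules are written).
// Assumed inputs supplied by the rule type: entity (AbstractCertifiableEntity), items (List of
// Certifiable), itemsToExclude (List of Certifiable), certification (Certification), log (Log).
// The rule returns a String explaining the exclusion, or null when nothing was excluded.
import java.util.Iterator;
import sailpoint.object.Bundle;
import sailpoint.object.Certifiable;
import sailpoint.object.Identity;

// Identity-based certifications (Manager, Targeted, Application Owner, ...) pass an Identity.
// Role and account group certifications pass other entity types; this rule leaves those alone.
if (!(entity instanceof Identity)) {
    return null;
}
Identity identity = (Identity) entity;

// Case 1: exclude the whole identity. Moving every item into itemsToExclude leaves nothing
// to certify for this identity, so it does not appear in any access review of this campaign.
// "executiveTeam" is a hypothetical identity attribute; substitute whatever marks the
// population your organization certifies in its own campaign.
Object flag = identity.getAttribute("executiveTeam");
if (flag != null && Boolean.parseBoolean(flag.toString())) {
    itemsToExclude.addAll(items);
    items.clear();
    log.info("Excluded " + identity.getName() + " from " + certification.getName()
             + " (executive team is certified in a separate campaign)");
    return "Executive team members are certified in a dedicated quarterly certification";
}

// Case 2: exclude individual items while the rest of the identity's access stays in review.
// Here a role that is certified by a different owner is removed from this campaign.
// "Emergency Access" is a hypothetical role name.
int excluded = 0;
Iterator it = items.iterator();
while (it.hasNext()) {
    Certifiable item = (Certifiable) it.next();
    if (item instanceof Bundle && "Emergency Access".equals(((Bundle) item).getName())) {
        itemsToExclude.add(item);   // recorded as excluded, with the explanation returned below
        it.remove();                // no longer part of this access review
        excluded++;
    }
}

if (excluded > 0) {
    log.debug("Excluded " + excluded + " Emergency Access item(s) for " + identity.getName());
    return "Emergency Access is certified separately by the security team";
}
return null;
```

The rule is selected as the Exclusion Rule when the certification is scheduled, so it runs once per entity during certification generation, before any access review is sent to a certifier.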

Self-Certification

Self-certification means a user is allowed to be the certifier for his or her own access. Self-certification is often considered a security risk because it allows a user to approve and permit his or her own access, whether or not it is appropriate to his or her job. By default, IdentityIQ does not allow self-certification, other than for System Administrators. However, some organizations have business reasons for allowing self-certification, so there are configuration options to permit it. These can be set at the global level, or at the individual certification level.

Globally, self-certification options are set in the gear menu > Compliance Manager page's Behavior section. Global settings set the default configuration values for individual certifications, but these defaults can be changed when you configure individual certifications.

At the individual certification level, self-certification options are set on the Advanced page of the Certification configuration options for most types of certification; for Targeted certifications this option is set in the Choose Certifier section, under Advanced Options.

When allowing self-certification, you can choose who is allowed to self-certify: All certifiers, System and Certification Administrators, or System Administrators only. Which users are considered System Administrators or Certification Administrators is determined by the IdentityIQ capabilities the user has. Capabilities can be assigned directly to users, and also to workgroups. The System Administrator capability defines who is considered a System Administrator. For Certification Administrators, any IdentityIQ capability that includes the CertifyAllCertifications SPRight (such as the standard Certification Administrator capability) defines the user or workgroup as a Certification Administrator, for purposes of being allowed to self-certify.

You can not configure IdentityIQ to exclude all users from self-certification, since excluding even your System Administrators from self-certifying can potentially lead to certifications that are impossible to complete.

When you allow users to self-certify, you can also choose an identity or workgroup to be the Self Certification Violation Owner. For users that are not allowed to self-certify, this is the identity or workgroup that will receive any items that would require a self-certification – that is, when the reviewer and the user whose access is under review are the same person. If a Self Certification Violation Owner is not chosen, any items that require self-certification will be shown as read-only to the reviewer in the access review.