Access Review Decisions / Operations
Note
The terms account group and application object are used interchangeably in this document and have the same meaning. Some applications can have multiple application objects; an account group can be the name of one of those objects.
There are many ways to move through the IdentityIQ application. As you become familiar with IdentityIQ, you can configure the product to fit the functions of your job. To take action, you must be the owner or delegated approver of an access review. You might be able to view another user's access review; however, such reviews are read-only.
Note
System Administrators and Certification Administrators can take action on all access review items whether they own the certification or not.
Basic Access Review Procedure
Access Reviews are performed from the Access Review Page Overview(LINK IN DOC) page.
- Go to your My Access Review page.
- Perform one of the following actions on each item included in the Access Review Request:
Note: Not all of the decision options are available at all times.
  - Reassign -- see Reassign Access Reviews (LINK IN DOC)
  - Approve -- see Approve Access Reviews (LINK IN DOC)
  - Delegate -- see Delegate Access Reviews (LINK IN DOC)
  - Allow Exception -- see Allow Exceptions on Access Reviews (LINK IN DOC)
  - Revoke or Edit Access -- see Revoke or Edit Access From Access Reviews (LINK IN DOC)
  - Revoke Account -- see Revoke an Account on Access Reviews (LINK IN DOC)
  - Allow Violation -- see Allow Policy Violations on Access Reviews (LINK IN DOC)
- Save your changes. Any decision made on the Access Review Details page or the Decisions tab must be saved before moving to a different page. A warning prompts for any unsaved changes.
Decisions are not committed at this point, however, and can still be changed until the access review is signed off.
Note
Changing a decision might revoke one or more line item delegations. Any changes made during the delegation will be lost.
- Sign off a periodic certification before it is overdue.
Note
All items must be in the complete state before the Sign Off option is available.
You must sign off a periodic certification before it is considered complete. Click Sign Off on the Access Review Details page and select Finish on the Sign Off Access Review screen.
If a challenge period for revocations is configured, you cannot sign off an access review until one of the following conditions is met:
  - All items are complete and either the challenge period is not active or no revocation decisions were made.
  - The access review is in the challenge phase, all items are complete, and every revocation decision has progressed through the challenge procedure.
  - The challenge period has expired.
- OPTIONAL: If an electronic signature is required, you must authenticate to complete it. Electronic signature requirements are configured when the certification is scheduled. Use the same credentials for the electronic signature that you use to sign in to IdentityIQ.
Access Review Decisions
Perform one of the following actions on each item included in the Access Review Request:
Note: Not all of the decision options are available at all times.
- Reassign -- see Reassign Access Reviews (LINK IN DOC)
- Approve -- see Approve Access Reviews (LINK IN DOC)
- Delegate -- see Delegate Access Reviews (LINK IN DOC)
- Allow Exception -- see Allow Exceptions on Access Reviews (LINK IN DOC)
- Revoke or Edit Access -- see Revoke or Edit Access From Access Reviews (LINK IN DOC)
- Revoke Account -- see Revoke an Account on Access Reviews (LINK IN DOC)
- Allow Violation -- see Allow Policy Violations on Access Reviews (LINK IN DOC)
Reassign Access Reviews
You can reassign items individually or use:
- Bulk reassignment to reduce access review lists. For example, if you are the assigned approver of an application with thousands of identities, you can use this feature to reassign identities by department or manager.
- Automatic reassignment or forwarding of all access reviews assigned to you, using the Forwarding User field on the Edit Preferences page. If you select a forwarding user, all of your work items, including access review requests, are sent to that user.
When you choose to reassign, you will see the Reassign Items dialog.
Enter the following information in the reassignment dialog.
Recipient
Type the full name of the approver to whom you are reassigning this work item. The recipient can be an identity or a workgroup. Typing the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. Click the arrow next to the field to display all users.
--- OR ---
Select an assignee from the dropdown menu. The dropdown menu can contain options such as assign to self, assign to manager, or assign to application owner.
Description
(optional) A brief description of the item being reassigned.
Comment
(optional) Any additional information needed.
Click Reassign to reassign the item and return to the Access Review Details page.
The Percentage complete bar is updated to show the changes and the selected items are removed from the list and do not show as part of the completion status for this access review. If configured, all reassigned items must be acted upon before you can sign off a periodic certification.
Approve Access Reviews
You cannot approve policy violations. Warning messages are displayed if you attempt to include policy violations when performing an approval.
If provisioning is enabled from the access review pages and you approve a role that has required roles the identity does not hold, a dialog displays so you can request provisioning for those roles. Bulk approval bypasses this dialog and approves the roles in their current state.
The provisioning function is only available when you approve roles individually and provisioning is enabled for this access review; with bulk approval you do not get the option to provision missing required roles.
If the provisioning dialog displays, review the missing information and make a provisioning decision.
If you choose to request that the missing roles be added, you must select a recipient for the request and click Provision Required Roles again. The recipient you specify is used if automatic provisioning is not configured or there is no default remediator for the application. Or click Do Not Provision and return to the access review page.
When you perform an approve at the top level you are approving all of the items that are included in the identity, role, entitlement, or account group/application object. Access Reviews performed at this level are logged for auditing purposes.
Delegate Access Reviews
Delegation can be performed automatically based on rules specified when the certification request is generated. Items delegated automatically display in the access review details and behave exactly like items delegated manually.
The Enable Line Item Delegation option must have been selected when the certification was created in order to delegate certification items from the Access Review Details page.
Type the following information in the Delegate Access Review dialog.
Recipient
Type the full name of the approver to whom you are delegating this work item. The recipient can be an identity or a workgroup. Typing the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string.
Description
A description of the work item being delegated. You can edit the description as required.
Comment
(optional) any additional information needed for this delegation.
Changing a decision may revoke one or more line item delegations. Any changes made during the delegation will be lost.
You cannot delegate account groups from the account group list.
When you delegate at the top level you are also delegating all of the items that are included in the identity or role.
Allow Exceptions on Access Reviews
Note
This option is only available if it was turned on in the global settings at the time of your configuration.
Use Allow Exception to put an expiration date on access to a particular entitlement, role, or account group. For example, if one employee must temporarily assume the duties of another during a vacation, you can allow them access to that role for the length of the vacation.
Decisions made in access reviews are shown on the Policy Violations page for the affected policy violation.
Exceptions are allowed on the individual items that make up the identity.
Type the following information in the Allow Exception dialog.
Expiration
Manually type an expiration date, or click the icon and select a date. A 4-digit year is required if you type the date manually. For example, mm/dd/yyyy.
Comment
(Optional) Any additional information needed for this exception.
Revoke or Edit Access From Access Reviews
This section has information on the following:
- Request the removal of an identity's access to a specified role or entitlement
- Remove a permission or member from an account group
- Remove access to a managed entitlement from an identity
- Remove a profile or included role from a role
- Edit the values of specific entitlement attributes or permissions on identity-type access reviews
Note
Entitlements must be configured on the application to enable editing from the access review pages.
For revocation of individual roles, if a role contains required or permitted roles that are not used by any other role for this identity, a dialog displays so you can make a revocation decision on each of those included roles. By default, all included roles that are not used by other roles for this identity are marked for removal. Bulk revocation bypasses this dialog.
On periodic access reviews, by default, no action is taken on a revocation request until the access review containing the item is signed off or, if the challenge period is active, the challenge period expires. This ensures that no entitlement is removed until final confirmation is received from the requestor. This default can be overridden when the access review schedule is created.
Revocation is done automatically if your provisioning provider is configured for automatic revocation through help ticket generation or if your implementation is configured to work with a help desk solution. Without those automatic configurations, revocations are done manually through a work request assigned to an IdentityIQ user or workgroup. If an access review requires multiple revocation requests to be sent to the same IdentityIQ user or workgroup, they are rolled up into one work item.
For identity-type access reviews, the revocation process can also include the challenge and revocation periods. The challenge phase is the period during which all revocation requests can be challenged by the user from whom the role or entitlement is being removed or modified. The revocation phase is the period during which all revocation work must be completed. The revocation phase is entered when an access review is signed off or when the active and challenge phases have ended.
Type the following information in the revocation dialog and click Revoke.
Note
This dialog is not displayed if a default revoker was specified as part of the IdentityIQ configuration.
Recipient
Type the full name of the revoker to whom you are assigning this work item. The recipient can be an identity or a workgroup. Typing the first few letters of a name displays a pop-up menu of IdentityIQ users and workgroups with names containing that letter string. If automatic remediation is enabled or a default revoker was specified for the application with which the entitlements are associated, the recipient specified here is overridden.
Comment
(Optional) Any additional information needed for this revocation.
Edit Revocation Details
Only available if the entitlement is configured for modification. One line displays for each entitlement contained in this revocation request.
Operation
Select the operation to perform, Remove or Modify.
Attribute
Name of the attribute with which the entitlement value or permission is associated.
Value
If you are modifying the entitlement, select or type the new value.
Application
Application with which the entitlement is associated.
Account ID
Login ID of this identity on the specified application.
Revoke an Account on Access Reviews
When you select Revoke Account for one entitlement, all other entitlements associated with the same account for the item being certified are marked for revocation.
On periodic certifications, by default, no action is taken on a revocation request until the certification containing the account is signed off or, if the challenge period is active, the challenge period expires. This ensures that no account is removed until final confirmation is received from the requestor. This default can be overridden when the certification schedule is created, allowing revocation requests to be processed immediately.
Revocation is done automatically if your provisioning provider is configured for automatic revocation through help ticket generation or if your implementation is configured to work with a help desk solution. Without those automatic configurations, revocations are done manually through a work request assigned to an IdentityIQ user or workgroup. If a certification requires multiple revocation requests to be sent to the same IdentityIQ user or workgroup, they are rolled up into one work item.
For identity-type certifications, the revocation process can also include the challenge and revocation periods. The challenge phase is the period during which all revocation requests can be challenged by the user from whom the account is being removed. The revocation phase is the period during which all revocation work must be completed. The revocation phase is entered when a certification is signed off or when the active and challenge phases have ended.
Respond to a Challenged Revocation
For identity-type certifications, the revocation process can include the challenge and revocation periods. The challenge phase is the period when a user whose role or entitlements are being removed can challenge those revocation requests.
When a revocation request is challenged, the status of the item associated with the revocation request displays as Challenged. You must take action on all challenged revocations before a certification is complete.
From the Challenge Decision drop-down menu select either Accept or Reject.
All comments are kept with the certification item and can be viewed below the decision information for that item. Click Comments to view the comments added by the challenger, and Accepted or Rejected to view the comments associated with the decision.
Based on your decision one of the following occurs:
Reject
The revocation process proceeds as normal when the certification is signed off or the challenge period ends.
Accept
The item is moved to the open status and you must make another certification decision.
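The three sign-off conditions, the Revoke Account rule, the roll-up of revocation work per revoker, and the Accept/Reject outcomes of a challenge interact, and the interaction is easier to see when they are written down as one small state model. The Python below is an added example for this page, not SailPoint code and not IdentityIQ's object model or API; the class and field names (AccessReview, Item, revoker, challenge_resolved) and the sample identities are constructed for illustration, and the phrase "progressed through the challenge procedure" is read here as "a challenge was raised and answered".

```python
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    OPEN = "open"          # no decision recorded yet
    APPROVED = "approved"
    REVOKED = "revoked"


class Status(Enum):
    OPEN = "open"
    COMPLETE = "complete"
    CHALLENGED = "challenged"


@dataclass
class Item:
    """One certifiable line item: an entitlement held on one account (hypothetical model)."""
    identity: str
    application: str
    account: str
    entitlement: str
    revoker: str                      # user or workgroup that would receive the work item
    decision: Decision = Decision.OPEN
    status: Status = Status.OPEN
    challenge_resolved: bool = False  # a challenge was raised and answered
    comments: list = field(default_factory=list)


@dataclass
class AccessReview:
    """Hypothetical access review; field names are assumptions, not IdentityIQ's."""
    items: list
    challenge_period_active: bool = False
    challenge_period_expired: bool = False
    signed_off: bool = False

    def decide(self, item, decision):
        """Record a decision. It is saved but not committed until sign_off()."""
        if self.signed_off:
            raise ValueError("decisions are committed once the review is signed off")
        item.decision = decision
        item.status = Status.OPEN if decision is Decision.OPEN else Status.COMPLETE

    def revoke_account(self, item):
        """Revoke Account: every entitlement on the same account is marked for revocation."""
        key = (item.identity, item.application, item.account)
        for other in self.items:
            if (other.identity, other.application, other.account) == key:
                self.decide(other, Decision.REVOKED)

    def challenge(self, item, comment):
        """The affected user challenges a revocation during the challenge phase."""
        if not self.challenge_period_active or self.challenge_period_expired:
            raise ValueError("no active challenge period")
        if item.decision is not Decision.REVOKED:
            raise ValueError("only revocations can be challenged")
        item.status = Status.CHALLENGED
        item.comments.append(("challenger", comment))

    def respond_to_challenge(self, item, accept, comment=""):
        """Reject: the revocation stands. Accept: the item reopens for a new decision."""
        if item.status is not Status.CHALLENGED:
            raise ValueError("item is not challenged")
        item.comments.append(("accepted" if accept else "rejected", comment))
        item.challenge_resolved = True
        if accept:
            item.decision, item.status = Decision.OPEN, Status.OPEN
        else:
            item.status = Status.COMPLETE

    def can_sign_off(self):
        """The three sign-off conditions listed on this page, checked in order."""
        if any(i.status is not Status.COMPLETE for i in self.items):
            return False, "not all items are complete (open or challenged items remain)"
        revocations = [i for i in self.items if i.decision is Decision.REVOKED]
        if not self.challenge_period_active or not revocations:
            return True, "all complete; no challenge period or no revocations"
        if self.challenge_period_expired:
            return True, "challenge period has expired"
        if all(i.challenge_resolved for i in revocations):
            return True, "every revocation went through the challenge procedure"
        return False, "unchallenged revocations are still within the challenge period"

    def sign_off(self):
        """Commit the decisions and return the revocation work, rolled up per revoker."""
        ok, why = self.can_sign_off()
        if not ok:
            raise ValueError("cannot sign off: " + why)
        self.signed_off = True
        return self.revocation_work_items()

    def revocation_work_items(self):
        """Several revocations bound for the same revoker become one work item."""
        rolled = defaultdict(list)
        for i in self.items:
            if i.decision is Decision.REVOKED:
                rolled[i.revoker].append((i.identity, i.application, i.entitlement))
        return dict(rolled)


def demo():
    """Constructed sample: two AD entitlements on one account, two SAP items."""
    items = [
        Item("alice", "AD", "CORP\\alice", "Domain Admins", revoker="ad-ops"),
        Item("alice", "AD", "CORP\\alice", "Backup Operators", revoker="ad-ops"),
        Item("bob", "SAP", "BOB01", "FI_POST", revoker="sap-ops"),
        Item("carol", "SAP", "CAROL01", "FI_VIEW", revoker="sap-ops"),
    ]
    review = AccessReview(items, challenge_period_active=True)
    review.revoke_account(items[0])                     # also marks Backup Operators
    review.decide(items[2], Decision.REVOKED)
    review.decide(items[3], Decision.APPROVED)
    gate_before = review.can_sign_off()                 # blocked: revocations challengeable
    review.challenge(items[2], "FI_POST is needed for month-end close")
    review.respond_to_challenge(items[2], accept=True)  # bob's item reopens
    review.decide(items[2], Decision.APPROVED)          # certifier decides again
    review.challenge_period_expired = True
    work = review.sign_off()                            # one work item for ad-ops
    return gate_before[0], work


if __name__ == "__main__":
    print(demo())
```

Running demo() makes the security-relevant point of this section concrete: the revocation of alice's Domain Admins entitlement has no effect when the decision is saved, is still reversible while the challenge period runs (as bob's challenged revocation shows), and only becomes work for the revoker once sign_off() succeeds, at which point both of alice's revocations arrive as a single work item.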
Allow Policy Violations on Access Reviews
Use this to allow an identity to retain conflicting roles, accounts, or entitlements for a specific period of time. For example, if one employee must temporarily assume the duties of another during a vacation, you can allow them access to a role that creates a policy violation for the length of the vacation.
To display detailed information about the policy, click the violation name on the Decisions tab.
Type the following information in the Allow Violation dialog.
Expiration
Manually type an expiration date, or click the icon and select a date. A 4-digit year is required if you type the date manually. For example, mm/dd/yyyy.
Comment
(Optional) Any additional information needed for this exception.