How to Complete Access Review Work Items
The following procedures list the steps to complete Access Review work items that were originally assigned to a different approver but now require action from you, as a member of the workgroup, or from the other members of the workgroup. Access review work items include items that were delegated, reassigned, forwarded, require your approval, or require you to take revocation actions.
- How to Complete Delegated Access Reviews
- How to Complete Revocation Work Items
- How to Complete Reassigned or Forwarded Access Reviews
- How to Perform Multi-Level Sign Off on Access Reviews
- How to Challenge a Revocation Request
How to Complete Delegated Access Reviews
You can complete delegated access review items, that is, items from access reviews that were assigned to a different certifier and that the original approver delegated to you. For example, if an employee does work for you but reports to a different manager, that manager might not be familiar with all of the entitlements or roles listed in the employee's Identity Cube.
To display the Manage Work Item page, click a delegation work item.
Required Authorization
To take action on a delegated work item, you must be the owner of that work item.
Note
A System Administrator or Certification Administrator can also take action on work items.
Complete Delegated Access Reviews
- Open a delegated work item.
- Review the work item information in the Summary section.
- Review the Comments section for any information associated with this work item. Use the Add Comment button to add additional information to the work item.
- Make an access review decision on each item listed for the identity. See Making Access Decisions for detailed information.
- Click Complete to display the Completion Comments dialog and mark the work item as complete.
Note
If your deployment is configured to require a decision on each item in the work item before it is marked complete and you do not take action on all items in the work item, an alert displays when you attempt to complete a work item.
Delegation Review -- Optional
If the access review was originally configured to require a delegation review, you can perform this review after the delegate completes their portion of the access review. The items awaiting review are listed on the Important tab of the access review.
- In the access review, click the Important tab. Delegated items that have been completed and are awaiting review are listed in the Returned Items section.
- To view the comments of the delegated decision maker, click the three-line menu and choose History.
- Click Agree to accept the delegated decision. If you don't accept the delegated decision, you can override it with any of the available options -- Revoke, Revoke Account, Allow, etc. You can also delegate the line item again.
Note
If the identity who originally delegated the work item overrides a delegated decision, an audit shows the delegation of the work item was never assigned.
How to Complete Revocation Work Items
You can confirm that you have completed the requested revocation. Revocation requests are sent after the access review for the associated item is completed and signed off or when the access review enters the challenge phase, if the challenge period feature is active. This process ensures that nothing is removed until the final decision is made on the access review. When you select Complete on this work item, you are stating that you acted on the revocation request.
Required Authorization
You must have authorization on the specified application to perform the required revocation.
Note
A System Administrator or Certification Administrator can also take action on work items.
Completing Revocation Work Items
- Navigate to My Work > Work Items to view your current work items.
- Select the View button to the right of a revocation work item to display the Manage Work Item page.
- Review the work item information in the Summary section.
- Review the Comments section for any information associated with this work item. Use the Add Comment button to add additional information to the work item if necessary.
- Review and perform the operations necessary to revoke the privileges specified. See Making Access Decisions. Select a line item to view the details of the revocation request for that item.
Note
The revocation of application privileges is not performed as part of IdentityIQ. The revocation is performed on the specific application from which the entitlements are to be removed. For information on how to remove entitlements, refer to the documentation associated with the specific application.
- If this work item was assigned to a workgroup, use the Assign Selected Items button to assign specific revocation requests to members of that workgroup. The name of the workgroup member is displayed in the Assignee column. Any member of the workgroup can change the assignee status.
- Select the checkmark next to a name, or the checkmark at the top of the column to select all items in the list, then select an action button: Complete, Forward, Save, or Cancel.
- Select Complete to display the Completion Comments dialog and mark the work item as complete. --- OR --- If there are multiple revocation requests in the work item, you can select multiple revocations and use the Mark Revocation Complete button to mark them complete. Alternatively, you can click on the revocation item and complete each item individually.
- Select Forward to forward the selected work item(s) to another user.
- Save saves any updates you made without completing or forwarding the work item.
- Cancel removes any updates and returns you to the prior screen.
How to Complete Reassigned or Forwarded Access Reviews
You can reassign or forward access reviews. Reassigned work items are designated as reassigned in the Description columns on pages on which they are displayed. Forwarded work item descriptions maintain the name of the original owner or the name of the application to which the access review applies.
To complete access reviews that were reassigned or forwarded to you, use the same procedure that you use for access reviews that were originally assigned to you. See Access Review Decisions / Operations.
How to Perform Multi-Level Sign Off on Access Reviews
You can perform multi-level sign-off access reviews that require more than one person to review before sign off. Multi-level sign-off access reviews are access reviews that an assigned certifier completed and signed off and require other users to review before the access reviews are complete. When an access review is assigned to you for additional sign off, you receive an email notification and the access review request is sent to you.
You can access the access review request the same way as any other access review, make changes or add comments as required, and click Sign Off when you are finished.
After you sign off, the multi-level sign off rule runs again to determine if the access review is complete or if additional sign off actions are required. This process is repeated until the rule determines that no further sign-off actions are required for the access review.
How to Challenge a Revocation Request
The challenge phase is the period when the user whose role or entitlement is being removed can challenge all revocation requests.
For identity-type access reviews, the revocation process can include the challenge and revocation periods.
If a role or entitlement is removed from your Identity Cube, you are assigned a work item that enables you to accept or challenge the revocation.
To accept the revocation, do not respond to this challenge work item.
To challenge the revocation request, type your reasons for the challenge in the Reason for Challenge field and click Challenge. Or, click Cancel to close the work item without taking action.