Manager, Application Owner, and Advanced Access Reviews
Access reviews for Manager, Application Owner, and Advanced Access Certifications share a common user interface. The access review might look different in your instance of IdentityIQ depending on the configuration and the options selected when the certification was defined. These are all identity list-type certifications.
For detailed information on certifications and access reviews, see About Certifications.
For detailed information on completing an access review, see Access Review Decisions / Operations.
Access Review Details – Identity List
The identity list is composed of all identities containing roles, entitlements and policy violations that are part of this access review.
The identity list page contains three tabs:
- Important – contains items that require immediate attention, such as returned delegations.
- Open – all of the other access review items that have yet to be acted upon.
- Review – the items on which a decision has been made.
By default, the page opens on the Important tab if there are issues that require immediate action.
Identity List Page Features
The following features are available for all of the tabs:
- Identity list icon – click the icon to display a list of the identities that make up the access review.
- Download to CSV icon – click the icon to download the access review list to a CSV file.
- Information icon – click the information icon to get details about the access review, including due date, phase, and subordinate access reviews.
- Columns – add, remove, or rearrange the columns displayed on the page.
- Group By – rearrange the sort order of items on the page.
- Filter – use a filter to limit the items displayed.

Note
The access recommendations icon is only displayed if SailPoint AI-Driven Identity Security was purchased and activated for your installation of IdentityIQ. See About SailPoint AI-Driven Identity Security for more information.

- Access Recommendations – display the Decision Recommendation popup.
- Bulk Decision button – make the same decision for multiple items. If only one action is applicable, that action appears on the button.
- Bulk select / deselect – click the box on the header line and choose to select or deselect multiple items.
Important Tab
The Important tab contains the following information:
Note
The Important tab is not displayed if no violations exist.
Identity List – Important Tab
Column | Description |
---|---|
First Name | The first name associated with the identity that requires access review. |
Last Name | The last name associated with the identity that requires access review. |
Policy Name | The policy in violation. |
Policy Description | Description of the policy. |
Rule | The rule from the policy in violation. |
Owner | The owner of the policy. |
Account Name | The account name for the application with which the item is associated and the account status, enabled or disabled. |
Application | The application with which the item is associated. |
Compensating Control | Any compensating controls associated with the policy. For example, in some cases managers may be exempt from certain separation of duty policies. |
Conflict | For separation of duties policy violations, the conflict that is causing the violation of the policy. |
Description | Description of the violation from the Policy Configuration page. |
Remediation Advice | Any correction advice associated with the policy. This advice is added when the policy is created. |
Rule Description | The description of the rule that has been broken. |
Changes Detected | This column flags any changes made to this access item for this identity, since the last time it was included in a certification of this type. For example, changes can be detected in an identity between one Manager certification and the next, but are not detected between a Manager certification and an Advanced certification for the same identity. Values can be: |
Use the Decision column to Allow the violation, or click the menu icon to display additional options: Delegate, Comment, History, Details.
Delegated items are still part of this access review and must be acted upon before it is complete.
Use Reassign to reassign the policy violation decision to another user.
Open Tab
The Open tab contains the following information:
Identity List – Open Tab
Column | Description |
---|---|
First Name | The first name associated with the identity that requires access review. |
Last Name | The last name associated with the identity that requires access review. |
Type | The type of item being certified, Role or Entitlement. |
Display Name | The item name as it appears throughout the product. |
Description | The description associated with the item. |
Classifications | This column appears only if "Show Classifications" was enabled for the certification. If an entitlement has classification data associated with it, to flag that the permission gives access to potentially sensitive or otherwise protected data, a classification icon appears in this column. Click the icon to see details about the classification. |
Application | The application with which the item is associated. |
Account Name | The account name for the application with which the item is associated and the account status, enabled or disabled. |
Account ID | The login ID of this identity on the application. |
Risk Score | The risk score associated with this role or entitlement, for this identity. |
Role Account Name | For roles, the name of the account. |
Role Application | For roles, the application this role applies to. |
Changes Detected | This column flags any changes made to this access item for this identity, since the last time it was included in a certification of this type. For example, changes can be detected in an identity between one Manager certification and the next, but are not detected between a Manager certification and an Advanced certification for the same identity. Values can be: |
Review Tab
The Review tab contains all of the items upon which a decision has been made. Click the menu icon in the Decision column to change or undo a decision.
Click the automatic approval icon for details about the approval. The automatic approval icon is only displayed if SailPoint AI-Driven Identity Security was purchased and activated for your installation of IdentityIQ. See About SailPoint AI-Driven Identity Security for more information.
How To Perform an Identity List Access Review
Note
The options available in an access review depend on the configuration of IdentityIQ and the options defined when the certification was scheduled.
Note
Use Bulk Decisions to reassign items to another decision maker.
- Access the identity list access review from the My Access Reviews page or directly from your Home page.
- Select items individually and select an action in the Decision column.
— OR —
Select multiple items and select an action from the Bulk Decision list.
- Click Save Decisions to move the completed items to the Review tab.

Note
Automatically approved items are displayed on the Review tab where you can accept the approval or change the decision as needed.

- Review your decisions on the Review tab and make any required changes.
- When all decisions have been made, click Sign-Off Decision to display the Sign Off on Certification dialog.