Compliance Manager
Note
Most of the fields on this page enable you to configure default settings that a user can change on certifications they are reviewing or scheduling. Those fields that behave differently are described as such.
From the Navigation bar, click the gear icon and then select Compliance Manager. Use the Compliance Manager page to configure control and default settings for certifications.
Lifecycle
Notify Users of Revocations
Select to enable email notifications to users that have items revoked.
Certification Escalation Rule
Select a rule from the dropdown list as the default rule that the system uses when an access review is escalated.
When Exceptions Expire
Select the action performed on a mitigation when it expires.
Active Period Duration
Input the number of units and unit type (hours, days, weeks or months) to use as the default active period duration.
Enable Challenge Period
Select to enable default challenge period and its default duration.
The challenge period enables users to challenge requests from certifiers to remove access privileges.
Enable Revocation Period
Select to enable the default revocation period and its default duration. The revocation period places a limit on the amount of time a revoker has to act on a revocation request before that request work item is escalated.
Note
If the revocation period is disabled, the certification is not scanned for completed revocations and revocation status might not be accurately reflected throughout the product.
Default Revoker
Select the user to whom all bulk remediation requests are to be sent.
Bulk revocation requests are made during the certification process. You can select an item from the Select Bulk Action dropdown list on the Certification Report worksheet view or click Revoke All on the Certifications Decision tab.
If this field is left blank, the remediator is specified as part of the request process.
Enable Automatic Closing
Specifies that the remediation period should be enabled, during which IdentityIQ periodically scans users to determine whether the requested remediations have been carried out. Use the following options to configure the details of this process.
- Time After Certification Expiration – select the amount of time following this access review expiration date that IdentityIQ should wait before attempting to automatically close it.
- Closing Rule – select the rule that IdentityIQ runs at the beginning of the automatic closing process.
- Action Taken On Undecided Items – the action that IdentityIQ assigns to any undecided items when automatically closing this access review. Choose from Approve, Revoke, or Allow Exception.
- Comments – input the comments that IdentityIQ adds to any undecided items when automatically closing this access review.
- Signer – select the identity who signs off on automatically closed access reviews. This setting is only configurable at the system setup level. Individuals who are scheduling certifications cannot define the signer.
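The automatic closing procedure above is easier to reason about as a small model: the review must be expired and unsigned, the wait period must have elapsed, the closing rule runs first, then only items that still have no decision receive the default action and comments, and the configured signer is recorded. The following is an added example written for this page; the class and function names (AutoCloseSettings, AccessReview, auto_close and the rest) are hypothetical and are not IdentityIQ's own objects or API, and the sample review and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# Constructed model of the automatic-closing settings described on this page.
# All names here are hypothetical, not IdentityIQ classes or API calls.

VALID_UNDECIDED_ACTIONS = {"Approve", "Revoke", "Allow Exception"}


@dataclass
class AutoCloseSettings:
    enabled: bool
    time_after_expiration: timedelta        # wait after the review's expiration date
    undecided_action: str                   # applied to every still-undecided item
    comments: str                           # attached to each item decided automatically
    signer: str                             # identity recorded as signing off
    closing_rule: Optional[Callable[["AccessReview"], None]] = None


@dataclass
class ReviewItem:
    name: str
    decision: Optional[str] = None          # None means the certifier has not decided
    comments: Optional[str] = None


@dataclass
class AccessReview:
    expiration: datetime
    items: List[ReviewItem]
    signed_off_by: Optional[str] = None


def is_due_for_auto_close(review: AccessReview, settings: AutoCloseSettings,
                          now: datetime) -> bool:
    """True once the review is expired, not yet signed off, and the wait has elapsed."""
    if not settings.enabled or review.signed_off_by is not None:
        return False
    return now >= review.expiration + settings.time_after_expiration


def auto_close(review: AccessReview, settings: AutoCloseSettings, now: datetime) -> int:
    """Close the review if it is due; return how many undecided items were decided.

    Items that already carry a certifier's decision are never overwritten, so the
    default action only fills gaps rather than replacing real decisions.
    """
    if settings.undecided_action not in VALID_UNDECIDED_ACTIONS:
        raise ValueError(f"unsupported undecided action: {settings.undecided_action!r}")
    if not is_due_for_auto_close(review, settings, now):
        return 0
    if settings.closing_rule is not None:
        settings.closing_rule(review)       # the Closing Rule runs at the start
    decided = 0
    for item in review.items:
        if item.decision is None:
            item.decision = settings.undecided_action
            item.comments = settings.comments
            decided += 1
    review.signed_off_by = settings.signer
    return decided


def sample_scenario():
    """Constructed sample: a review that expired on 10 Jan 2024 with a 3-day wait."""
    settings = AutoCloseSettings(
        enabled=True,
        time_after_expiration=timedelta(days=3),
        undecided_action="Revoke",
        comments="Closed automatically: no decision recorded before expiration",
        signer="auto-close-signer",         # placeholder identity name
    )
    review = AccessReview(
        expiration=datetime(2024, 1, 10),
        items=[ReviewItem("role:Finance Approver"),            # undecided
               ReviewItem("entitlement:db_read", "Approve")],  # already decided
    )
    return review, settings


if __name__ == "__main__":
    review, settings = sample_scenario()
    print(auto_close(review, settings, datetime(2024, 1, 12)))  # 0: still inside the wait period
    print(auto_close(review, settings, datetime(2024, 1, 13)))  # 1: the undecided item is revoked
```

Running the block on the constructed scenario shows the two edge cases worth checking in a real configuration: nothing happens while the wait period is still running, and a decided item keeps its certifier's decision when the review is finally closed.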
Behavior
Selection Count Requiring Bulk Revoke Confirmation
Input the number of selected items which require additional confirmation for bulk revocations.
Prompt for Sign Off
Select to display a pop-up window when an access review is complete and ready for sign off.
Require Electronic Signature
Select to require, by default, an electronic signature on all certifications.
Require Subordinate Completion
Require that, by default, all subordinate access reviews be completed before the parent access review can be completed.
Automatically Sign Off When Nothing to Certify
Automatically sign off the certification when the assignee has nothing to certify.
Suppress Notification When Nothing to Certify
Suppress notification of the certification when the assignee has nothing to certify.
Require Reassignment Completion
Require that, by default, all reassigned access review items be completed before the parent access review can be completed.
Return Reassignments to Original Access Review
Specify that, by default, the content of reassigned access reviews be returned to the parent access review upon sign off.
Use this option to ensure that the original content of an access review request is preserved for tracking and reporting purposes.
Automatically Sign Off When All Items Are Reassigned
Note
This item is not available if the Required Reassignment Completion or the Return Reassignments to Original Access Review options are selected.
Specify that an access review be automatically signed off on when all items in that access review are reassigned.
Require Comments for Approval
Require that all certifiers enter comments for each item they approve in an access review request.
Require Comments When Allowing Exceptions
Require the certifier to include comments when allowing an exception on an access review item.
Require Comments For Revocation
Require the certifier to include comments when revoking an access review item.
Require a review on delegated certification items
Select to require that all access review approvers review the decision made on any user, role, entitlement, or policy violation that they delegated to another approver before they can complete the access review containing that delegation.
Require delegated certification items to be completed
Select to require that all items in a delegation work item have a decision associated with them before the work item can be marked as complete. This setting is only configurable at the system setup level. Individuals cannot change the value of this setting for a single certification.
Disable Delegation Forwarding
Select to disallow the forwarding of a work item that a different user delegated.
Allow Self Certification For
Choose which users may self-certify – that is, be the certifier for their own access, either by forwarding or reassigning an access review: All certifiers, Certification and System Administrators, System Administrators only.
Self Certification Violation Owner
For users that are not allowed to self-certify, this is the identity or workgroup that will receive any items that would require a self-certification – that is, when the reviewer and the user whose access is under review are the same person. If a Self Certification Violation Owner is not specified, any items that require self-certification will be read-only to the reviewer.
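The two settings above combine into one routing decision for every item that lands with a reviewer, whether by original assignment, forwarding or reassignment: if the reviewer and the subject are the same person and the reviewer is not in the allowed group, the item goes to the Self Certification Violation Owner, or stays with the reviewer as read-only when no owner is set. The following is an added example written for this page to make that decision explicit; the names (Identity, SelfCertSettings, route_item, the capability strings) are hypothetical and are not IdentityIQ's own classes or API, and the identities are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed model of the self-certification settings described on this page.
# All names here are hypothetical, not IdentityIQ classes or API calls.

# The three options offered by "Allow Self Certification For".
ALL_CERTIFIERS = "All certifiers"
CERT_AND_SYSTEM_ADMINS = "Certification and System Administrators"
SYSTEM_ADMINS_ONLY = "System Administrators only"

# Hypothetical capability labels used to classify reviewers.
SYSTEM_ADMIN = "SystemAdministrator"
CERT_ADMIN = "CertificationAdministrator"


@dataclass(frozen=True)
class Identity:
    name: str
    capabilities: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class SelfCertSettings:
    allow_self_certification_for: str       # one of the three options above
    violation_owner: Optional[str] = None   # identity or workgroup name; None = not set


def may_self_certify(reviewer: Identity, settings: SelfCertSettings) -> bool:
    """Is this reviewer in the group allowed to certify their own access?"""
    option = settings.allow_self_certification_for
    if option == ALL_CERTIFIERS:
        return True
    if option == CERT_AND_SYSTEM_ADMINS:
        return bool(reviewer.capabilities & {SYSTEM_ADMIN, CERT_ADMIN})
    if option == SYSTEM_ADMINS_ONLY:
        return SYSTEM_ADMIN in reviewer.capabilities
    raise ValueError(f"unknown self-certification option: {option!r}")


def route_item(reviewer: Identity, subject: Identity,
               settings: SelfCertSettings) -> Tuple[str, bool]:
    """Decide who holds an access review item and whether they may act on it.

    Returns (assignee, editable). A reviewer looking at someone else's access,
    or an allowed self-certifier, keeps the item. Otherwise the item is sent to
    the violation owner, or stays with the reviewer read-only if none is set.
    """
    if reviewer.name != subject.name or may_self_certify(reviewer, settings):
        return reviewer.name, True
    if settings.violation_owner is not None:
        return settings.violation_owner, True
    return reviewer.name, False


if __name__ == "__main__":
    # Constructed identities and a strict configuration with an owner set.
    alice = Identity("alice")
    strict = SelfCertSettings(SYSTEM_ADMINS_ONLY, violation_owner="Compliance Workgroup")
    print(route_item(Identity("bob"), alice, strict))   # ('bob', True)
    print(route_item(alice, alice, strict))             # ('Compliance Workgroup', True)
    print(route_item(alice, alice, SelfCertSettings(SYSTEM_ADMINS_ONLY)))  # ('alice', False)
```

The last call in the usage section is the case the page warns about: with no violation owner configured, a self-certification item is not lost but cannot be decided by the reviewer, so a review containing it cannot be completed by that person alone.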
Limit Reassignments
The limit reassignment feature allows you to limit the number of times the users within the certification campaign can reassign a certification item.
Reassignment Limit
Set the number of reassignments allowed.
Note
Certification is not forwarded or reassigned when the reassignment limit is reached.
Show Classifications
Set the global default to show classification data in certification access reviews. Classifications can be shown in Manager, Application Owner, Advanced, Role Membership, and Targeted certifications. This setting also determines whether classification information is shown in Separation of Duties (SOD) policy violations, in the dialog for correcting violations by revoking access.
Decisions
Enable Provisioning Of Missing Role Requirements
Enable the certifier to provision missing role requirements from within an access review.
Enable Line Item Delegation
Enables certifiers to delegate individual access review items, such as a single role or entitlement, rather than the entire identity to be reviewed.
This option also enables the delegation of policy violations, either from inside an access certification or from the Manage > Policy Violations page.
Enable Account Revocation
Allow users to bulk revoke all entitlements for a given account.
Enable Identity Delegation
Enable certifiers to delegate entire identities from a certification request.
Enable Allow Exceptions (applies only to non-policy violation items)
Enables certifiers to allow exceptions on access review items, such as roles or entitlements, that are not policy violations. Allowing an exception means the user should not have the access indefinitely, but can retain it for a specified period of time.
Deprovision Items When Exception Expires (applies only to non-policy violation items)
Enables automatic deprovisioning of access when the allowed exception period has expired. This setting applies only to items, such as roles or entitlements, that are not policy violations.
Enable Allow Exception Popup
Enables certifiers to view the Allow Exception pop-up and manually set expiration dates.
Default Duration for Exceptions
Set the time period during which exceptions should be allowed. Input the number of units and unit type (hours, days, weeks or months) to use as the exception duration.
Default Operation for Remediation Modifiable Attributes
Set the default operation shown on the revocation dialog for remediation-modifiable attributes.
Show Access Recommendations
Note
This option is only visible if you have purchased and activated the SailPoint AI-Driven Identity Security product.
Enable recommendations from AI-Driven Identity Security to display in access reviews.
Automatically Approve Recommended Items
Note
This option is only visible if you have purchased and activated the SailPoint AI-Driven Identity Security product.
Enable access review items to be automatically marked as approved by AI-Driven Identity Security and move to the Access Certification Review tab for final approval.
Bulk Actions
Select the actions to enable from the Worksheet / Identity view and the Detail view. The actions include the following:
- Enable Bulk Approve
- Enable Bulk Revocation
- Enable Bulk Allow Exceptions
- Enable Bulk Reassignment
- Enable Bulk Account Revocation
- Enable Bulk Clear Decisions
Certification Contents
Exclude Logical Tier Entitlements
Exclude entitlements on tier application accounts from the access review.
This only applies to logical applications. Tier applications are the applications that make up a logical application.
Generate Certification(s)
Specify whether, by default, access review requests should generate an access review request for the specified managers, or for the specified managers and all employees below them in the reporting hierarchy.
If you select For the specified manager(s) only, the Flatten Hierarchy option is displayed. Select the Flatten Hierarchy option to include on the access review request all of the employees that report directly to the selected managers and the employees that report to their subordinate managers.
Notification Templates
Much of the communication performed during the access review process is done through notifications that are sent automatically by IdentityIQ as an access review proceeds through its lifecycle. Notifications can be sent as emails, or as notifications in Microsoft Teams.
Use this section to choose the template to use for each certification-related notification.