Contents of a Certification: Policies, Roles, and Entitlements
These are some common terms that are used in certifications.
Policies govern access and can be defined for your enterprise. You can use certifications to monitor users who are in violation of those policies. For example, a separation-of-duties policy may dictate that one person cannot both request and approve purchase orders, or an activity policy might dictate that a user with the Human Resource role should not be able to update the payroll application.
In access reviews, Policy Violations show any violations of policy for an identity. The access reviewer(s) must take action on these violations before the certification can be completed.
There is a Policy Violations page in IdentityIQ that is separate from the access review page. Policy violations can be viewed and acted upon from this page, or as part of another access review.
Decisions made on a violation from another page or review are displayed within the access review, below the summary information, or in the revocation dialog.
Roles are essentially collections of permissions. Through roles, system entitlements can be grouped together and presented as a logical unit, such as a job function, rather than as a detailed and often difficult-to-interpret list of access rights. Within IdentityIQ, users are granted permissions through the roles that are assigned to them, or through roles they inherit through a role hierarchy.
In an access review, only the top-level roles are displayed in the roles section. For example, if a role contains required and permitted roles, only the top-level role is displayed and the required and permitted roles are certified as part of that role. You can click Details in the three-line menu for the item to expand the role information and view the role details and hierarchy. Both assigned and detected roles are displayed in the roles section.
If an identity has a role assigned to it multiple times – for example, to grant the same access to multiple accounts the user holds – that role is displayed multiple times, and each one must be reviewed and acted on individually.
Entitlements are either permissions or specific values for an account attribute, such as group membership. In the context of certifications, entitlements refer to all the entitlements an identity has access to that are not included as part of a role that is assigned to the identity.
Certifications can also include IdentityIQ capabilities and scopes; if the certification includes capabilities and scopes, these appear as additional entitlements on the IdentityIQ application, as Capabilities and Authorized Scopes attributes. Revoking these entitlements has auto-remediation enabled by default. This means that when the revocation is processed (either when the access review is signed, or immediately, based on the certification configuration) the capabilities and authorized scopes are removed from the identity.
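The following is an added example, not IdentityIQ product code: it models how the roles, entitlements and policy-violation sections described above are populated for one identity, showing only top-level roles (a role assigned twice appears twice), listing only entitlements not covered by an assigned role's hierarchy, and evaluating a separation-of-duties policy over everything the identity effectively holds. The role names, entitlement strings and policy are constructed for illustration.

```python
# Added example (not IdentityIQ code): derives the contents of an access review
# for one identity from a role catalog, held entitlements and SoD policies.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    entitlements: frozenset = frozenset()   # "app:attribute:value" strings
    required: tuple = ()                    # certified as part of this role
    permitted: tuple = ()                   # certified as part of this role

# Constructed role catalog and policy (not real tenant data).
ROLES = {
    "PurchaseRequester": Role("PurchaseRequester", frozenset({"ERP:memberOf:PO_Create"})),
    "PurchaseApprover": Role("PurchaseApprover", frozenset({"ERP:memberOf:PO_Approve"})),
    "Procurement": Role("Procurement", required=("PurchaseRequester",)),
}
# Separation-of-duties policy: one identity may not hold both of these.
SOD_POLICIES = {"PO request vs approve": {"ERP:memberOf:PO_Create", "ERP:memberOf:PO_Approve"}}

def role_closure(name, roles):
    """All roles reachable through required/permitted links, including `name`."""
    seen, stack = set(), [name]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(roles[r].required + roles[r].permitted)
    return seen

def review_contents(assigned, held_entitlements, roles=ROLES, policies=SOD_POLICIES):
    """Return (top-level roles, residual entitlements, violated policy names)."""
    # Roles reachable from another assigned role are certified with their parent,
    # so only top-level roles become review items; duplicates are kept on purpose.
    children = set()
    for r in assigned:
        children |= role_closure(r, roles) - {r}
    top_level = [r for r in assigned if r not in children]
    # Entitlements granted through any assigned role are certified with the role.
    covered = set()
    for r in assigned:
        for sub in role_closure(r, roles):
            covered |= roles[sub].entitlements
    residual = sorted(set(held_entitlements) - covered)
    # Policy violations are evaluated over everything the identity holds.
    effective = set(held_entitlements) | covered
    violations = [n for n, conflict in policies.items() if conflict <= effective]
    return top_level, residual, violations
```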
For additional information, see Access Review Pages.