Completing a Certification Campaign
As a certification campaign comes to an end, there are several things you can do to ensure that all decisions are made and any undecided access items are resolved in a timely manner.
Each certification campaign has a deadline. You either set this date yourself, or select the default deadline of two weeks after the creation date. In the days leading up to the campaign's deadline, you can monitor your reviewers' progress as decisions come in and remind them to complete the campaign as the due date nears.
Handling Post-Deadline Reviews
If the deadline has passed and access decisions still need to be made, you have the following options:
- Approve access to undecided items - If this campaign has been configured to maintain access to undecided items upon completion, select Complete from the Actions dropdown menu. You will see a confirmation window with a check box indicating that the status of all undecided access items will be maintained and users keep the access. Select the check box to agree, and select Complete.
- Choose to approve or revoke access to undecided items - If this campaign has been configured for you to choose between approving or revoking access to undecided items at this time, make your selection from the Actions dropdown menu.
  - If you select Complete & Approve Access, you will follow the same steps outlined above.
  - If you select Complete & Revoke Access, you will see a confirmation window indicating that your decision is final regarding these users' access rights and all undecided access items will be revoked. Select the check box to agree and select Complete.
Approving access is the recommended selection for undecided items in general due to the difficulty of reinstating access once it is revoked.
- Wait for reviewers to complete their decisions - You can also leave the decisions open indefinitely until reviewers approve or revoke them and sign off on the campaign themselves. Once all undecided access items are maintained or revoked, the campaign is considered complete and moves to the Completed tab.
If all of your reviewers have made their decisions and signed off on their certifications by the deadline, no action is needed for approved decisions and the campaign automatically moves to the Completed tab. For complete and revoke decisions, you must verify remediation to ensure that the revoked items in the campaign have been removed.
If a manager has made decisions but not signed off on the certification, the completion code preserves those decisions. For example, if a manager performs approvals but never signs off and the admin then completes the campaign, the manager's approvals are maintained and the admin revokes all other access.
Requested vs. Automatically Assigned Roles
The approve and revoke options described above are available to the certifier when the role was granted to the identity via access request.
If the role was assigned to the identity automatically via membership criteria, the certifier only has the Acknowledge option in access reviews. Automatically assigned roles do not have Approve or Revoke options because IdentityNow evaluates the role's membership criteria on a daily basis and would add the user back to the role and grant the entitlements again.
To remove the identity from an automatically assigned role, you need to either change the role's membership criteria so it doesn't match the identity or change the identity's data so it doesn't match the membership criteria, as described in Removing Entitlements.
Access cannot be revoked from an access profile if the entitlement in question is shared with another access profile.
- Before selecting Complete on a campaign, review the reports to ensure that the campaign accurately reflects appropriate access rights for all listed identities.
- Aggregate from the appropriate source (or import the updated flat file, which includes the changes you made to users' accounts) to complete the process.
- Verify remediation as described in the Verifying that Revoked Access Items Have Been Removed section.
Verifying that Revoked Access Items Have Been Removed
Once you've completed a certification campaign, you need to track the progress of items that need to be revoked and manually remove access to those items. You will always need to verify remediation in these scenarios:
- A certification campaign has been run and is either complete or overdue.
- At least one reviewer in the campaign has selected Revoke on at least one access item.
- A campaign has been completed by an admin where access to undecided items has been revoked.
IdentityNow responds to revoked items differently depending on the type of source they belong to. Some sources add a manual access removal task to the source owner's Task Manager if the items can't be removed automatically. If the source is a direct connect source, IdentityNow can remove the access from the identity automatically.
The campaign remediation status report includes all access that needs to be manually removed from a user in a source.
In the Admin interface, go to Certifications > Campaigns.
Find a campaign that is either complete or overdue.
Under Reports, select View to see a list of reports available for that campaign.
Before generating a report, select Verify Remediation in the Actions column to run a remediation scan. This ensures that all items in the report reflect their current status.
In the Generate column, select PDF or CSV beside the campaign remediation status report. This report shows any access items that have been marked as disapproved in the certification.
Give the report to source owners and users responsible for performing access remediation. You can run this report again as necessary to ensure that revoked items are removed from users.
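The check this procedure supports, as an added example (not SailPoint's code): it compares the items in a campaign remediation status report against account data re-read from the sources and lists revoked access that is still present. The CSV column names, the sample rows and the function name check_remediation are assumptions constructed for illustration; map the columns to the headers in your own export.

```python
import csv
import io
from collections import defaultdict

# Assumed column names; not taken from the product's report format.
REQUIRED = ("identity", "source", "access_item")

# Constructed sample: items the remediation status report lists as revoked.
REPORT_CSV = """identity,source,access_item
alice.ng,HR Flat File,payroll_admin
alice.ng,Active Directory,Domain Admins
bob.li,HR Flat File,benefits_editor
carol.wu,Badge System,server_room
"""

# Constructed sample: access still held, re-read from the sources after the
# source owners reported their changes. No data was supplied for Badge System.
CURRENT_ACCESS_CSV = """identity,source,access_item
Alice.Ng,HR Flat File,payroll_admin
alice.ng,HR Flat File,timesheet_user
bob.li,Active Directory,VPN Users
"""

def _rows(text):
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        # Fail closed: a renamed header must not look like "nothing pending".
        raise ValueError(f"missing columns: {missing}")
    # Normalise case and whitespace so "Alice.Ng " matches "alice.ng".
    return [tuple(r[c].strip().casefold() for c in REQUIRED) for r in reader]

def check_remediation(report_csv, current_csv):
    """Return (pending, unverified). pending maps source -> [(identity, item)]
    for revoked access still present; unverified lists sources named in the
    report that have no fresh data, so removal cannot be confirmed."""
    current = set(_rows(current_csv))
    covered = {source for _, source, _ in current}
    pending, unverified = defaultdict(list), set()
    for identity, source, item in _rows(report_csv):
        if source not in covered:
            unverified.add(source)      # absence of data is not proof of removal
        elif (identity, source, item) in current:
            pending[source].append((identity, item))
    return dict(pending), sorted(unverified)

if __name__ == "__main__":
    print(check_remediation(REPORT_CSV, CURRENT_ACCESS_CSV))
```

Sources reported as unverified need a fresh aggregation or flat file import before their revocations can be treated as removed.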
Direct Connect Source Remediation
Your provisioning activity report tells you if access has been removed from users on direct connect sources.
In the Admin interface, go to Identities > Activities. If access has been automatically revoked because of a certification, you'll see that action here. You can see the status of the action in the badge on the right.
For details about a particular action, select the Info icon.
Reminding Reviewers to Complete a Certification
IdentityNow automatically sends customizable certification reminder emails:
- At the time the campaign is activated.
- One week after a certification campaign begins.
- Every seven days after the campaign begins until they sign off, the certification expires, or you complete the campaign for them by choosing to maintain or revoke remaining decisions.
You can also manually send emails to communicate with reviewers about their certifications.
Go to Certifications > Campaigns and select a campaign.
From the list of campaign approvers, select the Email icon of the person you want to contact. This launches your default email app.
Deleting a Campaign
You can delete certification campaigns.
If any reviewers have made approvals or revoked access on any items in a certification, these decisions will be lost. The certification will no longer appear in participants' certification views, and they will not be notified that the certification has been deleted.
In the Admin interface, go to Certifications > Campaigns.
In the list of certification campaigns, select the check box for one or more items.
Select the Actions icon and choose Delete.
Select Continue in the confirmation message window.