Skip to content

Completing a Certification Campaign

As a certification campaign comes to an end, there are several things you can do to ensure that all decisions are made and any undecided access items are resolved in a timely manner.

Each certification campaign has a deadline. You can set this date yourself, or select the default deadline of two weeks after the creation date. In the days leading up to the campaign's deadline, you can monitor your reviewers' progress as decisions come in and remind them to complete the campaign as the due date nears.

Reminding Reviewers to Complete Certifications

Identity Security Cloud automatically sends customizable certification reminder emails:

  • At the time the campaign is activated.
  • Every seven days after the campaign begins until they sign off, the certification expires, or you complete the campaign for them by choosing to maintain or revoke remaining decisions.

    Important

    If email notifications were disabled upon campaign creation, reviewers will not receive these reminder emails.

For more information about these automatic emails, refer to the documentation on the Certification and Certification Due email templates.

You can also manually send emails to remind reviewers to complete their certifications.

  1. Go to Admin > Certifications > Campaigns.
  2. In Cards view, select Details for a campaign. Select the Email button on the reviewer's card.

    Alternatively, in Table view, select the campaign's name. On the Campaign Reviewers page, select Actions > Email for the reviewer.

    This launches your default email app with the reviewer’s email address pre-populated.

    To email multiple reviewers, select the checkboxes for those reviewers and then select the Email button above the list of reviewers.

Handling Post-Deadline Reviews

If the deadline has passed and access decisions still need to be made, you have the following options:

  • Maintain access to undecided items - If this campaign has been configured to maintain access to undecided items upon completion, select Actions > Complete. You will be prompted to confirm that all undecided access items will be maintained and users will keep their access. Select Complete Campaign to confirm your decision.

  • Choose to approve or revoke access to undecided items - If this campaign has been configured for you to choose between maintaining or revoking access to undecided items, make your selection from the Actions dropdown list.

    • If you select Complete & Maintain Access, you will follow the same steps outlined above.

    • If you select Complete & Revoke Access, you will be prompted to confirm that your decision is final and that all undecided access items will be revoked. Select Complete Campaign to confirm your decision. After you have revoked access, you must verify remediation to ensure that the revoked items in the campaign have been removed.

    Caution

    SailPoint strongly recommends you choose to maintain access to undecided items due to the difficulty of reinstating access after it is revoked.

    Note

    If a manager has made decisions but not signed off on the certification, their decisions are preserved. For example, an admin completes a campaign even though a manager didn't sign off on their approvals. In this case, the manager's approvals are maintained, and the admin revokes all other access.

  • Wait for reviewers to complete their decisions - You can also leave decisions open until reviewers approve or revoke all items and sign off on the campaign. After the reviewers have completed and signed off on their decisions, the campaign is moved to the Completed tab.

    If all reviewers have made their decisions and signed off on their certifications by the deadline, no action is needed for approved decisions, and the campaign automatically moves to the Completed tab.

Requested vs. Automatically Assigned Roles

Certifiers can approve or revoke an identity's access to a role if the role was granted to the identity through an access request. If the role was assigned to the identity automatically through membership criteria, the certifier can only acknowledge this access. Identity Security Cloud evaluates the role's membership criteria daily and would add the identity back to the role.

To remove the identity from an automatically assigned role, you need to either change the role's membership criteria so it doesn't match the identity or change the identity's data so it doesn't match the membership criteria.

Best Practices

  • Before selecting Complete on a campaign, review the reports to ensure that the campaign accurately reflects appropriate access rights for all listed identities.
  • Aggregate from the appropriate source (or import the updated flat file, which includes the changes you made to users' accounts) to complete the process.
  • Verify remediation as described in the Verifying that Revoked Access Items Have Been Removed section.

Verifying that Revoked Access Items Have Been Removed

After you've completed a certification campaign, you may need to track the progress of items that need to be revoked and manually remove access to those items. You will always need to verify remediation in these scenarios:

  • A certification campaign has been run and is either complete or overdue.

  • At least one reviewer in the campaign has selected Revoke on at least one access item.

  • A campaign has been completed by an admin where access to undecided items have been revoked.

Your tenant responds to revoked items differently depending on the type of source they belong to. Some sources add a manual access removal task to the source owner's Task Manager if the items can't be removed automatically. If the source is a direct connect source, Identity Security Cloud can remove the access from the identity automatically.

Manual Remediation

The Campaign Remediation Status Report shows access items that were marked as revoked in a certification and couldn't be deprovisioned automatically from the identity.

  1. Go to Admin > Certifications > Campaigns.

  2. Find a campaign that is either complete or overdue.

  3. Select Actions > Download Reports for that campaign.

  4. In the Download Campaign Reports window, select the Download icon beside the Campaign Remediation Status Report.

  5. Select CSV or PDF to generate the report in your preferred file type. The report automatically generates with the latest data.

    Note

    PDF reports may display additional information, such as a summary or chart of your data.

  6. Select Download to download and view the file. The file will show access items that have been marked as disapproved in the certification.

You can generate this report again to ensure that revoked items have been removed from identities.

Direct Connect Source Remediation

Your provisioning activity report tells you if access has been removed from users on direct connect sources.

  1. Go to Admin > Identities > Activities. Access that has been automatically revoked because of a certification is displayed. You can view the status of the action in the badge on the right.

  2. For details about a particular action, select the Info icon.

Deleting a Campaign

You can delete certification campaigns. However, if reviewers have made approvals or revoked access on any items in a certification, these decisions will be lost. The certification will no longer appear in participants' certification views, and they will not be notified that the certification has been deleted.

  1. Go to Admin > Certifications > Campaigns.

  2. Select Actions > Delete for the campaign you want to delete.

    Note

    You can also delete a campaign from its preview page.

    To delete multiple certification campaigns, select the checkboxes for the campaigns you want to delete from the list and then select Delete.

  3. In the confirmation message, select Delete Campaign.

Documentation Feedback