Completing a Certification Campaign
As a certification campaign comes to an end, there are several things you can do to ensure that all decisions are made and any undecided access items are resolved in a timely manner.
Each certification campaign has a deadline. You can set this date yourself, or select the default deadline of two weeks after the creation date. In the days leading up to the campaign's deadline, you can monitor your reviewers' progress as decisions come in and remind them to complete the campaign as the due date nears.
Handling Post-Deadline Reviews
If the deadline has passed and access decisions still need to be made, you have the following options:
Maintain access to undecided items - If this campaign has been configured to maintain access to undecided items upon completion, select Complete from the actions dropdown menu . You will be prompted to confirm that all undecided access items will be maintained and users will keep their access. Select Complete Campaign to confirm your decision.
Choose to approve or revoke access to undecided items - If this campaign has been configured for you to choose between maintaining or revoking access to undecided items, make your selection from the actions dropdown menu .
If you select Complete & Maintain Access, you will follow the same steps outlined above.
If you select Complete & Revoke Access, you will be prompted to confirm that your decision is final and that all undecided access items will be revoked. Select Complete Campaign to confirm your decision. After you have revoked access, you must verify remediation to ensure that the revoked items in the campaign have been removed.
SailPoint strongly recommends you choose to maintain access to undecided items due to the difficulty of reinstating access after it is revoked.
If a manager has made decisions but not signed off on the certification, their decisions are preserved. For example, an admin completes a campaign even though a manager didn't sign off on their approvals. In this case, the manager's approvals are maintained, and the admin revokes all other access.
Wait for reviewers to complete their decisions - You can also leave decisions open until reviewers approve or revoke all items and sign off on the campaign. After the reviewers have completed and signed off on their decisions, the campaign is moved to the Completed tab.
If all reviewers have made their decisions and signed off on their certifications by the deadline, no action is needed for approved decisions, and the campaign automatically moves to the Completed tab.
Requested vs. Automatically Assigned Roles
Certifiers can approve or revoke an identity's access to a role if the role was granted to the identity through an access request. If the role was assigned to the identity automatically through membership criteria, the certifier can only acknowledge this access. IdentityNow evaluates the role's membership criteria daily and would add the identity back to the role.
To remove the identity from an automatically assigned role, you need to either change the role's membership criteria so it doesn't match the identity or change the identity's data so it doesn't match the membership criteria, as described in Removing Entitlements.
- Before selecting Complete on a campaign, review the reports to ensure that the campaign accurately reflects appropriate access rights for all listed identities.
- Aggregate from the appropriate source (or import the updated flat file, which includes the changes you made to users' accounts) to complete the process.
- Verify remediation as described in the Verifying that Revoked Access Items Have Been Removed section.
Verifying that Revoked Access Items Have Been Removed
After you've completed a certification campaign, you may need to track the progress of items that need to be revoked and manually remove access to those items. You will always need to verify remediation in these scenarios:
A certification campaign has been run and is either complete or overdue.
At least one reviewer in the campaign has selected Revoke on at least one access item.
A campaign has been completed by an admin where access to undecided items have been revoked.
IdentityNow responds to revoked items differently depending on the type of source they belong to. Some sources add a manual access removal task to the source owner's Task Manager if the items can't be removed automatically. If the source is a direct connect source, IdentityNow can remove the access from the identity automatically.
The Campaign Remediation Status Report shows access items that were marked as revoked in a certification and couldn't be deprovisioned automatically from the identity.
Go to Admin > Certifications > Campaigns.
Find a campaign that is either complete or overdue.
Select the actions dropdown menu > Download Reports for that campaign.
In the Download Campaign Reports window, select the download icon beside the Campaign Remediation Status Report.
Select CSV or PDF to generate the report in your preferred file type. The report automatically generates with the latest data.
Select Download to download and view the file. The file will show access items that have been marked as disapproved in the certification.
Give the report to source owners and users responsible for performing access remediation.
You can generate this report again to ensure that revoked items have been removed from identities.
Direct Connect Source Remediation
Your provisioning activity report tells you if access has been removed from users on direct connect sources.
Go to Admin > Identities > Activities. Access that has been automatically revoked because of a certification is displayed. You can view the status of the action in the badge on the right.
For details about a particular action, select the Info icon.
Reminding Reviewers to Complete a Certification
IdentityNow automatically sends customizable certification reminder emails:
- At the time the campaign is activated.
Every seven days after the campaign begins until they sign off, the certification expires, or you complete the campaign for them by choosing to maintain or revoke remaining decisions.
If email notifications were disabled upon campaign creation, IdentityNow does not send reminder emails.
You can also manually send emails to communicate with reviewers about their certifications.
- Go to Admin > Certifications > Campaigns.
- In Cards view, select Details for a campaign.
Select the Email button on a reviewer's card. This launches your default email app with the reviewer’s email address pre-populated.
To email multiple reviewers, select the checkboxes for those reviewers and then select the Email button at the top of the page.
Deleting a Campaign
You can delete certification campaigns. However, if reviewers have made approvals or revoked access on any items in a certification, these decisions will be lost. The certification will no longer appear in participants' certification views, and they will not be notified that the certification has been deleted.
Go to Admin > Certifications > Campaigns.
Select the actions dropdown menu > Delete for the campaign you want to delete.
You can also delete a campaign from its preview page.
To delete multiple certification campaigns, select the checkboxes for the campaigns you want to delete from the list and then select Delete.
In the confirmation message, select Delete Campaign.