Reviewing a Certification
Reviewers can use the Certifications menu to:
- Review each item a user has access to.
- Track and review users' approve and revoke decisions.
- Reassign certifications to other reviewers as needed.
Reviewing by Identity or Access Item
When your administrator creates a certification campaign that contains access items or people you're responsible for, you'll receive a notification that certifications are ready for your review. You can see all of your active and completed certifications by selecting Certifications in the main menu.
1. Sign in and go to Certifications.
2. Under the Active tab, each card represents an active certification campaign. You will also see any certification campaigns that have been reassigned to you. You can select a card to see details about the campaign and any information or comments about reassignment.
Select Start or Continue for the campaign you want to work on.
3. From the list of identities on the left, select the identity you want to certify. You'll see a list of access items for that user. Select an access item to view details about it.
To review the campaign based on access items instead of identities, select the View as Access toggle at the top of the screen. Then choose Roles, Access Profiles, or Entitlements from the list on the left to see a list of pending access items for that category.
You can select the toggle to switch back to View as Identity at any time.
4. In each section, beside each access item, select the check mark icon to approve access or the X icon to revoke access.
You can approve or revoke all access items in bulk using the check boxes next to the access items.
You can select each access item listed to see additional details about that item.
To leave comments with your decision, select the three dots next to the Approve and Revoke buttons. Enter your comments about the certification in the menu that appears and select Submit.
When you have made all the decisions for an identity, it disappears from the list on the left, leaving only the identities you still need to work on.
5. When you have certified each user and the campaign is ready for sign off, select the banner at the top of the page.
6. Select Complete Certification to mark the certification as complete.
The certification moves to the Completed tab, where all of your completed campaigns appear as cards. You can select Review to look at the contents of the certification in detail.
- If you approve an access profile or entitlement, the user will keep that access, even if you revoke the same entitlements somewhere else in this certification.
- When reviewing roles, you can only acknowledge the access, not approve it, if the role was assigned from membership criteria. If you see an access profile, app, or entitlement that is contained within the role that is not appropriate for the identity in question, and you are unable to revoke it, contact the role owner to have it removed. For more details, see the Reviewing Assigned Roles section.
About Access Flags
- New Access: The access has not been certified previously.
- Privileged Access: The user has access to more sensitive data. Privileged access is based on source-level entitlements that were marked as privileged during source configuration. Admin, payroll, and HR are just a few examples of privileged access.
- Birthright Access: The access has been granted by automated rules, such as lifecycle states.
- Comments: There are comments associated with this access.
Reviewing Assigned Roles
Because they are assigned according to user membership criteria or other business logic, automatically assigned roles cannot be approved or revoked in an access certification campaign like a requested role can. Assigned roles can only be acknowledged. Select Acknowledge to verify that you have reviewed the role's contents. All roles must be acknowledged before you can sign off on a certification campaign.
Additionally, any access profiles, applications, or entitlements associated with the assigned role cannot be approved or revoked. To see these items, select the corresponding column. In the dialog box, select the tabs to view all of the role's contents.
Revoking Entitlements and Access Profiles
When you revoke an access profile or entitlement from a user, one of two things happens:
- The access is automatically removed from the user.
- A task is sent to the owner of the source that the access comes from, and the source owner removes the access manually.
In some cases, two different access profiles might have some overlapping entitlements. If you approve one access profile and revoke another, the user keeps all access that was approved, even though it was revoked somewhere else.
For example, a user has Access Profile #1, which contains entitlements A, B, and C. The user also has Access Profile #2, which contains entitlements A, D, and E. If you approve Access Profile #1 and revoke Access Profile #2, the user will still have entitlement A.
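The overlap rule above can be modelled as a small check that reports which revoked entitlements a user still holds and which approved item keeps them in place. This is an added example, not product code: the function name `resolve_decisions`, the dictionary layout, and the sample data are assumptions made for illustration.

```python
# Added illustration: models the overlap rule described above.
# Item names and the data layout are constructed, not a product API.

def resolve_decisions(items, decisions):
    """Apply the page's rule: approved access is kept even if it is
    revoked through another item in the same certification.

    items:     {item name: set of entitlements the item grants}
    decisions: {item name: "approve" or "revoke"}
    Returns (kept, removed, conflicts), where conflicts maps each
    entitlement that was revoked somewhere but survives to the
    approved items that keep it in place.
    """
    undecided = set(items) - set(decisions)
    if undecided:
        raise ValueError(f"no decision recorded for: {sorted(undecided)}")

    approved_by = {}   # entitlement -> approved items granting it
    revoked = set()    # entitlements covered by at least one revoke
    for name, entitlements in items.items():
        decision = decisions[name]
        if decision == "approve":
            for ent in entitlements:
                approved_by.setdefault(ent, []).append(name)
        elif decision == "revoke":
            revoked |= entitlements
        else:
            raise ValueError(f"unknown decision {decision!r} for {name}")

    kept = set(approved_by)
    removed = revoked - kept
    conflicts = {ent: sorted(approved_by[ent]) for ent in revoked & kept}
    return kept, removed, conflicts


# Constructed sample matching the example in the text.
ITEMS = {
    "Access Profile #1": {"A", "B", "C"},
    "Access Profile #2": {"A", "D", "E"},
}
DECISIONS = {"Access Profile #1": "approve", "Access Profile #2": "revoke"}

if __name__ == "__main__":
    kept, removed, conflicts = resolve_decisions(ITEMS, DECISIONS)
    print("kept:", sorted(kept))
    print("removed:", sorted(removed))
    for ent, sources in sorted(conflicts.items()):
        print(f"{ent} was revoked but is still granted via {sources}")
```

A non-empty `conflicts` result marks entitlements a reviewer intended to remove that remain because another approved item grants them, so the approving decision is the one to revisit.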
Reassign a Certification
When you are certifying people's access to data and applications in your organization, you might need to assign your certifications to another user for a number of reasons, such as:
- There might be someone on your list who officially reports to you but actually works in a cross-departmental team headed by another manager.
- You might be on vacation during a certification review or otherwise unable to certify a person's access to applications and data.
- There might be a specific access item for an identity that someone else knows more about.
1. In Certifications, select the active certification you want to reassign and select Continue.
2. Choose how you want to reassign.
Reassign by Identity: Select the person you want to reassign from the list of users by selecting the check box next to their name. To reassign multiple people, select multiple check boxes and select Reassign.
Reassign by Access Item: Select the View as Access toggle at the top of the screen. In the list of access items on the left, select the access item you want to reassign.
A list of identities with that access is displayed in the Identities tab to the right. Select the identity related to the access item you want to reassign by selecting the check box next to their name.
Select the three dots in the decision column and choose Reassign.
While the reassign selection for access items is in the Identities tab, you are not reassigning the whole identity, just the specific access item you selected. You can select the View as Identity toggle to return to full identity reassignment.
3. In the Reassign menu, type or select the name of the reviewer you want to reassign the certification to.
4. In the Add Comments box, enter any comments about the reassignment.
Include your name as well as the reason for the reassignment so that the new reviewer can contact you with any questions.
5. Select Reassign.
Repeat these steps for any additional users you want to reassign.
Reviewers will see certifications reassigned to them in their list of active certifications.