Skip to content

Working with certifications

To be successful and secure within your organization, you need to know who has access to what and whether that access is correct. You can review this access through certifications. Certifications allow you to review your users' roles, access profiles, entitlements, and apps to keep your organization safe and secure.

Reviewing certifications

When your administrator creates a certification campaign containing access items or identities (users) you're responsible for, you'll receive a notification that certifications are ready for your review. You can review your active certifications by identities or access items.

To review certifications:

  1. Select Certifications from the navigation menu.

  2. In the Active tab, select the certification you want to work on.

  3. Review the certification by identity or access items:

    • Identities: From the list of identities, select the identity you want to certify. You'll see a list of access items for that user. Select an access item to view its details.

      A list of identities in a certification campaign.

    • Access items: Select Access to view certifications by access items. From the list on the left, choose either Roles, Access Profiles, or Entitlements to see a list of pending access items for that category.

      A list of access items in a certification campaign.

  4. In each section, beside each access item, select Approve (Approve icon) to approve access or Revoke (Revoke icon) to revoke access.

    Note

    You can only acknowledge a role that was automatically assigned to the identity through membership criteria. Select the Acknowledge button to do so.

    You can leave comments with your decision, reassign the certification or select a revocation date for the access by selecting More Options (Options icon). In the new window, enter the revocation date or any comments about the certification and submit your decision.

    If your organization has SailPoint's Recommendations service, you can use the recommendations to help guide your decision-making process.

    An example of SailPoint's recommendations feature.

    If your organization has SailPoint SaaS Management, you can review the Last Activity column for each access item to determine when the user last accessed the account associated with the access. This data describes when a user last accessed the account that has that specific access profile or entitlement. The data does not describe when the access profile or entitlement was last used.

    An example of data in the Last Activity column.

    After you complete a certification, you can add or modify a revocation date, add additional comments, or change your decision by selecting More Options (Options icon).

  5. To save your changes, select Exit Campaign in the upper right corner of the page. You can return at any time to continue your work. When you're completely finished with all certifications in this campaign, you'll see a sign-off page when you select this button.

  6. Select Sign off on campaign to mark the certification campaign as complete.

The certification campaign moves to the Completed tab where you can view all your completed certification campaigns.

Access flags

When you review an access item for a certification, you may see an icon under the Flags column. This icon alerts you of any information you should consider when approving access. You may encounter the following flags:

Name Icon Definition
New Access New Access icon The access has not been certified previously.
Privileged Access Privileged Access icon The user has access to more sensitive data. Admin, payroll, and HR are just a few examples of privileged access.
Birthright Access Birthright Access icon The access has been granted by automated rules, such as lifecycle states.
Comments Comments icon There are comments associated with this access.
Timebound Access Comments icon The access has a set end date.

Reassigning certifications

Sometimes, you may need to reassign certifications to another user if they are better suited for reviewing that access. In any case, you can reassign your certifications to ensure your organization remains safe and secure.

On the Certifications page, you can review and reassign certifications by users, known as identities, or by access items.

To reassign a certification:

  1. Select Certifications from the navigation menu.

  2. In the Active tab, select the certification you want to reassign.

  3. Choose how you want to reassign the certification:

    • By Identity – From the list of identities, select the check box for the identity you want to reassign and select Reassign.

    • By Access Item – Select Access to view certifications by access items. From the list on the left, choose either Roles, Access Profiles, or Entitlements to see a list of access items for that category. In the Identities tab, select the identity related to the access item you want to reassign. Select the Options menu (Options icon) in the Decision column and then select Reassign.

      Note

      If you reassign an item in the Identities tab, you are only reassigning that specific access item. Select Identities to reassign the entire identity.

  4. In the Reassign To field, enter the name or email address of the new reviewer. You can reassign the certification to multiple users.

  5. In the Add Comments field, enter the reason you're reassigning this certification and any other comments related to the certification.

    Best practice

    Include your name as well as the reason for the reassignment. The new reviewer may need to contact you with questions.

  6. Select Reassign Decision to reassign the certification.

Repeat these steps for any additional certifications you want to reassign.

Reviewers will receive an email about the reassignment and can see the certification in their list of active certifications.