Working with certifications

To be successful and secure within your organization, you need to know who has access to what and whether that access is correct. You can review your users' access to roles, access profiles, entitlements, and apps through certifications.

Reviewing certifications

Your administrator may create a certification campaign containing access items or identities you're responsible for. You'll receive a notification that certifications are ready for your review.

1. Select Certifications from the navigation menu.

2. In the Active tab, select the certification you want to work on.

3. Review the certification by:

   • Identities - Select the identity you want to certify from the list of identities. You'll see a list of access items for that user. Select an access item to view its details.
     
     

   • Access items - Select Access to view certifications by access items. From the list on the left, choose Roles, Access Profiles, or Entitlements to see a list of pending access items for that category.
     
     

   • Role Compositions - Select the role you want to certify from the list of roles. Review the role's associated access profiles, membership criteria, and details.
     
     

4. In each section, beside each access item, select Approve () to approve access or Revoke () to revoke access.

   Note

   You can only acknowledge a role that was automatically assigned to the identity through membership criteria. Select the Acknowledge button to do so.

   You can leave comments with your decision, reassign the certification or select a revocation date for the access by selecting More Options (). In the new window, enter the revocation date or any comments about the certification and submit your decision.

   Note

   You cannot set a revocation date for entitlements.

   If you choose to revoke an item in a role composition certification, you’ll need to add a comment explaining the change. IdentityNow will then send a task with these comments to the role owner to update the associated role.

   If your organization has other SailPoint services, you can view additional information to help you make decisions about your certifications.

   SailPoint Service	Feature
   Recommendations	Use recommendations to help guide your decision-making process.
   SaaS Management	Review the Last Account Activity column for each access item to determine when the user last accessed the account associated with the access. This data describes when a user last accessed the account with that access profile or entitlement. The data does not describe when the access profile or entitlement was last used.
   Cloud Access Management	Select View Details in the Cloud Enabled column to view information that’ll help you make decisions on cloud resource access, such as access type and access paths.

   After you complete a certification, you can add or modify a revocation date, add additional comments, or change your decision by selecting More Options ().

5. To save your changes, select Exit Campaign in the upper right corner of the page. You can return at any time to continue your work. When you're completely finished with all certifications in this campaign, you'll see a sign-off page when you select this button.

6. Select Sign off on campaign to mark the certification campaign as complete.

The certification campaign moves to the Completed tab where you can view all your completed certification campaigns.

Access flags

When you review an access item for a certification, an icon may display in the Flags column. This icon alerts you of information you should consider when approving access. You may encounter the following flags:

Name	Icon	Definition
New Access		The access has not been certified previously.
Privileged Access		The user has access to more sensitive data. Admin, payroll, and HR are just a few examples of privileged access.
Birthright Access		The access has been granted by automated rules, such as lifecycle states.
Comments		There are comments associated with this access.
Timebound Access		The access has a set end date.
Cloud Enabled		The entitlement is marked as cloud enabled. You may view additional information about this entitlement based on data from Cloud Access Management.

Reassigning certifications

If you need to reassign certifications to a user who is better suited to review that access, you can do so on the Certifications page. You can review and reassign certifications by users, known as identities, or by access items.

1. Select Certifications from the navigation menu.

2. In the Active tab, select the certification you want to reassign.

3. Choose how you want to reassign the certification:

   • By Identity – From the list of identities, select the checkbox for the identity you want to reassign and select Reassign.

   • By Access Item – Select Access to view certifications by access items. From the list on the left, choose either Roles, Access Profiles, or Entitlements to see a list of access items for that category. In the Identities tab, select the identity related to the access item you want to reassign. Select the Options menu () in the Decision column and then select Reassign.

     Note

     If you reassign an item in the Identities tab, you are only reassigning that specific access item. Select Identities to reassign the entire identity.

4. In the Reassign To field, enter the name or email address of the new reviewer. You can reassign the certification to multiple users.

5. In the Add Comments field, enter the reason you're reassigning this certification and any other comments related to the certification.

   Best practice

   Include your name as well as the reason for the reassignment. The new reviewer may need to contact you with questions.

6. Select Reassign Decision to reassign the certification.

Repeat these steps for additional certifications that you want to reassign. Reviewers will receive an email about the reassignment and can see the certification in their list of active certifications.