Working with certifications
To be successful and secure within your organization, you need to know who has access to what and whether that access is correct. You can review this access through certifications. Certifications allow you to review your users' roles, access profiles, entitlements, and apps to keep your organization safe and secure.
When your administrator creates a certification campaign containing access items or identities (users) you're responsible for, you'll receive a notification that certifications are ready for your review. You can review your active certifications by identities or access items.
To review certifications:
Select Certifications from the navigation menu.
In the Active tab, select the certification you want to work on.
Review the certification by identity or access items:
Access items: Select Access to view certifications by access items. From the list on the left, choose either Roles, Access Profiles, or Entitlements to see a list of pending access items for that category.
In each section, beside each access item, select Approve () to approve access or Revoke () to revoke access.
You can only acknowledge a role that was automatically assigned to the identity through membership criteria. Select the Acknowledge button to do so.
You can leave comments with your decision, reassign the certification or select a revocation date for the access by selecting More Options (). In the new window, enter the revocation date or any comments about the certification and submit your decision.
If your organization has SailPoint SaaS Management, you can review the Last Activity column for each access item to determine when the user last accessed the account associated with the access. This data describes when a user last accessed the account that has that specific access profile or entitlement. The data does not describe when the access profile or entitlement was last used.
After you complete a certification, you can add or modify a revocation date, add additional comments, or change your decision by selecting More Options ().
To save your changes, select Exit Campaign in the upper right corner of the page. You can return at any time to continue your work. When you're completely finished with all certifications in this campaign, you'll see a sign-off page when you select this button.
Select Sign off on campaign to mark the certification campaign as complete.
The certification campaign moves to the Completed tab where you can view all your completed certification campaigns.
When you review an access item for a certification, you may see an icon under the Flags column. This icon alerts you of any information you should consider when approving access. You may encounter the following flags:
|New Access||The access has not been certified previously.|
|Privileged Access||The user has access to more sensitive data. Admin, payroll, and HR are just a few examples of privileged access.|
|Birthright Access||The access has been granted by automated rules, such as lifecycle states.|
|Comments||There are comments associated with this access.|
|Timebound Access||The access has a set end date.|
Sometimes, you may need to reassign certifications to another user if they are better suited for reviewing that access. In any case, you can reassign your certifications to ensure your organization remains safe and secure.
On the Certifications page, you can review and reassign certifications by users, known as identities, or by access items.
To reassign a certification:
Select Certifications from the navigation menu.
In the Active tab, select the certification you want to reassign.
Choose how you want to reassign the certification:
By Identity – From the list of identities, select the check box for the identity you want to reassign and select Reassign.
By Access Item – Select Access to view certifications by access items. From the list on the left, choose either Roles, Access Profiles, or Entitlements to see a list of access items for that category. In the Identities tab, select the identity related to the access item you want to reassign. Select the Options menu () in the Decision column and then select Reassign.
If you reassign an item in the Identities tab, you are only reassigning that specific access item. Select Identities to reassign the entire identity.
In the Reassign To field, enter the name or email address of the new reviewer. You can reassign the certification to multiple users.
In the Add Comments field, enter the reason you're reassigning this certification and any other comments related to the certification.
Include your name as well as the reason for the reassignment. The new reviewer may need to contact you with questions.
Select Reassign Decision to reassign the certification.
Repeat these steps for any additional certifications you want to reassign.
Reviewers will receive an email about the reassignment and can see the certification in their list of active certifications.