Working with certifications
Your administrator may create a certification campaign containing access items or identities you're responsible for. When this happens, you'll receive a notification that certifications are ready for your review.
Select Certifications from the navigation menu.
In the Active tab, select the certification you want to work on.
Review the contents of the certification. The page will differ based on the type of certification:
Identity access certifications
Select Identities and choose an identity from the list. You'll see a list of access items for that user. Review their access within the Roles, Access Profiles, or Entitlements tabs. Select an access item to view its details.
Role composition certifications
Uncorrelated accounts certifications
An uncorrelated account is a source account that is not matched to an authoritative identity in IdentityNow. A single uncorrelated account is generally represented by an uncorrelated identity. In rare cases, multiple uncorrelated accounts may belong to the same uncorrelated identity and be grouped together.
To review these certifications, select Uncorrelated Identities and choose the uncorrelated identity you want to certify from the list. Review the access items associated with the uncorrelated identity.
You can also select Access Items and choose an access item from the list. Review the uncorrelated accounts associated with that access item.
In each section, beside each item, select Approve to approve access or Revoke to revoke access. If the decision requires a comment, enter a comment and select Submit.
You can only acknowledge a role that was automatically assigned to the identity through membership criteria. Select the Acknowledge button to do so.
If you choose to revoke an item in a role composition certification, include a comment explaining the change. IdentityNow will then send a task with these comments to the role owner to update the associated role.
Tips for reviewing certifications
- Your certifications may contain access flags and additional data from other SailPoint products and services your organization has licensed. This information can help you make more informed decisions about whether to approve or revoke each access item.
- If configured by your administrator, you can also view additional attributes for entitlements to help make decisions on access. To do so, select an entitlement and view the Additional Attributes section within its details. You can also select individual entitlements within an access profile to view their additional attributes.
Select More Options to leave comments with your decision, reassign the certification, or choose a revocation date. In the new window, enter the revocation date or comments about the certification and submit your decision.
- You cannot set a revocation date for entitlements.
You can change your decision, add or modify a revocation date, or add additional comments until you sign off on the certification. In the Completed tab of an identity or access item, select Revisit Decision for the decision you want to update. After you complete a certification, you can add or modify a revocation date, add additional comments, or change your decision by selecting More Options.
To save your changes, select Exit Campaign in the upper-right corner of the page. You can return at any time to continue your work.
If you've completed all decisions, you'll see a sign-off page when you select Exit Campaign. Select Sign off to mark the certifications as complete. The certification moves to the Completed tab on the Certifications page.
If you need to save and review your decisions later, select Save and return later.
When you review an access item for a certification, an icon may display in the Flags column. This icon alerts you to information you should consider when approving access. You may encounter the following flags:
| Flag | Description |
|---|---|
| New Access | The access has not been certified previously. |
| Privileged Access | This access includes sensitive data. Admin, payroll, and HR are potential examples of privileged access. |
| Birthright Access | The access has been granted by automated rules, such as lifecycle states. |
| Comments | There are comments associated with this access. |
| Timebound Access | The access has a set end date. |
| Cloud Enabled | This access relates to cloud infrastructure. |
Viewing Last Account Activity
If your organization has SailPoint SaaS Management, you can review the Last Account Activity column for each access item to determine when the user last accessed the account associated with the access.
This data describes when a user last accessed the account with that access profile or entitlement. The data does not describe when the access profile or entitlement was last used.
If your organization has the Recommendations service, select the Recommended or Not Recommended icon in the Decision column to view the reasons behind the recommendation. You can use this data to help guide your decision-making process.