Working with certifications

Your administrator may create a certification campaign containing access items or identities you're responsible for. When this happens, you'll receive a notification that certifications are ready for your review.

Reviewing certifications

  1. Select Certifications from the navigation menu.

  2. In the Active tab, select the certification you want to work on.

  3. Review the contents of the certification. The page will differ based on the type of certification:

    • Identity access certifications

      Select Identities and choose an identity from the list. You'll see a list of access items for that user. Review their access within the Roles, Access Profiles, or Entitlements tabs. Select an access item to view its details.

      You can also select Access Items and choose a role, access profile, or entitlement from the list. Review the identities who have that access.

    • Role composition certifications

      Select the role you want to review from the list of roles. Review the role's associated access profiles, membership criteria, and details.

    • Uncorrelated accounts certifications

      An uncorrelated account is a source account that is not matched to an authoritative identity in IdentityNow. A single uncorrelated account is generally represented by an uncorrelated identity. In rare cases, multiple uncorrelated accounts may belong to the same uncorrelated identity and be grouped together.

      To review these certifications, select Uncorrelated Identities and choose the uncorrelated identity you want to certify from the list. Review the access items associated with the uncorrelated identity.

      You can also select Access Items and choose an access item from the list. Review the uncorrelated accounts associated with that access item.

  4. In each section, beside each item, select Approve to approve access or Revoke to revoke access. If the decision requires a comment, enter a comment and select Submit.

    Notes

    • You can only acknowledge a role that was automatically assigned to the identity through membership criteria. Select the Acknowledge button to do so.

    • If you choose to revoke an item in a role composition certification, include a comment explaining the change. IdentityNow will then send a task with these comments to the role owner to update the associated role.

    Tips for reviewing certifications
    • Your certifications may contain access flags and additional data from other SailPoint products and services your organization has licensed. This information can help you make more informed decisions about whether to approve or revoke each access item.
    • If configured by your administrator, you can also view additional attributes for entitlements to help make decisions on access. To do so, select an entitlement and view the Additional Attributes section within its details. You can also select individual entitlements within an access profile to view their additional attributes.

    Select More Options to leave comments with your decision, reassign the certification, or choose a revocation date. In the new window, enter the revocation date or comments about the certification and submit your decision.

    Note

    • You cannot set a revocation date for entitlements.

    You can change your decision, add or modify a revocation date, or add additional comments until you sign off on the certification. In the Completed tab of an identity or access item, select Revisit Decision for the decision you want to update. After you complete a certification, you can add or modify a revocation date, add additional comments, or change your decision by selecting More Options.

  5. To save your changes, select Exit Campaign in the upper-right corner of the page. You can return at any time to continue your work.

    If you've completed all decisions, you'll see a sign-off page when you select Exit Campaign. Select Sign off to mark the certifications as complete. The certification moves to the Completed tab on the Certifications page.

    If you need to save and review your decisions later, select Save and return later.

Access flags

When you review an access item for a certification, an icon may display in the Flags column. This icon alerts you to information you should consider when approving access. You may encounter the following flags:

| Name | Definition |
| --- | --- |
| New Access | The access has not been certified previously. |
| Privileged Access | This access includes sensitive data. Admin, payroll, and HR are potential examples of privileged access. |
| Birthright Access | The access has been granted by automated rules, such as lifecycle states. |
| Comments | There are comments associated with this access. |
| Timebound Access | The access has a set end date. |
| Cloud Enabled | This access relates to cloud infrastructure. |

Viewing Last Account Activity

If your organization has SailPoint SaaS Management, you can review the Last Account Activity column for each access item to determine when the user last accessed the account associated with the access.

This data describes when a user last accessed the account with that access profile or entitlement. The data does not describe when the access profile or entitlement was last used.

Viewing Recommendations

If your organization has the Recommendations service, select the Recommended or Not Recommended icon in the Decision column to view the reasons behind the recommendation. You can use this data to help guide your decision-making process.