Certifications help you review the access that users have been assigned to your enterprise systems and data. The designated people (approvers) can review, approve and revoke, or reassign the certifications that are assigned or requested.
Certifications can be created in two ways: using a search query or using a certification campaign.
In a search-based certification, we can create the certification for identities, role composition, access items and uncorrelated accounts. A certification can be saved or scheduled for later use. Saved searches can be edited as needed.
Using a Certification Campaign, we can create a Source Owner Campaign or a Manager Campaign.
Source Owner Campaign
Owners can review campaigns only for the sources they own. An owner can have campaigns from multiple sources. The source owner must be verified before the campaign is started.
Manager Campaign
When administrators create a certification, the managers of the identities whose access is being reviewed are notified by email, and the certification is displayed in their certification menu. Managers can validate the campaign from the menu. Identities added to a manager campaign must have a manager identity linked to them before the campaign is started. Managers added after the campaign has started will not be included in the current campaign.
Certification Campaign Filter
There are two types of Certification Campaign Filter: exclusion and inclusion. Filters help to include or exclude identities and entitlements. Filter criteria are connected by the OR operator.
Filters can be based on these criteria:
o Access profile
o Account attribute
o Identity attribute
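The following is an added example, not IdentityNow code or its API: a small model of how OR-connected criteria scope a campaign under an inclusion or an exclusion filter. The record layout, the equality match inside each criterion and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# The three criterion kinds listed above; matching by equality is an assumption.
KINDS = {"access_profile", "account_attribute", "identity_attribute"}

@dataclass(frozen=True)
class Criterion:
    kind: str
    name: str   # attribute name (not used for access_profile)
    value: str

@dataclass
class AccessItem:  # constructed record, not an IdentityNow object
    identity: str
    entitlement: str
    access_profiles: set = field(default_factory=set)
    account_attrs: dict = field(default_factory=dict)
    identity_attrs: dict = field(default_factory=dict)

def matches(item, c):
    if c.kind not in KINDS:
        raise ValueError(f"unknown criterion kind: {c.kind}")
    if c.kind == "access_profile":
        return c.value in item.access_profiles
    attrs = item.account_attrs if c.kind == "account_attribute" else item.identity_attrs
    return attrs.get(c.name) == c.value

def apply_filter(items, criteria, mode):
    """Return (in_scope, left_out). Criteria are ORed: one match is enough."""
    if mode not in ("inclusion", "exclusion"):
        raise ValueError("mode must be 'inclusion' or 'exclusion'")
    in_scope, left_out = [], []
    for item in items:
        hit = any(matches(item, c) for c in criteria)
        keep = hit if mode == "inclusion" else not hit
        (in_scope if keep else left_out).append(item)
    return in_scope, left_out

# Constructed sample data
ITEMS = [
    AccessItem("alice", "HR:Payroll-Admin", {"Payroll Admin"}, {"service": "false"}, {"department": "Finance"}),
    AccessItem("bob", "AD:Domain Admins", set(), {"service": "false"}, {"department": "Contractors"}),
    AccessItem("svc-backup", "AD:Backup Operators", set(), {"service": "true"}, {"department": "IT"}),
]
CRITERIA = [Criterion("identity_attribute", "department", "Contractors"),
            Criterion("account_attribute", "service", "true")]

if __name__ == "__main__":
    for mode in ("exclusion", "inclusion"):
        kept, dropped = apply_filter(ITEMS, CRITERIA, mode)
        print(mode, [i.entitlement for i in kept], [i.entitlement for i in dropped])
```

Because the criteria are ORed, the exclusion filter here leaves both privileged entitlements out of the review, so the left-out list is worth comparing with the Campaign Exclusion Report before relying on the campaign's coverage.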
A certification can be reassigned to another person in situations such as when the designated approver is unavailable but the certification has to be launched, or when the campaign needs approval from someone other than the assigned user.
When reassigning, specifying the reason for the reassignment helps the new approver/reviewer understand its context.
Campaigns that have started cannot be reassigned. If the certifier's account is removed from the source, IdentityNow displays the error – USER REMOVED so that we can reassign the campaign.
Reports can be generated only when the campaign is in the active/completed stage.
Composition Report – This report displays the campaign details, including the name, description, due date, email settings and campaign filters.
Campaign Exclusion Report – This report displays the entitlements that are excluded using the campaign filter.
Campaign Status Report – This report displays the status of the access items.
Campaign Remediation Report – This report is generated only after the campaign is completed. It displays the current state of any items that were disapproved during the certification campaign.
Certification Sign Off Report – This report displays the approved items at the top and also contains the reviewer and the date on which the particular report was signed off.
Email templates are available for certification notifications: campaign regeneration, certification email, certification due and certification reassignment. We can also view charts of the decisions for a certification in the dashboard.
IdentityNow does not permit users to certify their own access.