Access Certification

The Access Certification feature allows administrators to create and manage certification campaigns, in order to better control access for people in your organizations.

At the moment, campaigns can only be created for entitlements. Additional options will be added in the future.

Managing Access Certification campaigns

In the Management Portal at Access Certification, create and manage certification campaigns for entitlements in your environment.

To edit an existing campaign, click on its name.

Starting with Identity Director 2022.4, you can also duplicate an existing campaign: open it and click the Duplicate button at the bottom of the page.

To create a new campaign, click Add. This will take you to the New Certification Campaign page, where you can customize the following tabs:

Properties tab

Field Explanation and Tips
Name

Specify a name for the access certification campaign.

The name must be unique for each campaign.

Description

Specify a description of the campaign.
Identity Director column description

Specify a custom header for this column.

Leave this field empty if you want the default From Identity Director header to be displayed.

Connector column description

Specify a custom header for this column.

Leave this field empty if you want the default From Connector header to be displayed. 

Image

Specify a campaign image. This is displayed for your reviewers in the Web Portal.

  • You can upload an image from your computer. Supported file types:

    • Images (BMP, GIF, JPG, PNG)

    • Icon files (ICO)

  • After the upload, the image can be moved and then cropped to the desired size. The format, however, needs to be square.

This feature is available starting with Identity Director 2022.2.

Type

Select the type of campaign from the drop down list.

Click Add Entitlement to select the entitlement for which you want access to be reviewed.

If a service has the Use as template option enabled, you will not be able to create access campaigns for it. Enabling this option after a campaign was already created for a service will lead to issues in the environment.

Campaign Owner

Select the campaign owner type from the drop down list.

The campaign owner is a person that, alongside reviewers, receives updates on campaign progress.

  • If you select the People option, clicking Add will open a list of people from your environment.

  • If you select the Organization option, clicking Add will open a list of organizations from your environment.

Both lists allow you to select multiple people or organizations.

Reviewer tab

Field Explanation and Tips
Review type

Select the review type from the drop down list.

The Individual reviewers option allows you to pick a single reviewer for your campaign.

The Multiple reviewers option allows you to pick multiple reviewers.

For both Individual reviewers and Multiple reviewers you must manually add people by clicking Add person.

The Smart rule option allows you to select an existing List of people smart rule. You can only pick from the smart rules that have the Used for Access Certification option enabled at Data Model > Smart Rules.

Schedule tab

Field Explanation and Tips
Specify recurrence of review

Specify the recurrence of the access certification campaign.

You can select only one of the following options from the drop down list: OneTime, Weekly, Monthly, Quarterly, Semi-annually, Annually.

For recurring campaigns, the status of each instance is updated independently, while the campaign is shown as Active until the end of its schedule.

To avoid overlapping instances, the value set for the duration must be lower than the maximum number of days allowed by the interval.

For recurring campaigns, reviewers can be changed between instances, by following the steps below:

  1. Set the status of the campaign to On Hold.

  2. Remove people from the Reviewer tab.
    Reviewers who still have a campaign instance running will no longer be able to access it in the Web Portal and the instance status will change to Expired.

  3. Add new people in the Reviewer tab.
    The new reviewers will be able to access the campaign in the Web Portal starting with the next scheduled instance.

  4. Resume the campaign.

Duration (in days)

Specify the duration of your campaign.

Once you choose a start date using the calendar button, the expiration date is automatically calculated using the duration provided in the Duration (in days) field.

For recurring campaigns, you can select one of the following options from the END drop down list:

  • Never

  • End on specific date

  • End after number of occurrences
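
The scheduling rules above (an expiration date derived from the start date and the duration, and a duration lower than the recurrence interval) can be checked before a campaign is saved. The following Python is an added example, not Ivanti code; the function names, the calendar stepping in add_months and the start-plus-duration expiry arithmetic are assumptions, because the page does not state how Identity Director computes them.

```python
from datetime import date, timedelta
import calendar

# Months per step for the month-based options listed on the page.
MONTHS = {"Monthly": 1, "Quarterly": 3, "Semi-annually": 6, "Annually": 12}

def add_months(d, n):
    """Same day-of-month n months later, clamped to the month's last day
    (assumed stepping rule; the product's own rule is not documented here)."""
    y, m = divmod(d.year * 12 + d.month - 1 + n, 12)
    m += 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def instance_starts(start, recurrence, count):
    """Start dates of the first `count` instances of a campaign."""
    if recurrence == "OneTime":
        return [start]
    if recurrence == "Weekly":
        return [start + timedelta(weeks=i) for i in range(count)]
    return [add_months(start, MONTHS[recurrence] * i) for i in range(count)]

def plan(start, recurrence, duration_days, count=12):
    """Return (windows, overlaps).

    windows  : list of (instance start, expiration date)
    overlaps : indices of instances whose expiration reaches the start of
               the next instance, i.e. the duration is not lower than the
               number of days in that interval.
    """
    starts = instance_starts(start, recurrence, count)
    # Assumption: expiration date = start date + duration in days.
    windows = [(s, s + timedelta(days=duration_days)) for s in starts]
    overlaps = [i for i in range(len(windows) - 1)
                if windows[i][1] >= windows[i + 1][0]]
    return windows, overlaps

if __name__ == "__main__":
    # Constructed sample: monthly campaign starting on the 31st, 28-day duration.
    windows, overlaps = plan(date(2023, 1, 31), "Monthly", 28, count=3)
    for i, (s, e) in enumerate(windows):
        flag = "OVERLAPS NEXT" if i in overlaps else "ok"
        print(f"instance {i + 1}: {s} -> {e}  {flag}")
```

Under these assumptions, a 28-day duration is safe for a monthly campaign that starts on the 1st but not for one that starts on 31 January 2023, because the February instance begins only 28 days later.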

Settings tab

Field Explanation and Tips

Campaign friendly name for email notifications

Optionally, provide a title that is displayed in email notifications.

If you do not provide it, the campaign name is displayed instead.

Enable email notifications

Send out emails to notify people about access certification campaign changes. This option notifies all owners and reviewers every time the status of the campaign changes.

Before enabling email notifications, make sure you have enabled E-mail Integration (at Setup > E-mail Integration).

Email notifications are disabled by default.

Also notify managers of reviewers

Send out notifications to managers of reviewers as well.

To notify the appropriate managers, use the Select a Smart Rule to determine the managers drop down list.

Notify additional people

Send out notifications to additional people who need to be informed about the campaign.

Click Add person to select people from your environment.

Email notification text (send to all campaign stakeholders)

Specify a custom message for the email notification.

Reason for action

Display an additional field in the Web Portal, where reviewers can explain their choice.

By default, this option is disabled and the field is not displayed in the Web Portal.

If you select Optional, reviewers are free to decide if they want to provide an explanation for their decision or not.

If you select Mandatory, reviewers must provide an explanation to support their decision.

Email reminders

Send out additional reminders to your reviewers.

The first option can be customized to send out notifications to reviewers if they have not started the review after the specified number of days from the campaign start.

The second option can be customized to send out notifications to reviewers if they have not started the review and there is a specified number of remaining days for the campaign.

The messages for both options can be customized and, optionally, sent out to the managers of the reviewers as well.

Reports tab

This tab is only available for existing certification campaigns. It allows you to view campaign-related information such as reviewer name, items reviewed, and campaign status.

Field Explanation and Tips
Export to CSV File

Click Download resx service properties to export the data available in this tab to CSV. The file will contain the following columns:

  • Reviewer Name

  • Items Reviewed

  • out of

  • Status

  • Qualified People

Translations tab

Field Explanation and Tips
Default language

This is the language set as default at Setup > Translation.

Click Download resx service properties to export the RESX of the default language and use it as the basis for translations for the other supported languages.

Other supported language(s)

List of other languages that have been enabled at Setup > Translations.

  • Each supported language uses the default language if you do not upload a RESX file.
  • Click Reapply default language to reapply the default language.
  • Click Download resx service properties to export the RESX of the language to make adjustments to the translation.
  • Click Import resx file to import the RESX of the language. This ensures that custom labels are translated in the correct language.

Reconciliation tab

Field Explanation and Tips

Reconciliation

Enable the Add data connections for entitlement reconciliation option to import information about Security Groups and Organizational Units to perform an Access Reviews reconciliation.

Click Add data connection to select one or more People and Classifications data connections from your environment.

People data connections should use an Active Directory Data Source of type People, while the Classifications data connections should use an Active Directory Data Source of type Group Membership.

For Classifications connections, people's names are extracted from their people identifier.

Click Insert OR to trigger intersection or union operations between data connections. In this context, you can use the same data connection more than once, without having duplicates listed in the Web Portal for the campaign reviewers.

All connections are processed at the same time. If any of them fails, they all fail. The error is logged into the trace file (if enabled) and no information is imported for reconciliation.

The Reconciliation status displays the progress and the duration of the current reconciliation process.

Qualified people

View the qualified people and their corresponding state.
