Access Certification
The Access Certification feature allows administrators to create and manage certification campaigns, in order to better control access for people in your organizations.
At the moment, campaigns can only be created for entitlements. Additional options will be added in the future.
Each of the tabs in this section corresponds to a campaign status.
- Preview: campaigns that have been created and saved, but have not been launched yet;
- Scheduled: campaigns that have been launched, but have not yet reached their start date;
- Active: campaigns that have been sent out to reviewers;
- On Hold: campaigns that have been manually put on hold by the administrator;
- Completed: campaigns that have been completed by reviewers;
- Closed: campaigns that have been closed, either automatically or manually, and are no longer displayed in the Web Portal;
- All: all campaigns, regardless of status.
In the main Access Certification screen, click Add to create a new campaign and click Delete to delete the selected campaign.
Note that Active campaigns cannot be deleted.
To modify the status of existing campaigns, click on Campaigns and select one of the following actions:
- Launch: launch the campaign. The status of the campaign first changes to Scheduled and then to Active.
- Cancel: change the status of a campaign from Scheduled to Preview. Canceled campaigns are displayed as completed to reviewers.
- On Hold: pause the campaign for all reviewers and set its status to On Hold in the Web Portal.
- Resume: resume the campaign for all reviewers and set its status to Active in the Web Portal.
- Close: close the campaign for all reviewers and remove it from the Web Portal. Closed campaigns can no longer be accessed by reviewers.
Managing Access Certification campaigns
In the Management Portal at Access Certification, create and manage certification campaigns for entitlements in your environment.
To edit an existing campaign, click on its name.
Starting with Identity Director 2022.4, you can also duplicate an existing campaign: open it and use the Duplicate button at the bottom of the page.
To create a new campaign, click Add. This will take you to the New Certification Campaign page, where you can customize the following tabs:
Properties tab
Field | Explanation and Tips |
---|---|
Name | Specify a name for the access certification campaign. The name must be unique for each campaign. |
Description | Specify a description of the campaign. |
Identity Director column description | Specify a custom header for this column. Leave this field empty if you want the default From Identity Director header to be displayed. |
Connector column description | Specify a custom header for this column. Leave this field empty if you want the default From Connector header to be displayed. |
Image | Specify a campaign image. This is displayed for your reviewers in the Web Portal. This feature is available starting with Identity Director 2022.2. |
Type | Select the type of campaign from the drop down list. Click Add Entitlement to select the entitlement for which you want access to be reviewed. If a service has the Use as template option enabled, you will not be able to create access campaigns for it. Enabling this option after a campaign was already created for a service will lead to issues in the environment. |
Campaign Owner | Select the campaign owner type from the drop down list. The campaign owner is a person that, alongside reviewers, receives updates on campaign progress. Both lists allow you to select multiple people or organizations. |
Reviewer tab
Field | Explanation and Tips |
---|---|
Review type | Select the review type from the drop down list. The Multiple reviewers option allows you to pick multiple reviewers. For both Individual reviewers and Multiple reviewers you must manually add people by clicking Add person. The Smart rule option allows you to select an existing List of people smart rule. You can only pick from the smart rules that have the Used for Access Certification option enabled at Data Model > Smart Rules. |
Schedule tab
Field | Explanation and Tips |
---|---|
Specify recurrence of review | Specify the recurrence of the access certification campaign. You can only select one of the following options from the drop down list: OneTime, Weekly, Monthly, Quarterly, Semi-annually, Annually. For recurring campaigns, the status of each instance is updated independently, while the campaign is shown as Active until the end of its schedule. To avoid instance overlapping, the value set for the duration must be lower than the maximum number of days allowed by the interval. Example: Consider the following scenario: In this scenario, a warning message is displayed, informing you of the maximum number of days that can be set for the campaign instance duration. Values above the one specified in the message are not valid. For recurring campaigns, reviewers can be changed between instances, by following the steps below: |
Duration (in days) | Specify the duration of your campaign. Once you choose a start date using the calendar button, the expiration date is automatically calculated using the duration provided in the Duration (in days) field. For recurring campaigns, you can select one of the following options from the END drop down list: |
Settings tab
Field | Explanation and Tips |
---|---|
Campaign friendly name for email notifications | Optionally, provide a title that is displayed in email notifications. If you do not provide it, the campaign name is displayed instead. |
Enable email notifications | Send out emails to notify people about access certification campaign changes. This option notifies all owners and reviewers every time the status of the campaign changes. Before enabling email notifications, make sure you have enabled E-mail Integration (at Setup > E-mail Integration). Email notifications are disabled by default. |
Also notify managers of reviewers | Send out notifications to managers of reviewers as well. To notify the appropriate managers, use the Select a Smart Rule to determine the managers drop down list. |
Notify additional people | Send out notifications to additional people that need to be informed about the campaign. |
Email notification text (send to all campaign stakeholders) | Specify a custom message for the email notification. |
Reason for action | Display an additional field in the Web Portal, where reviewers can motivate their choice. By default, this option is disabled and the field is not displayed in the Web Portal. If you select Optional, reviewers are free to decide if they want to provide an explanation for their decision or not. If you select Mandatory, reviewers must provide an explanation to support their decision. |
Email reminders | Send out additional reminders to your reviewers. The first option can be customized to send out notifications to reviewers if they have not started the review after the specified number of days from the campaign start. The second option can be customized to send out notifications to reviewers if they have not started the review and there is a specified number of remaining days for the campaign. The messages for both options can be customized and, optionally, sent out to the managers of the reviewers as well. |
Reports tab
This tab is only available for existing certification campaigns. It allows you to view campaign-related information such as reviewer name, items reviewed, and campaign status.
Field | Explanation and Tips |
---|---|
Export to CSV File | Click to export the data available in this tab to CSV. The file will contain the following columns: |
Translations tab
Field | Explanation and Tips |
---|---|
Default language | This is the language set as default at Setup > Translation. |
Other supported language(s) | List of other languages that have been enabled at Setup > Translations. |
Reconciliation tab
Field | Explanation and Tips |
---|---|
Reconciliation | Enable the Add data connections for entitlement reconciliation option to import information about Security Groups and Organizational Units to perform an Access Reviews reconciliation. Click Add data connection to select one or more People and Classifications data connections from your environment. For Classifications connections, people's names are extracted from their people identifier. Click Insert OR to trigger intersection or union operations between data connections. In this context, you can use the same data connection more than once, without having duplicates listed in the Web Portal for the campaign reviewers. All connections are processed at the same time. If any of them fails, they all fail. The error is logged into the trace file (if enabled) and no information is imported for reconciliation. The Reconciliation status displays the progress and the duration of the current reconciliation process. |
Qualified people | View the qualified people and their corresponding state. |