|The new Certifications experience is currently in Early Access. Please keep the Early Access Terms and Conditions in mind while using this feature.|
If your company has purchased the Certifications module in IdentityNow, you will be able to review and certify users' access from within the Certifications menu of IdentityNow. You will be able to review your users' roles, access profiles, entitlements, and apps. This functionality, known as a certification, allows you to see the data and accounts people are entitled to so that you can approve or reject those items.
For more info on switching between the new and legacy experience, see [EA] Switch between the new and classic certifications experience.
Reviewing a Certification
Your administrator will typically create certification campaigns for all reviewers in your organization. When your administrator creates a certification campaign that contains access items or people you're responsible for, you'll receive a notification that certifications are ready for your review. You can see all your certifications by clicking Certifications in IdentityNow's main menu.
- Your administrator has created a certification campaign
Complete the following steps:
1. Sign in to IdentityNow and go to Certifications.
2. Under the Active tab, find and click the certification you want to work on.
Each card contains the following details:
3. Click the identity you want to certify.
You'll see a list of access items for that user.
4. In each section, beside each access item, choose the Check or X icon to Approve or Revoke access.
You can click each access item listed to see additional details about that item. You can also click Details next to the name of the identity to see additional details about that identity.
When you make all the decisions for each identity, it will disappear from the list on the left, leaving only the remaining identities you need to work on.
5. When you have certified each user and the campaign is ready for signoff, click the banner at the top of the page.
7. Click Complete Certification to mark the certification as complete.
The certification moves to the Completed tab where you can view all your completed certification campaigns.
Because they are assigned according to user attributes or other business logic, roles cannot be approved or revoked in an access certification campaign. They can only be acknowledged. Click Acknowledge to verify that you have reviewed the role's contents. All roles must be acknowledged in order to sign off on a certification campaign.
Additionally, any access profiles, applications, or entitlements associated with the role also cannot be approved or revoked. To see these items, click the number in the corresponding column. In the dialog box, click the tabs to view all of the role's contents.
What happens when I revoke an entitlement or access profile?
When you revoke an access profile or entitlement from a user, one of two things happens:
- The access is automatically removed from the user
- A task is sent to the owner of the source that the access comes from, and the source owner removes the access manually
In some cases, two different access profiles might have some overlapping entitlements. If you approve one access profile and revoke another, the user keeps all access that was approved, even though it was revoked somewhere else.
For example, a user has Access Profile #1, which contains entitlements A, B, and C. The user also has Access Profile #2, which contains entitlements A, D, and E. If you approve Access Profile #1 and revoke Access Profile #2, the user will still have entitlement A.