If your company has purchased the Certifications module in IdentityNow, you will be able to review and certify users' access from within the Certifications menu of IdentityNow. You will be able to review your users' roles, access profiles, entitlements, and apps. This functionality, known as a certification, allows you to see the data and accounts people are entitled to so that you can approve or reject those items.
Reviewing a Certification
Your administrator will typically create certification campaigns for all reviewers in your organization. When your administrator creates a certification campaign that contains access items or people you're responsible for, you'll receive a notification that certifications are ready for your review. You can see all your certifications by clicking Certifications in IdentityNow's main menu.
- Your administrator has created a certification campaign
Complete the following steps:
1. Sign in to IdentityNow and go to Certifications.
2. Click Start next to the certification you want to work on.
A list of identities that are included in this certification is displayed. For each identity, you'll see the following:
NOTE: The first time your company runs certifications, all access items are considered new.
3. Click the person you want to certify.
You'll see a list of access items for that user. For a tour of this screen, see Take a tour of Certifications.
4. In each section, beside each access item, choose Approve if the user still needs access to that item or Revoke if they don't.
To see any apps associated with the access profile, click the number in the corresponding column. In the dialog box, click the tabs to view all of the access profile's contents.
Click Show Details to view additional account information for each access item listed. You can also click Hide Details to minimize this list.
5. Click Save Decisions to save your decisions.
6. Page through each person using the arrows at the top of the page to certify their access items, or click Users to return to the list of users. For each user in the campaign, repeat steps 3, 4, and 5.
When you have certified each user, the Sign Off button is displayed at the top of the page.
7. Click Sign Off to mark the certification as complete.
A confirmation prompt is displayed.
8. Click Continue.
You'll see a confirmation that you signed off successfully.
Because they are assigned according to user attributes or other business logic, roles cannot be approved or revoked in an access certification campaign. They can only be acknowledged. Click Acknowledge to verify that you have reviewed the role's contents. All roles must be acknowledged in order to sign off on a certification campaign.
Additionally, any access profiles, applications, or entitlements associated with the role also cannot be approved or revoked. To see these items, click the number in the corresponding column. In the dialog box, click the tabs to view all of the role's contents.
What happens when I revoke an entitlement or access profile?
When you revoke an access profile or entitlement from a user, one of two things happens:
- The access is automatically removed from the user
- A task is sent to the owner of the source that the access comes from, and the source owner removes the access manually
In some cases, two different access profiles might have some overlapping entitlements. If you approve one access profile and revoke another, the user keeps all access that was approved, even though it was revoked somewhere else.
For example, a user has Access Profile #1, which contains entitlements A, B, and C. The user also has Access Profile #2, which contains entitlements A, D, and E. If you approve Access Profile #1 and revoke Access Profile #2, the user will still have entitlement A.
For more information, see: