Use the flexibility of search to dynamically and accurately create certification campaigns for the users you have loaded into IdentityNow. Start your certification campaign from either the access items, identities, or roles. your query returns.
See the following sections for more details:
- Getting Started
- Best Practices
- Prerequisites
- Configuring Certification Campaign Details
- Previewing and Starting a Certification Campaign
- Scheduling a Saved Certification Campaign
- Managing a Certification Campaign in Search
Getting Started
Before you get started creating certifications campaigns in search, there are a few important things you need to know.
Best Practices
To ensure that the wizard includes meaningful results for your certification campaign, you should:
- Be familiar with all entitlements assigned to the identities returned by your search query. After launching your campaign, you can certify either the access of the identities returned or the access items returned.
- Be familiar with how those entitlements are used in access profiles and roles. Entitlements can be granted to identities on a standalone basis (that is, individually), or as part of a granted access profile or role.
- Be aware that each night, IdentityNow evaluates the access items that identities have access to and makes updates. If an identity has access to all of the individual entitlements that comprise an access profile, the identity is automatically granted that access profile and no longer has the individual entitlements.
- Be aware that protected users are allowed in Search indexing. However, SPadmin and Cloudadmin are specifically excluded from Search so they are never included in a campaign.
Prerequisites
- Your IdentityNow site has been set up for Certifications. For more information, see Setting Up IdentityNow for Certifications.
-
If certifying entitlements on Active Directory, be aware of your company's preferred method for revoking access and meet the related prerequisites:
- Automated Revocations - By default, IdentityNow automatically removes entitlements for direct connect sources after the reviewer revokes those items on a user's certification and then signs off the system. To support the default behavior for sources that require IQService, ensure that you have IQService installed and configured as described in Integration Service IQService as a Prerequisite.
- Manual Revocations - Direct connect sources can be configured to generate manual tasks that remind people to remove entitlements when they are revoked. To support this behavior, request assistance from Expert Services to configure sources to generate these tasks. You will not install IQService for sources that would normally require it. For more information about revocations, see Verify that revoked certification access items have been removed.
- Automated Revocations - By default, IdentityNow automatically removes entitlements for direct connect sources after the reviewer revokes those items on a user's certification and then signs off the system. To support the default behavior for sources that require IQService, ensure that you have IQService installed and configured as described in Integration Service IQService as a Prerequisite.
Configuring Certification Campaign Details
Before you can preview, start, or schedule a campaign, you'll need to enter your campaign information.
1. In the vertical Search toolbar, select the Certification Campaigns 
2. Select the New Campaign button to start the certification campaign wizard.
3. Select what you want to certify in your campaign: Identities, Access Items, or Roles.
4. On the next page, select one of the two options to further refine your selection:
- All Identities/Access Items/Roles Returned by a Query - Select this option if you want to certify all of the results returned by that query. If you make this selection, you will be unable to further filter or refine your results by selecting them individually.
- Specific Identities/Access Items/Roles that I Select - Select this option if you want to continue to refine or add to your campaign using the checkbox for each item, individually adding each one to your certification.
5. Create a very precise search query to limit the certification to a specific set of people. The more refined your query, the more refined your results will be. How you refine the access items determines which identities are included in the certification campaign. If you chose to select specific items in step 4, you can refine by the following access items:
- Entitlements - Identities that were granted the individual entitlement you select as a standalone entitlement will be included in this campaign. If the selected entitlements were granted as part of an access profile or role, that access profile or role must be selected to include those identities in the campaign.
- Access Profiles - All identities that were granted the selected access profile will be included in the campaign.
- Roles - All identities that were granted the selected role will be included in the campaign.
6. If you chose to certify all of your results, simply run your query and select Next. If you chose to add them individually, after you run your query, select the specific access you want to include in the campaign, and then select Next.
7. For Identity and Access item-based campaigns, you have the option to further refine the contents of your campaign at this point. If you choose to refine, use the checkboxes to select the specific access items or identities you want to include in the campaign, and then select Next. If you choose to include all, no additional action is needed and you can move on to the next step.
8. Enter a name and description for your campaign. Be specific. Use the toggle to choose whether reviewers will receive notification emails about this campaign's progress.
9. Select who will review and remediate access, and choose what happens to undecided access when the campaign ends.
CAUTION: The undecided access selection determines what your options will be when you complete any open decisions at the end of the campaign. We strongly recommend that you choose to maintain access to undecided items due to the difficulty of reinstating access after it is revoked.
10. Campaign Recommendation - Choose whether or not to include recommendations in your campaign (this option is only available if your company has AI enabled).
11. Select whether you want to generate a preview of the campaign now, schedule generation at another date and time, or save it for later. Select a due date for the campaign.
If you choose to schedule a campaign, select a time zone, an end date, and whether you want the campaign preview to run on a specific date or on a recurring cadence of weekly, monthly, or annually.
NOTE: A campaign cannot be scheduled to start on the current day.
12. Select Continue.
13. Review the campaign details on the Summary page. The creation of a certification campaign is a critical governance process that should be double and triple-checked before it is sent to reviewers.
14. Select the blue button at the top of the page to Save, Schedule, or Generate your campaign (depending on what you chose in step 9).
You will see a green success banner and your campaign is now listed on the Certification Campaigns
NOTES:
- The larger the campaign, the longer it will take to generate.
- If your query returned more than 3,000 identities and/or access items and you wish to refine the access, you must edit your query so it returns 3,000 or fewer identities or access items. If you do not choose to further refine the access, there is no limitation on the number of identities to include in the campaign.
- Privileged entitlements are marked with a gold badge.
- Anything that you enter in the Filter Access Items field will persist across the Access Profiles and Roles pages and could cause some access items to not show up on those pages.
Previewing and Starting a Certification Campaign
After configuring your campaign details, you will leave the search interface to double-check the contents and reviewers of your campaign before starting it.
1. In the vertical Search toolbar, select the Certification Campaigns
2. Select one of your campaigns under Saved/Scheduled.
3. On the Campaign Summary page, select Generate Preview.
4. Once your preview is generated, you still need to manually start it. Go to Admin > Certifications > Campaigns and find your campaign in the list. Select the campaign to preview it. The creation of a certification campaign is a critical governance process that should be double and triple-checked before it is sent to reviewers.
5. Select Start at the top of the page. Return to Search. Your campaign is now listed under Previewed/Active.
Scheduling a Saved Certification Campaign
If you have already configured and saved a campaign but would like to set up a schedule for it, you do so from the Certification Campaigns screen.
1. In the vertical Search toolbar, select the Certification Campaigns
2. Select one of your saved campaigns under Saved/Scheduled Campaigns.
3. On the Preview page, select Schedule Campaign to start the scheduling process.
4. Select your time zone, and schedule your preview using the calendar.
NOTE: To schedule quarterly campaigns, select Annually and check multiple boxes for each month you want to schedule.
5. Select Next. You will see a summary of your scheduled campaign information. Select Schedule. On the main search page, you will see a success message indicating your choice. Your campaign is now listed in the Scheduled Campaigns menu.
An email will be sent to the campaign owner one week before the scheduled campaign generation date to remind them to manually start the campaign.
Once a campaign is created and scheduled you can Edit, Delete Schedule, or Delete it by selecting the three dots in the bottom left of the campaign preview page.
Managing a Certification Campaign in Search
After you've started or scheduled a campaign, follow these tips to monitor, maintain, and manage the campaign:
- In the vertical Search toolbar, select the Certification Campaigns
- Previewed/Active Campaigns - These campaigns have been both previewed and started from the Admin menu. Campaigns that only have a preview generated will not show up here until they are started.
- Saved/Scheduled Campaigns - These campaigns have already been either configured and saved, or scheduled to run on a specific date or cadence.
- Previewed/Active Campaigns - These campaigns have been both previewed and started from the Admin menu. Campaigns that only have a preview generated will not show up here until they are started.
- You can select a campaign to see summary campaign information. From the summary, you have the following options based on what stage the campaign is in:
- For Scheduled campaigns, select Generate Preview to move the campaign into a preview state.
- For Saved campaigns, select Schedule to configure a schedule for the campaign or Generate Preview.
- For Previewed/Active campaigns, select View to open the certification campaign preview page.
- You can also manage the campaign from the main menu by selecting Certifications > Campaigns, where you have several options to view and manage your various campaigns. See Managing My Certification Assignments for more information.
- As a certification campaign deadline approaches, there are several things you can do to ensure that all decisions are made and that any undecided access items are resolved in a timely manner. See Certification Campaign Completion Options for details on completing a campaign.
Did you find the information you needed? If not, please let us know in the Forums. There's also much more on Compass you might find helpful.
