Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to certify the contents of a role

How to certify the contents of a role


In IdentityIQ, the Role Composition certification gives you a way to verify that your roles include the right permissions and entitlements. Making sure that roles are accurate and up-to-date lets you be confident that when roles are assigned to users, they allow the intended access, and also that your reviewers are evaluating correct access information when they review access. Roles that are missing critical components or that include invalid entitlements for the role can be at best inefficient and at worst a source of business risk.

Roles should be certified by business experts, who can evaluate the role’s makeup and make adjustments as needed to validate that roles comprise the correct, expected access.


Scheduling a role composition certification

To schedule a Role Composition Certification:

  1. Click Setup > Certifications

  2. Select Role Composition from the New Certification list


  3. Most of the configuration options you will choose are standard for IdentityIQ certifications, and you can use the UI tool tips or the product documentation to get information. However, in particular look at these options:

    • On the Basic tab, choose What to Certify. You can manually select specific roles, or select specific role type(s) to certify; you can also opt to certify all roles. On this tab, you also choose whether to include each role’s hierarchy in the certification


    • On the Behavior tab you have the option to require comments for both revocations and approvals (Revocations in a Role Composition certification mean requesting the removal of an access item from the role)


    • On the Advanced tab, choose the Certifier(s).  The default is for each role to be certified by its owner, but the entire set in a given certification can instead be assigned to a specific certifier. Choose a certifier who is knowledgeable about what the role composition should be

  4. Choose your other parameters as needed, and click Schedule Certification


Reviewing the role composition

Once the certification has been scheduled, the user(s) responsible for certifying can perform their reviews. Some general guidance on how users do reviews can be found in Access reviews - A guide for end users.

The reviewer will see all the roles awaiting review in the Open tab. Users can click Read More to expand the description of the role, or use the three-line menu to open a Role Details pane and see more about about the role, its hierarchy, and its entitlements.



Click Role Details from the three-line menu to see more about the role.

If the role is part of a hierarchy, you can see hierarchy details on the Role Hierarchy pane.



The Allowed Roles tab shows details about required and permitted roles that are part of this role's hierarchy.



The Entitlements tab lists the entitlements included in this role. Mouse over the "info" icon for any entitlement to see an expanded description.



Making review decisions on roles

In the access view UI, the reviewer approves items that belong in the role, and revokes items that do not.

If the option to require comments for approval or revocation were set when the certification was scheduled, reviewers are prompted to enter a comment about their decision when they make it.

Other configuration options set during the certification scheduling will control things like whether reviewers can make decisions in bulk, delegate the review to a different user, et cetera. Refer to the 8.1 IdentityIQ certification access review guide for complete details.

Revoking an item in the access review does not remove it from the role immediately; when the review is complete and has been signed off, IdentityIQ creates work items to let the role owners know what changes need to be made to the roles.


Making corrections to roles

Once a reviewer has completed and signed off on a role composition review, IdentityIQ creates work items to track the work of making changes to roles based on items the reviewer has revoked in the role. 

While the work for making changes to roles is tracked in the Work Items area of the UI, actual changes to roles are made in the Role Modeler area of the UI.  IdentityIQ users need the Role Administrator user right in order to access the Role Modeler and make changes to a role. When a user is designated as a role owner, they may not necessarily have this user right; check with your IdentityIQ system administrator to make sure that any user who is responsible for making changes to a role has the required Role Administrator user right. User rights can be set in Identities > Identity Warehouse on the identity's User Rights tab.


Tracking role change work in the work items UI

To view and update role remediation work items:

  1. Click My Work > Work Items

  2. Remediation work items are labeled "Remediation". Click View to see the work item details.


  3. Making changes to the role as described in the section below.  When the changes are complete, return to the work item, select the item(s) in the Role Name section, and click Mark Remediations Complete.



Making changes to roles in the role modeler

  1. Click Setup > Roles

  2. In the Role Finder, find and select the role you want to modify

  3. Click Edit Role. The Edit Role button is in the Role Information section, and you may have to scroll down in this section to see the button


  4. In the Role Editor, scroll down to the Roles sections. Each section has a Modify button that you can click to make the required changes to the role


  5. Save then Submit your changes

Labels (2)


May i please know that this document is applicable for which IdentityIQ version. I am not getting proper information in 'Role Details' section.  My version is 8.0p1.


'Role Hierarchy', 'Allowed Roles', 'Entitlements', any of these are not appearing in 'Role Details' section.



Is it possible to flag or indicate, if the role is composed of conflicting entitlements?




Hi @pradeep_kumar54  we're you able to resolve the issue. Even am facing the same. Thanks 

Hi @rajeshs 

It's a bug in 8.0p1. It is properly displayed in 8.1p1. So if you upgrade then it will be fixed.


Is it possible to run a role review/certification prior to a role being enabled to where it is granting access for users? We work with the business to build roles with access they need but for our audit we are looking for a better process to show this was approved through the IDN system.

Is it possible to create a rule which can close these manual workitems and automatically remove the entitlements from IT role or IT roles from BR, using the remediation plan attached inthe remediation workitem?


//Execute the remediation plan
Provisioner prv = new Provisioner(context);
ProvisioningProject pr =prv.compile(rItem.getRemediationDetails());

But when I try the above, the provisioning transaction is success but nothing happens. Am i missing something?

Version history
Revision #:
8 of 8
Last update:
‎May 02, 2023 02:45 PM
Updated by: