Showing results for 
Show  only  | Search instead for 
Did you mean: 

[Classic Experience] How do I review a certification?

[Classic Experience] How do I review a certification?

If your company has purchased the Certifications module in IdentityNow, you will be able to review and certify users' access from within the Certifications menu of IdentityNow. You will be able to review your users' roles, access profiles, entitlements, and apps. This functionality, known as a certification, allows you to see the data and accounts people are entitled to so that you can approve or reject those items.

Reviewing a Certification

Your administrator will typically create certification campaigns for all reviewers in your organization. When your administrator creates a certification campaign that contains access items or people you're responsible for, you'll receive a notification that certifications are ready for your review. You can see all your certifications by clicking Certifications in IdentityNow's main menu.


  • Your administrator has created a certification campaign

Complete the following steps:

1. Sign in to IdentityNow and go to Certifications.

2. Click Start next to the certification you want to work on.

A list of identities that are included in this certification is displayed. For each identity, you'll see the following:

  • Exceptions - This is a count of any access items that are either new or marked as privileged.

NOTE: The first time your company runs certifications, all access items are considered new.

  • Reassigned - If the employee was reassigned to you from someone else, an Information icon is show here. Click it to see why it was reassigned.
  • Decisions Left - This indicates how many access items still need to be reviewed by you.
  • Status - This indicates whether the certification has been completed for that person.

3. Click the person you want to certify.

You'll see a list of access items for that user. For a tour of this screen, see Take a tour of Certifications​.

list of users to certify.png

4. In each section, beside each access item, choose Approve if the user still needs access to that item or Revoke if they don't.

To see any apps associated with the access profile, click the number in the corresponding column. In the dialog box, click the tabs to view all of the access profile's contents.

Click Show Details to view additional account information for each access item listed. You can also click Hide Details to minimize this list.


  • If you approve an access profile or entitlement, the user will keep that access, even if you revoke the same entitlements somewhere else in this certification.
  • You can also approve or revoke all access items in bulk.
  • When reviewing the Roles table, you can only Acknowledge the roles for that person. If you see an access profile, app, or entitlement that is contained within the role that is not appropriate for the identity in question, contact the Role Owner to have it removed. For more details, see Reviewing Roles.

5. Click Save Decisions to save your decisions.

6. Page through each person using the arrows at the top of the page to certify their access items, or click Users to return to the list of users. For each user in the campaign, repeat steps 3, 4, and 5.

When you have certified each user, the Sign Off button is displayed at the top of the page.

7. Click Sign Off to mark the certification as complete.

A confirmation prompt is displayed.

8. Click Continue.

You'll see a confirmation that you signed off successfully.

certs review show details.png

Reviewing Roles

Because they are assigned according to user attributes or other business logic, roles cannot be approved or revoked in an access certification campaign. They can only be acknowledged. Click Acknowledge to verify that you have reviewed the role's contents. All roles must be acknowledged in order to sign off on a certification campaign.

Additionally, any access profiles, applications, or entitlements associated with the role also cannot be approved or revoked. To see these items, click the number in the corresponding column. In the dialog box, click the tabs to view all of the role's contents.

What happens when I revoke an entitlement or access profile?

When you revoke an access profile or entitlement from a user, one of two things happens:

  • The access is automatically removed from the user
  • A task is sent to the owner of the source that the access comes from, and the source owner removes the access manually

In some cases, two different access profiles might have some overlapping entitlements. If you approve one access profile and revoke another, the user keeps all access that was approved, even though it was revoked somewhere else.

For example, a user has Access Profile #1, which contains entitlements A, B, and C. The user also has Access Profile #2, which contains entitlements A, D, and E. If you approve Access Profile #1 and revoke Access Profile #2, the user will still have entitlement A.

For more information, see:

Labels (1)
Version history
Revision #:
1 of 1
Last update:
‎04-10-2013 02:03 PM
Updated by: