If your company has purchased the Certifications module in IdentityNow, you will be able to review and certify users' access from within the Certifications menu of IdentityNow. You will be able to review your users' roles, access profiles, entitlements, and apps. This functionality, known as a certification, allows you to see the data and accounts people are entitled to so that you can approve or reject those items.
Your administrator will typically create certification campaigns for all reviewers in your organization. When your administrator creates a certification campaign that contains access items or people you're responsible for, you'll receive a notification that certifications are ready for your review. You can see all your certifications by clicking Certifications in IdentityNow's main menu.
Your administrator has created a certification campaign
Complete the following steps:
1. Sign in to IdentityNow and go to Certifications.
2. Under the Active tab, find and click the certification you want to work on.
Each card contains the following details:
Progress - The progress of the campaign as a percentage.
Due By - The campaign due date.
NOTE: If a campaign is overdue, this date is the only place to tell on the card. Days Overdue is shown during the certification process next to the calendar icon.
Owner - The campaign owner.
Continue - The existing button to continue an in-progress campaign is now included in the card.
3. Click the identity you want to certify.
You'll see a list of access items for that user.
4. In each section, beside each access item, choose the Check or X icon to Approve or Revoke access.
You can click each access item listed to see additional details about that item. You can also click Details next to the name of the identity to see additional details about that identity.
When you make all the decisions for each identity, it will disappear from the list on the left, leaving only the remaining identities you need to work on.
If you approve an access profile or entitlement, the user will keep that access, even if you revoke the same entitlements somewhere else in this certification.
You can also approve or revoke all access items in bulk using the checkboxes next to the access items.
When reviewing Roles, you can only Acknowledge, not approve. If you see an access profile, app, or entitlement that is contained within the role that is not appropriate for the identity in question, contact the Role Owner to have it removed. For more details, see Reviewing Roles.
5. When you have certified each user and the campaign is ready for signoff, click the banner at the top of the page.
7. Click Complete Certification to mark the certification as complete.
The certification moves to the Completed tab where you can view all your completed certification campaigns.
Because they are assigned according to user attributes or other business logic, roles cannot be approved or revoked in an access certification campaign. They can only be acknowledged. Click Acknowledge to verify that you have reviewed the role's contents. All roles must be acknowledged in order to sign off on a certification campaign.
Additionally, any access profiles, applications, or entitlements associated with the role also cannot be approved or revoked. To see these items, click the number in the corresponding column. In the dialog box, click the tabs to view all of the role's contents.
What happens when I revoke an entitlement or access profile?
When you revoke an access profile or entitlement from a user, one of two things happens:
The access is automatically removed from the user
A task is sent to the owner of the source that the access comes from, and the source owner removes the access manually
In some cases, two different access profiles might have some overlapping entitlements. If you approve one access profile and revoke another, the user keeps all access that was approved, even though it was revoked somewhere else.
For example, a user has Access Profile #1, which contains entitlements A, B, and C. The user also has Access Profile #2, which contains entitlements A, D, and E. If you approve Access Profile #1 and revoke Access Profile #2, the user will still have entitlement A.