Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best practices: Planning your IdentityIQ certification campaign

Best practices: Planning your IdentityIQ certification campaign


"To be prepared is half the victory." - Miguel de Cervantes

Certifying user access is an essential component of good identity governance. Careful planning before you launch a certification will help ensure that your certification is accurate, manageable, and effective.

Here are some best practices for planning a successful certification campaign.


Evaluate, cleanse, and organize your data before setting up certifications

Starting your certification campaign with data that is clean, free of errors, well-organized, and easy for users to understand is one of the most important things you can do to ensure that your certification runs smoothly, without confusion or errors.

Here are some general best practices for getting your data into its best condition before you begin. Each of the recommendations in this section is described in more detail in the Best practices: Avoiding "certification fatigue" document. That document has other pointers on making your certifications user-friendly for your reviewers, so it's a good idea to review that document as well, as you plan your campaign.


Cleanse your data before you begin

Most people are familiar with the phrase "garbage in, garbage out." Before launching a certification campaign, it's important to clean up or get rid of any unnecessary "garbage" in the data that will be reviewed. Working with clean data means your certification will target the right users and the right access. Get tips on cleansing data.


Use meaningful names and descriptions for access

Access reviewers may be looking at lists of hundreds or thousands of individual roles or entitlements in the UI. Too often, reviewers don’t fully understand the access and entitlements they are asked to approve. Consistent, meaningful names for roles and entitlements help these users quickly grasp important information about the access under review. Find quick tips on naming conventions for roles and entitlements.


Encapsulate access into roles

Because roles can include many entitlements, a good role model can help reduce the number of individual access items a reviewer needs to process. You can include user-friendly descriptions with your roles to help reviewers understand what access is appropriate for and granted by the role. Read about best practices for building roles.


Flag high-risk access

It’s a given that some access carries higher risk than others. Elevated administrator privileges and access to sensitive financial or personal data are common examples of high-risk access. This is the type of access you want to be very sure your reviewers pay particular attention to - but how do you protect against high-risk access getting overlooked in a long list of access items?

Flagging high-risk access is a simple way to alert reviewers to which access items need an especially close look. You may also want to plan to certify high-risk access more frequently than lower-risk access.

Learn how to flag high-risk access in IdentityIQ with Classifications.


Consider what you may not need to certify

Most organizations have some kind of “birthright” access – access that every employee has simply by virtue of being an employee. An email address with an account on the company’s email system, a login to the payroll application, or a standard Active Directory account are all examples of common birthright access. 

You may want to exclude birthright access from certification, or simply certify birthright access less frequently than other access. In IdentityIQ, you can use classifications or extended attributes to flag birthright access. Then you can use filters or rules to exclude this access from any given certification.

Learn more about birthright access.


Understand the phases of a certification

Certifications progress through phases as they move through their lifecycle. Some phases are part of every certification, while others are optional and can be configured and used according to your specific needs. Understanding the purpose of each phase, and which  activities can take place within each, can help you decide on the best configuration for each of your certification campaigns.


Some things you might consider using phases for in your certification include:


  • Do you need to model or test the certification campaign before launching it?
  • How much time will you give reviewers to complete their reviews?
  • Will you let users challenge review decisions that revoke their access?
  • How much time will you allow for access to be revoked, if it is revoked manually?
  • Do you need to monitor revocation activity?

The certification phases in IdentityIQ are described briefly below. For more detailed information, see the 8.1 IdentityIQ certification access review guide, and the Lifecycle of a certification technical white paper.

Staging — use this optional phase to test or validate a certification before sending it to reviewers. The staging phase lets you create and preview a certification and its associated access reviews. You can review how the certification and access reviews will look to your users with the current configuration options, before the certification is activated. If the certification does not fit your needs or appear as you expected, you can cancel it and redefine it as needed. If the certification is accurate, you can activate it. Using a staging period for each newly-configured certification is a recommended best practice.

Active — the active phase is the review period when the reviews are performed. During this phase, reviewers make their decisions about access; changes can be made to these decisions as frequently as required, until the access period expires (or until the reviewer signs off on the review, or until the entire certification is closed). The active period lasts either for a scheduled amount of time, or until all the access reviews for the certification have been signed off.

Challenge — this optional phase is used if you want to let users challenge any revocation decisions that will revoke roles, entitlements, or account group access. With a challenge phase, users are notified if an access reviewer has decided to revoke any of their access, offering them an opportunity to make their case for why they need to retain that access before it gets revoked.  You can set up a variety of automated emails for the challenge period, including ones that can give users instructions on how to challenge decisions, and ones that give reviewers information on what to do in case of challenges. You also set a specific duration for the challenge period, to limit the window during which users can challenge decisions.

Revocation — this optional phase sets a specific time period for when the work of revoking access is performed and completed. An important thing to understand about the revocation phase is that when you enable the revocation phase, revocation activity is monitored in IdentityIQ to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation activity can still take place if you don't enable this phase; however in this case the revocation work won't be monitored automatically in IdentityIQ.  You can view detailed revocation information by clicking the “information” icon in the access review, then clicking the Details button on the information dialog.

End – The end period indicates when the certification is complete. If you didn't enable a revocation phase, revocations can be done during the end period.  Note that certifications are not closed until all the access reviews have been signed off or an auto-close setting was specified


Plan your notifications, reminders, and escalations

IdentityIQ lets you send custom, automated notifications and reminders to your reviewers and to the users whose access is under review.You can set up notifications that trigger emails when:
  • A user's access is revoked
  • An exception, which allows a user to keep access only temporarily, expires
  • A challenge period has begun
Reminders can be configured to start a certain number of days after the start or before the end of the Active phase. They can be sent as one-time messages, or on a recurring basis at intervals you choose. When you set up reminders, you can choose email templates for these messages, using a different email template for each reminder. You can also copy other users on the reminder messages.Escalations can be used to transfer responsibility to someone else (typically, the reviewer’s manager or the certification owner) when a reviewer has not completed the access review and the end of the Active phase is near. Escalations can be triggered after a particular number of reminders, or based on a number of days after the start of or before the end of the Active phase. Escalations use rules to determine who becomes the new owner. You can choose an email template to use for notifying the new owner of the escalation as part of the certification setup.To learn more about configuring notifications and escalations, and about IdentityIQ's email templates, see:

Understand how to use rules in certifications

Certifications can use rules to customize certification content and behavior, allowing you to insert your own logic to control the content and behavior of the certification. For example, you could write a rule to exclude your executive management team from certifications, or to add an additional level of sign-off approval to an access review.Other examples how you can use rules are:
  • Exclude inactive identities from the certification
  • Automatically delegate a manager review from the CEO to an executive assistant
  • Exclude birthright access from the certification
  • Transfer ownership of the access review to a different reviewer if the original reviewer fails to complete it on time
Rules are written using BeanShell, a lightweight Java-based scripting language. IdentityIQ provides a standard set of example rules that you can import to use as starting points for developing your own rules, in the examplerules.xml file. You can implement custom rules in IdentityIQ by importing the rules as XML objects or, in some of the certification scheduling UIs, by using the UI's rule editor.
When you set up a certification, there are numerous places where you can choose rules to modify the certification's behavior. Every rule has a type that categorizes its purpose, and in certifications, the rule type determines where and how in the certification the rule can be used, and what kind of effect or purpose it has.
A caveat for using rules in certifications: rules offer powerful processing, but rules that use complex logic can add a lot of performance overhead, particularly in large certifications. Make sure you have considered all the out-of-the-box configuration options that can tailor the behavior of your certification before turning to rules.
To learn more about how to use rules in certifications, see:

Decide who can self-certify

Self-certification means a user is allowed to be the certifier for his or her own access. Self-certification is often considered a security risk because it allows a user to approve and permit his or her own access, whether or not it is appropriate to his or her job - so by default, IdentityIQ does not allow self-certification for anyone other than System Administrators. However, some organizations have business reasons for allowing self-certification, so there are configuration options to permit it.An common real-world example of a when you might want to allow users to self-certify is a scenario where you let users review their own access initially, and indicate which access they think they do or do not need, before routing the review on to a manager or other decision-maker for a final review. In this case, you could create a Manager certification, use a rule to pre-delegate access to the user for self-certification, and then require that the results go back to the manager for review.  In this example the end result is a manager review, not purely a self-certification, but the self-certification step is a useful component of the overall campaign.You must at minimum allow System Administrators to self-certify, since excluding everyone, even your System Administrators, from self-certifying can potentially lead to certifications that are impossible to complete. Learn more about your options for self-certification.

Test using production data

In your test phase, you should use full production data in order to do real, meaningful scale testing. The test phase should also encompass the entire certification process: generation, decisions/approvals, and resolution.

Prepare and educate your reviewers

The success of your certification campaign will depend in large part on the careful, accurate, and timely decisions made by your reviewers. You can help your reviewers understand the review process and how to make the right access decisions by giving them instructions that are specific to your organization’s policies, practices, and UI. Keep in mind that if reviewers use the access reviews UI only occasionally, they may not remember important details about what to do, and how to use the UI.You may want to create your own documentation, screen shots, and/or video clips, to reflect the look and feel of your own instance of IdentityIQ, your organization's policies, and the specific options you configure for your certifications and access reviews. SailPoint offers an Access review guide for end users for IdentityIQ, that you can use as a template for developing your own custom end user training.
Labels (2)


Can we create a quick link for certification ?


Kavya Salian

Version history
Revision #:
16 of 16
Last update:
‎Apr 28, 2023 09:44 PM
Updated by: