7 Identity Certification

This chapter describes the identity certification user interface pages and includes information about how to complete identity certifications. An overview of identity certification is presented first.

This chapter contains the following sections:

7.1 Identity Certification Overview

This section describes what, why, and how identity certifications are conducted. It also discusses who is typically involved in the identity certification process.

7.1.1 What Is Identity Certification?

Identity certification is the process of reviewing user entitlements to ensure that users have not acquired entitlements that they are not authorized to have. Certifications can be scheduled to run on a regular basis to meet compliance requirements. Managers use the Oracle Identity Analytics (OIA) Identity Certification module to review their employees' entitlements to access applications and data. Based on changes reported by Oracle Identity Analytics, managers can authorize or revoke employee access, as needed.

The following table lists the four types of identity certification that are possible in Oracle Identity Analytics.

Table 7-1 The Four Types of Identity Certification

Identity Certification Type | Description

User Entitlement Certification

Allows managers to certify employee access to roles, accounts, and entitlements. This is the most common and most sweeping type of certification. Typically, each manager in an organization reviews the access-privileges of the people who report directly to that manager. Each reviewer in a certification of this type is focused on his or her direct-reports, but is expected to review all of the access-privileges for each of those people.

Role Entitlement Certification

Allows role owners to certify role content and role members. This certification is used in organizations that have implemented role-based access control (RBAC). Typically, the owner of a role is the person responsible for reviewing its definition (that is, the set of access-privileges that it conveys) as well as its membership (the set of users to whom the role has been assigned). Each reviewer in a certification of this type is focused on a particular enterprise role.

Resource Entitlement Certification

This certification allows the person who is responsible for a particular system or application to review the set of users who have accounts on that system or application. The reviewer can drill down and view the details of the access-privileges of each account. Each reviewer in a certification of this type is focused on one specific system or application.

Data Owner Certification

Allows data owners to certify user accounts that have a particular privilege. This certification is used if a specific person is responsible for a particular entitlement (that is, an Attribute Value or a group membership that confers a specific access-privilege). The data owner can review the set of user accounts that have that particular entitlement. Each reviewer in a certification of this type is focused on one specific privilege within one specific resource.


Business administrators are tasked with creating certifications for their organizations. For information about creating certifications, see the "Oracle Identity Analytics Identity Certifications" chapter in the Administrator's Guide for Oracle Identity Analytics.

7.1.2 What is Closed-Loop Remediation?

Closed-loop remediation is a feature that utilizes a separate provisioning system to automatically revoke roles and entitlements based on the results of the Oracle Identity Analytics certification process. Closed-loop remediation is only available if the provisioning solution is either Oracle Identity Manager or Oracle Waveset (Sun Identity Manager).

For non-managed applications, you can manually revoke roles and entitlements by using the information stored in the remediation configuration module.

For information about how to de-provision accounts during a certification process, see Section 7.4.7, "To De-provision Accounts During The Certification Process." Because OIA is the authoritative source for roles, when roles are revoked, Oracle Identity Analytics directly de-provisions them.

7.1.3 Who Is Involved in Completing Identity Certifications?

The identity certification module in Oracle Identity Analytics allows personnel in an organization to review and certify user entitlement data, role content data, and application access data. Following are descriptions of the types of users that are typically involved in the identity certification process, as well as the certifications that each user type can authorize or revoke. In Oracle Identity Analytics, personnel who participate in the identity certification process are called actors.

Table 7-2 Identity Certification Actors

Actor Name | Description | Certification Types That Can Be Accessed

Certifier

A generic term that signifies a person who is responsible for reviewing and completing any kind of certification.

  • User entitlement certification

  • Role entitlement certification

  • Resource entitlement certification

  • Data owner certification

User manager

A manager with direct reports. Users report to a user manager.

  • User entitlement

Access reviewer

Designated personnel responsible for reviewing user access.

  • User entitlement

  • Resource entitlement

Application owner

Designated personnel responsible for reviewing user access on a particular target system.

  • User entitlement

  • Resource entitlement

Role owner

Designated personnel responsible for reviewing a role and its content.

  • Role entitlement

Data owner

Designated personnel responsible for reviewing access to an attribute value.

  • Data owner

Oracle Identity Analytics administrator

An administrator with full access to the Oracle Identity Analytics application and who can create and view the progress of all certifications.

  • User entitlement

  • Role entitlement

  • Resource entitlement

  • Data owner

Auditor or Audit analyst

Designated personnel who can open the Identity Certification Dashboard to follow the progress of each certification, and who can view reports from completed certifications.

  • Identity certification dashboard

  • Certification reports

Certification administrator

Administrator with limited access to the Oracle Identity Analytics application and who can only create and view the progress of certifications.

  • User entitlement

  • Role entitlement

  • Resource entitlement

  • Data owner


7.2 Understanding the Identity Certification User Interface

This section provides help using the identity certification portion of the user interface, which you access by clicking Identity Certification on the main menu.

7.2.1 The Dashboard

To open the identity certification dashboard, choose Identity Certification > Dashboard from the main menu.

The identity certification dashboard summarizes status information for certifications in progress. The information presented is customized based on your user access. For example, if you are logged in as an administrator with global access, the dashboard presents certification data for the entire organization. If you are logged in as a manager, however, the dashboard only presents information relevant to your particular business units.

The identity certification dashboard presents the following information.

Table 7-3 Certification Dashboard UI Descriptions

Dashboard Panel | Description

Certifications by Status

This bar graph compares certification statuses (new, in progress, complete, and expired) for each of the four certification types (user, role, resource, and data owner).

Summary

Provides the total number of users, accounts, resource types, and resources that are defined in Oracle Identity Analytics for your organization.

User Accounts Certification Status

This pie chart shows how many user accounts are marked as certified, revoked, and incomplete.

Notifications Issued in Last Week

This bar graph shows how many reminders have been sent in the last week to managers, senior managers, and the IT security department.

Statistics

Provides the average number of certifications per business structure, the average number of roles per user, the average number of accounts per user, and the average number of users per business structure.

User Roles Certification Status

This pie chart shows how many user roles are marked as certified, revoked, or incomplete.


7.2.2 Remediation Tracking

This page is visible only to administrators. To open the Remediation Tracking page, choose Identity Certification > Remediation Tracking from the main menu.

Use the Remediation Tracking page to track the remediation status of revoked accounts, access within accounts, or roles.

For details and instructions about using the Remediation Tracking page, see the Understanding Remediation Tracking section in the "Oracle Identity Analytics Identity Certifications" chapter in the Oracle Identity Analytics 11gR1 Business Administrator's Guide.

7.2.3 Certification Jobs

This page is visible only to administrators. To open the Certification Jobs page, choose Identity Certification > Certification Jobs from the main menu.

Use the Certification Jobs page to view the status of certification jobs and delete certification jobs.

For details and instructions about using the Certification Jobs page, see "Scheduling Certifications" in the "Oracle Identity Analytics Identity Certifications" chapter in the Administrator's Guide for Oracle Identity Analytics.

7.2.4 My Certifications

To open the My Certifications page, choose Identity Certification > My Certifications on the main menu.

Use the My Certifications page to view and search for certifications. If you are an administrator, you can create new access certifications from this page by clicking New Certification at the top of the page.

The My Certifications page displays new and in-progress certifications. Filters are provided to view all certifications, or any combination of new, in-progress, complete, or expired certifications. Click any column header to sort the table by the column type. Click again to reverse-sort the table.

In the Certification Name column, click a certification to view progress and to conduct employee verification on the selected certification.

  • Click Complete Certification to complete a certification process.

  • Click View Reports to view a report of a completed certification.

  • Click View Reminder Logs to view notifications sent for a particular certification.

7.3 Understanding the Certification Pages

The following help topics document the pages that you use when completing a certification.

This section includes the following topics:

7.3.1 Certification Pages Overview

When you open a certification, a summary page displays that lists the certification items needing review. From the summary page you can navigate deeper into the certification and get a detailed view of each certification item. Both the summary and the detail pages include controls for filtering which certification items are displayed.

This section describes the user interface elements that are common to the certification pages.

The Certification Name

The top of the page displays the certification name. Certifications use the following naming convention:

Name-of-the-certification_Certifier's-last name_Certifier's-first-name

The Status Bar and More Info Icon

If the certification page is open to a summary page, a status bar and a certification details More Info icon also display.

  • The Completed bar shows the percentage of the certification that is complete.

  • Click the More Info icon to open a pop-up window that contains detailed information about the certification. See the topic for more information about the Certification Details pop-up window.

The Export-To Section

The Export To options enable you to work on the certification offline. You have to return to Oracle Identity Analytics, however, to complete the certification. You can export the certification to PDF or .xls formats.

Note:

The Export To options are only available on certification summary pages, not certification detail pages.

The Filter-Data-By Menu

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Note:

Filter expressions with multiple criteria are evaluated using the "AND" operator.

The following filter controls may be available:

+ and -

Click to add and remove additional filter criteria.

Apply

Click to apply the filter and refresh the page.

Reset

Click Reset to remove all filtering and refresh the page.


If a filter is active, use the First, Previous, Next, and Last buttons to navigate from one record to the next.

Risk Level

In OIA, three red bars signify high risk, two yellow bars signify medium risk, and one green bar signifies low risk.

7.3.2 User Entitlement Certification Help

User entitlement certification enables managers to certify employee access to roles, accounts, and entitlements. For step-by-step instructions about how to complete a user entitlement certification, see To Complete a User Entitlement Certification.

User Entitlement Certification Help is organized as follows:

7.3.2.1 User Entitlement Certification - Summary Page

Filter-Data-By Menu (User Entitlement Certification - Summary Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

All

Display all users.

Risk Summary

Display users by High, Medium, or Low risk levels. Risk Summary levels are based on the combined risk level of the roles, accounts, and entitlements that the user holds.

Entitlement Summary Risk

Display all users where the highest contributing Item-Risk or Risk-Factor level for any entitlement assigned to the user is High, Medium, or Low.

Role Summary Risk

Display all users where the highest contributing Item-Risk or Risk-Factor level for any role assigned to the user is High, Medium, or Low.

Note - Filtering by Low Role-Summary Risk could return users who do not have any assigned roles. This is because the Low Role-Summary Risk filter excludes all users who have High-risk and/or Medium-risk roles assigned. Users who have only Low-risk roles assigned, and users who have no roles assigned, are returned.

Account Summary Risk

Display all users where the highest contributing Item-Risk or Risk-Factor level for any account assigned to the user is High, Medium, or Low.

Role Name

Display users with the role name that matches the search string provided. The asterisk ( * ) can be used as a wildcard.

Resource Name

Display users with a resource name that matches the search string provided. The asterisk ( * ) can be used as a wildcard.

Status

Display users by Claim, Decline, Delegate, or Disclaim status. Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here.

  • Claim - The user works for you and you are the correct person to complete the certification.

  • Decline - The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

  • Delegate - The user reports to another manager who is responsible for verifying this user's assigned roles and entitlements. You will not approve or revoke roles and entitlements for this user.

  • Disclaim - The user is no longer part of the organization. The user is removed from the certification process and you will not approve or revoke roles and entitlements for this user.

User Attribute

Display users who meet the attribute criteria that you supply.


The Actions Menu (User Entitlement Certification - Summary Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Claim

The user works for you and you are the correct person to complete the certification.

Decline

The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

Delegate

The user reports to another manager. Select the manager who is responsible for verifying this user's assigned roles and entitlements. You will not approve or revoke roles and entitlements for this user.

Disclaim

The user is no longer part of the organization. The user is removed from the certification process and you will not approve or revoke roles and entitlements for this user.

Complete User

The users are valid for this certification.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Summary Table (User Entitlement Certification - Summary Page)

The table on the summary page lists the certification items needing review.

User Name

The user's user ID. This is a unique value that identifies the user in your IT environment.

First Name

The user's first name.

Last Name

The user's surname.

Primary Email

The user's e-mail address.

Status

Displays Decline, Delegate, or Disclaim if that status was selected for the user. Otherwise, this field shows the percentage of the certification that is complete for this user. Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here.

Decline - The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

Delegate - The user reports to another manager and you are not responsible for approving or revoking roles and entitlements for this user.

Disclaim Worker - The user is no longer part of the organization. The user will be removed from the certification process and you will not approve or revoke roles and entitlements for this user.

Risk Summary

The risk level (High, Medium, or Low) assigned to the user based on the combined risk level of the roles and entitlements that the user holds.

  • High-risk users hold one or more high-risk roles/entitlements.

  • Medium-risk users hold one or more medium-risk roles/entitlements, and no high-risk roles/entitlements.

  • Low-risk users do not hold any high-risk or medium-risk roles/entitlements.

Roles

The total number of roles that the user holds.

Accounts

The total number of accounts that the user holds.

Entitlements

The total number of entitlements that the user holds.

Certification Comments

Reviewer comments entered about the user certification.


7.3.2.2 User Entitlement Certification - Roles Detail Page

The role detail page lists a user's assigned roles. To open the Roles Detail page, open a user entitlement certification and click the Roles tab.

Filter-Data-By Menu (User Entitlement Certification - Roles Detail Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

Risk Summary

Display a user's roles based on the value recorded in the Risk Summary column.

Item Risk

Display the user's roles that have a matching risk value recorded in the Item Risk column.

Policy Violation

Display the user's roles that have a policy violation.

Last Certification

Display the user's roles based on the previous certification status.

Provisioning Methods

Display the user's roles based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Role Name

Display the user's roles that match the search string provided. The asterisk ( * ) character can be used as a wildcard.


The Actions Menu (User Entitlement Certification - Roles Detail Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Certify

The role is valid for this user for this certification.

Revoke

The role is not valid for this user for this certification.

Abstain

The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

Certify Conditionally

You temporarily certify the role even though the role might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Roles Detail Table (User Entitlement Certification - Roles Detail Page)

The table on the roles detail page lists a user's assigned roles.

Role Name

The name of the assigned role being certified.

Description

A description of the role.

Decision

One of the following:

  • Certify - The role is valid for this user for this certification.

  • Revoke - The role is not valid for this user for this certification.

  • Certify Conditionally - You temporarily certify the role even though the role might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Risk Summary

The overall risk level for the role. This value is determined by choosing the highest risk level across the next four columns.

Item Risk

The risk level associated with the role as determined by an Oracle Identity Analytics administrator during the role configuration process.

Policy Violations

Yes if one or more policy violations result from this role assignment, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk.

Last Certification

The status of the previous certification of this role assignment. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New.

Provisioning Method

The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Comments

Comments entered about this role by a reviewer.
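The following Python, added here as an illustration (it is not Oracle Identity Analytics code), models the Risk Summary roll-up described for the summary table and the roles and entitlements detail tables, together with the Role Summary Risk filter note above, including the case of a user who holds no roles. The page does not say how Last Certification or Provisioning Method map to a risk level, so that contribution is taken as an optional input; the sample users, role names, and the handling of the Role Name wildcard are constructed assumptions.

```python
"""Risk roll-up and Filter-Data-By behaviour for a user entitlement
certification, as an added illustration of the rules on this page
(not Oracle Identity Analytics code)."""
from dataclasses import dataclass, field
import re
from typing import Dict, List, Optional

LOW, MEDIUM, HIGH = "Low", "Medium", "High"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}  # three red bars > two yellow > one green


def highest(levels: List[str]) -> str:
    """Highest risk level in a list; an empty list rolls up to Low."""
    return max(levels, default=LOW, key=RANK.__getitem__)


@dataclass
class CertItem:
    """One row of a Roles or Entitlements detail table."""
    name: str
    item_risk: str                 # Item Risk column, set by the OIA administrator
    policy_violation: bool         # Policy Violations column (Yes/No)
    # Last Certification and Provisioning Method also contribute to the row's
    # Risk Summary on the page, but their mapping to a level is not given here,
    # so this example takes any such level as an optional input (assumption).
    other_factor_risk: Optional[str] = None

    def risk_summary(self) -> str:
        """Row Risk Summary = highest level across the contributing columns;
        one or more policy violations counts as High, none counts as Low."""
        levels = [self.item_risk, HIGH if self.policy_violation else LOW]
        if self.other_factor_risk is not None:
            levels.append(self.other_factor_risk)
        return highest(levels)


@dataclass
class CertUser:
    """One row of the User Entitlement Certification summary table."""
    user_name: str
    roles: List[CertItem] = field(default_factory=list)
    entitlements: List[CertItem] = field(default_factory=list)

    def role_summary_risk(self) -> str:
        return highest([r.risk_summary() for r in self.roles])

    def entitlement_summary_risk(self) -> str:
        return highest([e.risk_summary() for e in self.entitlements])

    def risk_summary(self) -> str:
        """User Risk Summary: High if any High role/entitlement, Medium if any
        Medium and no High, otherwise Low."""
        return highest([self.role_summary_risk(), self.entitlement_summary_risk()])


def wildcard_match(pattern: str, text: str) -> bool:
    """Role Name / Resource Name search string: '*' is the only wildcard
    (case-insensitive matching is an assumption of this example)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, flags=re.IGNORECASE) is not None


def apply_filters(users: List[CertUser], *, role_summary_risk: Optional[str] = None,
                  risk_summary: Optional[str] = None,
                  role_name: Optional[str] = None) -> List[str]:
    """Filter data by: every supplied criterion must hold (AND semantics)."""
    out = []
    for u in users:
        if role_summary_risk and u.role_summary_risk() != role_summary_risk:
            continue
        if risk_summary and u.risk_summary() != risk_summary:
            continue
        if role_name and not any(wildcard_match(role_name, r.name) for r in u.roles):
            continue
        out.append(u.user_name)
    return out


# Constructed sample data: three users with different role/entitlement mixes.
SAMPLE_USERS = [
    CertUser("alice", roles=[CertItem("Payroll Admin", MEDIUM, policy_violation=True)]),
    CertUser("bob", roles=[CertItem("Report Reader", LOW, False)],
             entitlements=[CertItem("HR-DB:SELECT", MEDIUM, False)]),
    CertUser("carol", entitlements=[CertItem("Shared Drive", LOW, False)]),  # no roles
]


def demo() -> Dict[str, object]:
    """Show why the Low Role Summary Risk filter also returns carol, who holds no roles."""
    return {
        "alice": SAMPLE_USERS[0].risk_summary(),   # Medium item risk plus a violation -> High
        "bob": SAMPLE_USERS[1].risk_summary(),     # Low role, Medium entitlement -> Medium
        "carol": SAMPLE_USERS[2].risk_summary(),   # only a Low entitlement -> Low
        "low_role_summary": apply_filters(SAMPLE_USERS, role_summary_risk=LOW),
        "medium_and_reader": apply_filters(SAMPLE_USERS, risk_summary=MEDIUM, role_name="Report*"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```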


7.3.2.3 User Entitlement Certification - Entitlements Detail Page

The entitlements detail page lists a user's accounts and entitlements that are assigned outside of any assigned roles. To open the Entitlements Detail page, open a user entitlement certification and click the Entitlements tab.

Filter-Data-By Menu (User Entitlement Certification - Entitlements Detail Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

Risk Summary

Display a user's accounts and entitlements based on the value recorded in the Risk Summary column.

Item Risk

Display the user's accounts and entitlements that have a matching risk value recorded in the Item Risk column.

Policy Violation

Display the user's accounts and entitlements that have a policy violation.

Last Certification

Display the user's accounts and entitlements based on the previous certification status.

Provisioning Methods

Display the user's accounts and entitlements based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Resource Name

Display the user's accounts and entitlements by resource name. The asterisk ( * ) character can be used as a wildcard.

Resource Type

Display the user's accounts and entitlements by resource category.

Attribute

Display the user's entitlements by attribute name. The asterisk ( * ) character can be used as a wildcard.

Attribute Value

Display the user's entitlements by attribute value. The asterisk ( * ) character can be used as a wildcard.


The Actions Menu (User Entitlement Certification - Entitlements Detail Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Certify

The entitlement is valid for this user for this certification.

Revoke

The entitlement is not valid for this user for this certification.

Abstain

The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

Certify Conditionally

You temporarily certify the entitlement even though the entitlement might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Note:

If you select all of the listed roles and entitlements when you choose an action, the system asks you to confirm whether you want to "Select only entitlements that are displayed on the current page" or "Select all entitlements from this certification." Note that the "Select all entitlements from this certification" option applies only to the roles and entitlements of the current user. It does not apply to all of the roles and entitlements assigned to all of the users in the certification.

Entitlements Detail Table (User Entitlement Certification - Entitlements Detail Page)

The table on the entitlements detail page lists a user's assigned accounts and entitlements.

Note:

Rows representing accounts are labeled (Account Only) in the Attribute Name column.

Resource Name

The name of the resource that has the accounts and entitlements that are being certified. (A resource is an application or some other enterprise information asset that users need to do their jobs.)

Resource Type

The resource category that the resource belongs to.

Account Name

The name of the user's account on the resource. Click the More-Info icon to see additional account details.

Attribute

Attributes are entitlements that map to different objects on a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on.

Note - (Account Only) rows represent accounts.

Attribute Value

The value of the attribute listed.

Note - Account rows do not have attribute values.

Decision

One of the following:

  • Certify - The entitlement is valid for this user.

  • Revoke - The entitlement is not valid for this user.

  • Certify Conditionally - You temporarily certify the entitlement even though the entitlement might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

  • Abstain - The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

Risk Summary

The overall risk level for the account or entitlement. This value is determined by choosing the highest risk level across the next four columns.

Item Risk

The assigned attribute-value risk or entitlement risk. The risk level is determined by an Oracle Identity Analytics administrator during the resource configuration process.

Policy Violations

Yes if one or more policy violations result from this account or entitlement, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk.

Last Certification

The status of the previous certification of this entitlement. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New.

Provisioning Method

The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Comments

Comments entered about the account or entitlement by a reviewer.


7.3.3 Role Entitlement Certification Help

A role entitlement certification enables role owners to certify roles and role content, such as policies, entitlements, and users assigned to roles. For step-by-step instructions about how to complete a role certification, see To Complete a Role Entitlement Certification.

Role Entitlement Certification Help is organized as follows:

7.3.3.1 Role Entitlement Certification - Summary Page

Filter-Data-By Menu (Role Entitlement Certification - Summary Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

All

Display all roles.

Risk Level

Display roles that have a matching role risk value recorded in the Risk Level column.

Role Name

Display roles that match the search string provided. The asterisk ( * ) character can be used as a wildcard.

Status

Display roles by Claim or Decline status.

  • Claim - The role belongs to you and you are the correct person to certify the content of the role.

  • Decline - The role does not belong to you and you are not responsible for verifying the content of the role.

Policy Violations

Display roles that have open identity auditing violations.


Actions Menu (Role Entitlement Certification - Summary Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Claim

The role belongs to you and you are the correct person to complete the certification.

Decline

The role does not belong to you and you are not responsible for verifying it.

Complete Roles

The remaining roles are valid for this certification.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Summary Table (Role Entitlement Certification - Summary Page)

The table on the summary page lists the certification items needing review.

Role Name

The name of the role being certified.

Description

A description of the role.

Status

Either shows the percentage of the certification that is complete for this role, or Decline.

Risk Level

The risk level associated with the role as determined by an administrator during the role configuration process.

Policy Violations

Indicates if any open identity auditing violations are caused by this role. The identity audit component checks for identity relationships that go against policy, including segregation of duties (SoD) violations.

Policies

Shows the number of policies assigned to the role. Policies define account attributes and privileges that users have on different platforms or applications. A policy has a specific privilege on a specific data resource. Policies are assigned to roles, and roles are assigned to users.

Comments

Comments entered about this role certification by a reviewer.


7.3.3.2 Role Entitlement Certification - Policies Detail Page

The policies detail page shows policies that belong to this role, as well as attributes of the policy. To open this page, open a role entitlement certification and click the Policies tab.

Filter-Data-By Menu (Role Entitlement Certification - Policies Detail Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

Resource Name

Display policies and attributes that have resource names that match the search string provided. The asterisk ( * ) character can be used as a wildcard.

Resource Type

Display policies and attributes that match the selected resource category.

Policy Name

Display policies and attributes that match the selected policy name.

Attribute Name

Display the attributes that match the attribute name search string provided. The asterisk ( * ) character can be used as a wildcard.

Attribute Value

Display the attributes that match the attribute value search string provided. The asterisk ( * ) character can be used as a wildcard.

Risk Summary

Display policies and attributes based on combined risk levels.

Item Risk

Display policies based on resource risk, and display attributes based on either the assigned attribute value risk or the entitlement risk.

Last Certification

Display policies and attributes based on the previous certification status.


Actions Menu (Role Entitlement Certification - Policies Detail Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Certify

The policy, entitlement, or user assigned to this role is valid for this certification.

Revoke

The policy, entitlement, or user assigned to this role is not valid for this certification.

Abstain

The policy, entitlement, or user does not belong to you and you are not responsible for verifying it.

Certify Conditionally

You temporarily certify the policy, entitlement, or user assigned to this role even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Note:

If you select all of the listed policies and entitlements when you choose an action, the system asks you to confirm if you want to "Select only policies that are displayed on the current page," or if you want to "Select all policies from this certification." Note that the "Select all policies from this certification" option applies only to the policies and entitlements assigned to the current role. It does not apply to all of the policies and entitlements assigned to all of the roles in the certification.
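The Certify Conditionally action above records an end date, but as the description notes, the system neither revokes the access nor sends a notice when that date passes. The following is an added example, not Oracle Identity Analytics code, of the follow-up check a practitioner runs outside the product: it reads an export of certification decisions and flags conditional certifications that are past their end date, and also those that have no usable end date and therefore can never expire. The CSV layout and column names are assumptions constructed for this example; map them to whatever your report export actually contains.

```python
"""Flag Certify Conditionally decisions whose end date has passed.

Added example; not Oracle Identity Analytics code. OIA includes the end date
and comment in its reports but does not revoke access or send notices when the
end date expires, so this follow-up has to run outside the product.
The CSV layout and column names below are constructed for this example.
"""
import csv
import io
from datetime import date

# Constructed sample export (assumed column names, not an OIA report format).
SAMPLE_EXPORT = """\
certification,item_type,item,decision,end_date,comment
Q2_Role_Cert_Smith_Jane,policy,FIN_GL_POST,Certify Conditionally,2024-03-31,Covering year-end close
Q2_Role_Cert_Smith_Jane,user,jdoe,Certify Conditionally,2024-12-31,Temporary project assignment
Q2_Role_Cert_Smith_Jane,policy,HR_PAYROLL_VIEW,Certify,,
Q2_Role_Cert_Smith_Jane,user,asmith,Certify Conditionally,,End date left blank
"""


def parse_export(text):
    """Parse the export into a list of dicts, one per certified item."""
    return list(csv.DictReader(io.StringIO(text)))


def expired_conditional(rows, today):
    """Split conditional decisions into those past their end date and those
    whose end date is missing or unparseable (they can never expire on their
    own, so they need a reviewer's attention too)."""
    expired, malformed = [], []
    for row in rows:
        if row["decision"] != "Certify Conditionally":
            continue
        try:
            end = date.fromisoformat(row["end_date"])
        except ValueError:
            # Blank or malformed end date: the condition was never bounded.
            malformed.append(row)
            continue
        if end < today:
            expired.append(row)
    return expired, malformed


def check_export(text, today_iso):
    """Return (expired item names, malformed item names) for an export as of a date."""
    expired, malformed = expired_conditional(parse_export(text), date.fromisoformat(today_iso))
    return [r["item"] for r in expired], [r["item"] for r in malformed]


if __name__ == "__main__":
    expired, malformed = expired_conditional(parse_export(SAMPLE_EXPORT), date.today())
    for r in expired:
        print(f"EXPIRED  {r['item_type']}:{r['item']} ended {r['end_date']} ({r['comment']})")
    for r in malformed:
        print(f"NO DATE  {r['item_type']}:{r['item']} ({r['comment']})")
```

Run it on a schedule against each fresh export; anything it prints is access that the reviewer only accepted temporarily and that the product will not remove for you.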

Policies Detail Table (Role Entitlement Certification - Policies Detail Page)

Note - Rows representing policies are labeled (Policy Only) in the Attribute Name column.

Resource Name

The name of the resource that the policy or the policy attribute relates to.

Resource Type

The resource category that the resource belongs to.

Policy Name

The name of the policy or the policy attribute that belongs to the role.

Attribute Name

Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. Rows representing policies display as (Policy Only).

Attribute Value

The value of the attribute listed. Rows representing policies do not have attribute values.

Decision

One of the following:

  • Abstain - The policy or policy attribute does not belong to you and you are not responsible for verifying it.

  • Certify - The policy or policy attribute is valid for this certification.

  • Revoke - The policy or policy attribute is not valid for this certification.

  • Certify Conditionally - You temporarily certify the policy or policy attribute even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Last Certification

The status of the previous certification of this policy or attribute. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New.

Comments

Comments entered about this policy or policy attribute by a reviewer.


7.3.3.3 Role Entitlement Certification - Members Detail Page

The members detail tab shows all of the members that belong to this role. To open this page, open a role entitlement certification and click the Members tab.

Filter-Data-By Menu (Role Entitlement Certification - Members Detail Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

User ID

Display role members who have account names that match the search string provided. The asterisk ( * ) character can be used as a wildcard.

Risk Summary

Display role members by High, Medium, or Low risk level. The Risk Summary level is based on the combined risk level of the roles, accounts, and entitlements that the user holds.

Policy Violation

Display role members who have one or more policy violations resulting from this role assignment.

Provisioning Method

Display role members based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Last Certification

Display role members based on the previous certification status.


Actions Menu (Role Entitlement Certification - Members Detail Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Certify

The policy, entitlement, or user assigned to this role is valid for this certification.

Revoke

The policy, entitlement, or user assigned to this role is not valid for this certification.

Abstain

The role does not belong to you and you are not responsible for verifying it.

Certify Conditionally

You temporarily certify the policy, entitlement, or user even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Members Detail Table (Role Entitlement Certification - Members Detail Page)

User ID

The employee's user ID. This is a unique value that identifies the employee in your IT environment.

First Name

The user's first name.

Last Name

The user's surname.

Primary Email

The user's e-mail address.

Decision

One of the following:

  • Abstain - The role does not belong to you and you are not responsible for verifying it.

  • Certify - The user is valid for this role for this certification.

  • Revoke - The user is not valid for this role for this certification.

  • Certify Conditionally - You temporarily certify the user even though the user assignment might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Risk Summary

The overall risk level for the user for this role. This value is determined by choosing the highest risk level across the next three columns.

Policy Violations

Yes if one or more policy violations result from this role assignment, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk.

Last Certification

The status of the previous certification of the user for this role. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New.

Provisioning Method

The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Comments

Comments entered about this role user by a reviewer.


7.3.4 Resource Entitlement Certification Help

Resource entitlement certification involves certifying or revoking employee entitlements on one or more resources. Resource entitlements are entitlements that are assigned directly to an employee and are not assigned to an employee as part of a role. For step-by-step instructions about how to complete a resource certification, see Section 7.4.5, "To Complete a Resource Entitlement Certification."

Resource Entitlement Certification Help is organized as follows:

7.3.4.1 Resource Entitlement Certification - Summary Page

Filter-Data-By Menu (Resource Entitlement Certification - Summary Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

All

Display all resources.

Risk Level

Display resources by High, Medium, or Low risk level.

Resource Name

Display resources that match the search string provided. The asterisk ( * ) can be used as a wildcard.

Status

Display resources by Claim or Decline status.

Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here.

  • Claim - The resource belongs to you and you are the correct person to complete the certification

  • Decline - The resource does not belong to you and you are not responsible for completing the certification.


Actions Menu (Resource Entitlement Certification - Summary Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Claim

Restores a disclaimed user, role, resource, or data source to your verification queue for certification.

Decline

Either the user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements, or the role, resource, or data source does not belong to you and you are not responsible for verifying it.

Complete Resource

The remaining open accounts and entitlements for this resource are valid.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Summary Table (Resource Entitlement Certification - Summary Page)

The table on the summary page lists the certification items needing review.

Resource Type

The resource category that the resource belongs to.

Resource Name

The name of the resource for which accounts and entitlements are being certified. Click the Resource Name link to open the Accounts and Entitlements Detail page.

Status

Shows Certify or Revoke if this resource certification is complete. Otherwise, this field shows the percentage of the certification that is complete for this resource.

Risk Level

The risk level of the named resource as determined by an Oracle Identity Analytics administrator during the resource configuration process.

Accounts

The total number of accounts that the named resource has.

Entitlements

The total number of entitlements that the named resource has.

Certification Comments

Comments entered about the resource certification by a reviewer.


7.3.4.2 Resource Entitlement Certification - Accounts and Entitlements Detail Page

The accounts and entitlements detail page shows the accounts and entitlements on the named resource. Click a Resource name on the Resource Entitlement Certification page to open this detail page.

Note - The rows representing accounts have Attribute Name labeled as (Account Only).

Filter-Data-By Menu (Resource Entitlement Certification - Accounts and Entitlements Detail Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

Attribute name

Display the entitlements that match the entitlement (attribute) name search string provided. The asterisk ( * ) character can be used as a wildcard.

Attribute Value

Display the entitlements that match the entitlement (attribute) value search string provided. The asterisk ( * ) character can be used as a wildcard.

Risk Summary

Display accounts and entitlements based on combined risk levels.

Item Risk

Display accounts based on resource risk, and display entitlements based on attribute value risk or entitlement risk.

Policy Violation

Display the accounts and entitlements that have a policy violation.

Last Certification

Display accounts and entitlements based on the previous certification status.

Provisioning Methods

Display accounts and entitlements based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.


Actions Menu (Resource Entitlement Certification - Accounts and Entitlements Detail Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Certify

The account or entitlement is valid for this resource for this certification.

Revoke

The account or entitlement is not valid for this resource for this certification.

Abstain

You are not responsible for verifying this account or entitlement.

Certify Conditionally

You temporarily certify the account or entitlement even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Note:

If you select all of the listed accounts and entitlements when you choose an action, the system asks you to confirm whether the action should be applied to "Items on this page only" or "All remaining items." Note that the "All remaining items" option applies only to the accounts and entitlements assigned to the current resource. It does not apply to all of the remaining accounts and entitlements in the certification.

Accounts and Entitlements Detail Table
(Resource Entitlement Certification - Accounts and Entitlements Detail Page)

This table lists the accounts and entitlements on the named resource.

Account Name

The name of the user's account on the resource. Click the More-Info icon to see additional account details.

First Name

The user's first name.

Last Name

The user's surname.

Attribute Name

Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. Rows representing accounts display as (Account Only).

Attribute Value

The value of the attribute listed.

Decision

One of the following:

  • Abstain - You are not responsible for verifying this entitlement.

  • Certify - The entitlement is valid for this user for this certification.

  • Revoke - The entitlement is not valid for this user for this certification.

  • Certify Conditionally - You temporarily certify the entitlement even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Risk Summary

The overall risk level for the account or attribute. This value is determined by choosing the highest risk level across the next four columns.

Item Risk

The assigned account risk or entitlement risk.

Policy Violations

Yes if one or more policy violations result from this account or entitlement, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk.

Last Certification

The status of the previous certification of this resource account or entitlement. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New.

Provisioning Method

The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Comments

Comments entered about this account or entitlement by a reviewer.


7.3.5 Data Owner Certification Help

A data owner certification enables data owners to certify whether employees should be able to access data. For step-by-step instructions about how to complete a data owner certification, see Section 7.4.6, "To Complete a Data Owner Certification."

Data Owner Certification Help is organized as follows:

7.3.5.1 Data Owner Certification - Summary Page

Filter-Data-By Menu (Data Owner Certification - Summary Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

All

Display all data sources.

Status

Display certification items by Claim or Decline status.

Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here.

  • Claim - The data source belongs to you and you are the correct person to complete the certification.

  • Decline - The data source does not belong to you and you are not responsible for completing the certification.

Risk Level

Display data sources by High, Medium, or Low risk level.

Resource

Display resources that match the search string provided. The asterisk ( * ) can be used as a wildcard.

Attribute

Display the entitlements that match the entitlement (attribute) name search string provided. The asterisk ( * ) character can be used as a wildcard.

Attribute Value

Display the entitlements that match the entitlement (attribute) value search string provided. The asterisk ( * ) character can be used as a wildcard.


Actions Menu (Data Owner Certification - Summary Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Claim

The data source belongs to you and you are responsible for verifying it.

Decline

The data source does not belong to you and you are not responsible for verifying it.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.

Complete Value

The remaining users are valid for this certification.


Summary Table (Data Owner Certification - Summary Page)

The table on the summary page lists the certification items needing review.

Attribute

Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on.

Attribute Value

The value of the attribute listed.

Resource

The name of the resource where the data being certified resides.

Resource Type

The resource category that the resource belongs to.

Status

Shows Declined if you clicked the Decline button for the data source. Otherwise, this field shows the percentage of the certification that is complete for this data source.

Risk Level

The risk level (High, Medium, or Low) assigned to the entitlement / attribute-value on that row.

Users

Shows the number of users that have this entitlement.

Classification

Shows the classification value for the attribute value.

Comments

Comments about this certification added by the certifier during the certification process.


7.3.5.2 Data Owner Certification - Entitlement Detail Page

The entitlement detail page shows users who have the entitlement. To open this detail page, click an entitlement in the Attribute Value column on the data owner certification page.

Filter-Data-By Menu (Data Owner Certification - Entitlement Detail Page)

The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.

Filter expressions with multiple criteria are evaluated using the "AND" operator.

Decision

Display users whose Decision status matches the value selected. Select All to display all users.

By User Attribute

Display users with attributes such as User Name, First Name, City, Country and so on that match the supplied value. The asterisk ( * ) character can be used as a wildcard.

Risk Summary

Display users by High, Medium, or Low risk level. Aggregated risk is based on the combined risk level of the roles, accounts, and entitlements that the user holds.

Last Certification

Display users based on the previous certification status.

Policy Violations

Display users who have one or more policy violations.

Provisioning Method

Display users based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.


Actions Menu (Data Owner Certification - Entitlement Detail Page)

Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.

Certify

The user entitlement is valid for this resource for this certification.

Revoke

The user entitlement is not valid for this resource for this certification.

Abstain

You are not responsible for verifying the user entitlement for this resource.

Certify Conditionally

You temporarily certify the user entitlement even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Reset Status

Clear the decision column for the selected entries to indicate that no action has been taken.

Edit Comment

Modify the comment for the selected entries.


Note:

If you select all of the listed accounts when you choose an action, the system asks you to confirm whether the action should be applied to "Items on this page only" or "All remaining items." Note that the "All remaining items" option applies only to the accounts that hold the current attribute value. It does not apply to the accounts that hold the remaining attribute values in the certification.

Entitlement Detail Table (Data Owner Certification - Entitlement Detail Page)

This table lists the users who have the selected entitlement.

Account Name

The name of the user's account on the resource. Click the More-Info icon to see additional account details.

First Name

The user's first name.

Last Name

The user's surname.

Decision

One of the following:

  • Certify - The user is valid for this entitlement for this certification.

  • Revoke - The user is not valid for this entitlement for this certification.

  • Certify Conditionally - You temporarily certify the user even though the user assigned to the entitlement may not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

Risk Summary

The overall risk level for the user for this entitlement. This value is determined by choosing the highest risk level across the next three columns.

Policy Violations

Yes if this entitlement causes one or more policy violations for the user, otherwise No. A violation is considered to be high risk, and no policy violation is low risk. This value contributes to the overall risk level as shown in the Risk Summary column.

Last Certification

The status of the previous certification of this user for this entitlement. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New.

Provisioning Method

The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together.

Comments

Comments entered about this user by a reviewer.


7.3.6 Certification Details Help

The certification details pop-up can be displayed by clicking the information icon found next to the certification name in the summary view for each type of certification.

Use the Certification Details pop-up to view detailed information about a certification. The pop-up displays information in the following sections:

Note - The details displayed in the certification overview section varies based on the type of certification you have open.

7.3.6.1 Certification Overview

Table 7-4 Screen elements in the Certification Overview section of the Certification Details page

Details Description

Certification

Displays the name of the certification. Certifications use the following naming convention: Name-of-the-certification_Certifier's-last name_Certifier's-first-name

Business structure

Displays the business structure selected for the certification.

Completed

Displays the progress (in percentage) of the certification completion.

Number of users

Displays the number of users that are part of the certification.

Number of roles

Displays the number of roles that are part of the certification.

Number of accounts

Displays the number of accounts that are part of the certification.

Number of resources

Displays the number of resources that are part of the certification.

Number of attribute values

Displays the number of attribute values that are part of the certification.

Certifier

Displays the name of the certifier.

Search button

Option to delegate the certification to another manager.


7.3.6.2 Certification History

Table 7-5 Screen elements in the Certification History section of the Certification Details page

Details Description

Start Date

The suggested start date to perform the certification.

End Date

The date when the certification expires. Managers cannot review certifications after the expiration date.

Incremental

If a certification is marked as incremental, then certifiers are required to certify only the changes made to a certification after the last time it was certified. Otherwise, certifiers are required to complete the entire certification again.

Created By

Displays the name of the creator of the certification.

Creation Date

Displays the date of creation.

Last Updated By

Displays the name of the user who updated the certification.

Last Update Date

Displays the date of the last update.
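The Incremental flag above determines how much of a certification comes back to the reviewer. As an added example, not Oracle Identity Analytics code, the following applies that scoping rule to two constructed snapshots: items that are new, items that were revoked last time but are still present (a revocation that was never carried out), and items that were only certified conditionally all go back to the reviewer, while items certified last time and unchanged since do not. The snapshot structures and the treatment of conditional items are assumptions of this example, not a description of how the product computes its delta.

```python
"""Work out what an incremental certification puts in front of a reviewer.

Added example; not Oracle Identity Analytics code. An incremental certification
covers only changes since the last certification; a full one covers everything
again. The snapshot layout and the rule that a revoked-but-still-present item
and a conditionally certified item both count as changes are assumptions of
this example.
"""

# Constructed previous snapshot: (user, resource, attribute, value) -> last decision.
PREVIOUS = {
    ("jdoe", "ERP", "role", "AP_CLERK"): "Certify",
    ("jdoe", "ERP", "role", "AP_APPROVER"): "Revoke",
    ("asmith", "ERP", "role", "GL_VIEW"): "Certify",
    ("asmith", "LDAP", "group", "vpn-users"): "Certify Conditionally",
}

# Constructed current snapshot: the entitlements that exist now.
CURRENT = {
    ("jdoe", "ERP", "role", "AP_CLERK"),
    ("jdoe", "ERP", "role", "AP_APPROVER"),    # revoked last time, still present
    ("asmith", "LDAP", "group", "vpn-users"),
    ("bnguyen", "ERP", "role", "GL_VIEW"),     # new hire, never certified
}


def review_scope(previous, current, incremental):
    """Return {item: reason} for every item the reviewer must decide on."""
    if not incremental:
        # Full certification: everything present now is reviewed again.
        return {item: "full certification" for item in sorted(current)}
    scope = {}
    for item in sorted(current):
        last = previous.get(item)
        if last is None:
            scope[item] = "new since last certification"
        elif last == "Revoke":
            # The reviewer said no and the access is still there: the revoke was not carried out.
            scope[item] = "revoked last time but still present"
        elif last == "Certify Conditionally":
            scope[item] = "conditional certification needs a final decision"
        # "Certify" and unchanged: nothing to re-review in incremental mode.
    return scope


def dropped_since(previous, current):
    """Items in the last certification that no longer exist; no decision needed, but worth logging."""
    return sorted(set(previous) - set(current))


if __name__ == "__main__":
    for item, reason in review_scope(PREVIOUS, CURRENT, incremental=True).items():
        print(f"REVIEW  {item}: {reason}")
    for item in dropped_since(PREVIOUS, CURRENT):
        print(f"GONE    {item}")
```

The second case is the one to watch for: an incremental certification that only ever shows new items would silently accept a revocation that was never provisioned, so a previously revoked item that is still present must come back to the reviewer.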


7.3.7 Help for More-Info Pop-Up Pages

During the certification process you can view additional details about roles, accounts, attributes, and policies by clicking a More-Info link. When you click a More-Info link, one of four Meta Information pages opens. The following sections provide details about the Meta Information pages.

7.3.7.1 Role Meta-Information Pop-Up Help

The Role Meta-Information Pop-Up consists of the following sections:

  • General - This section includes information about the role.

    • General tab - Displays basic information about the role.

    • Business Structures tab - Displays business structures associated with the role.

    • Users tab - Displays users assigned to the role.

    • Exclusion Roles tab - Displays conflicting roles. This helps define segregation of duties at the role level.

    • Ownership tab - Displays the role owner.

    • Custom Properties tab - Displays the custom properties associated with the role.

  • Rules - This section displays rules associated with the role.

  • Certification History - This section shows the certification history of the role. Information includes last date of action, the nature of the action, and comments, if any.

  • Policy Entitlements - This section displays all the policies that are part of the role. All policy-related information, such as business structures, roles, resources, exclusion policies, ownership information, and entitlements, are displayed.

  • Provisioning Method - (This section is available if the Oracle Identity Manager provisioning solution is enabled.) Provisioning Method provides information about how the item was provisioned to the system.

  • Open Audit Exception - This section shows if the role is part of an open-audit exception. An open-audit exception is a violation that has not been fixed.

7.3.7.2 Accounts Meta-Information Pop-Up Help

The Accounts Meta-Information Pop-Up consists of the following sections:

  • General - This provides information about the account and its entitlements.

    • Account - This lists account information such as name, resource, and domain.

    • Entitlement - This lists information about the account's entitlements.

  • Open Audit Exception - This section shows if the account is part of an open-audit exception. An open-audit exception is a violation that has not been fixed.

  • Certification History - This section shows the certification history of the account. The information provided here includes a description of the action taken, the date that the action was taken, and comments, if any.

  • Provisioning Method - (This section is available if the Oracle Identity Manager provisioning solution is enabled.) Provisioning Method provides information about how the item was provisioned to the system.

  • User Activity - This section displays the user's recent account activity. The section is divided into two subtabs:

    • Alerts - Displays the alerts raised by the Intellitactics Security Information and Event Management (SIEM) solution when it detects event violations based on the SIEM solution's internally defined rule set. The tab displays the alert title, description, time range, score, and status. These fields display the value captured by the SIEM solution.

    • All Events - Displays user activity events, which are collected from monitored endpoints by the Intellitactics SIEM system and reported in Oracle Identity Analytics as daily summarized data. The tab displays the event ID, event type, time range, count, and user ID. These fields display the value captured by the SIEM solution.

    Note - The User Activity section will be displayed if Oracle Identity Analytics is integrated with Intellitactics Security Manager, a security information and event monitoring solution. To learn more about Intellitactics Security Manager, see "Integrating with Intellitactics Security Manager" in the Administrator's Guide for Oracle Identity Analytics.

7.3.7.3 Attribute Meta-Information Pop-Up Help

The Attribute Meta-Information Pop-Up consists of the following sections:

  • General - This section lists the attribute name, value, and glossary information. It also lists the attribute hierarchy, if any.

  • Certification History - This section shows the certification history of the attribute. The information provided includes a description of the action taken, the date the action was taken, and comments, if any.

  • Provisioning Method - (This section is available if the Oracle Identity Manager provisioning solution is enabled.) Provisioning Method provides information about how the item was provisioned to the system.

7.3.7.4 Policy Meta-Information Pop-Up Help

The Policy Meta-Information Pop-Up consists of three sections:

  • General - This section includes information about the policy.

    • General tab - Displays basic information about the policy.

    • Business Structures tab - Displays the business structures associated with the policy.

    • Ownership tab - Displays the policy owner.

    • Resources tab - Displays all the resources associated with the policy.

    • Exclusion Policies tab - Displays conflicting policies. This helps define segregation of duties at the policy level.

    • Roles tab - Displays the roles associated with the policy.

    • Entitlements tab - Displays the attribute and the corresponding attributes values.

  • Open Audit Exception - This section shows if the policy is part of an open-audit exception. An open-audit exception is a violation that has not been fixed.

  • Certification History - This section shows the certification history of the policy. Information includes a description of the action taken, the date the action was taken, and comments, if any.

7.4 Completing Certifications

This section describes how to complete certifications in Oracle Identity Analytics. It includes the following topics:

7.4.1 To Find and Open Your Certifications

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. To search for specific certifications, use the Show Me drop-down menu, or click the expand icon on the left side of the page to open the Search panel.

    • The Show Me drop-down menu displays the following options: New & In Progress, All, New, In Progress, Complete, and Expired.

    • The search panel enables you to search for a certification using the following fields: Certification Name, Business Structure, Created By, Updated By.

    • Certifications use the following naming convention: Name-of-the-certification_Certifier's-last-name_Certifier's-first-name.

      Note:

      - During certification, to obtain additional information about users, roles, attributes, and policies, click the More Info link.

  4. Click a certification to open it.

    The Certification Details page opens.

7.4.2 To Delegate a Certification to Another User

Use the steps in this section if you want to delegate a particular certification to someone else.

Note:

If you will be unable to complete certifications for an extended period of time, you can delegate certifications to another user to complete. Refer to Section 4.1.2.1, "To Delegate Certification-Related Duties to Another User" to delegate all certification completion tasks to another manager.

Before You Begin - Open your list of assigned certifications by following the steps in Section 7.4.1, "To Find and Open Your Certifications."

  1. Click to open the certification that you want to delegate.

    The Certification page opens.

  2. Click the More Info icon next to the certification name on the summary page.

    Your name will be displayed as the certifier in the Certification Overview box.

  3. Click the Search icon to search for a user to delegate the certification to. For help using Search, see Section 6.3.1, "Searching for a User."

  4. Click Close.

7.4.3 To Complete a User Entitlement Certification

User Entitlement Certification enables managers to certify employee access to roles and related entitlements. To complete a user entitlement certification, follow these steps:

Before You Begin - Open your user entitlement certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.

  1. Reassign users who do not work for you.

    See Section 7.4.3.1, "Step One: Re-Assign Users Who do not Work for You" for more information.

  2. Review users' roles and entitlements. Revoke the roles and entitlements that are no longer applicable and certify the rest.

    See Section 7.4.3.2, "Step Two: Review Roles and Entitlements and Revoke Those That No Longer Apply" for more information.

  3. (Optional) Bulk certify multiple users with low risk levels.

    See Section 7.4.3.3, "Step Three: Bulk Certify Low-Risk Users (Optional)" for more information.

  4. Complete the user entitlement certification.

    See Section 7.4.3.4, "Step Four: Complete the User Entitlement Certification" for more information.

7.4.3.1 Step One: Re-Assign Users Who do not Work for You

  1. Review the certification and verify that the listed employees work for you and also that you are responsible for verifying their assigned roles and entitlements.

  2. Remove users who do not belong in your verification queue by selecting the check box next to each user name and clicking one of the following buttons:

    • Decline - The employee does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.

    • Delegate - The employee reports to another manager. Select the manager who is responsible for verifying this employee's assigned roles and entitlements. You will not approve or revoke roles and entitlements for this employee.

    • Disclaim Worker - The employee is no longer part of the organization. The employee is removed from the certification process and you will not approve or revoke roles and entitlements for this employee.

  3. To return a user to your verification queue, select the check box next to the user name and click the following button:

    • Claim - Restores a user to your verification queue for certification.

Tip:

For a description of the fields on the User Entitlement Certification user interface pages, see Section 7.3.2, "User Entitlement Certification Help."

7.4.3.2 Step Two: Review Roles and Entitlements and Revoke Those That No Longer Apply

Before You Begin - Complete the steps in Section 7.4.3.1, "Step One: Re-Assign Users Who do not Work for You."

  1. Filter the users in your certification queue by risk level or assignment status by choosing an option from the Filter Users By menu.

    • Show All - Displays all users.

    • Risk Level - Display users by High, Medium, or Low risk level. Click + to add an additional filter option; click - to remove the filter option. Click Apply to apply the filter and refresh the page.

    • Status - Display users by Claim, Decline, Delegate, or Disclaim status.

      Note:

      Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here.

  2. Click a user to review the employee's assigned roles.

    Tip:

    If the user has a large number of roles, use the Filter Roles By menu to view only High, Medium, or Low risk-level roles. For a description of the fields on the user entitlement user interface pages, see Section 7.3.2, "User Entitlement Certification Help."

  3. Carry out the following actions as required:

    • Revoke - To revoke a role if the entitlement is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the accounts and entitlements that make up the revoked roles will be automatically de-provisioned.

    • Certify Conditionally - To temporarily certify one or more entitlements, even though the entitlements might not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.

    • Certify - To certify one or more roles if they are valid for this user, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.

    • Decline - Select the applicable check boxes and click Decline if you do not know if the employee's access is valid. The employee's access is neither certified nor revoked. The employee's access details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.

  4. Click the Entitlements tab to review the user's entitlements that have been assigned outside of a role. Revoke, Certify Conditionally, Certify, and/or Decline the user's entitlements as needed.

  5. Click Back to Search Results to review the next employee's assigned roles and entitlements and to revoke those that are no longer applicable.

7.4.3.3 Step Three: Bulk Certify Low-Risk Users (Optional)

The bulk certify action will certify the selected users and set the status to 100%. Any blank status on a role, an account, or an entitlement for the selected users will be set to Certify.

Before You Begin - For employees who do not have low risk levels, complete the steps in Section 7.4.3.2, "Step Two: Review Roles and Entitlements and Revoke Those That No Longer Apply."

  1. To bulk certify multiple users, select the check box next to each user name and click the Certify User button.

    Note:

    Use the global check box at the top of the column to select all of the employees listed. In the dialog box, choose whether you want to certify only the users who are displayed on the current page, or if you want to certify all of the users in the certification.

  2. Type a comment in the box and click OK.

7.4.3.4 Step Four: Complete the User Entitlement Certification

When all of the users are certified, the Complete Certification dialog box opens.

Note - To be complete, the Certification Details page should show 100% complete for all users.

  1. Do one of the following:

    • To complete the certification, select Yes, type your password, and click Submit.

    • To edit the certification or return to the certifications page, select Not right now.

7.4.4 To Complete a Role Entitlement Certification

Role Entitlement Certification enables role owners to certify roles and role content. To complete a role entitlement certification, follow these steps:

Before You Begin - Open your role entitlement certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.

  1. Decline the roles that do not belong to you. See Section 7.4.4.1, "Step One: Decline the Roles That do not Belong to You" for more information.

  2. Review the content of your roles. Revoke the policies, entitlements, and role members that are no longer correct and certify the rest. See Section 7.4.4.2, "Step Two: Review the Contents of Your Roles" for more information.

  3. (Optional) Bulk certify roles with low risk levels. See Section 7.4.4.3, "Step Three: Bulk Certify Low-Risk Roles (Optional)" for more information.

  4. Complete the role entitlement certification. See Section 7.4.4.4, "Step Four: Complete the Role Entitlement Certification" for more information.

7.4.4.1 Step One: Decline the Roles That do not Belong to You

  1. Review the certification and verify that the listed roles belong to you and that you are responsible for verifying the roles and the role content.

  2. Decline the roles that do not belong in your verification queue by selecting the check box next to each role name and clicking one of the following buttons:

    • Decline - The role does not belong to you and you are not responsible for verifying the role and its content.

    • Claim - The role belongs to you and you are responsible for verifying the role and its content.

Tip:

For a description of the fields on the Role Entitlement Certification user interface pages, see Section 7.3.3, "Role Entitlement Certification Help."

7.4.4.2 Step Two: Review the Contents of Your Roles

Before You Begin - Complete the steps in Section 7.4.4.1, "Step One: Decline the Roles That do not Belong to You."

  1. Filter the roles in your certification queue by risk level by choosing an option from the Filter Data By menu.

  2. Click a role to open the policies detail page. The policies detail page shows the policies that belong to this role, as well as the attributes (or entitlements) that make up each policy.

  3. Review the role's policies and attributes.

    Tip:

    If the role has a large number of policies and attributes, use the Filter Data By menu to view only High, Medium, or Low risk-level items.

    For a description of the fields on the role entitlement user interface pages, see Section 7.3.3, "Role Entitlement Certification Help."

  4. Carry out the following actions as required:

    • Revoke - To revoke a policy or attribute if it is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the policy or attribute will be automatically de-provisioned.

    • Certify Conditionally - To temporarily certify a policy or attribute, even though the policy or attribute may not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.

    • Certify - To certify a policy or attribute if it is valid for this role, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.

    • Decline - Select the applicable check box and click Decline if you do not know if the policy or attribute is valid. The policy or attribute is neither certified nor revoked. The role's details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.

  5. Click the Members tab to review the users who have this role assigned. Revoke, Certify Conditionally, Certify, and/or Decline the role's members as needed.

  6. Click Back to Search Results to review the next role's assigned policies and attributes and to revoke those that are no longer applicable.

7.4.4.3 Step Three: Bulk Certify Low-Risk Roles (Optional)

The Complete Roles action will certify the selected roles and set the status to 100%. Any blank status on a policy, attribute, or role member for the selected roles will be set to Certify.

Before You Begin - For roles that do not have low risk levels, complete the steps in Section 7.4.4.2, "Step Two: Review the Contents of Your Roles."

  1. To bulk certify multiple roles, select the check box next to each role name and click the Complete Roles button.

    Note:

    Use the global check box at the top of the column to select all of the roles listed. In the dialog box, choose whether you want to certify only the roles that are displayed on the current page, or if you want to certify all of the roles in the certification.

  2. Type a comment in the box and click OK.

7.4.4.4 Step Four: Complete the Role Entitlement Certification

When all of the roles are certified, the Complete Certification dialog box opens.

Note - To be complete, the Certification Details page should show 100% complete for all roles.

  1. Do one of the following:

    • To complete the certification, select Yes, type your password, and click Submit.

    • To edit the certification or return to the certifications page, select Not right now.

7.4.5 To Complete a Resource Entitlement Certification

Resource Entitlement Certification involves certifying or revoking employee entitlements on one or more resources. Resource entitlements are entitlements that are assigned directly to an employee and are not assigned to an employee as part of a role. To complete a resource entitlement certification, follow these steps:

Before You Begin - Open your resource entitlement certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.

  1. Decline the resources that do not belong to you. See Section 7.4.5.1, "Step One: Decline the Resources That do not Belong to You" for more information.

  2. Review the accounts and attributes (entitlements) that are assigned to users. Revoke the accounts and attributes that are no longer correct and certify the rest. See Section 7.4.5.2, "Step Two: Review Your Account and Attribute Assignments" for more information.

  3. (Optional) Bulk certify resources with low risk levels. See Section 7.4.5.3, "Step Three: Bulk Certify Resources With Low-Risk Assignments (Optional)" for more information.

  4. Complete the resource entitlement certification. See Section 7.4.5.4, "Step Four: Complete the Resource Entitlement Certification" for more information.

7.4.5.1 Step One: Decline the Resources That do not Belong to You

  1. Review the certification and verify that the listed resource belongs to you and that you are responsible for verifying the resource accounts and attributes (entitlements) that are assigned to users.

  2. Decline the resources that do not belong in your verification queue by selecting the check box next to each resource name and clicking one of the following buttons:

    • Decline - The resource does not belong to you and you are not responsible for verifying the users with accounts and entitlements on the resource.

    • Claim - The resource belongs to you and you are responsible for verifying the users with accounts and entitlements on the resource.

Tip:

For a description of the fields on the Resource Entitlement Certification user interface pages, see Section 7.3.4, "Resource Entitlement Certification Help."

7.4.5.2 Step Two: Review Your Account and Attribute Assignments

Before You Begin - Complete the steps in Section 7.4.5.1, "Step One: Decline the Resources That do not Belong to You."

  1. Filter the resources in your certification queue by risk level by choosing an option from the Filter Data By menu.

  2. Click a resource name to open the resource detail page. The resource detail page shows the accounts and attributes (entitlements) that are assigned to users.

  3. Review the assigned accounts and attributes.

    Tip:

    If the resource has a large number of assigned accounts and attributes, use the Filter Data By menu to view only High, Medium, or Low risk-level items.

    For a description of the fields on the resource entitlement user interface pages, see Section 7.3.4, "Resource Entitlement Certification Help."

  4. Carry out the following actions as required:

    • Revoke - To revoke an assigned account or entitlement if it is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the account or attribute will be automatically de-provisioned.

    • Certify Conditionally - To temporarily certify an assigned account or entitlement, even though the account or entitlement may not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.

    • Certify - To certify an assigned account or entitlement, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.

    • Decline - Select the applicable check box and click Decline if you do not know if the assigned account or entitlement is valid. The assigned account or entitlement is neither certified nor revoked. The resource's details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.

  5. Click Back to Search Results to review the next resource's assigned accounts and attributes and to revoke those that are no longer applicable.

7.4.5.3 Step Three: Bulk Certify Resources With Low-Risk Assignments (Optional)

The Complete Resource action will certify the selected resources and set the status to 100%. Any blank status on an account or attribute (entitlement) for the selected resources will be set to Certify.

Before You Begin - For resources that do not have low risk levels, complete the steps in Section 7.4.5.2, "Step Two: Review Your Account and Attribute Assignments."

  1. To bulk certify multiple resources, select the check box next to each resource name and click the Complete Resource button.

    Tip:

    Use the global check box at the top of the column to select all of the resources listed. In the dialog box, choose whether you want to certify only the resources that are displayed on the current page, or if you want to certify all of the resources in the certification.

  2. Type a comment in the box and click OK.

7.4.5.4 Step Four: Complete the Resource Entitlement Certification

When all of the resources are certified, the Complete Certification dialog box opens.

Note - To be complete, the Certification Details page should show 100% complete for all resources.

  1. Do one of the following:

    • To complete the certification, select Yes, type your password, and click Submit.

    • To edit the certification or return to the certifications page, select Not right now.

7.4.6 To Complete a Data Owner Certification

Data Owner Certification enables data owners to certify whether employees should be able to access data. To complete a data owner certification, follow these steps:

Before You Begin - Open your data owner certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.

  1. Decline any data sources that do not belong to you. See Section 7.4.6.1, "Step One: Decline the Data Sources That do not Belong to You" for more information.

  2. Review the list of users who are assigned to the data source. Revoke the user accounts that should not have access and certify the rest. See Section 7.4.6.2, "Step Two: Review Your User Assignments" for more information.

  3. (Optional) Bulk certify items with low risk levels. See Section 7.4.6.3, "Step Three: Bulk Certify Data Sources With Low-Risk Assignments (Optional)" for more information.

  4. Complete the data owner certification. See Section 7.4.6.4, "Step Four: Complete the Data Owner Certification" for more information.

7.4.6.1 Step One: Decline the Data Sources That do not Belong to You

  1. Review the certification and verify that the listed data sources belong to you and that you are responsible for verifying user access to the data.

  2. Decline the data sources that do not belong in your verification queue by selecting the check box next to each Attribute/Attribute-Value name and clicking one of the following buttons:

    • Decline - The data source does not belong to you and you are not responsible for verifying the users with access privileges to the data.

    • Claim - The data source belongs to you and you are responsible for verifying the users with access privileges to the data.

Tip:

For a description of the fields on the Data Owner Certification user interface pages, see Section 7.3.5, "Data Owner Certification Help."

7.4.6.2 Step Two: Review Your User Assignments

Before You Begin - Complete the steps in Section 7.4.6.1, "Step One: Decline the Data Sources That do not Belong to You."

  1. Filter the data sources in your certification queue by risk level by choosing an option from the Filter Data By menu.

  2. Click an attribute value to open the entitlement detail page. The entitlement detail page shows the users who are assigned to the data source.

  3. Review the list of assigned users.

    Tip:

    If the data source has a large number of assigned users, use the Filter Data By menu to view only High, Medium, or Low risk-level items.

    For a description of the fields on the data owner certification user interface pages, see Section 7.3.5, "Data Owner Certification Help."

  4. Carry out the following actions as required:

    • Revoke - To revoke a user account if it is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the account will be automatically de-provisioned.

    • Certify Conditionally - To temporarily certify a user, even though the user access may not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.

    • Certify - To certify a user, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.

    • Decline - Select the applicable check box and click Decline if you do not know if the user access is valid. The user access is neither certified nor revoked. The details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.

  5. Click Back to Search Results to review the next data source's assigned users and to revoke those that should no longer have access.

7.4.6.3 Step Three: Bulk Certify Data Sources With Low-Risk Assignments (Optional)

The Complete User Access action will certify the selected data sources and set the status to 100%. Any blank status on a user account for the selected data sources will be set to Certify.

Before You Begin - For data sources that do not have low risk levels, complete the steps in Section 7.4.6.2, "Step Two: Review Your User Assignments."

  1. To bulk certify multiple data sources, select the check box next to each attribute-name/attribute-value and click the Complete User Access button.

    Note:

    Use the global check box at the top of the column to select all of the data sources listed. In the dialog box, choose whether you want to certify only the data sources that are displayed on the current page, or if you want to certify all of the data sources in the certification.

  2. Type a comment in the box and click OK.

7.4.6.4 Step Four: Complete the Data Owner Certification

When all of the data sources are certified, the Complete Certification dialog box opens.

Note - To be complete, the Certification Details page should show 100% complete for all data sources.

  1. Do one of the following:

    • To complete the certification, select Yes, type your password, and click Submit.

    • To edit the certification or return to the certifications page, select Not right now.

7.4.7 To De-provision Accounts During The Certification Process

As a certifier, you can directly de-provision the accounts or roles you revoke during the certification process. Check with your Oracle Identity Analytics administrator to confirm whether this feature is configured.

To check and de-provision accounts, do the following:

  1. Review and certify or revoke access to accounts, attributes, roles, policies and entitlements.

  2. Select 'revoke' from the drop-down menu against an account, attribute, role or policy.

  3. Click the hyperlinked resource name under the resource column.

  4. Follow the steps.

Note - If Oracle Identity Analytics is integrated with Oracle Waveset (Sun Identity Manager), then revoked accounts will be de-provisioned automatically.

7.5 Viewing Certification Reports

Managers can view or export reports of completed certifications. Various reports are available for each certification type.

7.5.1 To View a Certification Report

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. Choose Complete from the Show Me drop-down menu.

    A list of completed certifications is displayed.

  4. Click the certification that you want to view.

  5. Select the type of report you want to view and click OK.

    The report is displayed.

  6. Click Actions to either print or export the report.

7.5.2 Certification Reports Available in Oracle Identity Analytics

This section details the various certification reports that are available in Oracle Identity Analytics.

Table 7-6 User Entitlement Certification Reports

  • Revoked access report - Lists access marked as revoked.

  • Certified access report - Lists access marked as certified.

  • Terminated users report - Lists employees that were marked as terminated.

  • Completed certification report - Comprehensive report of a user entitlement certification. This report includes a list of all employees and their access.

  • Abstain report - Lists certification items that the certifier declined to complete because the certifier is not responsible for verifying the user's assigned roles and entitlements.

  • Certify conditionally report - Lists access that the certifier temporarily certified, even though the access may not be valid. Certifiers are required to enter an end date, which is included in this report; however, the system does not revoke the access or send out notices regarding expired end dates.
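As an added example (not Oracle's code), the following Python model captures the status rules this chapter describes: the bulk-certify rule of Section 7.4.3.3 (only blank statuses become Certify; Revoke, Decline and conditional decisions are kept), the "100% complete for all users" check of Section 7.4.3.4, and a follow-up check for conditional certifications whose end date has passed, which the report above notes the system neither revokes nor flags. User names, item names and dates are constructed sample data.

```python
"""Constructed model of OIA certification item statuses (not Oracle's code)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# Status values as they appear in the certification UI; None means no action yet.
CERTIFY = "Certify"
REVOKE = "Revoke"
CERTIFY_CONDITIONALLY = "Certify Conditionally"
DECLINE = "Decline"


@dataclass
class Item:
    """One row in a user's certification: a role, an account or an entitlement."""
    user: str
    kind: str                       # "role", "account" or "entitlement"
    name: str
    status: Optional[str] = None    # None == blank status in the UI
    end_date: Optional[str] = None  # ISO date, only for Certify Conditionally
    comment: str = ""


def sample_items() -> List[Item]:
    """Constructed sample certification; a fresh list on every call."""
    return [
        Item("jsmith", "role", "Finance Analyst", REVOKE, comment="moved to HR"),
        Item("jsmith", "entitlement", "GL Ledger Read"),
        Item("jsmith", "account", "erp-prod"),
        Item("mlee", "role", "DBA", CERTIFY_CONDITIONALLY, "2011-01-31",
             "contractor, recheck at contract end"),
        Item("mlee", "entitlement", "SAP Pay Run"),
        Item("akhan", "account", "ad-corp", CERTIFY, comment="ok"),
    ]


def completion_percent(items: Iterable[Item], user: str) -> float:
    """Share of a user's items that carry any decision (the per-user % shown on
    the Certification Details page). A user with no items counts as complete."""
    mine = [i for i in items if i.user == user]
    if not mine:
        return 100.0
    decided = sum(1 for i in mine if i.status is not None)
    return 100.0 * decided / len(mine)


def is_complete(items: Iterable[Item], users: Iterable[str]) -> bool:
    """Section 7.4.3.4: the certification can be completed only when every
    listed user shows 100%."""
    items = list(items)
    return all(completion_percent(items, u) == 100.0 for u in users)


def bulk_certify(items: Iterable[Item], selected_users: Iterable[str],
                 comment: str) -> int:
    """Certify User button (Section 7.4.3.3): blank statuses of the selected
    users become Certify. Decisions already recorded, including Revoke, are
    left untouched, so a revoked role is never silently re-approved.
    Returns the number of items changed."""
    selected = set(selected_users)
    changed = 0
    for i in items:
        if i.user in selected and i.status is None:
            i.status = CERTIFY
            i.comment = comment
            changed += 1
    return changed


def expired_conditional(items: Iterable[Item], today_iso: str) -> List[Item]:
    """Conditional certifications whose End Date has passed. OIA records the
    end date in the Certify conditionally report but does not revoke the
    access or send notices, so this follow-up has to be done by the certifier."""
    today = date.fromisoformat(today_iso)
    return [
        i for i in items
        if i.status == CERTIFY_CONDITIONALLY
        and i.end_date is not None
        and date.fromisoformat(i.end_date) < today
    ]


if __name__ == "__main__":
    cert = sample_items()
    users = ["jsmith", "mlee", "akhan"]
    for u in users:
        print(f"{u}: {completion_percent(cert, u):.0f}% complete")
    print("bulk certified items:", bulk_certify(cert, ["jsmith", "mlee"], "low risk"))
    print("certification complete:", is_complete(cert, users))
    for i in expired_conditional(cert, "2011-03-01"):
        print(f"follow up: {i.user} {i.kind} {i.name} expired {i.end_date}")
```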


Table 7-7 Role Entitlement Certification Reports

  • Revoked entitlement report - Lists entitlements marked as revoked.

  • Certified entitlement report - Lists entitlements marked as certified.

  • Complete certification report - Comprehensive report of a role entitlement certification.


Table 7-8 Resource Entitlement Certification Reports

  • Revoked entitlement report - Lists entitlements marked as revoked.

  • Certified entitlement report - Lists entitlements marked as certified.

  • Completion certification report - Comprehensive report of a resource entitlement certification.


Table 7-9 Data Owner Certification Reports

  • Certify Access report - Lists access marked as certified.

  • Revoked access report - Lists access marked as revoked.

  • Declined report - Lists access that the certifier declined to review because the data source does not belong to the certifier.

  • Complete data ownership report - Comprehensive report of a data owner certification, including revoked and certified access.