Oracle Identity Analytics User's Guide 11g Release 1
Completing Certifications

This section describes how to complete access certifications in Oracle Identity Analytics.

If closed-loop remediation is configured, you can directly de-provision the accounts you revoke. Closed-loop remediation is a feature that allows you to directly revoke roles and entitlements from the provisioning solution as a result of roles and entitlements revoked during the certification process. This feature is applicable only if the provisioning solution is Oracle Waveset (Sun Identity Manager).

However, for non-managed applications, you can manually revoke roles and entitlements by using the information stored in the remediation configuration module.

To learn how to de-provision accounts during a certification process, see To De-provision Accounts During The Certification Process. When roles are revoked, Oracle Identity Analytics de-provisions them directly because it is the authoritative source for roles.

To Complete a User Entitlement Certification

User Entitlement Certification enables managers to certify employee access to roles and related entitlements. User Entitlement Certification is a two-step process: Step one involves certifying or revoking access to an account, while step two involves certifying or revoking access to roles and the entitlements assigned outside of roles.

Note - During certification, to obtain additional information about users, roles, attributes, and policies, click the More Info link. See Getting More Information About User Accounts, Roles, Attributes, and Policies for help.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. To search for specific certifications, use the Show Me drop-down menu, or click the Search panel on the left side of the page.

    Certifications use the following naming convention: Name-of-the-certification_Certifier's-last-name_Certifier's-first-name.

  4. Click a certification to open it.

  5. To view certification details, click Show Details on the right side of the page.

    See Certification Details Help to understand the information displayed.

  6. Scroll down to the section titled Step 1: Employment Verification.

    In this step you verify that the listed employees work for you and also that you are responsible for verifying their assigned roles and entitlements.

  7. Use the drop-down menu in the last column to assign a status update to each employee:

    • Works for me - The employee works for you and you are responsible for verifying his assigned roles and entitlements.

    • Does not work for me - The employee does not work for you and you are not responsible for verifying his assigned roles and entitlements.

    • Reports to - The employee reports to another manager. Select the manager who is responsible for verifying this employee's assigned roles and entitlements. You will not approve or revoke roles and entitlements for this employee in Step 2 of the certification process.

    • Terminated - The employee is no longer part of the organization. The employee is removed from the certification process and you will not approve or revoke roles and entitlements for this employee in Step 2.

      Note - To save time, use the global drop-down menu to make a selection for all of the employees listed.

  8. Click Go To Step 2.

    In Step 2 you will approve or revoke roles and entitlements for the employees that work for you.

    The Approve or Revoke Roles and Entitlements page opens.

    Note - Use the Group Data By drop-down menu to select how you would like to see employees listed on the page. You can sort by the following variables: My Employees, Applications, Location, Job Code, Manager, Office Name, Department, Employee Type, Title, Country and State.

  9. Click to expand each employee's role and entitlement information.

  10. Information about the employee is listed. Information includes the name of the employee, designation, Employee Identification (EID) number, phone, and e-mail ID.

  11. Review each role and entitlement before completing the form.

    When completing the form, be aware of the following:

    • You can click the Certify All, Revoke All, Unknown All, or Exception Allowed All links. Clicking these links will change the status of all accounts and entitlements.

    • You can use the top-most drop-down menu to certify access to an employee account, while choosing Revoke, Unknown, or Exception Allowed to act on individual entitlements listed under that account.

    • When evaluating an employee's entitlement access, if you select Revoke, Unknown, or Exception Allowed from the top-most drop-down menu, you will lose the ability to enter line-item information for each entitlement. If you need to be able to evaluate individual entitlements, do not choose Revoke, Unknown, or Exception Allowed from this menu.

  12. Use the top-most drop-down menu to select from the following list of actions:

    • Certify - The employee's access is valid.

    • Revoke - The employee's access is not valid and should be revoked. When selecting Revoke, you are prompted to annotate this record with a comment.

    • Unknown - You do not know if the employee's access is valid. The employee's access is neither certified nor revoked. The employee's access details appear in the certification report for post-certification action. When selecting Unknown, you are prompted to annotate this record with a comment.

    • Exception Allowed - You temporarily certify access even though the access might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

      The Complete Certification box opens.

  13. Do one of the following:

    • To complete the certification, click Yes and enter your password.

    • To edit the certification or return to the certifications page, click No.

To Complete a Role Entitlement Certification

Role Entitlement Certification enables role owners to certify roles and role content. This certification is a two-step process: Step one involves verifying that you are responsible for the roles listed, while step two involves certifying or revoking access to the individual entitlements that define the role.

Note - During certification, to obtain additional information about users, roles, attributes, and policies, click the More Info link. See Getting More Information About User Accounts, Roles, Attributes, and Policies for help.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. To search for specific certifications, use the Show Me drop-down menu, or click the Search panel on the left side of the page.

    Certifications use the following naming convention: Name-of-the-certification_Certifier's-last-name_Certifier's-first-name.

  4. Click a certification to open it.

  5. To view certification details, click Show Details on the right side of the page.

    See Certification Details Help to understand the information displayed.

  6. Scroll down to the section titled Step 1: Role Verification.

    In this step you verify that you are responsible for the listed roles and the policies and entitlements that are linked to the role.

  7. Use the drop-down menu in the right-most column to assign one of the following status updates to each role:

    • Belongs to me - You are responsible for the role and the policies and entitlements that are linked to the role. Selecting this option enables role review in Step 2 of the certification process.

    • Does not belong to me - You are not responsible for the role. You will not verify the role-associated policies and entitlements for roles that do not belong to you.

      Note - To view information about specific roles, accounts, and attributes, click More Info. See Understanding The Accounts Meta Information dialog box for more information.

  8. Click Go to Step 2.

    In Step 2 you will certify or revoke the entitlements that are linked to the role.

  9. Click to expand each role's policy and entitlement information.

    Roles contain policies, and policies contain entitlements.

  10. Review the policy and entitlement information before completing the form.

    When completing the form, be aware of the following:

    • You can use the top-most drop-down menu to certify a role's entitlements, while choosing Revoke, Unknown, or Exception Allowed, to act on individual entitlements listed under that role.

    • When evaluating a role's entitlements, if you use the top-most drop-down menu to select Revoke, Unknown, or Exception Allowed, you will lose the ability to enter line-item information for each entitlement. If you need to be able to evaluate individual entitlements, do not choose Revoke, Unknown, or Exception Allowed from this menu.

  11. Use the top-most drop-down menu to select from the following list of actions:

    • Certify - The entitlement is valid for this role.

    • Revoke - The entitlement is not valid for this role and should be revoked. When selecting Revoke, you are prompted to annotate this record with a comment.

    • Unknown - You do not know if the entitlement is valid. The employee's access is neither certified nor revoked. The employee's access details appear in the certification report for post-certification action. When selecting Unknown, you are prompted to annotate this record with a comment.

    • Exception Allowed - You temporarily certify access even though the access might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

  12. When finished with the role certifications, click Complete Certification.

    The Complete Certification box opens.

  13. Do one of the following:

    • To complete the certification, click Yes and enter your password.

    • To edit the certification or return to the certifications page, click No.

To Complete a Resource Entitlement Certification

Resource Entitlement Certification involves certifying or revoking employee entitlements on one or more resources. Resource entitlements are entitlements that are assigned directly to an employee and are not assigned to an employee as part of a role.

Note - During certification, to obtain additional information about users, roles, attributes, and policies, click the More Info link. See Getting More Information About User Accounts, Roles, Attributes, and Policies for help.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. To search for specific certifications, use the Show Me drop-down menu, or click the Search panel on the left side of the page.

    Certifications use the following naming convention: Name-of-the-certification_Certifier's-last-name_Certifier's-first-name.

  4. Click a certification to open it.

  5. To view certification details, click Show Details on the right side of the page.

    See Certification Details Help to understand the information displayed.

  6. Click each resource section to open it.

    One or more user accounts are listed for that resource. Information about the employee is listed. Information includes name of the employee, designation, Employee Identification (EID) number, phone, and e-mail ID.

  7. Review the entitlement information before completing the form.

    When completing the form, be aware of the following:

    • You can use the top-most drop-down menu to certify employee access to a resource, while choosing Revoke, Unknown, or Exception Allowed, to act on individual entitlements listed under that resource.

    • When evaluating an employee's entitlements, if you use the top-most drop-down menu to select Revoke, Unknown, or Exception Allowed, you will lose the ability to enter line-item information for each entitlement. If you need to be able to evaluate individual entitlements, do not choose Revoke, Unknown, or Exception Allowed from this menu.

  8. Use the drop-down menu to select from the following list of actions:

    • Certify - The entitlement is valid for this employee.

    • Revoke - The entitlement is not valid for this employee and should be revoked. When selecting Revoke, you are prompted to annotate this record with a comment.

    • Unknown - You do not know if the entitlement is valid. The employee's access is neither certified nor revoked. The employee's access information is displayed in the certification report for post-certification action. When selecting Unknown, you are prompted to annotate this record with a comment.

    • Exception Allowed - You temporarily certify access even though the access might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

  9. When finished with the role certifications, click Complete Certification.

    The Complete Certification box opens.

  10. Do one of the following:

    • To complete the certification, click Yes and enter your password.

    • To edit the certification or return to the certifications page, click No.

To Complete a Data Owner Certification

Data Owner Certification enables data owners to certify whether employees should be able to access data. Data owner certification is a two-step process: Step one involves verifying that you are the data owner, while step two involves certifying or revoking employee access to the data.

Note - During certification, to obtain additional information about users, roles, attributes, and policies, click the More Info link. See Getting More Information About User Accounts, Roles, Attributes, and Policies for help.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. To search for specific certifications, use the Show Me drop-down menu, or click the Search panel on the left side of the page.

    Certifications use the following naming convention: Name-of-the-certification_Certifier's-last-name_Certifier's-first-name.

  4. Click a certification to open it.

  5. To view certification details, click Show Details on the right side of the page.

    See Certification Details Help to understand the information displayed.

  6. Scroll down to the section titled Step 1: Entitlement Verification.

    In this step you verify that you are responsible for the listed entitlements.

  7. Use the drop-down menu in the right-most column to assign one of the following status updates to each role:

    • Belongs to me - You are responsible for the entitlement listed. Selecting this option enables data access certification in Step 2 of the certification.

    • Does not belong to me - You are not responsible for the entitlement listed. You will not verify entitlements that do not belong to you.

  8. Click Go to Step 2.

    In Step 2 you will certify or revoke individual employees' entitlements to access data that is under your control.

  9. Review the entitlement information before completing the form.

    When completing the form, be aware of the following:

    • You can use the top-most drop-down menu to certify employee access, while choosing Revoke, Unknown, or Exception Allowed, to act on individual entitlements listed under that resource or role.

    • When evaluating entitlements, if you use the top-most drop-down menu to select Revoke, Unknown, or Exception Allowed, you will lose the ability to enter line-item information for each entitlement. If you need to be able to evaluate individual entitlements, do not choose Revoke, Unknown, or Exception Allowed from this menu.

  10. Use the drop-down menu to select from the following list of actions:

    • Certify - The entitlement is valid for this employee.

    • Revoke - The entitlement is not valid for this employee and should be revoked. When selecting Revoke, you are prompted to annotate this record with a comment.

    • Unknown - You do not know if the entitlement is valid. The employee's access is neither certified nor revoked. The employee's access information appears in the certification report for post-certification action. When selecting Unknown, you are prompted to annotate this record with a comment.

    • Exception Allowed - You temporarily certify access even though the access might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates.

  11. When finished with the certifications, click Complete Certification.

    The Complete Certification box opens.

  12. Do one of the following:

    • To complete the certification, click Yes and enter your password.

    • To edit the certification or return to the certifications page, click No.
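
Because the system neither revokes access nor sends notices when an Exception Allowed end date passes, and Unknown decisions are left for post-certification action, those records need a separate follow-up check. The script below is an added example, not part of the Oracle documentation or product: it scans a certification report exported to CSV and lists the rows that still need manual action. The column names and sample rows are assumptions constructed for this example, not the product's actual export layout.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are assumptions for this
# example, not Oracle Identity Analytics' actual report layout.
SAMPLE_EXPORT = """\
certification,user,entitlement,action,end_date,comment
Q1-Finance_Doe_Jane,asmith,GL_POST,Certify,,
Q1-Finance_Doe_Jane,asmith,AP_APPROVE,Exception Allowed,2024-03-31,Covering for leave
Q1-Finance_Doe_Jane,bjones,GL_ADMIN,Exception Allowed,2024-09-30,Migration project
Q1-Finance_Doe_Jane,bjones,HR_VIEW,Unknown,,Not sure who owns this
Q1-Finance_Doe_Jane,cwu,AP_APPROVE,Revoke,,Changed teams
Q1-Finance_Doe_Jane,cwu,GL_POST,Exception Allowed,,
"""


def follow_up_items(export_text, today):
    """Return (reason, row) pairs that need manual post-certification action."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        action = row["action"].strip()
        if action == "Unknown":
            # Neither certified nor revoked: someone still has to decide.
            findings.append(("unknown-decision", row))
        elif action == "Exception Allowed":
            raw = row["end_date"].strip()
            if not raw:
                # An exception without an end date never expires on paper.
                findings.append(("exception-missing-end-date", row))
                continue
            try:
                end = date.fromisoformat(raw)
            except ValueError:
                findings.append(("exception-bad-end-date", row))
                continue
            if end < today:
                # Access is still in place: nothing revoked it at expiry.
                findings.append(("exception-expired", row))
    return findings


if __name__ == "__main__":
    for reason, row in follow_up_items(SAMPLE_EXPORT, date(2024, 6, 1)):
        print(f"{reason:28} {row['user']:8} {row['entitlement']:12} {row['end_date']}")
```

Run on a schedule against each new export, a check like this gives expired exceptions an owner instead of leaving them in the report until the next certification cycle.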