15 Using Identity Certification

This chapter provides an overview of identity certification, describes the identity certification user interface, and includes information about how to complete identity certifications. It contains the following topics:

15.1 Identity Certification Overview

This section describes what, why, and how identity certifications are conducted. It also discusses who is typically involved in the identity certification process.

15.1.1 What Is Identity Certification?

Identity certification is the process of reviewing user entitlements and access-privileges within an enterprise to ensure that users have not acquired entitlements that they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access-privilege.

Certifications can be scheduled to run on a regular basis to meet compliance requirements. Managers use the identity certification feature to review their employees' entitlements to access applications and data. Based on changes reported by the identity certification module, managers can authorize or revoke employee access as needed.

You can create four types of certifications. Each type of certification addresses a particular use-case—a specific type of review that enterprises commonly perform. Each type of reviewer reviews a different subset of access-related data from a specific point of view.

Table 15-1 lists the four types of identity certification that are possible in Oracle Identity Manager.

Table 15-1 The Four Types of Identity Certification

(Each entry gives the identity certification type, followed by its description.)

User Certification

Allows managers to certify employee access to roles, accounts, and entitlements. Typically, each manager in an organization reviews the access-privileges of the people who report directly to that manager. Each reviewer in a certification of this type is focused on his or her direct-reports, but is expected to review all of the access-privileges for each direct report.

User certification optimizes review from the perspective of the line-of-business (LOB) manager, who must review all access-privileges for each user who reports to the LOB manager.

User certification also supports a two-phased review, in which user access rights can be reviewed by managers first, and subsequently by any of the other IT owners, such as role owner, application instance owner, or entitlement owner, all within a single certification campaign.

Role Certification

Allows role owners to certify role content and/or role members. This certification is used in organizations that have implemented role-based access control (RBAC). Typically, the owner of a role is the person responsible for reviewing its definition (that is, the set of access-privileges that it conveys) as well as its membership (the set of users to whom the role has been assigned). Each reviewer in a certification of this type is focused on a particular enterprise role.

Role certification optimizes review from the perspective of the role authorizer or role administrator, who must review the definition and the membership of each role that is owned by that role authorizer or role administrator.

Application Instance Certification

This certification allows the person who is responsible for a particular system or application to review the set of users who have accounts on that system or application. The reviewer can drill down and view the details of the access-privileges of each account. Each reviewer in a certification of this type is focused on one specific system or application.

Application instance certification optimizes review from the perspective of the Application Instance Authorizer or Application Instance Administrator, who must review the membership (accounts) and the set of privileges (entitlement-assignments) for each application that is owned by that Application Instance Authorizer or Application Instance Administrator.

Entitlement Certification

Allows entitlement owners to certify user accounts that have a particular privilege. This certification is used if a specific person is responsible for a particular entitlement (that is, an Attribute Value or a group membership that confers a specific access-privilege). The entitlement owner can review the set of user accounts that have that particular entitlement. Each reviewer in a certification of this type is focused on one specific privilege within one specific resource.

Entitlement certification optimizes review from the perspective of the Entitlement Authorizer or Entitlement Administrator, who must review the definition and the membership (entitlement-assignments) of each privilege (entitlement-definition) that is owned by that Entitlement Authorizer or Entitlement Administrator.


A scheduled job generates certifications based on a specified certification definition. Oracle Identity Manager applies the selection criteria within the certification definition to select the privilege assignments (and/or privilege definitions) that will be reviewed and by whom. Oracle Identity Manager generates a separate certification for each primary reviewer. Oracle Identity Manager also generates a review task for each primary reviewer. Oracle Identity Manager creates a new review task whenever a primary reviewer delegates or reassigns line-items to another reviewer. As each reviewer acts on the review task assigned to that reviewer, this updates the overall certification. Overall progress for each certification is visible from the Dashboard.

15.1.2 Who Is Involved in Completing Identity Certifications?

Identity certification allows personnel in an organization to review and certify user entitlement data, role content data, application instance data, and entitlement data. Following are descriptions of the types of users that are typically involved in the identity certification process, as well as the certifications that each user type can authorize or revoke. In Oracle Identity Manager, personnel who participate in the identity certification process are called reviewers.

Table 15-2 lists the reviewers involved in identity certification.

Table 15-2 Identity Certification Reviewers

(Each entry gives the reviewer name, a description, and the certification types that the reviewer can access.)

Certifier

A generic term that signifies a person who is responsible for reviewing and completing any kind of certification.

Certification types that can be accessed:

  • User certification

  • Role certification

  • Application instance certification

  • Entitlement certification

User manager

A manager with direct reports. Users report to a user manager.

Certification types that can be accessed:

  • User certification

Business reviewer

A user within an enterprise who reviews the access-privileges of other users from a business-oriented perspective. Typically, this is a Line-Of-Business (LOB) manager who is responsible for the access-privileges of users who report to him or her.

Note: LOB is a category of industry or business function. For example, an LOB manager is oriented to a business function within an enterprise, such as Sales.

Certification types that can be accessed:

  • User certification

  • Role certification

  • Application instance certification

  • Entitlement certification

Primary Reviewer

The person who is primarily responsible for making certification decisions on a particular set of line-items. The primary reviewer can reassign a line-item to another user, in which case that user becomes the new primary reviewer for that line-item and the original primary reviewer never sees that line-item again. The primary reviewer can also delegate any of his or her line-items to another person, in which case that person becomes the delegated reviewer for that line-item, but the primary reviewer retains responsibility for it.

Certification types that can be accessed:

  • User certification

  • Role certification

  • Application instance certification

  • Entitlement certification

Technical Reviewer

A user within an enterprise who reviews the access-privileges of others from a technically-oriented perspective. Typically, this is an IT expert or an application owner who is responsible for access-privileges being specified correctly, or for limiting access within the enterprise to a specific access-privilege.

Certification types that can be accessed:

  • User certification

Delegated Reviewer

A person who is assigned to help with the certification work. The delegated reviewer is secondarily responsible for making certification decisions on a particular set of line-items, but the primary reviewer remains ultimately responsible. Any decision made by the delegated reviewer eventually returns to the primary reviewer, who can override that decision.

Certification types that can be accessed:

  • User certification

  • Role certification

  • Application instance certification

  • Entitlement certification

Final Reviewer

The person who has the final say over the certification decisions. The final reviewer can review and override the certification decisions of other reviewers.

Final review is performed only after a two-phased review, and only when an administrator has configured the certification definition to enable it. The primary reviewer from the first phase can then make a final review of the certification actions taken by all the reviewers in the first two phases.

Certification types that can be accessed:

  • User certification


15.2 Certification UI

You can view and work with certification objects by using the following in Oracle Identity Self Service:

  • Inbox: The Inbox lists all the tasks assigned to the logged-in user on a single screen. You can filter the tasks into views that match your preferences, such as assigned tasks, completed tasks, and tasks for which information has been requested. Selecting a task opens it in a new tab, so you can work on several tasks at once by opening them in different tabs. The Inbox also lets you search tasks, organize them in views, and create shared views.

    To access the Inbox, log in to Oracle Identity Self Service, and click Inbox on the left navigation pane.

    See Also:

    "Managing Certification Review Tasks" for detailed information about the Inbox and the operations you can perform by using the Inbox
  • Dashboard: The Identity Certification Dashboard provides an overview of in-progress and completed certifications in the system. Which certifications you see depends on your role: a user with the Certification Administrator or Certification Viewer admin role sees every certification in the system, whereas a non-administrative user, for example a manager, sees only the certifications for which that user is the primary reviewer. Primary reviewers and users with the Certification Viewer admin role can only view certification information; a user with the Certification Administrator admin role can, in addition, take basic actions on in-progress certifications. The primary reviewer acts on certification tasks from the Inbox, not from the Dashboard.

    To access the Dashboard, log in to Oracle Identity Self Service, and click Dashboard under Certifications on the left navigation pane.

15.3 Certification Name Formats

Certification task names are displayed in different formats depending on the review phase and the reviewer. Table 15-3 lists the name format used in each review phase. Because a segment is appended to the name for every reassignment or delegation, the name itself records who the phase 1 primary reviewer was and who currently holds the task, which makes it the quickest way to reconstruct the review chain of a task from the Inbox alone.

See Also:

"Understanding Multi-Phased Review in User Certification" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about the review phases in multi-phased review for user certification

Table 15-3 Certification Name Formats

(Each entry gives the review phase, the name format, and an example. CERT_DEFINITION is the name of the certification definition; each bracketed segment names a reviewer.)

Phase 1 (P1)

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]

Phase 1 Reassign

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Reassigned[ NEW_PRIMARY_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Reassigned[ Jane Doe ]

Phase 1 Delegate

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Delegated[ P1_DELEGATED_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Delegated[ Jane Doe ]

Phase 1 Verification

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Verification
  Example: Q1 Access 2012[ Robert Klein ]Verification

Phase 2 (P2)

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]

Phase 2 Reassign

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Reassigned[ Jane Doe ]

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Reassigned[ Jane Doe ]

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Reassigned[ Jane Doe ]

Phase 2 Delegate

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Delegated[ P2_DELEGATED_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Delegated[ Jane Doe ]

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Delegated[ P2_DELEGATED_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Delegated[ Jane Doe ]

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Delegated[ P2_DELEGATED_REVIEWER ]
  Example: Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Delegated[ Jane Doe ]

Phase 2 Verification

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Verification
  Example: Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Verification

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Verification
  Example: Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Verification

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Verification
  Example: Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Verification

Final review

  Format:  CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Final Review
  Example: Q1 Access 2012[ Robert Klein ]Final Review
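The name formats in Table 15-3 are regular enough to be parsed mechanically, which is useful when you collect certification task names from the Inbox or from a report and need to know which phase each task is in, who holds it, and who remains accountable for its decisions. The following Python script is an added example written for this page; it is not part of Oracle Identity Manager and uses no Oracle API. It assumes the name formats exactly as Table 15-3 shows them and applies the responsibility rules from Table 15-2 (reassignment transfers responsibility, delegation does not). A definition or reviewer name that itself contains "[ " or " ]" is ambiguous and is not handled.

```python
"""Parse Oracle Identity Manager certification task names (Table 15-3).

Added example for this page; not Oracle code. Assumes the name formats
exactly as listed in Table 15-3.
"""
import re
from dataclasses import dataclass
from typing import Optional

# definition[ p1 ] + optional phase-2 segment + optional trailing action.
# The definition is matched non-greedily up to the first "[ ", so a definition
# name that itself contains "[ " is an ambiguity this parser does not resolve.
_NAME_RE = re.compile(
    r"^(?P<definition>.+?)\[ (?P<p1>[^\]]+) \]"
    r"(?:(?P<scope>Roles|Application Instances|Entitlements)\[ (?P<p2>[^\]]+) \])?"
    r"(?:(?P<action>Reassigned|Delegated)\[ (?P<target>[^\]]+) \]"
    r"|(?P<flag>Verification|Final Review))?$"
)


@dataclass(frozen=True)
class CertTask:
    definition: str        # certification definition name (CERT_DEFINITION)
    phase: str             # "P1", "P2" or "Final"
    scope: Optional[str]   # "Roles", "Application Instances" or "Entitlements" for P2 tasks
    action: str            # "Review", "Reassigned", "Delegated", "Verification", "Final Review"
    assigned_to: str       # reviewer whose Inbox holds this task
    responsible: str       # reviewer who remains accountable for the decisions


def parse_task_name(name: str) -> CertTask:
    """Split a certification task name into its parts and work out who holds it."""
    m = _NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a recognised certification task name: {name!r}")
    g = m.groupdict()
    definition, p1 = g["definition"], g["p1"]

    if g["flag"] == "Final Review":
        # Final review exists only at the phase-1 level and returns to the P1 primary reviewer.
        if g["scope"]:
            raise ValueError(f"Final Review cannot carry a phase-2 segment: {name!r}")
        return CertTask(definition, "Final", None, "Final Review", p1, p1)

    phase = "P2" if g["scope"] else "P1"
    phase_owner = g["p2"] if g["scope"] else p1   # primary reviewer for this phase

    if g["action"] == "Reassigned":
        # Reassignment moves the line-items and the responsibility to the new reviewer.
        return CertTask(definition, phase, g["scope"], "Reassigned", g["target"], g["target"])
    if g["action"] == "Delegated":
        # Delegation hands over the work, but the delegating reviewer stays responsible.
        return CertTask(definition, phase, g["scope"], "Delegated", g["target"], phase_owner)

    return CertTask(definition, phase, g["scope"], g["flag"] or "Review", phase_owner, phase_owner)


if __name__ == "__main__":
    # Constructed names following the formats in Table 15-3.
    for n in [
        "Q1 Access 2012[ Robert Klein ]",
        "Q1 Access 2012[ Robert Klein ]Delegated[ Jane Doe ]",
        "Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Reassigned[ Jane Doe ]",
        "Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Verification",
        "Q1 Access 2012[ Robert Klein ]Final Review",
    ]:
        print(parse_task_name(n))
```

The distinction between assigned_to and responsible is the one an auditor cares about: a Delegated task still belongs to the delegating reviewer, while a Reassigned task has changed hands completely.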


15.4 Searching and Viewing Certifications

This section describes how to search and filter certifications in the Inbox and the Dashboard, and how to view the details of a certification.

15.4.1 Searching Certifications in the Dashboard

To search for certifications:

  1. Log in to Oracle Identity Self Service.

  2. On the left pane, under Certifications, click Dashboard. The Dashboard is displayed with a list of certifications in a table. The table consists of columns, such as Name, Percent Complete, and Organization.

    You can personalize the table to display or hide certification attributes that are displayed as columns in the table. You can also change the order in which the columns are displayed in the table.

  3. To show or hide columns and change the order of the columns, follow the instructions in "Personalizing the Search Result".

  4. From the Show list, select any one of the following to filter the list of certifications displayed in the Dashboard:

    • New and In Progress: Lists the certifications assigned to you that are new or in progress.

    • New: Lists newly assigned certifications on which no action has been taken yet. A certification can be new and still partially complete, for example when one phase of a multi-phase certification has already completed, when a partially complete certification has been delegated to a user who has not yet acted on it, or when it includes items that were automatically marked complete because no action was required.

    • In Progress: Lists only the certifications in progress.

    • Expired: Lists the certifications whose end date has passed.

    • Completed: Lists the certifications that are in the completed state.

    • All: Lists all certifications regardless of state, including new, in progress, expired, and completed certifications.

  5. From the Search list, select any one of the following, and enter a search criterion in the box adjacent to the list:

    • Certification Name: To search the certifications by certification name.

    • Organization Name: To search the certifications by the organization name selected for the certification.

    • Create Date: To search the certifications by certification creation date.

  6. Click the Search icon. The certifications that match your search criteria are displayed in the table.

    Tip:

    To sort the data in the search results table, place the mouse pointer on a column name. Up and down arrows are displayed on the column names. Click the up arrow to sort in ascending order. Click the down arrow to sort in descending order.

15.4.2 Viewing Certifications From the Dashboard

You can open and view certification details from the Inbox or the Dashboard, but not every user sees certifications in the Dashboard. Apart from users with the Certification Administrator or Certification Viewer admin role, only the primary reviewers, who were selected as certifiers when the certification was created, see certifications in the Dashboard. All other users reach certification tasks only through the Inbox: a delegated reviewer, for example, does not see the certification in the Dashboard but does see a certification task in the Inbox, and phase 2 reviewers in a user certification see no certification in the Dashboard at all. For non-administrative users, the Dashboard provides read-only access to certifications for monitoring purposes.

See Also:

"Understanding Multi-Phased Review in User Certification" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about the phases of reviews in multi-phased review for user certification

To open and view certification details from the Dashboard:

  1. Open the Dashboard.

  2. Select the certification for which you want to display the details. A summary of the selected certification is displayed in the Detail Information section, which consists of the following tabs:

    • Certification Details: Displays the certification attributes such as name, percentage complete, and number of roles, accounts, entitlements, or users for the selected certification. A link to the requests page is also displayed if closed-loop remediation has been activated for the certification.

      If auto-claim is enabled, the Date Certified field is populated with the date of the certification.

      For information about closed-loop remediation and remediation tracking, see "Understanding Closed-Loop Remediation and Remediation Tracking" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager. For information about the Track Requests page, see "Tracking a Request".

    • Certification Tasks: Displays a list of certification tasks that are part of the selected certification. This is a read-only view, and the user cannot take any action on the certification tasks.

    • Reports: Enables you to generate certification reports. This tab is displayed only if the report option is configured in Oracle Identity Manager. See "Generating Certification Reports" for details.

  3. From the Actions menu, select Open. Alternatively, you can click Open on the toolbar, or click the certification name to open it. The details of the selected certification are displayed in the certification details page.

    In both Inbox and the Dashboard, you can also click the certification name to open the details of the certification.

    The certification details are displayed in a tabular format. You can hide, unhide, and reorder columns in the table. For details, see "Personalizing the Search Result". In addition, you can use the saved search feature on this page to search within the details. For information about creating and using saved searches, see "Using Saved Search".

15.5 Completing User Certifications in Offline Mode

You have the option to download user certification data to your local computer and work on it in an offline mode by using Microsoft Excel without having an active session with Oracle Identity Manager. After making decisions on the certifications, you can connect to Oracle Identity Manager and upload your decisions. The availability of this option can be controlled by enabling or disabling the Enable Interactive Excel option in the Certification Configuration page in Oracle Identity System Administration. For information about this option, see "Configuring Certification Options in Identity System Administration" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Note:

  • The option to download user certification data to your local computer and work on it in an offline mode is available for user certifications only. This functionality is not available for role, application instance, and entitlement certifications.

  • For this functionality to work, you must have Microsoft Excel 2007 or 2010. To configure Microsoft Excel for this functionality:

    1. Ensure that the prerequisites described in "Configuring Excel to work with ADF Desktop Integration" in the Oracle Fusion Middleware Desktop Integration Developer's Guide for Oracle Application Development are met.

    2. Perform the one-time configuration, as described in "How to Install Runtime Edition of ADF Desktop Integration" in the Oracle Fusion Middleware Desktop Integration Developer's Guide for Oracle Application Development.

  • For applications running in an environment using Oracle Access Manager, ensure that the URL for the ADF Desktop Integration Remote servlet is configured as a protected resource for Oracle Access Manager. The ADF Desktop Integration Remote servlet is:

    http://IDM_HOST.domain.com:OIM_PORT/identity/adfdiRemoteServlet

    To confirm that the policy is in effect, request this URL from a browser that has no Oracle Access Manager session: a protected resource redirects to the Oracle Access Manager login page instead of answering from the servlet.

When the Enable Interactive Excel option is enabled, the Download to Editable Excel menu option is available in the Actions menu in the certification detail and certification summary pages of the user certification.

To work on a user certification in offline mode:

  1. Open a user certification from the Dashboard or Inbox.

  2. From the Actions menu, select Download to Editable Excel. A message box is displayed with the options to open or save the file.

  3. Select Open with.

  4. Make sure that Microsoft Office Excel is selected instead of Microsoft Office Excel (Default). Microsoft Office Excel (Default) is the version of Excel for which the plugin for this functionality is not enabled.

  5. Click OK. A message box is displayed asking whether you want to connect to the corresponding server where the application is running and from where the spreadsheet was downloaded.

  6. Click Yes. The page to log in to Oracle Identity Self Service is displayed. This provides an extra layer of security: the certification data is downloaded only after you authenticate again, not merely because the spreadsheet is open on your computer.

  7. Log in to Oracle Identity Self Service by providing your credentials. The user certification data is downloaded into the spreadsheet.

  8. Click the Certification tab. This displays the list of options available when you work on a record. Figure 15-1 shows the Certification tab.

    Figure 15-1 The Certification Tab (screenshot not reproduced here)

  9. Select the decisions from the drop-down for each user. When a decision is selected, the Changed column displays a flag that indicates the change. The area highlighted in grey color is a read-only area and no changes can be made there.

    Decisions other than Certify have required fields; a row whose required fields are missing is rejected when the data is uploaded. To see the error for a row, double-click the error field in the Status column, fix the row, and upload again. The requirements are:

    • Revoke: comments are required.

    • Abstain: comments are required.

    • Certify Conditionally: comments and an end date are required.

    Note:

    User-defined field (UDF) data for both user and catalog will show up in the spreadsheet as read-only columns.
  10. When you finish selecting the decisions, upload the data back to the server by clicking Save to Server. The user certification screens are updated with the uploaded decisions.

Note:

When you upload the spreadsheet, the rows are applied on the server in the order in which they were downloaded. If the decision on an account differs from the decision on one of its entitlements, the entitlement decision may be overridden on the server, depending on which row is applied last.

For example, if you revoke an entitlement and set its account to Certify Conditionally, the entitlement may also end up as Certify Conditionally if the account row is applied after the entitlement row.

Therefore, after uploading, download the Excel file again and verify that the values stored on the server are the ones you intended, paying particular attention to entitlements whose decision differs from that of their account.

If you try to download the spreadsheet for a certification that has already been completed, then a different version of the spreadsheet is downloaded, in which all the columns are marked as read-only and the Save to Server button is not available.
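The following Python script is an added example, not part of Oracle Identity Manager or its Excel add-in. It shows the checks a reviewer can run over the decisions in the sheet before clicking Save to Server: the required-field rules for Revoke, Abstain and Certify Conditionally from step 9, and a warning for every entitlement whose decision differs from the decision on its account, which is the case the note above says the server may override. The Row layout and the sample rows are constructed for the example; the real spreadsheet columns differ, and in practice you would read them from the workbook (for instance with openpyxl) instead of the inline list.

```python
"""Pre-upload checks for decisions entered in the editable Excel export of a
user certification.

Added example for this page; not Oracle code and not the ADF Desktop
Integration add-in. The Row layout and the sample rows are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

VALID_DECISIONS = {"Certify", "Revoke", "Abstain", "Certify Conditionally"}
COMMENT_REQUIRED = {"Revoke", "Abstain", "Certify Conditionally"}   # step 9
END_DATE_REQUIRED = {"Certify Conditionally"}                       # step 9


@dataclass
class Row:
    row_id: str
    item_type: str                  # "Account" or "Entitlement"
    account_id: str                 # the account this row belongs to (an account row names itself)
    decision: Optional[str]         # None: the reviewer has not decided this row yet
    comments: str = ""
    end_date: Optional[str] = None  # ISO date as typed into the sheet, e.g. "2012-06-30"


def row_errors(row: Row) -> List[str]:
    """Problems that make the server reject this row when it is uploaded."""
    if row.decision is None:
        return []                                   # undecided rows carry no change
    if row.decision not in VALID_DECISIONS:
        return [f"unknown decision {row.decision!r}"]
    errors = []
    if row.decision in COMMENT_REQUIRED and not row.comments.strip():
        errors.append(f"{row.decision} requires a comment")
    if row.decision in END_DATE_REQUIRED:
        if not row.end_date:
            errors.append("Certify Conditionally requires an end date")
        else:
            try:
                date.fromisoformat(row.end_date)
            except ValueError:
                errors.append(f"end date {row.end_date!r} is not a valid ISO date")
    return errors


def order_warnings(rows: List[Row]) -> List[str]:
    """Entitlement rows whose decision differs from the decision on their account.

    The server applies rows in download order, so the account decision can
    overwrite these entitlement decisions; they must be re-checked after upload.
    """
    account_decision = {r.account_id: r.decision for r in rows if r.item_type == "Account"}
    warnings = []
    for r in rows:
        if r.item_type != "Entitlement" or r.decision is None:
            continue
        parent = account_decision.get(r.account_id)
        if parent is not None and parent != r.decision:
            warnings.append(
                f"{r.row_id}: entitlement decided {r.decision!r} but account "
                f"{r.account_id} decided {parent!r}; verify the server value after upload"
            )
    return warnings


def check_sheet(rows: List[Row]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (errors keyed by row id, order warnings) for a whole sheet."""
    errors: Dict[str, List[str]] = {}
    for r in rows:
        problems = row_errors(r)
        if problems:
            errors[r.row_id] = problems
    return errors, order_warnings(rows)


# Constructed sample rows; not data exported from Oracle Identity Manager.
SAMPLE_ROWS = [
    Row("r1", "Account", "acct-ad-rklein", "Certify Conditionally", "Contractor, re-check at renewal", "2012-06-30"),
    Row("r2", "Entitlement", "acct-ad-rklein", "Revoke", "Not needed for current role"),
    Row("r3", "Entitlement", "acct-ad-rklein", "Certify Conditionally", "Same as account", "2012-06-30"),
    Row("r4", "Account", "acct-erp-rklein", "Revoke"),                              # comment missing
    Row("r5", "Entitlement", "acct-erp-rklein", "Abstain", "Owner to confirm"),
    Row("r6", "Account", "acct-db-rklein", "Certify Conditionally", "Temporary"),   # end date missing
    Row("r7", "Account", "acct-vpn-rklein", "Certify"),
]

if __name__ == "__main__":
    errs, warns = check_sheet(SAMPLE_ROWS)
    for row_id, problems in errs.items():
        print(f"ERROR   {row_id}: {'; '.join(problems)}")
    for w in warns:
        print(f"WARNING {w}")
```

Errors are rows the server will refuse, so they are fixed before upload; warnings are rows the server will accept but may silently change, so they are the rows to compare against a fresh download afterwards.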

15.6 Generating Certification Reports

Oracle BI Publisher reports are used for identity certification. These reports select data from the certification tables of the Oracle Identity Manager database.

There are specific templates to control the format and content of reports. For example, many of the certification reports have a template that includes details from action history for each line-item and detail, and another template that does not.

Oracle Identity Manager provides a set of predefined certification reports. For more information about them, see "Certification Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

This section contains the following topics:

15.6.1 Generating Certification Reports From the Dashboard

To generate certification reports by using the Dashboard:

  1. In Oracle Identity Self Service, navigate to the Dashboard. A list of certifications is displayed.

  2. Select the certification for which you want to generate the report. The Detailed Information section is displayed for the selected certification.

  3. Click the Reports tab.

  4. Select Report Type as Complete Certification, Certified, Revoked, Abstained, or Certified Conditionally.

  5. From the Report Format Output list, select the format in which you want to generate the report, such as HTML or PDF.

  6. Select the Display Action History option to include in the report the action history or trail of actions taken by all reviewers on the certification. Deselecting this option does not show the action history in the certification report.

  7. Click Generate Report. The certification information is exported in the selected format, such as HTML or PDF.

    Tip:

    If you select Excel as the report format in step 5, Excel displays a warning when you open the report because the file content is not in the format its .xls extension indicates. This is a security check performed by Microsoft Excel (extension hardening); the report is safe to open and you can accept the prompt. You can suppress the warning with the registry setting below, but note that it disables the check for every file you open in Excel, including files from untrusted sources. Prefer accepting the prompt, or generating the report as PDF or HTML instead. If you still want to suppress it:
    1. Open the Windows registry editor.

    2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security key (12.0 is Excel 2007; Excel 2010 uses 14.0). The setting applies to the current user only.

    3. Set the following value:

      (DWORD)"ExtensionHardening" = 0
      

15.6.2 Generating Exported Certification Reports From the Certification Pages

To generate certification reports by using the Inbox:

  1. In Oracle Identity Self Service, navigate to the Inbox. A list of certification tasks is displayed.

  2. Click an in-progress certification task name to open Page 1 of the certification task.

  3. From the Actions menu, select Export to PDF or Excel.

    The PDF or Excel export of a certification task is equivalent to the Complete Certification report.