This chapter describes the identity certification user interface pages and includes information about how to complete identity certifications. An overview of identity certification is presented first.
This chapter contains the following sections:
This section describes what, why, and how identity certifications are conducted. It also discusses who is typically involved in the identity certification process.
Identity certification is the process of reviewing user entitlements to ensure that users have not acquired entitlements that they are not authorized to have. Certifications can be scheduled to run on a regular basis to meet compliance requirements. Managers use the Oracle Identity Analytics (OIA) Identity Certification module to review their employees' entitlements to access applications and data. Based on changes reported by Oracle Identity Analytics, managers can authorize or revoke employee access, as needed.
The following table lists the four types of identity certification that are possible in Oracle Identity Analytics.
Table 7-1 The Four Types of Identity Certification

Identity Certification Type | Description |
---|---|
User Entitlement Certification | Allows managers to certify employee access to roles, accounts, and entitlements. This is the most common and most sweeping type of certification. Typically, each manager in an organization reviews the access-privileges of the people who report directly to that manager. Each reviewer in a certification of this type is focused on his or her direct-reports, but is expected to review all of the access-privileges for each of those people. |
Role Entitlement Certification | Allows role owners to certify role content and role members. This certification is used in organizations that have implemented role-based access control (RBAC). Typically, the owner of a role is the person responsible for reviewing its definition (that is, the set of access-privileges that it conveys) as well as its membership (the set of users to whom the role has been assigned). Each reviewer in a certification of this type is focused on a particular enterprise role. |
Resource Entitlement Certification | Allows the person who is responsible for a particular system or application to review the set of users who have accounts on that system or application. The reviewer can drill down and view the details of the access-privileges of each account. Each reviewer in a certification of this type is focused on one specific system or application. |
Data Owner Certification | Allows data owners to certify user accounts that have a particular privilege. This certification is used if a specific person is responsible for a particular entitlement (that is, an Attribute Value or a group membership that confers a specific access-privilege). The data owner can review the set of user accounts that have that particular entitlement. Each reviewer in a certification of this type is focused on one specific privilege within one specific resource. |
Business administrators are tasked with creating certifications for their organizations. For information about creating certifications, see the "Oracle Identity Analytics Identity Certifications" chapter in the Administrator's Guide for Oracle Identity Analytics.
Closed-loop remediation is a feature that utilizes a separate provisioning system to automatically revoke roles and entitlements based on the results of the Oracle Identity Analytics certification process. Closed-loop remediation is only available if the provisioning solution is either Oracle Identity Manager or Oracle Waveset (Sun Identity Manager).
For non-managed applications, you can manually revoke roles and entitlements by using the information stored in the remediation configuration module.
For information about how to de-provision accounts during a certification process, see Section 7.4.7, "To De-provision Accounts During The Certification Process." Because OIA is the authoritative source for roles, when roles are revoked, Oracle Identity Analytics directly de-provisions them.
The identity certification module in Oracle Identity Analytics allows personnel in an organization to review and certify user entitlement data, role content data, and application access data. Following are descriptions of the types of users that are typically involved in the identity certification process, as well as the certifications that each user type can authorize or revoke. In Oracle Identity Analytics, personnel who participate in the identity certification process are called actors.
Table 7-2 Identity Certification Actors

Actor Name | Description | Certification Types That Can Be Accessed |
---|---|---|
Certifier | A generic term that signifies a person who is responsible for reviewing and completing any kind of certification. | |
User manager | A manager with direct reports. Users report to a user manager. | |
Access reviewer | Designated personnel responsible for reviewing user access. | |
Application owner | Designated personnel responsible for reviewing user access on a particular target system. | |
Role owner | Designated personnel responsible for reviewing a role and its content. | |
Data owner | Designated personnel responsible for reviewing access to an attribute value. | |
Oracle Identity Analytics administrator | An administrator with full access to the Oracle Identity Analytics application and who can create and view the progress of all certifications. | |
Auditor or Audit analyst | Designated personnel who can view the Identity Certification Dashboard to view the progress of each certification. Can view reports from completed certifications. | |
Certification administrator | Administrator with limited access to the Oracle Identity Analytics application and who can only create and view the progress of certifications. | |
This section provides help using the identity certification portion of the user interface, which you access by clicking Identity Certification on the main menu.
To open the identity certification dashboard, choose Identity Certification > Dashboard from the main menu.
The identity certification dashboard summarizes status information for certifications in progress. The information presented is customized based on your user access. For example, if you are logged in as an administrator with global access, the dashboard presents certification data for the entire organization. If you are logged in as a manager, however, the dashboard only presents information relevant to your particular business units.
The identity certification dashboard presents the following information.
Table 7-3 Certification Dashboard UI Descriptions

Dashboard Panel | Description |
---|---|
Certifications by Status | This bar graph compares certification statuses (new, in progress, complete, and expired) for each of the four certification types (user, role, resource, and data owner). |
Summary | Provides the total number of users, accounts, resource types, and resources that are defined in Oracle Identity Analytics for your organization. |
User Accounts Certification Status | This pie chart shows how many user accounts are marked as certified, revoked, and incomplete. |
Notifications Issued in Last Week | This bar graph shows how many reminders have been sent in the last week to managers, senior managers, and the IT security department. |
Statistics | Provides the average number of certifications per business structure, the average number of roles per user, the average number of accounts per user, and the average number of users in the average business structure. |
User Roles Certification Status | This pie chart shows how many user roles are marked as certified, revoked, or incomplete. |
This page is visible only to administrators. To open the Remediation Tracking page, choose Identity Certification > Remediation Tracking from the main menu.
Use the Remediation Tracking page to track the remediation status of revoked accounts, access within accounts, or roles.
For details and instructions about using the Remediation Tracking page, see the Understanding Remediation Tracking section in the "Oracle Identity Analytics Identity Certifications" chapter in the Oracle Identity Analytics 11gR1 Business Administrations Guide.
This page is visible only to administrators. To open the Certification Jobs page, choose Identity Certification > Certification Jobs from the main menu.
Use the Certification Jobs page to view the status of certification jobs and delete certification jobs.
For details and instructions about using the Certification Jobs page, see "Scheduling Certifications" in the "Oracle Identity Analytics Identity Certifications" chapter in the Administrator's Guide for Oracle Identity Analytics.
To open the My Certifications page, choose Identity Certification > My Certifications on the main menu.
Use the My Certifications page to view and search for certifications. If you are an administrator, you can create new access certifications from this page by clicking New Certification at the top of the page.
The My Certifications page displays new and in-progress certifications. Filters are provided to view all certifications, or any combination of new, in-progress, complete, or expired certifications. Click any column header to sort the table by the column type. Click again to reverse-sort the table.
In the Certification Name column, click a certification to view progress and to conduct employee verification on the selected certification.
Click Complete Certification to complete a certification process.
Click View Reports to view a report of a completed certification.
Click View Reminder Logs to view notifications sent for a particular certification.
The following help topics document the pages that you use when completing a certification.
This section includes the following topics:
When you open a certification, a summary page displays that lists the certification items needing review. From the summary page you can navigate deeper into the certification and get a detailed view of each certification item. Both the summary and the detail pages include controls for filtering which certification items are displayed.
This section describes the user interface elements that are common to the certification pages.
The top of the page displays the certification name. Certifications use the following naming convention:
Name-of-the-certification_Certifier's-last name_Certifier's-first-name
The Status Bar and More Info Icon
If the certification page is open to a summary page, a status bar and a certification details More Info icon also display.
The Completed bar shows the percentage of the certification that is complete.
Click the More Info icon to open a pop-up window that contains detailed information about the certification. See the topic for more information about the Certification Details pop-up window.
The Export To options enable you to work on the certification offline. You have to return to Oracle Identity Analytics, however, to complete the certification. You can export the certification to PDF or .xls formats.
Note:
The Export To options are only available on certification summary pages, not certification detail pages.
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Note:
Filter expressions with multiple criteria are evaluated using the "AND" operator.
The following filter controls may be available:
Filter Control | Description |
---|---|
\+ and - | Click to add and remove additional filter criteria. |
Apply | Click to apply the filter and refresh the page. |
Reset | Click Reset to remove all filtering and refresh the page. |
If a filter is active, use the First, Previous, Next, and Last buttons to navigate from one record to the next.
In OIA, three red bars signify high risk, two yellow bars signify medium risk, and one green bar signifies low risk.
User entitlement certification enables managers to certify employee access to roles, accounts, and entitlements. For step-by-step instructions about how to complete a user entitlement certification, see To Complete a User Entitlement Certification.
User Entitlement Certification Help is organized as follows:
Filter-Data-By Menu (User Entitlement Certification - Summary Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter | Description |
---|---|
All | Display all users. |
Risk Summary | Display users by High, Medium, or Low risk levels. Risk Summary levels are based on the combined risk level of the roles, accounts, and entitlements that the user holds. |
Entitlement Summary Risk | Display all users where the highest contributing Item-Risk or Risk-Factor level for any entitlement assigned to the user is High, Medium, or Low. |
Role Summary Risk | Display all users where the highest contributing Item-Risk or Risk-Factor level for any role assigned to the user is High, Medium, or Low. Note - Filtering by Low Role-Summary Risk could return users who do not have any assigned roles, because the Low Role-Summary Risk filter excludes all users who have High-risk and/or Medium-risk roles assigned. Users who have only Low-risk roles assigned, and users who have no roles assigned, are returned. |
Account Summary Risk | Display all users where the highest contributing Item-Risk or Risk-Factor level for any account assigned to the user is High, Medium, or Low. |
Role Name | Display users with the role name that matches the search string provided. The asterisk ( |
Resource Name | Display users with a resource name that matches the search string provided. The asterisk ( |
Status | Display users by Claim, Decline, Delegate, or Disclaim status. Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here. |
User Attribute | Display users who meet the attribute criteria that you supply. |
The Actions Menu (User Entitlement Certification - Summary Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Claim | The user works for you and you are the correct person to complete the certification. |
Decline | The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements. |
Delegate | The user reports to another manager. Select the manager who is responsible for verifying this user's assigned roles and entitlements. You will not approve or revoke roles and entitlements for this user. |
Disclaim | The user is no longer part of the organization. The user is removed from the certification process and you will not approve or revoke roles and entitlements for this user. |
Complete User | The users are valid for this certification. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Summary Table (User Entitlement Certification - Summary Page)
The table on the summary page lists the certification items needing review.
Column | Description |
---|---|
User Name | The user's user ID. This is a unique value that identifies the user in your IT environment. |
First Name | The user's first name. |
Last Name | The user's surname. |
Primary Email | The user's e-mail address. |
Status | Displays Decline, Delegate, or Disclaim if that status was selected for the user; otherwise, this field shows the percentage of the certification that is complete for this user. Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here. Decline - The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements. Delegate - The user reports to another manager and you are not responsible for approving or revoking roles and entitlements for this user. Disclaim Worker - The user is no longer part of the organization. The user will be removed from the certification process and you will not approve or revoke roles and entitlements for this user. |
Risk Summary | The risk level (High, Medium, or Low) assigned to the user based on the combined risk level of the roles and entitlements that the user holds. |
Roles | The total number of roles that the user holds. |
Accounts | The total number of accounts that the user holds. |
Entitlements | The total number of entitlements that the user holds. |
Certification Comments | Reviewer comments entered about the user certification. |
The role detail page lists a user's assigned roles. To open the Roles Detail page, open a user entitlement certification and click the Roles tab.
Filter-Data-By Menu (User Entitlement Certification - Roles Detail Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter | Description |
---|---|
Risk Summary | Display a user's roles based on the value recorded in the Risk Summary column. |
Item Risk | Display the user's roles that have a matching risk value recorded in the Item Risk column. |
Policy Violation | Display the user's roles that have a policy violation. |
Last Certification | Display the user's roles based on the previous certification status. |
Provisioning Methods | Display the user's roles based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Role Name | Display the user's roles that match the search string provided. The asterisk ( |
The Actions Menu (User Entitlement Certification - Roles Detail Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Certify | The role is valid for this user for this certification. |
Revoke | The role is not valid for this user for this certification. |
Abstain | The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements. |
Certify Conditionally | You temporarily certify the role even though the role might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Roles Detail Table (User Entitlement Certification - Roles Detail Page)
The table on the roles detail page lists a user's assigned roles.
Column | Description |
---|---|
Role Name | The name of the assigned role being certified. |
Description | A description of the role. |
Decision | One of the following: |
Risk Summary | The overall risk level for the role. This value is determined by choosing the highest risk level across the next four columns. |
Item Risk | The risk level associated with the role as determined by an Oracle Identity Analytics administrator during the role configuration process. |
Policy Violations | Yes if one or more policy violations result from this role assignment, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk. |
Last Certification | The status of the previous certification of this role assignment. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New. |
Provisioning Method | The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Comments | Comments entered about this role by a reviewer. |
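To make the risk rules on this page concrete, the following Python model is an added example and is not part of the Oracle documentation or the OIA product. It computes an item's Risk Summary from Item Risk and Policy Violations as described for the Roles Detail table, rolls that up into the per-user Role, Account, Entitlement and overall Summary Risk that the summary page filters use, and applies filters with the "AND" semantics and the Low-filter behaviour noted for Role Summary Risk. Class and function names and the sample users are assumptions; Last Certification and Provisioning Method are left out because the page gives no risk-level mapping for them.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Risk levels in the order the page uses; a higher index is a higher risk.
LEVELS = ("Low", "Medium", "High")


def max_level(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Highest level among those given, or None when there is nothing to rank."""
    present = [lvl for lvl in levels if lvl is not None]
    if not present:
        return None
    return max(present, key=LEVELS.index)


@dataclass
class CertItem:
    """One row on a Roles or Entitlements detail page (constructed model)."""
    kind: str                   # "role", "account" or "entitlement"
    name: str
    item_risk: str              # Item Risk, set by the OIA administrator at configuration time
    policy_violation: bool = False

    def risk_summary(self) -> str:
        # Page rule: one or more violations is High risk, none is Low, and
        # Risk Summary is the highest level across the risk columns.
        # Assumption: only Item Risk and Policy Violations are modelled, as
        # the page gives no level mapping for Last Certification or
        # Provisioning Method.
        violation_level = "High" if self.policy_violation else "Low"
        return max_level([self.item_risk, violation_level])


@dataclass
class CertUser:
    """One row on a User Entitlement Certification summary page (constructed model)."""
    user_name: str
    items: List[CertItem] = field(default_factory=list)

    def summary_risk(self, kind: str) -> Optional[str]:
        """Role/Account/Entitlement Summary Risk; None if the user holds nothing of that kind."""
        return max_level(i.risk_summary() for i in self.items if i.kind == kind)

    def risk_summary(self) -> Optional[str]:
        """Combined risk of all roles, accounts and entitlements the user holds."""
        return max_level(i.risk_summary() for i in self.items)


def level_filter_matches(actual: Optional[str], wanted: str) -> bool:
    # The Low filter only excludes High and Medium holders, so a user with no
    # items of that kind (summary None) is returned, as the page's note says.
    if wanted == "Low":
        return actual in (None, "Low")
    return actual == wanted


def filter_users(users: Iterable[CertUser], **criteria: str) -> List[CertUser]:
    """Filter-data-by: every supplied criterion must hold (criteria are ANDed).

    Keys: risk_summary, role_summary, account_summary, entitlement_summary.
    """
    def value_for(u: CertUser, key: str) -> Optional[str]:
        if key == "risk_summary":
            return u.risk_summary()
        kind = key.rsplit("_", 1)[0]   # role / account / entitlement
        return u.summary_risk(kind)

    return [u for u in users
            if all(level_filter_matches(value_for(u, k), v) for k, v in criteria.items())]


def sample_users() -> List[CertUser]:
    """Constructed sample data, not from any real OIA instance."""
    return [
        CertUser("alice", [
            CertItem("role", "Finance Approver", "Medium", policy_violation=True),
            CertItem("account", "hr-db", "Low"),
        ]),
        CertUser("bob", [
            CertItem("entitlement", "unix:uid=0", "High"),
        ]),
        CertUser("carol", [
            CertItem("role", "Helpdesk", "Low"),
            CertItem("account", "crm", "Medium"),
        ]),
    ]


def names(users: Iterable[CertUser]) -> List[str]:
    return [u.user_name for u in users]


if __name__ == "__main__":
    users = sample_users()
    for u in users:
        print(u.user_name, u.risk_summary(), u.summary_risk("role"))
    # The Low Role Summary Risk filter also returns bob, who holds no roles at all.
    print(names(filter_users(users, role_summary="Low")))
    # ANDed criteria: Low role summary AND High overall risk leaves only bob.
    print(names(filter_users(users, role_summary="Low", risk_summary="High")))
```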
The entitlements detail page lists a user's accounts and entitlements that are assigned outside of any assigned roles. To open the Entitlements Detail page, open a user entitlement certification and click the Entitlements tab.
Filter-Data-By Menu (User Entitlement Certification - Entitlements Detail Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter | Description |
---|---|
Risk Summary | Display a user's accounts and entitlements based on the value recorded in the Risk Summary column. |
Item Risk | Display the user's roles that have a matching risk value recorded in the Item Risk column. |
Policy Violation | Display the user's accounts and entitlements that have a policy violation. |
Last Certification | Display the user's accounts and entitlements based on the previous certification status. |
Provisioning Methods | Display the user's accounts and entitlements based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Resource Name | Display the user's accounts and entitlements by resource name. The asterisk ( |
Resource Type | Display the user's accounts and entitlements by resource category. |
Attribute | Display the user's entitlements by attribute name. The asterisk ( |
Attribute Value | Display the user's entitlements by attribute value. The asterisk ( |
The Actions Menu (User Entitlement Certification - Entitlements Detail Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Certify | The entitlement is valid for this user for this certification. |
Revoke | The entitlement is not valid for this user for this certification. |
Abstain | The user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements. |
Certify Conditionally | You temporarily certify the entitlement even though the entitlement might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Note:
If you select all of the listed roles and entitlements when you choose an action, the system asks you to confirm if you want to "Select only entitlements that are displayed on the current page," or if you want to "Select all entitlements from this certification." Note that the "Select all entitlements from this certification" option applies only to the selection of roles and entitlements for the current user only. It does not apply to all of the roles and entitlements assigned to all of the users in the certification.
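Certify Conditionally, on both the Roles Detail and Entitlements Detail pages, records an end date that OIA neither enforces nor sends notices about, so the reviewer has to find conditionally certified items whose end date has passed. The following Python script is an added example, not Oracle's code or part of the product; it runs over a constructed certification export whose column names are assumptions, since the page only states that reports carry the end date and comment.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed sample of an exported certification, not output from a real
# OIA instance. The column names are assumptions: the page only says that
# the end date and comment are included in generated reports.
SAMPLE_EXPORT = """\
user_name,item_type,item_name,decision,end_date,comment
alice,role,Finance Approver,Certify Conditionally,2024-03-31,Covering for a colleague on leave
bob,entitlement,unix:uid=0,Certify Conditionally,2024-09-30,Needed until migration completes
carol,account,crm,Certify,,
dave,role,DB Admin,Certify Conditionally,,
erin,role,Helpdesk,Revoke,,
"""

CONDITIONAL = "Certify Conditionally"


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read the exported rows into dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def conditional_findings(rows: List[Dict[str, str]], today: str) -> List[Dict[str, str]]:
    """Conditionally certified rows that need follow-up as of `today` (ISO date).

    OIA records the end date but does not revoke the access or notify anyone
    when it passes, so these rows have to be found by the reviewer. Rows with
    no end date are flagged too, since the page says one is required; a missing
    comment is flagged as a weaker finding because the page only says the
    reviewer is prompted for one.
    """
    today_date = date.fromisoformat(today)
    findings = []
    for row in rows:
        if row["decision"] != CONDITIONAL:
            continue
        if not row["end_date"]:
            findings.append({**row, "reason": "no end date recorded"})
            continue
        end = date.fromisoformat(row["end_date"])
        if end < today_date:
            findings.append({**row, "reason": f"end date {end.isoformat()} has passed"})
        elif not row["comment"].strip():
            findings.append({**row, "reason": "no justification comment"})
    return findings


def users_to_follow_up(rows: List[Dict[str, str]], today: str) -> List[str]:
    """Distinct users with at least one finding, for the follow-up list."""
    return sorted({f["user_name"] for f in conditional_findings(rows, today)})


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for f in conditional_findings(rows, "2024-06-01"):
        print(f"{f['user_name']}: {f['item_type']} {f['item_name']} - {f['reason']}")
```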
Entitlements Detail Table (User Entitlement Certification - Entitlements Detail Page)
The table on the entitlements detail page lists a user's assigned accounts and entitlements.
Note:
Rows representing accounts are labeled (Account Only) in the Attribute Name column.
Column | Description |
---|---|
Resource Name | The name of the resource that has the accounts and entitlements that are being certified. (A resource is an application or some other enterprise information asset that users need to do their jobs.) |
Resource Type | The resource category that the resource belongs to. |
Account Name | The name of the user's account on the resource. Click the More-Info icon to see additional account details. |
Attribute | Attributes are entitlements that map to different objects on a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. Note - (Account Only) rows represent accounts. |
Attribute Value | The value of the attribute listed. Note - Account rows do not have attribute values. |
Decision | One of the following: |
Risk Summary | The overall risk level for the account or entitlement. This value is determined by choosing the highest risk level across the next four columns. |
Item Risk | The assigned attribute-value risk or entitlement risk. The risk level is determined by an Oracle Identity Analytics administrator during the resource configuration process. |
Policy Violations | Yes if one or more policy violations result from this role assignment, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk. |
Last Certification | The status of the previous certification of this entitlement. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New. |
Provisioning Method | The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Comments | Comments entered about the account or entitlement by a reviewer. |
A role entitlement certification enables role owners to certify roles and role content, such as policies, entitlements, and users assigned to roles. For step-by-step instructions about how to complete a role certification, see To Complete a Role Entitlement Certification.
Role Entitlement Certification Help is organized as follows:
Filter-Data-By Menu (Role Entitlement Certification - Summary Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter | Description |
---|---|
All | Display all roles. |
Risk Level | Display the user's roles that have a matching role risk value recorded in the Risk Level column. |
Role Name | Display roles that match the search string provided. The asterisk ( |
Status | Display roles by Claim or Decline status. |
Policy Violations | Display roles that have open identity auditing violations. |
Actions Menu (Role Entitlement Certification - Summary Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Claim | The role belongs to you and you are the correct person to complete the certification. |
Decline | The role does not belong to you and you are not responsible for verifying it. |
Complete Roles | The remaining roles are valid for this certification. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Summary Table (Role Entitlement Certification - Summary Page)
The table on the summary page lists the certification items needing review.
Column | Description |
---|---|
Role Name | The name of the role being certified. |
Description | A description of the role. |
Status | Either shows the percentage of the certification that is complete for this role, or Decline. |
Risk Level | The risk level associated with the role as determined by an administrator during the role configuration process. |
Policy Violations | Indicates if any open identity auditing violations are caused by this role. The identity audit component checks for identity relationships that go against policy, including segregation of duties (SoD) violations. |
Policies | Shows the number of policies assigned to the role. Policies define account attributes and privileges that users have on different platforms or applications. A policy has a specific privilege on a specific data resource. Policies are assigned to roles, and roles are assigned to users. |
Comments | Comments entered about this role certification by a reviewer. |
The policies detail page shows policies that belong to this role, as well as attributes of the policy. To open this page, open a role entitlement certification and click the Policies tab.
Filter-Data-By Menu (Role Entitlement Certification - Policies Detail Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter | Description |
---|---|
Resource Name | Display policies and attributes that have resource names that match the search string provided. The asterisk ( |
Resource Type | Display policies and attributes that match the selected resource category. |
Policy Name | Display policies and attributes that match the selected policy name. |
Attribute Name | Display the attributes that match the attribute name search string provided. The asterisk ( |
Attribute Value | Display the attributes that match the attribute value search string provided. The asterisk ( |
Risk Summary | Display policies and attributes based on combined risk levels. |
Item Risk | Display policies based on resource risk, and display attributes based on either the assigned attribute value risk or the entitlement risk. |
Last Certification | Display policies and attributes based on the previous certification status. |
Actions Menu (Role Entitlement Certification - Policies Detail Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Certify | The policy, entitlement, or user assigned to this role is valid for this certification. |
Revoke | The policy, entitlement, or user assigned to this role is not valid for this certification. |
Abstain | The policy, entitlement, or user does not belong to you and you are not responsible for verifying it. |
Certify Conditionally | You temporarily certify the policy, entitlement, or user assigned to this role even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Note:
If you select all of the listed policies and entitlements when you choose an action, the system asks you to confirm if you want to "Select only policies that are displayed on the current page," or if you want to "Select all policies from this certification." Note that the "Select all policies from this certification" option applies only to the policies and entitlements assigned to the current role. It does not apply to all of the policies and entitlements assigned to all of the roles in the certification.
Policies Detail Table (Role Entitlement Certification - Policies Detail Page)
Note - Rows representing policies are labeled (Policy Only) in the Attribute Name column.
Column | Description |
---|---|
Resource Name | The name of the resource that the policy or the policy attribute relates to. |
Resource Type | The resource category that the resource belongs to. |
Policy Name | The name of the policy or the policy attribute that belongs to the role. |
Attribute Name | Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. Rows representing policies display as (Policy Only). |
Attribute Value | The value of the attribute listed. Rows representing policies do not have attribute values. |
Decision | One of the following: |
Last Certification | The status of the previous certification of this policy or attribute. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New. |
Comments | Comments entered about this policy or policy attribute by a reviewer. |
The members detail tab shows all of the members that belong to this role. To open this page, open a role entitlement certification and click the Members tab.
Filter-Data-By Menu (Role Entitlement Certification - Members Detail Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter option | Description |
---|---|
User ID | Display role members who have account names that match the search string provided. The asterisk ( |
Risk Summary | Display role members by High, Medium, or Low risk level. The Risk Summary level is based on the combined risk level of the roles, accounts, and entitlements that the user holds. |
Policy Violation | Display role members who have one or more policy violations resulting from this role assignment. |
Provisioning Method | Display role members based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Last Certification | Display role members based on the previous certification status. |
Actions Menu (Role Entitlement Certification - Members Detail Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Certify | The policy, entitlement, or user assigned to this role is valid for this certification. |
Revoke | The policy, entitlement, or user assigned to this role is not valid for this certification. |
Abstain | The role does not belong to you and you are not responsible for verifying it. |
Certify Conditionally | You temporarily certify the policy, entitlement, or user even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Members Detail Table (Role Entitlement Certification - Members Detail Page)
Column | Description |
---|---|
User ID | The employee's user ID. This is a unique value that identifies the employee in your IT environment. |
First Name | The user's first name. |
Last Name | The user's surname. |
Primary Email | The user's e-mail address. |
Decision | One of the following: |
Risk Summary | The overall risk level for the user for this role. This value is determined by choosing the highest risk level across the next three columns. |
Policy Violations | Yes if one or more policy violations result from this role assignment, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk. |
Last Certification | The status of the previous certification of the user for this role. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New. |
Provisioning Method | The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Comments | Comments entered about this role user by a reviewer. |
Resource entitlement certification involves certifying or revoking employee entitlements on one or more resources. Resource entitlements are entitlements that are assigned directly to an employee and are not assigned to an employee as part of a role. For step-by-step instructions about how to complete a resource certification, see Section 7.4.5, "To Complete a Resource Entitlement Certification."
Resource Entitlement Certification Help is organized as follows:
Filter-Data-By Menu (Resource Entitlement Certification - Summary Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter option | Description |
---|---|
All | Display all users. |
Risk Level | Display resources by High, Medium, or Low risk level. |
Resource Name | Display resources that match the search string provided. The asterisk ( |
Status | Display resources by Claim or Decline status. Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here. |
Actions Menu (Resource Entitlement Certification - Summary Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Claim | Restores a disclaimed user, role, resource, or data source to your verification queue for certification. |
Decline | Either the user does not work for you and you are not responsible for verifying his or her assigned roles and entitlements, or the role, resource, or data source does not belong to you and you are not responsible for verifying it. |
Complete Resource | The remaining open accounts and entitlements for this resource are valid. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Summary Table (Resource Entitlement Certification - Summary Page)
The table on the summary page lists the certification items needing review.
Column | Description |
---|---|
Resource Type | The resource category that the resource belongs to. |
Resource Name | The name of the resource for which accounts and entitlements are being certified. Click the Resource Name link to open the Accounts and Entitlements Detail page. |
Status | Shows Certify or Revoke if this resource certification is complete. Otherwise, this field shows the percentage of the certification that is complete for this resource. |
Risk Level | The risk level of the named resource as determined by an Oracle Identity Analytics administrator during the resource configuration process. |
Accounts | The total number of accounts that the named resource has. |
Entitlements | The total number of entitlements that the named resource has. |
Certification Comments | Comments entered about the resource certification by a reviewer. |
The accounts and entitlements detail page shows the accounts and entitlements on the named resource. Click a Resource name on the Resource Entitlement Certification page to open this detail page.
Note - The rows representing accounts have Attribute Name labeled as (Account Only).
Filter-Data-By Menu (Resource Entitlement Certification - Accounts and Entitlements Detail Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter option | Description |
---|---|
Attribute Name | Display the entitlements that match the entitlement (attribute) name search string provided. The asterisk ( |
Attribute Value | Display the entitlements that match the entitlement (attribute) value search string provided. The asterisk ( |
Risk Summary | Display accounts and entitlements based on combined risk levels. |
Item Risk | Display accounts based on resource risk, and display entitlements based on attribute value risk or entitlement risk. |
Policy Violation | Display the accounts and entitlements that have a policy violation. |
Last Certification | Display accounts and entitlements based on the previous certification status. |
Provisioning Methods | Display role members based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Actions Menu (Resource Entitlement Certification - Summary Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Claim | The attribute or account is valid for this resource for this certification. |
Decline | The attribute or account is not valid for this resource for this certification. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Note:
If you select all of the listed accounts and entitlements when you choose an action, the system asks you to confirm whether the action should be applied to "Items on this page only" or "All remaining items." Note that the "All remaining items" option applies only to the accounts and entitlements assigned to the current resource. It does not apply to all of the remaining accounts and entitlements in the certification.
Accounts and Entitlements Detail Table
(Resource Entitlement Certification - Accounts and Entitlements Detail Page)
This table lists the accounts and entitlements on the named resource.
Column | Description |
---|---|
Account Name | The employee's user ID. This is a unique value that identifies the employee in your IT environment. |
First Name | The user's first name. |
Last Name | The user's surname. |
Attribute Name | Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. Rows representing policies display as (Policy Only). |
Attribute Value | The value of the attribute listed. |
Decision | One of the following: |
Risk Summary | The overall risk level for the account or attribute. This value is determined by choosing the highest risk level across the next four columns. |
Item Risk | The assigned account risk or entitlement risk. |
Policy Violations | Yes if one or more policy violations result from this role assignment, otherwise No. One or more violations is considered to be high risk, and no policy violations is low risk. |
Last Certification | The status of the previous certification of this resource account or entitlement. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New. |
Provisioning Method | The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Comments | Comments entered about this account or entitlement by a reviewer. |
A data owner certification enables data owners to certify whether employees should be able to access data. For step-by-step instructions about how to complete a data owner certification, see Section 7.4.6, "To Complete a Data Owner Certification."
Data Owner Certification Help is organized as follows:
Filter-Data-By Menu (Data Owner Certification - Summary Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter option | Description |
---|---|
All | Display all users. |
Status | Display certification items by Claim or Decline status. Note - Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here. |
Risk Level | Display data sources by High, Medium, or Low role risk level. |
Resource | Display resources that match the search string provided. The asterisk ( |
Attribute | Display the entitlements that match the entitlement (attribute) name search string provided. The asterisk ( |
Attribute Value | Display the entitlements that match the entitlement (attribute) value search string provided. The asterisk ( |
Actions Menu (Data Owner Certification - Summary Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Claim | The data source belongs to you and you are responsible for verifying it. |
Decline | The data source does not belong to you and you are not responsible for verifying it. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Complete Value | The remaining users are valid for this certification. |
Summary Table (Data Owner Certification - Summary Page)
The table on the summary page lists the certification items needing review.
Column | Description |
---|---|
Attribute | Attributes are entitlements that map to different objects in a resource type. For example, database name is an attribute of MySQL™, UID is a UNIX attribute, and so on. |
Attribute Value | The value of the attribute listed. |
Resource | The name of the resource where the data being certified resides. |
Resource Type | The resource category that the resource belongs to. |
Status | Shows Declined if you clicked the Decline button for the data source. Otherwise, this field shows the percentage of the certification that is complete for this data source. |
Risk Level | The risk level (High, Medium, or Low) assigned to the entitlement / attribute-value on that row. |
Users | Shows the number of users that have this entitlement. |
Classification | Shows the classification value for the attribute value. |
Comments | Comments about this certification added by the certifier during the certification process. |
The entitlement detail page shows users who have the entitlement. To open this detail page, click an entitlement in the Attribute Value column on the data owner certification page.
Filter-Data-By Menu (Data Owner Certification - Entitlement Detail Page)
The Filter data by menu allows you to filter items within a certification by various criteria, such as risk level, certification status, and so on.
Filter expressions with multiple criteria are evaluated using the "AND" operator.
Filter option | Description |
---|---|
Decision | Display users whose Decision status matches the value selected. Select All to display all users. |
By User Attribute | Display users with attributes such as User Name, First Name, City, Country, and so on that match the supplied value. The asterisk ( |
Risk Summary | Display users by High, Medium, or Low risk level. Aggregated risk is based on the combined risk level of the roles, accounts, and entitlements that the user holds. |
Last Certification | Display users based on the previous certification status. |
Policy Violations | Display users who have one or more policy violations. |
Provisioning Method | Display users based on the provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Actions Menu (Data Owner Certification - Entitlement Detail Page)
Use the Actions menu to change status, reset status, or edit a comment for one or more entries in the certification.
Action | Description |
---|---|
Certify | The user entitlement is valid for this resource for this certification. |
Revoke | The user entitlement is not valid for this resource for this certification. |
Abstain | You are not responsible for verifying the user entitlement for this resource. |
Certify Conditionally | You temporarily certify the user entitlement even though it might not be valid. Selecting this option requires you to enter an end date and you are prompted to annotate this record with a comment. The system includes the end date and comment when it generates reports. The system does not revoke the access or send out notices regarding expired end dates. |
Reset Status | Clear the decision column for the selected entries to indicate that no action has been taken. |
Edit Comment | Modify the comment for the selected entries. |
Note:
If you select all of the listed accounts when you choose an action, the system asks you to confirm whether the action should be applied to "Items on this page only" or "All remaining items." Note that the "All remaining items" option applies only to all of the accounts assigned the current attribute value. It does not apply to all of the accounts assigned to the remaining attribute values in the certification.
Entitlement Detail Table (Data Owner Certification - Entitlement Detail Page)
This table lists the users who have the selected entitlement.
Column | Description |
---|---|
Account Name | The name of the user's account on the resource. Click the More-Info icon to see additional account details. |
First Name | The user's first name. |
Last Name | The user's surname. |
Decision | One of the following: |
Risk Summary | The overall risk level for the user for this entitlement. This value is determined by choosing the highest risk level across the next three columns. |
Policy Violations | Yes if the policy is causing a violation, otherwise No. A violation is considered to be high risk, and no policy violation is low risk. This value contributes to the overall risk level as shown in the Risk Summary column. |
Last Certification | The status of the previous certification of this policy or attribute. One of the following: Certify, Revoke, Decline, Certify Conditionally, or New. |
Provisioning Method | The provisioned-by information returned by Oracle Identity Manager if OIM and OIA have been configured to work together. |
Comments | Comments entered about this user by a reviewer. |
The certification details pop-up can be displayed by clicking the information icon found next to the certification name in the summary view for each type of certification.
The Certification Details pop-up window opens and displays information in the following sections:
Use the certification details page to view detailed information about a certification.
Note - The details displayed in the Certification Overview section vary based on the type of certification you have open.
Table 7-4 Screen elements in the Certification Overview section of the Certification Details page
Details | Description |
---|---|
Certification | Displays the name of the certification. Certifications use the following naming convention: Name-of-the-certification_Certifier's-last name_Certifier's-first-name |
Business structure | Displays the business structure selected for the certification. |
Completed | Displays the progress (in percentage) of the certification completion. |
Number of users | Displays the number of users that are part of the certification. |
Number of roles | Displays the number of roles that are part of the certification. |
Number of accounts | Displays the number of accounts that are part of the certification. |
Number of resources | Displays the number of resources that are part of the certification. |
Number of attribute values | Displays the number of attribute values that are part of the certification. |
Certifier | Displays the name of the certifier. |
Search button | Option to delegate the certification to another manager. |
Note - The details displayed in the Certification Overview section vary depending on the certification page that you have open.
Table 7-5 Screen elements in the Certification History section of the Certification Details page
Details | Description |
---|---|
Start Date | The suggested start date to perform the certification. |
End Date | The date when the certification expires. Managers cannot review certifications after the expiration date. |
Incremental | If a certification is marked as incremental, then certifiers are required to certify only the changes made to a certification after the last time it was certified. Otherwise, certifiers are required to complete the entire certification again. |
Created By | Displays the name of the creator of the certification. |
Creation Date | Displays the date of creation. |
Last Updated By | Displays the name of the user who updated the certification. |
Last Update Date | Displays the date of the last update. |
During the certification process you can view additional details about roles, accounts, attributes, and policies by clicking a More-Info link. When you click a More-Info link, one of four Meta Information pages opens. The following sections provide details about the Meta Information pages.
The Role Meta-Information Pop-Up consists of four sections:
General - This section includes information about the role.
General tab - Displays basic information about the role.
Business Structures tab - Displays business structures associated with the role.
Users tab - Displays users assigned to the role.
Exclusion Roles tab - Displays conflicting roles. This helps define segregation of duties at the role level.
Ownership tab - Displays the role owner.
Custom Properties tab - Displays the custom properties associated with the role.
Rules - This section displays rules associated with the role.
Certification History - This section shows the certification history of the role. Information includes last date of action, the nature of the action, and comments, if any.
Policy Entitlements - This section displays all the policies that are part of the role. All policy-related information, such as business structures, roles, resources, exclusion policies, ownership information, and entitlements, are displayed.
Provisioning Method - (This section is available if the Oracle Identity Manager provisioning solution is enabled.) Provisioning Method provides information about how the item was provisioned to the system.
Open Audit Exception - This section shows if the role is part of an open-audit exception. An open-audit exception is a violation that has not been fixed.
The Accounts Meta-Information Pop-Up consists of four sections:
General - This provides information about the account and its entitlements.
Account - This lists account information such as name, resource, and domain.
Entitlement - This lists information about the account's entitlements.
Open Audit Exception - This section shows if the account is part of an open-audit exception. An open-audit exception is a violation that has not been fixed.
Certification History - This section shows the certification history of the account. The information provided here includes a description of the action taken, the date that the action was taken, and comments, if any.
Provisioning Method - (This section is available if the Oracle Identity Manager provisioning solution is enabled.) Provisioning Method provides information about how the item was provisioned to the system.
User Activity - This section displays the user's recent account activity. The section is divided into two subtabs:
Alerts - Displays the alerts raised by the Intellitactics Security Information and Event Monitoring (SIEM) solution when it detects event violations based on the SIEM solution's internally defined rule set. The tab displays the alert title, description, time range, score, and status. These fields display the value captured by the SIEM solution.
All Events - Displays user activity events, which are collected by monitored endpoints by the Intellitactics SIEM system and reported in Oracle Identity Analytics as daily summarized data. The tab displays the event ID, event type, time range, count, and user ID. These fields display the value captured by the SIEM solution.
Note - The User Activity section will be displayed if Oracle Identity Analytics is integrated with Intellitactics Security Manager, a security information and event monitoring solution. To learn more about Intellitactics Security Manager, see "Integrating with Intellitactics Security Manager" in the Administrator's Guide for Oracle Identity Analytics.
The Attribute Meta-Information Pop-Up consists of the following sections:
General - This section lists the attribute name, value, and glossary information. It also lists the attribute hierarchy, if any.
Certification History - This section shows the certification history of the attribute. The information provided includes a description of the action taken, the date the action was taken, and comments, if any.
Provisioning Method - (This section is available if the Oracle Identity Manager provisioning solution is enabled.) Provisioning Method provides information about how the item was provisioned to the system.
The Policy Meta-Information Pop-Up consists of three sections:
General - This section includes information about the policy.
General tab - Displays basic information about the policy.
Business Structures tab - Displays the business structures associated with the policy.
Ownership tab - Displays the policy owner.
Resources tab - Displays all the resources associated with the policy.
Exclusion Policies tab - Displays conflicting policies. This helps define segregation of duties at the policy level.
Roles tab - Displays the roles associated with the policy.
Entitlements tab - Displays the attribute and the corresponding attributes values.
Open Audit Exception - This section shows if the account is part of an open audit exception. An open audit exception is a violation that has not been fixed.
Certification History - This section shows the certification history of the account. Information includes a description of the action taken, the date the action was taken, and comments, if any.
This section describes how to complete certifications in Oracle Identity Analytics. It includes the following topics:
Log in to Oracle Identity Analytics.
Choose Identity Certifications > My Certifications.
To search for specific certifications, use the Show Me drop-down menu, or click the expand icon on the left side of the page to open the Search panel.
The Show Me drop-down menu displays the following options: New & In Progress, All, New, In Progress, Complete, and Expired.
The search panel enables you to search for a certification using the following fields: Certification Name, Business Structure, Created By, Updated By.
Certifications use the following naming convention:
Name-of-the-certification_Certifier's-last name_Certifier's-first-name.
Note:
- During certification, to obtain additional information about users, roles, attributes, and policies, click the More Info link.
Click a certification to open it.
The Certification Details page opens.
Use the steps in this section if you want to delegate a particular certification to someone else.
Note:
If you will be unable to complete certifications for an extended period of time, you can delegate certifications to another user to complete. Refer to Section 4.1.2.1, "To Delegate Certification-Related Duties to Another User" to delegate all certification completion tasks to another manager.
Before You Begin - Open your list of assigned certifications by following the steps in the Section 7.4.1, "To Find and Open Your Certifications" section.
Click to open the certification that you want to delegate.
The Certification page opens.
Click the More Info icon next to the certification name on the summary page.
Your name will be displayed as the certifier in the Certification Overview box.
Click the Search icon to search for a user to delegate the certification to. For help using Search, see Section 6.3.1, "Searching for a User."
Click Close.
User Entitlement Certification enables managers to certify employee access to roles and related entitlements. To complete a user entitlement certification, follow these steps:
Before You Begin - Open your user entitlement certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.
Reassign users who do not work for you.
See Section 7.4.3.1, "Step One: Re-Assign Users Who do not Work for You" for more information.
Review users' roles and entitlements. Revoke the roles and entitlements that are no longer applicable and certify the rest.
See Section 7.4.3.2, "Step Two: Review Roles and Entitlements and Revoke Those That No Longer Apply" for more information.
(Optional) Bulk certify multiple users with low risk levels.
See Section 7.4.3.3, "Step Three: Bulk Certify Low-Risk Users (Optional)" for more information.
Complete the user entitlement certification.
See Section 7.4.3.4, "Step Four: Complete the User Entitlement Certification" for more information.
Review the certification and verify that the listed employees work for you and also that you are responsible for verifying their assigned roles and entitlements.
Remove users who do not belong in your verification queue by selecting the check box next to each user name and clicking one of the following buttons:
Decline - The employee does not work for you and you are not responsible for verifying his or her assigned roles and entitlements.
Delegate - The employee reports to another manager. Select the manager who is responsible for verifying this employee's assigned roles and entitlements. You will not approve or revoke roles and entitlements for this employee.
Disclaim Worker - The employee is no longer part of the organization. The employee is removed from the certification process and you will not approve or revoke roles and entitlements for this employee. To return a user to your verification queue, select the check box next to the user name and click the following button:
Claim - Restores a user to your verification queue for certification.
Tip:
For a description of the fields on the User Entitlement Certification user interface pages, see Section 7.3.2, "User Entitlement Certification Help."
Before You Begin - Complete the steps in Section 7.4.3.1, "Step One: Re-Assign Users Who do not Work for You."
Filter the users in your certification queue by risk level or assignment status by choosing an option from the Filter Users By menu.
Show All - Displays all users.
Risk Level - Display users by High, Medium, or Low risk level. Click + to add an additional filter option; click - to remove the filter option. Click Apply to apply the filter and refresh the page.
Status - Display users by Claim, Decline, Delegate, or Disclaim status.
Note:
Status terminology is configurable. The terminology in use at your organization may differ from the terms listed here.
Click a user to review the employee's assigned roles.
Tip:
If the user has a large number of roles, use the Filter Roles By menu to view only High, Medium, or Low risk-level roles. For a description of the fields on the user entitlement user interface pages, see Section 7.3.2, "User Entitlement Certification Help."
Carry out the following actions as required:
Revoke - To revoke a role if the entitlement is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the accounts and entitlements that make up the revoked roles will be automatically de-provisioned.
Certify Conditionally - To temporarily certify one or more entitlements, even though the entitlements might not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.
Certify - To certify one or more roles if they are valid for this user, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.
Decline - Select the applicable check boxes and click Decline if you do not know if the employee's access is valid. The employee's access is neither certified nor revoked. The employee's access details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.
Click the Entitlements tab to review the user's entitlements that have been assigned outside of a role. Revoke, Certify Conditionally, Certify, and/or Decline the user's entitlements as needed.
Click Back to Search Results to review the next employee's assigned roles and entitlements and to revoke those that are no longer applicable.
The bulk certify action will certify the selected users and set the status to 100%. Any blank status on a role, an account, or an entitlement for the selected users will be set to Certify.
Before You Begin - For employees who do not have low risk levels, complete the steps in Section 7.4.3.2, "Step Two: Review Roles and Entitlements and Revoke Those That No Longer Apply."
To bulk certify multiple users, select the check box next to each user name and click the Certify User button.
Note:
Use the global check box at the top of the column to select all of the employees listed. In the dialog box, choose whether you want to certify only the users who are displayed on the current page, or if you want to certify all of the users in the certification.
Type a comment in the box and click OK.
When all of the users are certified, the Complete Certification dialog box opens.
Note - To be complete, the Certification Details page should show 100% complete for all users.
Do one of the following:
To complete the certification, select Yes, type your password, and click Submit.
To edit the certification or return to the certifications page, select Not right now.
Role Entitlement Certification enables role owners to certify roles and role content. To complete a role entitlement certification, follow these steps:
Before You Begin - Open your role entitlement certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.
Decline the roles that do not belong to you. See Section 7.4.4.1, "Step One: Decline the Roles That do not Belong to You" for more information.
Review the content of your roles. Revoke the policies, entitlements, and role members that are no longer correct and certify the rest. See Section 7.4.4.2, "Step Two: Review the Contents of Your Roles" for more information.
(Optional) Bulk certify roles with low risk levels. See Section 7.4.4.3, "Step Three: Bulk Certify Low-Risk Roles (Optional)" for more information.
Complete the role entitlement certification. See Section 7.4.4.4, "Step Four: Complete the Role Entitlement Certification" for more information.
Review the certification and verify that the listed roles belong to you and that you are responsible for verifying the roles and the role content.
Decline the roles that do not belong in your verification queue by selecting the check box next to each role name and clicking one of the following buttons:
Decline - The role does not belong to you and you are not responsible for verifying the role and its content.
Claim - The role belongs to you and you are responsible for verifying the role and its content.
Tip:
For a description of the fields on the Role Entitlement Certification user interface pages, see Section 7.3.3, "Role Entitlement Certification Help."
Before You Begin - Complete the steps in Section 7.4.4.1, "Step One: Decline the Roles That do not Belong to You."
Filter the roles in your certification queue by risk level by choosing an option from the Filter Data By menu.
Click a role to open the policies detail page. The policies detail page shows the policies that belong to this role, as well as the attributes (or entitlements) that make up each policy.
Review the role's policies and attributes.
Tip:
If the role has a large number of policies and attributes, use the Filter Data By menu to view only High, Medium, or Low risk-level items.
For a description of the fields on the role entitlement user interface pages, see Section 7.3.3, "Role Entitlement Certification Help."
Carry out the following actions as required:
Revoke - If a policy or attribute is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the policy or attribute will be automatically de-provisioned.
Certify Conditionally - To temporarily certify a policy or attribute, even though the policy or attribute may not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.
Certify - To certify a policy or attribute if it is valid for this user, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.
Decline - Select the applicable check box and click Decline if you do not know whether the policy or attribute is valid. The policy or attribute is neither certified nor revoked. The role's details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.
Click the Members tab to review the users who have this role assigned. Revoke, Certify Conditionally, Certify, and/or Decline the role's members as needed.
Click Back to Search Results to review the next role's assigned policies and attributes and to revoke those that are no longer applicable.
The Complete Roles action will certify the selected roles and set the status to 100%. Any blank status on a policy, attribute, or role member for the selected roles will be set to Certify.
Before You Begin - For roles that do not have low risk levels, complete the steps in Section 7.4.4.2, "Step Two: Review the Contents of Your Roles."
To bulk certify multiple roles, select the check box next to each role name and click the Complete Roles button.
Note - Use the global check box at the top of the column to select all of the roles listed. In the dialog box, choose whether you want to certify only the roles that are displayed on the current page, or if you want to certify all of the roles in the certification.
Type a comment in the box and click OK.
When all of the roles are certified, the Complete Certification dialog box opens.
Note - To be complete, the Certification Details page should show 100% complete for all roles.
Do one of the following:
To complete the certification, select Yes, type your password, and click Submit.
To edit the certification or return to the certifications page, select Not right now.
Resource Entitlement Certification involves certifying or revoking employee entitlements on one or more resources. Resource entitlements are entitlements that are assigned directly to an employee and are not assigned to an employee as part of a role. To complete a resource entitlement certification, follow these steps:
Before You Begin - Open your resource entitlement certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.
Decline the resources that do not belong to you. See Section 7.4.5.1, "Step One: Decline the Resources That do not Belong to You" for more information.
Review the accounts and attributes (entitlements) that are assigned to users. Revoke the accounts and attributes that are no longer correct and certify the rest. See Section 7.4.5.2, "Step Two: Review Your Account and Attribute Assignments" for more information.
(Optional) Bulk certify resources with low risk levels. See Section 7.4.5.3, "Step Three: Bulk Certify Resources With Low-Risk Assignments (Optional)" for more information.
Complete the resource entitlement certification. See Section 7.4.5.4, "Step Four: Complete the Resource Entitlement Certification" for more information.
Review the certification and verify that the listed resource belongs to you and that you are responsible for verifying the resource accounts and attributes (entitlements) that are assigned to users.
Decline the resources that do not belong in your verification queue by selecting the check box next to each resource name and clicking one of the following buttons:
Decline - The resource does not belong to you and you are not responsible for verifying the users with accounts and entitlements on the resource.
Claim - The resource belongs to you and you are responsible for verifying the users with accounts and entitlements on the resource.
Tip:
For a description of the fields on the Resource Entitlement Certification user interface pages, see Section 7.3.4, "Resource Entitlement Certification Help."
Before You Begin - Complete the steps in Section 7.4.5.1, "Step One: Decline the Resources That do not Belong to You."
Filter the resources in your certification queue by risk level by choosing an option from the Filter Data By menu.
Click a resource name to open the resource detail page. The resource detail page shows the accounts and attributes (entitlements) that are assigned to users.
Review the assigned accounts and attributes.
Tip:
If the resource has a large number of assigned accounts and attributes, use the Filter Data By menu to view only High, Medium, or Low risk-level items.
For a description of the fields on the resource entitlement user interface pages, see Section 7.3.4, "Resource Entitlement Certification Help."
Carry out the following actions as required:
Revoke - If an assigned account or entitlement is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the account or attribute will be automatically de-provisioned.
Certify Conditionally - To temporarily certify an assigned account or entitlement, even though the account or entitlement may not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.
Certify - To certify an assigned account or entitlement, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.
Decline - Select the applicable check box and click Decline if you do not know whether the assigned account or entitlement is valid. The assigned account or entitlement is neither certified nor revoked. The resource's details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.
Click Back to Search Results to review the next resource's assigned accounts and attributes and to revoke those that are no longer applicable.
The Complete Resource action will certify the selected resources and set the status to 100%. Any blank status on an account or attribute (entitlement) for the selected resources will be set to Certify.
Before You Begin - For resources that do not have low risk levels, complete the steps in Section 7.4.5.2, "Step Two: Review Your Account and Attribute Assignments."
To bulk certify multiple resources, select the check box next to each resource name and click the Complete Resource button.
Tip:
Use the global check box at the top of the column to select all of the resources listed. In the dialog box, choose whether you want to certify only the resources that are displayed on the current page, or if you want to certify all of the resources in the certification.
Type a comment in the box and click OK.
When all of the resources are certified, the Complete Certification dialog box opens.
Note - To be complete, the Certification Details page should show 100% complete for all resources.
Do one of the following:
To complete the certification, select Yes, type your password, and click Submit.
To edit the certification or return to the certifications page, select Not right now.
Data Owner Certification enables data owners to certify whether employees should be able to access data. To complete a data owner certification, follow these steps:
Before You Begin - Open your data owner certification. See Section 7.4.1, "To Find and Open Your Certifications" for instructions.
Decline any data sources that do not belong to you. See Section 7.4.6.1, "Step One: Decline the Data Sources That do not Belong to You" for more information.
Review the list of users who are assigned to the data source. Revoke the user accounts that should not have access and certify the rest. See Section 7.4.6.2, "Step Two: Review Your User Assignments" for more information.
(Optional) Bulk certify items with low risk levels. See Section 7.4.6.3, "Step Three: Bulk Certify Data Sources With Low-Risk Assignments (Optional)" for more information.
Complete the data owner certification. See Section 7.4.6.4, "Step Four: Complete the Data Owner Certification" for more information.
Review the certification and verify that the listed data sources belong to you and that you are responsible for verifying user access to the data.
Decline the data sources that do not belong in your verification queue by selecting the check box next to each Attribute/Attribute-Value name and clicking one of the following buttons:
Decline - The data source does not belong to you and you are not responsible for verifying the users with access privileges to the data.
Claim - The data source belongs to you and you are responsible for verifying the users with access privileges to the data.
Tip:
For a description of the fields on the Data Owner Certification user interface pages, see Section 7.3.5, "Data Owner Certification Help."
Before You Begin - Complete the steps in Section 7.4.6.1, "Step One: Decline the Data Sources That do not Belong to You."
Filter the data sources in your certification queue by risk level by choosing an option from the Filter Data By menu.
Click an attribute value to open the entitlement detail page. The entitlement detail page shows the users who are assigned to the data source.
Review the list of assigned users.
Tip:
If the data source has a large number of assigned users, use the Filter Data By menu to view only High, Medium, or Low risk-level items.
For a description of the fields on the Data Owner Certification user interface pages, see Section 7.3.5, "Data Owner Certification Help."
Carry out the following actions as required:
Revoke - If a user account is not valid, select the applicable check boxes and click Revoke. Type a note in the Comments pop-up and click OK. If closed-loop remediation is configured, the account will be automatically de-provisioned.
Certify Conditionally - To temporarily certify a user, even though the user access may not be valid, select the applicable check boxes and click Certify Conditionally. Use the End Date box to specify the date when the certification will expire, type a note in the Comments box, and click OK.
Certify - To certify a user, select the applicable check boxes and click Certify. Type a note in the Comments pop-up and click OK.
Decline - Select the applicable check box and click Decline if you do not know whether the user access is valid. The user access is neither certified nor revoked. The details appear in the certification report for post-certification action. When selecting Decline, you are prompted to annotate this record with a comment.
Click Back to Search Results to review the next data source's assigned users and to revoke those that are no longer applicable.
The Complete User Access action will certify the selected data sources and set the status to 100%. Any blank status on a user account for the selected data sources will be set to Certify.
Before You Begin - For data sources that do not have low risk levels, complete the steps in Section 7.4.6.2, "Step Two: Review Your User Assignments."
To bulk certify multiple data sources, select the check box next to each attribute-name/attribute-value and click the Complete User Access button.
Note - Use the global check box at the top of the column to select all of the data sources listed. In the dialog box, choose whether you want to certify only the data sources that are displayed on the current page, or if you want to certify all of the data sources in the certification.
Type a comment in the box and click OK.
When all of the data sources are certified, the Complete Certification dialog box opens.
Note - To be complete, the Certification Details page should show 100% complete for all data sources.
Do one of the following:
To complete the certification, select Yes, type your password, and click Submit.
To edit the certification or return to the certifications page, select Not right now.
As a certifier, you can directly de-provision the accounts or roles you revoke during the certification process. Check with your Oracle Identity Analytics administrator to confirm whether this feature is configured.
To check and de-provision accounts, do the following:
Review and certify or revoke access to accounts, attributes, roles, policies and entitlements.
Select 'revoke' from the drop-down menu against an account, attribute, role or policy.
Click the hyperlinked resource name under the resource column.
Follow the steps.
Note - If Oracle Identity Analytics is integrated with Oracle Waveset (Sun Identity Manager), then revoked accounts will be de-provisioned automatically.
Managers can view or export reports of completed certifications. Various reports are available for each certification type.
Log in to Oracle Identity Analytics.
Choose Identity Certifications > My Certifications.
Choose Complete from the Show Me drop-down menu.
A list of completed certifications is displayed.
Click the certification that you want to view.
Select the type of report you want to view and click OK.
The report is displayed.
Click Actions to either print or export the report.
This section details the various certification reports that are available in Oracle Identity Analytics.
Table 7-6 User Entitlement Certification Reports
Reports Available | Description |
---|---|
Revoked access report |
Lists access marked as revoked. |
Certified access report |
Lists access marked as certified. |
Terminated users report |
Lists employees that were marked as terminated. |
Completed certification report |
Comprehensive report of a user entitlement certification. This report includes a list of all employees and their access. |
Abstain report |
Lists certification items that the certifier declined to complete because the certifier is not responsible for verifying the user's assigned roles and entitlements. |
Certify conditionally report |
Lists access that the certifier temporarily certified, even though the access may not be valid. Certifiers are required to enter an end date, which is included in this report; however, the system does not revoke the access or send out notices regarding expired end dates. |
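The following is an added illustration, not code from Oracle Identity Analytics, of the certification rules described in the bulk certify steps above and in the Certify conditionally report row: a bulk certify sets every blank status to Certify and makes the reviewee 100% complete, Complete Certification is only valid at 100% for everyone in the queue, and a conditional certification keeps its end date without the product revoking or notifying when it passes. The data model, the `Low`/`Medium`/`High` risk labels and the sample queue are simplified assumptions for the example; the expiry check at the end is the follow-up a reviewer would run outside the tool.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Decisions a certifier can record on an item (role, account, entitlement,
# policy, attribute, or role member).
CERTIFY = "Certify"
CERTIFY_CONDITIONALLY = "Certify Conditionally"
REVOKE = "Revoke"
DECLINE = "Decline"

@dataclass
class Item:
    name: str
    status: Optional[str] = None        # None = blank, not yet reviewed
    end_date: Optional[date] = None     # set only by Certify Conditionally
    comment: str = ""

@dataclass
class Reviewee:
    """One user, role, resource or data source in a certification queue (assumed model)."""
    name: str
    risk: str                           # "Low", "Medium" or "High" (assumed labels)
    items: List[Item] = field(default_factory=list)

    def percent_complete(self) -> int:
        reviewed = sum(1 for i in self.items if i.status is not None)
        return 100 * reviewed // len(self.items) if self.items else 100

def certify_conditionally(item: Item, end_date: date, comment: str) -> None:
    """Every decision prompts for a comment; a conditional one also needs an end date."""
    if not comment:
        raise ValueError("a comment is required")
    item.status, item.end_date, item.comment = CERTIFY_CONDITIONALLY, end_date, comment

def bulk_certify(reviewees: List[Reviewee], comment: str, low_risk_only: bool = True):
    """Bulk action: blank statuses become Certify, so each reviewee shows 100%.
    The 'Before You Begin' notes say non-low-risk items are reviewed first,
    so by default this refuses to bulk certify anything that is not Low risk."""
    for r in reviewees:
        if low_risk_only and r.risk != "Low":
            raise ValueError(f"{r.name} is {r.risk} risk: review its items individually first")
        for i in r.items:
            if i.status is None:
                i.status, i.comment = CERTIFY, comment
    return reviewees

def can_complete(reviewees: List[Reviewee]) -> bool:
    """Complete Certification is only valid when every reviewee is 100% complete."""
    return all(r.percent_complete() == 100 for r in reviewees)

def expired_conditional(reviewees: List[Reviewee], today: date):
    """Conditional certifications past their end date. OIA reports the end date
    but neither revokes the access nor notifies, so this check is the follow-up."""
    return [(r.name, i.name) for r in reviewees for i in r.items
            if i.status == CERTIFY_CONDITIONALLY and i.end_date and i.end_date < today]

def sample_queue() -> List[Reviewee]:
    """Constructed sample data: one low-risk user fully blank, one high-risk user half reviewed."""
    alice = Reviewee("alice", "Low", [Item("hr-app account"), Item("Payroll Viewer role")])
    bob = Reviewee("bob", "High", [Item("ledger account"), Item("ledger:approve")])
    certify_conditionally(bob.items[1], date(2024, 1, 31), "contractor, re-check at month end")
    return [alice, bob]
```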
Table 7-7 Role Entitlement Certification Reports
Reports Available | Description |
---|---|
Revoked entitlement report |
Lists entitlements marked as revoked. |
Certified entitlement report |
Lists entitlements marked as certified. |
Complete certification report |
Comprehensive report of a role entitlement certification. |
Table 7-8 Resource Entitlement Certification Reports
Reports Available | Description |
---|---|
Revoked entitlement report |
Lists entitlements marked as revoked. |
Certified entitlement report |
Lists entitlements marked as certified. |
Completion certification report |
Comprehensive report of a resource entitlement certification. |
Table 7-9 Data Owner Certification Reports
Reports Available | Description |
---|---|
Certify Access report |
Lists access marked as certified. |
Revoked access report |
Lists access marked as revoked. |
Declined report |
Lists access that the certifier declined to review because the data source does not belong to the certifier. |
Complete data ownership report |
Comprehensive report of a data owner certification including revoked and certified access. |