7 Oracle Identity Analytics Identity Certifications

This chapter contains the following sections:

7.1 Overview

This chapter discusses identity certification tasks that need to be completed by an Oracle Identity Analytics business administrator. Identity certification information for business users, including information about how to complete identity certifications, is included in the User's Guide for Oracle Identity Analytics.

See the User's Guide for Oracle Identity Analytics to learn more about the following identity certification topics:

  • Identity certification overview

  • Understanding the identity certification user interface

  • Finding and reassigning certifications

  • Completing certifications

  • Getting more information about user accounts, roles, attributes, and policies

  • Viewing certification reports

For information about configuring identity certifications, see the following topics:

For information about how Risk Summaries are calculated, as well as information about running the Risk Aggregation job, see the following topic:

7.2 Creating New Certifications

Four types of certifications can be created in Oracle Identity Analytics. Each type of certification addresses a particular use-case—a specific type of review that enterprises commonly perform. Each type of actor reviews a different subset of access-related data from a specific point of view.

Table 7-1 The Four Identity Certification Types in Oracle Identity Analytics

  • User Entitlement Certification - Allows managers to certify employee access to roles, accounts, and entitlements. This is the most common and most sweeping type of certification. Typically, each manager in an organization reviews the access-privileges of the people who report directly to that manager. Each reviewer in a certification of this type is focused on his or her direct-reports, but is expected to review all of the access-privileges for each of those people.

  • Role Entitlement Certification - Allows role owners to certify role content and role members. This certification is used in organizations that have implemented role-based access control (RBAC). Typically, the owner of a role is the person responsible for reviewing its definition (that is, the set of access-privileges that it conveys) as well as its membership (the set of users to whom the role has been assigned). Each reviewer in a certification of this type is focused on a particular enterprise role.

  • Resource Entitlement Certification - Allows the person who is responsible for a particular system or application to review the set of users who have accounts on that system or application. The reviewer can drill down and view the details of the access-privileges of each account. Each reviewer in a certification of this type is focused on one specific system or application.

  • Data Owner Certification - Allows data owners to certify user accounts that have a particular privilege. This certification is used if a specific person is responsible for a particular entitlement (that is, an Attribute Value or a group membership that confers a specific access-privilege). The data owner can review the set of user accounts that have that particular entitlement. Each reviewer in a certification of this type is focused on one specific privilege within one specific resource.


7.2.1 To Create a User Entitlement Certification

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. Click New Certification.

    The Create Certification window opens.

  4. Complete the form as follows, then click Next:

    • Certification Name - Type a name for the certification.

    • Type - Select User Entitlement from the drop-down menu.

    • Incremental - This setting enables certifiers to certify or revoke only changes or inclusions made to a certification. It eliminates the need to review the access of users who have been certified.

      See Section 7.2.5, "Understanding the Incremental Certification Option" for more information.

  5. Select a user-selection strategy from the drop-down menu, then click Next:

    • All business structures - Selects all business structures created in Oracle Identity Analytics.

    • Selected business structures - Allows you to manually select specific business structures. Click Next.

      Note:

      When completing a certification, the Business Structure name or any other details about the Business Structure will be shown only if both the following conditions are met:

      • The user-selection strategy for the certification is by business structures.

      • The certifier is the Business Structure Manager.

    • All users - Selects all the users in the system.

    • Users criteria - Selects all the users that meet the given search condition. For help with search, see "Searching for a User" in the "Identity Warehouse" section of the User's Guide for Oracle Identity Analytics. You can preview the results of this selection.

    • Selected users - Allows you to select specific users from a list of users in the system. Click Next.

  6. Complete the Period and Certifier form as follows, then click Next:

    • Certifier - You can select Business Structure Manager, User Manager, or search for an authorized user to specify as the certifier.

    • Start Date - Enter the start date. The certification is valid as of the start date.

    • End Date - Enter the end date. The certification expires after the end date. Managers cannot review certifications after the expiration date.

    • Configuration Details - Select the check box to change the configuration of the certification you are creating. For detailed instructions on customizing configuration settings, see Section 11.2.1, "Identity Certification Configuration." After clicking Next, the summary page opens.

      Click Back if you want to modify any selection.

  7. Select one of the following options:

  8. Click Create.

7.2.2 To Create a Role Entitlement Certification

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. Click New Certification.

    The Create Certification window opens.

  4. Complete the form as follows, then click Next:

    • Certification Name - Type a name for the certification.

    • Type - Select Role Entitlement from the drop-down menu.

    • Incremental - This setting enables certifiers to certify or revoke only changes or inclusions made to a certification. It eliminates the need to review role content that has already been certified.

      See Section 7.2.5, "Understanding the Incremental Certification Option" for more information.

  5. Select a role selection strategy from the drop-down menu, then click Next:

    • All business structures - Selects all business structures created in Oracle Identity Analytics.

    • Selected business structures - Allows you to manually select the business structures.

      Note:

      When completing a certification, the Business Structure name or any other details about the Business Structure will be shown only if both the following conditions are met:

      • The user-selection strategy for the certification is by business structures.

      • The certifier is the Business Structure Manager.

    • All roles - Selects all of the roles in the system.

    • Roles criteria - Selects all of the roles that meet the given search condition. You can preview the results of this selection.

    • Selected roles - Allows you to manually select the roles in the system.

  6. Complete the Period and Certifier form as follows, then click Next:

    • Certifier - You can select Business Structure Manager, Role Owner, or search for an authorized user to specify as the certifier.

    • Start Date - Enter the start date. The certification is valid as of the start date.

    • End Date - Enter the end date. The certification expires after the end date. Managers cannot review certifications after the expiration date.

    • Configuration Details - Select the check box to change the configuration of the certification you are creating. For detailed instructions on customizing configuration settings, see Section 11.2.1, "Identity Certification Configuration."

      After clicking Next, the summary page opens.

      Click Back if you want to modify any selection.

  7. Select one of the following options:

  8. Click Create.

7.2.3 To Create a Resource Entitlement Certification

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. Click New Certification.

    The Create Certification window opens.

  4. Complete the form as follows, then click Next:

    • Certification Name - Type a name for the certification.

    • Type - Select Resource Entitlement from the drop-down menu.

    • Incremental - This setting enables certifiers to certify or revoke only changes or inclusions made to a certification. It eliminates the need to review the access of users who have been certified.

      See Section 7.2.5, "Understanding the Incremental Certification Option" for more information.

  5. Select a user selection strategy from the drop-down menu, then click Next:

    • All business structures - Selects all business structures created in Oracle Identity Analytics.

    • Selected business structures - Allows you to manually select the business structures.

      Note:

      When completing a certification, the Business Structure name or any other details about the Business Structure will be shown only if both the following conditions are met:

      • The user-selection strategy for the certification is by business structures.

      • The certifier is the Business Structure Manager.

    • All users - Selects all the users in the system.

    • Users criteria - Selects all the users that meet the given search condition. For help with search, see "Searching for a User" in the "Identity Warehouse" section of the User's Guide for Oracle Identity Analytics. You can preview the results of this selection.

    • Selected users - Allows you to select specific users from a list of users in the system.

  6. Click Add Resource.

    The Select Resource(s) window opens.

  7. Select the desired resource and click OK.

  8. Click Next.

  9. Complete the Period and Certifier form as follows, then click Next:

    • Certifier - Select Business Structure Manager, User Manager, or search for an authorized user to specify as the certifier.

    • Start Date - Enter the start date. The certification is valid as of the start date.

    • End Date - Enter the end date. The certification expires after the end date. Managers cannot review certifications after the expiration date.

    • Configuration Details - Select the check box to change the configuration of the certification you are creating. For detailed instructions on customizing configuration settings, see Section 11.2.1, "Identity Certification Configuration." After clicking Next, the summary page opens. Click Back if you want to modify any selection.

  10. Select one of the following options:

  11. Click Create.

7.2.4 To Create a Data Owner Certification

Note:

You should only certify parent-level attributes imported from Oracle Identity Manager (attributes with the OIAParentAttribute property), not child-level attributes. If a child attribute is certified in a Data Owner certification, closed-loop remediation with OIM will not work.

Child-level attributes that were imported in a text file can be certified provided that the attributes are marked as certifiable using the Administration > Configuration > Resource Types > Resource page.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > My Certifications.

  3. Click New Certification.

    The Create Certification window opens.

  4. Complete the form as follows, then click Next:

    • Certification Name - Type a name for the certification.

    • Type - Select Data Owner from the drop-down menu.

    • Incremental - This setting enables certifiers to certify or revoke only changes or inclusions made to a certification. It eliminates the need to review the access of users who have been certified.

      See Section 7.2.5, "Understanding the Incremental Certification Option" for more information.

  5. Select a selection strategy from the drop-down menu, then click Next:

    • By Data Owner - Creates a certification for the attribute values for which the selected user is designated as the data owner.

      Click Add Data Owner, select the user, and click OK. For help using search, see the User's Guide for Oracle Identity Analytics, "Identity Warehouse" chapter, "Working With Users," "Searching for a User."

    • By Attribute - Creates a certification for data owners of the selected attribute values.

      Click the Add Attributes button. The Attribute Selection table appears.

      Select the resource type, resource, and attributes, and click OK.

  6. Click Next.

  7. Complete the Period and Certifier form as follows, then click Next:

    • Certifier - Select the data owner or an authorized user as the certifier.

    • Start Date - Enter the start date. The certification is valid as of the start date.

    • End Date - Enter the end date. The certification expires after the end date. Managers cannot review certifications after the expiration date.

    • Configuration Details - Select the check box to change the configuration of the certification you are creating. For detailed instructions on customizing configuration settings, see Section 11.2.1, "Identity Certification Configuration." After clicking Next, the summary page opens. Click Back if you want to modify any selection.

  8. Select one of the following options:

  9. Click Create.

7.2.5 Understanding the Incremental Certification Option

Incremental certification is a setting that allows managers to certify only those changes that are new since the last certification was created. This option is available if the certifier and certification type have not changed since the last certification. Enabling this setting saves time during the certification process.

The following options are available when the incremental certification option is selected:

  • Since Last Base - Specifies that Oracle Identity Analytics treat the previous non-incremental certification as the base. Managers then review user access and either certify or revoke those changes that have taken place after the base. Events that are considered to be changes include the addition of new users, new accounts, or new roles. For example, a certification in Q1 has two users. In Q2 a third user is added and the certifier must certify the access of the new user as part of an incremental certification. In Q3 a fourth user is added and another account access is given to the third user. The Q3 certification displays only the fourth user and the third user's new access.

  • Since Date - Specifies that Oracle Identity Analytics return only those certification changes made after the date provided. Access certifications that were certified before the given date have to be re-certified. For example, in January a certification is created with two users. In March, a third user is added and a certification is completed. In August, a fourth user is added. If you create an August certification and choose February 2nd as your base, the certification will return the user added in August, as well as any users certified before February 2nd (that is, the two users in January).

  • Show Previous Values - Specifies that Oracle Identity Analytics return the previous certified values during the certification process. A certifier can change these values, if required.

Note:

Incremental certification requires that the certifier and certification type remain the same. Also, incremental certification is valid only for completed certifications. Incremental certification does not apply for expired or incomplete certifications.
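As an added example (not Oracle's code and not an OIA API), the following Python models the two bases described in this section over a constructed certification history: "Since Last Base" excludes every row covered by the latest completed non-incremental certification and by completed incremental certifications created after it, while "Since Date" returns rows that were never certified or were last certified before the chosen date. The row shape (user, account), the dates, and the treatment of an expired incomplete certification as certifying nothing are assumptions drawn from the examples and the note above.

```python
from datetime import date

# Constructed certification history (invented dates and rows, not real OIA data).
# Rows are (user, account) pairs that a certifier reviewed in that certification.
HISTORY = [
    # January: full (non-incremental) certification, completed -> this is the base
    {"created": date(2011, 1, 15), "incremental": False, "completed": True,
     "rows": {("user1", "acct-a"), ("user2", "acct-a")}},
    # March: incremental certification, completed -> user3 is now certified
    {"created": date(2011, 3, 15), "incremental": True, "completed": True,
     "rows": {("user3", "acct-a")}},
    # June: incremental certification that expired without being completed.
    # Per the note above it certifies nothing, so user4 must still be reviewed.
    {"created": date(2011, 6, 15), "incremental": True, "completed": False,
     "rows": {("user4", "acct-a")}},
]

# Access present in the warehouse when the August certification is created.
CURRENT_ACCESS = {
    ("user1", "acct-a"), ("user2", "acct-a"),
    ("user3", "acct-a"), ("user3", "acct-b"),  # user3 gained a second account
    ("user4", "acct-a"),                        # user4 is a new user
}


def rows_since_last_base(history, current):
    """Since Last Base: take the latest completed non-incremental certification
    as the base; rows certified in it, or in any completed incremental
    certification created after it, are excluded. The remainder is the new
    access the certifier has to certify or revoke."""
    completed = [c for c in history if c["completed"]]
    bases = [c for c in completed if not c["incremental"]]
    if not bases:
        return sorted(current)  # no usable base: everything needs a full review
    base_date = max(c["created"] for c in bases)
    certified = set()
    for c in completed:
        if c["created"] >= base_date:
            certified |= c["rows"]
    return sorted(current - certified)


def rows_since_date(history, current, since):
    """Since Date: rows are returned for (re-)certification unless a completed
    certification dated on or after `since` already covered them. `since` may
    be a date or an ISO string such as "2011-02-02"."""
    if isinstance(since, str):
        since = date.fromisoformat(since)
    last_certified = {}
    for c in history:
        if not c["completed"]:
            continue
        for row in c["rows"]:
            if row not in last_certified or c["created"] > last_certified[row]:
                last_certified[row] = c["created"]
    return sorted(r for r in current
                  if r not in last_certified or last_certified[r] < since)


if __name__ == "__main__":
    print("Since Last Base:", rows_since_last_base(HISTORY, CURRENT_ACCESS))
    print("Since 2011-02-02:", rows_since_date(HISTORY, CURRENT_ACCESS, "2011-02-02"))
```

With this data, Since Last Base returns only user3's second account and user4, mirroring the Q3 example; Since Date with 2 February returns the two January users for re-certification plus the never-certified rows, while user3's March-certified account stays out, mirroring the August example.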

7.3 Scheduling Certifications

Certifications are scheduled as part of the new certification creation process. For more information, see Section 7.2, "Creating New Certifications." Certifications can be scheduled to run once, or to repeat on a daily, weekly, or monthly basis.

7.3.1 To Schedule a Certification

Before You Begin - You need to create a new certification before you can schedule it. See Section 7.2, "Creating New Certifications."

  1. Complete the Certification Job form as follows:

    • Certification Job Name - Type the name of the job.

    • Certification Job Description - Type a description.

    • Select Daily, Weekly, Monthly, or One-time-only based on how often certifications should be run.

    • Scheduled Dates - Select the time and day for the task to start.

  2. Click Create.

The certification job is displayed in the Identity Certification > Certification Jobs section.

7.3.2 To Delete a Certification Job

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certifications > Certification Jobs.

    The Certification Jobs page opens.

  3. Find the certification job that you want to delete, and click Delete in the Actions column.

    A window confirming the action opens.

  4. Click Yes.

7.4 Understanding Closed-Loop Remediation and Remediation Tracking

Closed-loop remediation is a feature that allows you to directly revoke roles and entitlements from the provisioning solution as a result of roles and entitlements revoked during the certification process. This feature is applicable only if the provisioning solution is either Oracle Identity Manager or Oracle Waveset (Sun Identity Manager).

For non-managed applications, however, you can manually revoke roles and entitlements by using the information stored in the remediation configuration module.

The remediation status can be tracked in the remediation tracking module for auditing purposes.

7.4.1 Configuring Closed-Loop Remediation

Configuring closed-loop remediation is a two-step process:

  1. Selecting the provisioning mode used for the resource

  2. Selecting the remediation kick-off date

7.4.1.1 To Select Provisioning Mode

To define the remediation process, first select the provisioning mode used for the resource. If auto mode is selected, choose the appropriate provisioning connection. If manual mode is selected, you must describe the steps required to de-provision an account belonging to the resource.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Warehouse > Resources.

  3. Select the desired resource, and click the Remediation subtab.

  4. Check the box adjacent to Select Provisioning Mode.

    • Auto - This mode sends an SPML call to the provisioning server to revoke the account. The account is subsequently revoked in Oracle Identity Analytics after the next updated feed is imported. Select the Connection.

      Note:

      Closed-loop remediation is supported with either Oracle Identity Manager or Oracle Waveset (Sun Identity Manager). It is not supported with other provisioning servers.

    • Manual - This mode prompts you to write the steps to manually de-provision the account. Example: Self-service URL, de-provisioning instructions, and so on.

  5. Click Save.

7.4.1.2 To Select Remediation Start Date

  1. Log in to Oracle Identity Analytics.

  2. Choose Administration > Configuration.

  3. Click Identity Certification.

  4. Click to expand the Revoke and Remediation section.

  5. Scroll down to the Remediation section.

    • Display Remediation Instructions - Select to display remediation instructions to the user manager during the certification process.

  6. Perform Closed-loop remediation on - Select this check box to enable one of the following two options:

    • Certification End Date - This will start the remediation on the date the certification ends. Even if the certifier has completed the certification before the end (expiration date), remediation will not take place until the end date is reached.

    • Include Expired Certifications - If Certification End Date is enabled, select this option to start remediation for revoked accounts of incomplete certifications.

    • Certification Completion Date - This will start remediation on the date that the certifier completes the certification.

  7. Click Save.
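As an added example (not Oracle's code and not an OIA API), the following Python models when remediation starts under the settings in the preceding procedure and flags certifications whose revocations would never be remediated, which is the check an administrator wants before choosing between the two trigger dates. The certification names, dates and revocation counts are constructed, and the rule that an incomplete certification has no completion date and therefore never triggers remediation under Certification Completion Date is an assumption.

```python
from datetime import date

# Constructed certifications (invented names and dates, not real OIA records).
# 'end' is the certification end (expiration) date; 'completed' is the date the
# certifier finished, or None if the certification expired incomplete.
CERTIFICATIONS = [
    {"name": "Q1-finance-early", "end": date(2011, 3, 31), "completed": date(2011, 3, 10), "revoked": 4},
    {"name": "Q1-sales-on-time", "end": date(2011, 3, 31), "completed": date(2011, 3, 31), "revoked": 2},
    {"name": "Q1-it-expired",    "end": date(2011, 3, 31), "completed": None,              "revoked": 3},
]


def remediation_start(cert, trigger, include_expired=False):
    """Date on which closed-loop remediation starts for `cert`, or None if it
    never starts under the given settings.

    trigger: "end_date" (Certification End Date) or "completion_date"
             (Certification Completion Date).
    include_expired: the Include Expired Certifications option; only meaningful
             together with "end_date".
    """
    if trigger == "end_date":
        if cert["completed"] is not None:
            # Completing early does not pull remediation forward; it waits for the end date.
            return cert["end"]
        # Expired without completion: remediated only if the option is set.
        return cert["end"] if include_expired else None
    if trigger == "completion_date":
        # Assumption: no completion date means the revocations are never remediated.
        return cert["completed"]
    raise ValueError(f"unknown trigger: {trigger!r}")


def stranded_revocations(certs, trigger, include_expired=False):
    """Names of certifications with revoked access that would never be
    remediated under the given settings."""
    return [c["name"] for c in certs
            if c["revoked"] > 0 and remediation_start(c, trigger, include_expired) is None]


if __name__ == "__main__":
    for trigger, flag in (("end_date", False), ("end_date", True), ("completion_date", False)):
        print(trigger, "include_expired=" + str(flag), stranded_revocations(CERTIFICATIONS, trigger, flag))
```

Running it shows that only Certification End Date together with Include Expired Certifications leaves no revocation stranded in the expired certification; under the other two settings the three revocations in "Q1-it-expired" would need manual follow-up through remediation tracking.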

7.4.2 To Track Remediation

Oracle Identity Analytics enables tracking of remediation activities for audit purposes. In the Remediation Tracking view, a revoked account can exist in two states:

  • Required: Means that the remediation is not complete.

  • Complete: Means that the revoked account, access within an account, or role has been successfully removed.

  1. Log in to Oracle Identity Analytics.

  2. Choose Identity Certification > Remediation Tracking.

    The Status column displays the remediation tracking information.

  3. Click the certification name to see details.

    The remediation tracking details page is divided into two sections:

    1. Remediation Details

      • Overview - Information about the certification, number of roles, and accounts revoked and remediated.

      • History - Information about the creation and end of the certification, name of the creator, and so on.

      • Export Options - Option to export the report to a PDF or XLS file.

    2. Section for each user whose account or role has been remediated.

      • Employee Information - Displays the employee's name, job title, phone number, employee ID, and e-mail details.

      • Roles or Entitlements - Displays the details of the revoked accounts, roles, and the remediation status against each revocation.