10 Managing Certification Review Tasks

You can view and make decisions on certifications from the Inbox or the Pending Certifications page of Oracle Identity Self Service. This section describes working with certifications in the following topics:

Note:

This document describes the actions you can perform in the Pending Certifications page. You can perform the same actions by using the Inbox.

For an overview of identity certification and information about operations you can perform by using the Dashboard, see Chapter 12, "Using Identity Certification".

10.1 Searching and Viewing Certifications

This section describes how to search and filter certifications in the Pending Certifications page, and how to view the details of certifications. It contains the following sections:

10.1.1 Searching Certifications in the Pending Certifications Page

To perform a simple search for certifications:

  1. Log in to Oracle Identity Self Service.

  2. Click the Self Service tab.

  3. Click the Certifications box. The Pending Certifications page is displayed with a list of certification review tasks assigned to you.

  4. From the Status list, select the certification status that you want to search for, for example, Assigned or Completed. Select Any to search for any certification irrespective of the status.

  5. In the Search box, specify a search criterion, for example, the certification name.

  6. Click the Search icon. The certifications that match your search criteria are listed in the search results table.

Tip:

To sort the data in the search results table, place the mouse pointer on a column name. Up and down arrows are displayed on the column names. Click the up arrow to sort in ascending order. Click the down arrow to sort in descending order.

10.1.2 Accessing Certification Tasks From the Pending Certifications Page

This section describes how to access certification tasks for each type of certification:

Note:

The pages that display certification details and the details for user access rights, role content and membership, account details for application instances and entitlements enable you to personalize the contents of the pages. For example, you can use saved search, show/hide columns, and sort the data in columns. These personalization features are similar in all pages in Oracle Identity Self Service. See "Personalizing Self Service" for information about personalizing pages in Oracle Identity Self Service.

10.1.2.1 Viewing User Certification Details

To view user certification details:

  1. In the Self Service tab of Oracle Identity Self Service, click the Certifications box. The Pending Certifications page is displayed with a list of certification tasks assigned to you, and for which you are the primary reviewer or delegated reviewer.

  2. Click a certification task name to open it in a new page. The user certification summary of the certification task opens in a new page.

  3. Review the following sections of the user details:

    • The user certification name and certification creation date appear at the top of the page. Clicking the information icon adjacent to the certification name displays a Certification Details pop-up with detailed statistics of the current certification being reviewed. The details include information about Overview, Progress Details, and History.

    • In the table that lists the users, the user name is a hyperlink. Clicking this hyperlink opens the access details of the user.

      Note:

      Access details of the user are described in steps 4 through 6 in this procedure.

    • The Detailed Information section consists of the following tabs:

      • User Information: This tab displays user attributes that are included in the certification snapshot during certification generation. The user name is a hyperlink. Click the user name to display the user details in a new tab.

      • Risk Summary: This tab identifies why a user's Risk Summary is High/Medium/Low based on various factors. The pie chart in this tab displays the overall breakdown of a user's risk. Click any area of the chart to open the detail screen of the user certification. To view the risk items in a tooltip, place your mouse pointer over the charts.

        This tab also displays a graph that breaks down the risk levels based on the roles, accounts, and entitlements the user has, as well as their associated risk levels. Click any area of the graph to open the detail screen of the user certification. To view the risk items in a tooltip, place your mouse pointer over the graph.

      • Action History: This tab displays the various delegation paths available on the user details page, and a trail of the actions taken by the reviewers as well as by Oracle Identity Manager. Possible details displayed include all the actions that are available in the Actions menu, as well as proxy, escalate, expire, and route. The route action indicates that certification oversight is active.

  4. Review the following sections of the role details displayed when you click the user name to view the user details:

    Note:

    Depending on the entities assigned to the user, such as roles, accounts, and entitlements, the information is displayed, as described in steps 4 through 6.

    • The User Detail section displays the user attributes that are included in the certification snapshot during certification generation.

    • The table lists the roles with Display Name, Action, and Risk Summary.

    • The Detailed Information section consists of the following tabs:

      • Catalog Information: This tab displays the default catalog attributes that are included as part of the default snapshot creation. The Name and Owner fields are hyper-linked. Clicking these hyperlinks opens the role detail and user details pages in new tabs.

      • Risk Summary: This tab identifies why the Risk Summary is High, Medium, or Low based on various factors, such as Item Risk, Last Certification Decision, Provisioning Method, and Audit Violations. If there are no audit violations associated with the item, then the Audit Violations entry is not displayed. The Provisioning Method field is hyper-linked. Clicking this hyperlink opens the appropriate access policy or access request details in a new tab.

      • Certification History: This tab displays the various certification decisions made by reviewers in the past on the given line-item.

      • Action History: This tab displays the phase in which the reviewer made a given decision. Possible values include all the actions that are available in the Actions menu, as well as proxy, escalate, and expire.

      • Audit Violations: This tab displays a list of audit violations associated with the selected item. Information includes the policy name, status, remediator, and severity for each audit violation. If there are no audit violations, then the list is empty.

        Note:

        The Audit Violations tab applies only to the User Certification type.

  5. Review the following sections of the account details:

    • The account name and the application instance name are displayed in the table, along with the underlying entitlements associated to the account. Accounts and entitlements are indicated by different icons.

    • The Detailed Information section consists of the following tabs:

      • Catalog Information: This tab displays the account details that are the default catalog attributes. These attributes must be included as part of the default snapshot creation. The Name and Certifier fields are hyper-linked. Clicking these hyperlinks opens the account detail and user details pages in new tabs.

      • Risk Summary: This tab identifies why the Risk Summary is High, Medium, or Low based on various factors, such as Item Risk, Last Certification Decision, Provisioning Method, and Audit Violations. If there are no audit violations associated with the item, then the Audit Violations entry is not displayed. The Provisioning Method field is hyper-linked for an access request. Clicking this hyperlink opens the appropriate access policy or access request details in a new tab.

      • Certification History: This tab displays the various certification decisions made by reviewers in the past on the given line-item.

      • Action History: This tab displays the phase in which the reviewer made a given decision. Possible values include all the actions that are available in the Actions menu, as well as proxy, escalate, and expire.

      • Audit Violations: This tab displays a list of audit violations associated with the selected item. Information includes the policy name, status, remediator, and severity for each audit violation. If there are no audit violations, then the list is empty.

  6. Review the following sections of the entitlement details:

    • The account name and the application instance name are displayed in the table, along with the underlying entitlements associated to the account. Accounts and entitlements are indicated by different icons.

    • The Detailed Information section consists of the following tabs:

      • Catalog Information: This tab displays the entitlement details that are the default catalog attributes. These attributes must be included as part of the default snapshot creation. The Display Name and Certifier fields are hyper-linked. When you click the Display Name of the entitlement, the granular entitlement hierarchy, if it is being captured in the catalog for a given entitlement, is displayed in a new tab. Clicking the Certifier name opens the user details page in a new tab.

      • Risk Summary: This tab identifies why the Risk Summary is High, Medium, or Low based on various factors, such as Item Risk, Last Certification Decision, Provisioning Method, and Audit Violations. If there are no audit violations associated with the item, then the Audit Violations entry is not displayed. The Provisioning Method field is hyper-linked. Clicking this hyperlink opens the appropriate access policy or access request details in a new tab.

      • Certification History: This tab displays the various certification decisions made by reviewers in the past on the given line-item.

      • Action History: This tab displays the phase in which the reviewer made a given decision. Possible values include all the actions that are available in the Actions menu, as well as proxy, escalate, and expire.

      • Audit Violations: This tab displays a list of audit violations associated with the selected item. Information includes the policy name, status, remediator, and severity for each audit violation. If there are no audit violations, then the list is empty.

  7. To display the details of the access rights for the next user in the certification task, click Next at the top of the page. You can click First, Previous, Next, and Last buttons to navigate between the pages for the access rights of each user. You can click Back to Summary to go back to the user certification detail page.

10.1.2.2 Viewing Role Certification Details

To view role certification details:

  1. In the Self Service tab of Oracle Identity Self Service, click the Certifications box. The Pending Certifications page is displayed with a list of certification tasks assigned to you, and for which you are the primary reviewer or delegated reviewer.

  2. Click a certification task name to open it in a new page. Page 1 or the role certification summary page of the certification task opens.

  3. Review the following sections of the role certification details page:

    • The role certification name and certification creation date appear at the top of the page. Clicking the information icon adjacent to the certification name displays a pop-up with detailed statistics of the current certification being reviewed.

    • In the table that lists the roles, the user name is a hyperlink. Clicking this hyperlink opens the role details. The table also displays the Members and Policies columns.

    • Select a role in the certification table. The Detailed Information section displays the following tabs:

      • Catalog Information: This tab displays all catalog attributes of the selected role. The Role Name and Certifier fields are hyperlinked. Clicking these hyperlinks opens the role details and user details in new tabs.

      • Action History: This tab displays the various delegation paths available on the role details page, and a trail of the actions taken by the reviewers as well as by Oracle Identity Manager. Possible actions include delegate, re-assign, escalate, proxy, or route. The route action indicates that certification oversight is active.

  4. In the certification table, click a role name to open the role detail. The role detail page consists of the following tabs:

    • Members: This tab lists the role membership of the open role. Select a row in the members table to display the Detailed Information section, which consists of the User Information, Risk Summary, Certification History, Action History, and Pending Violations tabs.

    • Policies: This tab lists the policies associated with the open role. Select a row in the policies table to display the Detailed Information section, which consists of the Policy Information, Certification History, and Action History tabs.

  5. In the Policies tab, expand a policy by clicking the icon adjacent to the policy. The entitlements associated with the policy are listed in the table. Select the entitlement to display the entitlement details in the Detailed Information section. The entitlement details are displayed in the Catalog Information, Certification History, and Action History tabs.

  6. To display the role contents and role members for the next role in the certification task, click Next at the top of the page. You can click First, Previous, Next, and Last buttons to navigate between the pages for the role contents and role member details of each role. You can click Back to Summary to go back to the role certification detail page.

10.1.2.3 Viewing Application Instance Certification Details

To view application instance certification details:

  1. In the Self Service tab of Oracle Identity Self Service, click the Certifications box. The Pending Certifications page is displayed with a list of certification tasks assigned to you, and for which you are the primary reviewer or delegated reviewer.

  2. Click a certification task name to open it in a new page. Page 1 or the application instance certification summary page of the certification task opens.

  3. Review the following sections of the application instance certification details page:

    • The application instance certification name and certification creation date appear at the top of the page. Clicking the information icon adjacent to the certification name displays a pop-up with detailed statistics of the current certification being reviewed.

    • In the table that lists the application instances, the application instance name is a hyperlink. Clicking this hyperlink lists the accounts belonging to the selected application instance.

    • Select an application instance in the certification table. The Detailed Information section displays the following tabs:

      • Catalog Information: This tab displays all catalog attributes of the selected application instance. The Certifier field is hyperlinked. Clicking this hyperlink opens the user details in a new tab.

      • Action History: This tab displays the various delegation paths available on the application instance details page, and a trail of the actions taken by the reviewers as well as by Oracle Identity Manager. Possible values include all the actions that are available in the Actions menu, and delegate, re-assign, escalate, proxy, or route. The route action indicates that certification oversight is active.

  4. In the certification table, click an application instance name to open the application instance detail. This page lists the application instance names and account names along with the underlying entitlements associated to the account.

  5. Click an account to display the account details in the Detailed Information section. This section displays the account details in the Catalog Information, Risk Summary, Certification History, and Action History tabs.

  6. Click an entitlement to display the entitlement details in the Detailed Information section. This section displays the entitlement details in the Catalog Information, Risk Summary, Certification History, Action History, and Pending Violations tabs.

  7. To display the set of users who have accounts for the next application instance in the certification task, click Next at the top of the page. You can click First, Previous, Next, and Last buttons to navigate between the pages for the account details of each application instance. You can click Back to Summary to go back to the application instance certification detail page.

10.1.2.4 Viewing Entitlement Certification Details

To view entitlement certification details:

  1. In the Self Service tab of Oracle Identity Self Service, click the Certifications box. The Pending Certifications page is displayed with a list of certification tasks assigned to you, and for which you are the primary reviewer or delegated reviewer.

  2. Click a certification task name to open it in a new page. Page 1 or the entitlement certification detail page of the certification task opens.

  3. Review the following sections of the entitlement certification details page:

    • The entitlement certification name and certification creation date appear at the top of the page. Clicking the information icon adjacent to the certification name displays a pop-up with detailed statistics of the current certification being reviewed.

    • In the table that lists the entitlements, the entitlement name is a hyperlink. Clicking this hyperlink displays the entitlement assignment details of the selected entitlement.

    • Select an entitlement in the certification table. The Detailed Information section displays the following tabs:

      • Catalog Information: This tab displays all catalog attributes of the selected application instance. The Display Name and Certifier fields are hyperlinked. Clicking these hyperlinks opens the entitlement details and user details in new tabs.

      • Action History: This tab displays the various delegation paths available on the entitlement details page, and a trail of the actions taken by the reviewers as well as by Oracle Identity Manager. Possible values include all the actions in the Actions menu, and delegate, re-assign, escalate, proxy, or route. The route action indicates that certification oversight is active.

  4. In the certification table, click an entitlement name to open the entitlement assignment detail. This page lists the account names of the selected entitlement.

  5. Click an account to display the account details in the Detailed Information section. This section displays the account details in the Account-Owner Information, Risk Summary, Certification History, and Action History tabs.

  6. Click an entitlement to display the entitlement details in the Detailed Information section. This section displays the entitlement details in the Catalog Information, Risk Summary, Certification History, and Action History tabs.

  7. To display the set of users who have accounts for the next entitlement in the certification task, click Next at the top of the page. You can click First, Previous, Next, and Last buttons to navigate between the pages for the account details of each entitlement. You can click Back to Summary to go back to the entitlement certification detail page.

10.2 Completing Certifications

Completing certifications is described in the following sections:

10.2.1 Completing User Certifications

User certification enables managers to verify their employees and the role assignments, accounts and entitlement assignments for each. Completing a user certification involves the following steps:

  1. Making Certification Decision on the Users

  2. Reviewing Roles and Entitlements

  3. Finishing the User Certification

10.2.1.1 Making Certification Decision on the Users

When a certification task is opened, you may be required to verify the access of each user. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of users is skipped and you are presented with the user detail view.

If verification is required, then a decision must be made on each of the users that you have been asked to review. To do so:

  1. In the Pending Certifications page, open the new or in-progress certification review task. Page 1 of the certification task is displayed with a list of users.

  2. Review the list of users and verify that each employee works for you, and that you are responsible for verifying their access.

  3. From the Actions menu, select any one of the following for each user:

    • Claim: Select to restore a user to your verification queue for certification. This might happen automatically, depending on the values in certification configuration. See "Configuring Certification Options" for information about the certification configuration options. However, even if each user is claimed automatically, you are free to choose another action.

    • Revoke: Select if the user is no longer part of the organization. This action removes the user from the certification process, and you will not approve or revoke roles and entitlements for this user. To return a user to your verification queue, select the user name, and select Claim from the Actions menu.

    • Re-assign: Select if the user works for someone else who should now be responsible for verifying the user's assigned roles and entitlements. This action removes the selected user(s) from the current certification, creates a new certification with the selected user(s), and assigns the person you specify as the primary reviewer for that new certification.

    • Abstain: Select if the employee does not work for you and you do not know who should be responsible for verifying the user's assigned roles and entitlements. This action on the user records your decision to abstain on each role and entitlement assigned to the user, that is, to leave each assignment as it is. If you know who should be responsible, then you can reassign the user instead.

    After you have taken a verification action on each user, you must make certification decisions on each role and entitlement assigned to the users you have claimed. You do not need to make any further certification decisions on a user that you have revoked or reassigned, or on whom you have abstained. Normally, this means that you will open each user and then review its roles and entitlements, as described in "Reviewing Roles and Entitlements". However, you may also choose to delegate one or more users to another person, which allows that person to make certification decisions on the roles and entitlements assigned to that user. The following actions are available from the Actions menu:

    • Open: Select this action to review the details of each user and to make certification decisions on the roles and entitlements assigned to the user. See "Reviewing Roles and Entitlements".

    • Delegate: Select this action to allow another person to make decisions on the access privileges of each selected user. This action will create a new delegated-review task that contains the selected user(s) and will assign the task to the person you specify as delegate. Responsibility still remains with you, the primary reviewer.

    • Un-delegate: This action applies only to delegated users. This action removes each selected user from the delegated-review task and returns decision-making rights to you, the primary reviewer.

    The Actions menu offers two additional convenience actions that are useful after you have made some certification decisions on the details of a user. These actions affect the decisions on multiple details, that is, accesses of each selected user:

    • Complete: Sets any missing decisions on role-assignments, accounts, or entitlement-assignments to Certify.

    • Reset Status: Clears all decisions made on the user including decisions on the user's access.

    • Edit Comment: Allows you to edit the comment associated with the certification task.

    • Sign-off: Allows you to complete the certification by signing off.

10.2.1.2 Reviewing Roles and Entitlements

Use the details view of the certification to review a user's role assignments, accounts, and entitlement assignments. The details view can be accessed by selecting a user in the summary view, and clicking Open from the Actions menu, or by clicking the user name.

After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:

  • Certify: You approve each selected assignment.

  • Revoke: You disapprove each selected assignment. This decision indicates that the user no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.

  • Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.

  • Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.

  • Reset: Use this to clear any decision you have made on the selected assignment.

For each action, optional comments can be added. By default, every decision other than to certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.

10.2.1.3 Finishing the User Certification

The final step in the certification cycle is the sign-off action. Signing off can only be done when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the sign-off dialog box later, assuming that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.

To manually sign off:

  1. From the Actions menu, select Sign-off. The Sign-off dialog box is displayed asking to complete the certification.

  2. To complete the certification, select Yes, and enter a password in the Password Required field. The password option is configurable and set in the certification definition. If disabled, the password field is not displayed in the Sign-off dialog box.

    Alternatively, to complete the certification later, select No.

  3. Click OK.

Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.

If the FlexibleCertificationProcess composite is selected in the Certification Configuration page of Oracle Identity System Administration or while creating the certification definition, then the certification tasks are assigned to the user's manager by default. Here, the user's manager is the overseer. The certification is not complete until the overseer signs off. The certification will go to the completed stage only after sign-off by the overseer.
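
The decision rules from sections 10.2.1.1 through 10.2.1.3, modeled as an added example (not Oracle code and not an Oracle Identity Manager API): it shows which items block sign-off and records which Certify decisions were filled in by Complete rather than made individually. The class and field names, the `via_complete` marker, and the sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Stand-alone model of the review rules in 10.2.1.1-10.2.1.3. All names are
# hypothetical; nothing here calls an Oracle Identity Manager API.
ITEM_DECISIONS = {"Certify", "Revoke", "Certify Conditionally", "Abstain"}


@dataclass
class LineItem:
    name: str                           # a role, account, or entitlement assignment
    decision: Optional[str] = None      # None means no decision yet
    end_date: Optional[date] = None     # only used by Certify Conditionally
    via_complete: bool = False          # True when the Complete action filled it in


@dataclass
class UserReview:
    user: str
    items: list
    status: str = "Claimed"             # assumes users are claimed automatically

    def decide(self, item_name, decision, end_date=None):
        if self.status != "Claimed":
            raise ValueError(f"{self.user}: item decisions apply only to claimed users")
        if decision not in ITEM_DECISIONS:
            raise ValueError(f"unknown decision: {decision}")
        if decision == "Certify Conditionally" and end_date is None:
            raise ValueError("Certify Conditionally requires an end date")
        item = next((i for i in self.items if i.name == item_name), None)
        if item is None:
            raise KeyError(item_name)
        item.decision, item.via_complete = decision, False
        item.end_date = end_date if decision == "Certify Conditionally" else None

    def revoke_user(self):
        # The user leaves the certification process; their items need no decisions.
        self.status = "Revoked"

    def abstain_user(self):
        # Records Abstain on every role and entitlement assigned to the user.
        self.status = "Abstained"
        for item in self.items:
            item.decision, item.end_date, item.via_complete = "Abstain", None, False

    def complete(self):
        # Complete: every item still lacking a decision becomes Certify.
        missing = [i for i in self.items if i.decision is None]
        for item in missing:
            item.decision, item.via_complete = "Certify", True
        return len(missing)


@dataclass
class Certification:
    reviewer: str
    users: dict                         # user name -> UserReview

    def reassign(self, user, new_reviewer):
        # Re-assign: the user moves to a new certification with a new primary reviewer.
        return Certification(new_reviewer, {user: self.users.pop(user)})

    def signoff_blockers(self):
        # Claimed users need a decision on every item; other users need none.
        return [(r.user, i.name) for r in self.users.values() if r.status == "Claimed"
                for i in r.items if i.decision is None]

    def sign_off(self):
        # Sign-off is allowed only when every access privilege has a decision.
        blockers = self.signoff_blockers()
        if blockers:
            raise ValueError(f"cannot sign off, undecided: {blockers}")
        items = [(r.user, i) for r in self.users.values() for i in r.items]
        return {"reviewer": self.reviewer,
                "via_complete": [(u, i.name) for u, i in items if i.via_complete]}


def build_sample():
    # Constructed sample data: users, roles, and entitlements are invented.
    return Certification("mgr1", {
        "alice": UserReview("alice", [LineItem("role:Payroll Admin"), LineItem("ent:AP_APPROVER")]),
        "bob": UserReview("bob", [LineItem("role:Contractor")]),
        "carol": UserReview("carol", [LineItem("ent:HR_VIEW")]),
        "dave": UserReview("dave", [LineItem("role:Sales")]),
    })


if __name__ == "__main__":
    cert = build_sample()
    cert.users["alice"].decide("role:Payroll Admin", "Certify")
    cert.users["bob"].revoke_user()
    cert.users["carol"].abstain_user()
    cert.reassign("dave", "mgr2")
    print("blockers:", cert.signoff_blockers())
    cert.users["alice"].complete()
    print("sign-off summary:", cert.sign_off())
```

The `via_complete` list in the sign-off summary gives an auditor the assignments that were certified by default rather than reviewed one by one.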

10.2.2 Completing Role Certifications

Role certification enables role owners to certify roles and role content. Completing a role certification involves the following steps:

  1. Making Certification Decisions on the Roles

  2. Reviewing the Contents of the Roles

  3. Finishing the Role Certification

10.2.2.1 Making Certification Decisions on the Roles

When a certification task is opened, you may be required to verify the access of each role. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of roles will be skipped, and you will be presented with the role detail view.

If verification is required, then a decision must be made on each of the roles for which you are the role owner. To do so:

  1. In the Pending Certifications page, open the new or in-progress certification review task. Page 1 of the certification task is displayed with a list of roles.

  2. From the Actions menu, select any one of the following for each role:

    • Claim: Select to restore a role to your verification queue for certification. This might happen automatically, depending on the values in certification configuration. See "Configuring Certification Options" for information about the certification configuration options. However, even if each role is claimed automatically, you are free to choose another action.

    • Revoke: Select if the role is no longer appropriate. This action removes the role from the certification process, and you will not approve or revoke assignments for this role. To return a role to your verification queue, select the role name, and select Claim from the Actions menu.

    • Re-assign: Select to remove the role from the current certification and create a new one with the selected role. This action removes the selected role(s) from the current certification, creates a new certification with the selected role(s), and assigns the person you specify as the primary reviewer for that new certification.

    • Abstain: Select if the role is not appropriate and you do not know who should be responsible for verifying the role's assigned accounts, memberships, and entitlements. This action on the role records your decision to abstain on each account and entitlement assigned to the role, that is, to leave each assignment as it is. If you know who should be responsible, then you can reassign the role instead.

    After you have taken a verification action on each role, you must make certification decisions on each policy and entitlement assigned to the roles you have claimed. You do not need to make any further certification decisions on a role that you have revoked or reassigned, or on which you have abstained. Normally, this means that you will open each role and then review its policies and entitlements, as described in "Reviewing the Contents of the Roles". However, you may also choose to delegate one or more roles to another person, which allows that person to make certification decisions on the policies and entitlements assigned to that role. The following actions are available from the Actions menu:

    • Open: Select this action to review the details of each role and to make certification decisions on the policies and entitlements assigned to the role. See "Reviewing the Contents of the Roles".

    • Delegate: Select this action to allow another person to make decisions on the access privileges of each selected role. This action will create a new delegated-review task that contains the selected role(s) and will assign the task to the person you specify as delegate. Responsibility still remains with you, the primary reviewer.

    • Un-delegate: This action applies only to delegated roles. This action removes each selected role from the delegated-review task and returns decision-making rights to you, the primary reviewer.

    The Actions menu offers two additional convenience actions that are useful after you have made some certification decisions on the details of a role. These actions affect the decisions on multiple details, that is, accesses of each selected role:

    • Complete: Sets any missing decisions on account or entitlement assignments to Certify.

    • Reset: Clears all decisions made on the role including decisions on the role's access.

10.2.2.2 Reviewing the Contents of the Roles

Use the details view of the certification to review a role's policies, memberships, and entitlements. The details view can be accessed by selecting a role in the summary view and clicking the Open button from the Actions menu, or by clicking the role name.

After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:

  • Certify: You approve each selected assignment.

  • Revoke: You disapprove each selected assignment. This decision indicates that the role no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.

  • Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.

  • Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.

  • Reset: Use this to clear any decision you have made on the selected assignment.

For each action, optional comments can be added. By default, every decision other than Certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.

Click the Members tab to review the users who have this role assigned. Revoke, Certify Conditionally, Certify, and/or Abstain the role's members as required. In this tab, an additional Approve option is available for two-phased user certification. Selecting this option copies the decision from Phase 1 to Phase 2. See "Understanding Multi-Phased Review in User Certification" for information about two-phased review.

10.2.2.3 Finishing the Role Certification

The final step in the certification cycle is the sign-off action. You can sign off only when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the Sign-off dialog box later, provided that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.

To manually sign off:

  1. From the Actions menu, select Sign-off. The Sign-off dialog box is displayed asking to complete the certification.

  2. To complete the certification, select Yes, and enter a password in the Password Required field. The password option is configurable and is set in the certification definition. If it is disabled, the password field is not displayed in the Sign-off dialog box.

    Alternatively, to complete the certification later, select No.

  3. Click OK.

Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.

10.2.3 Completing Application Instance Certifications

Application instance certification involves certifying or revoking employee entitlements on one or more application instances. These entitlements are assigned directly to an employee and are not assigned as part of a role. Completing an application instance certification involves the following steps:

  1. Making Certification Decisions on the Application Instances

  2. Reviewing Account and Entitlement Assignments

  3. Finishing the Application Instance Certification

10.2.3.1 Making Certification Decisions on the Application Instances

When a certification task is opened, you may be required to verify the access of each application instance. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of application instances is skipped, and you are presented with the application instance detail view. If verification is required, then a decision must be made on each of the application instances. To do so:

  1. In the Pending Certifications page, open the new or in-progress certification review task.

  2. From the Actions menu, select any one of the following for each application instance:

    • Claim: Select to restore an application instance to your verification queue for certification. This might happen automatically, depending on the values in certification configuration. See "Configuring Certification Options" for information about the certification configuration options. However, even if each application instance is claimed automatically, you are free to choose another action.

    • Revoke: Select if the application instance is no longer appropriate. This action removes the application instance from the certification process, and you will not approve or revoke assignments for this application instance. To return an application instance to your verification queue, select the application instance name, and select Claim from the Actions menu.

    • Re-assign: Select to remove the application instance from the current certification and create a new one with the selected application instance. This action removes the selected application instance(s) from the current certification, creates a new certification with the selected application instance(s), and assigns the person you specify as the primary reviewer for that new certification.

    • Abstain: Select if the application instance is not appropriate and you do not know who should be responsible for verifying the application instance's assigned accounts and entitlements. This action records, on each account and entitlement assigned to the application instance, your decision to abstain, that is, to leave each assignment as it is. If you know who should be responsible, then you can reassign the application instance instead.

    After you have taken a verification action on each application instance, you must make certification decisions on each account and entitlement assigned to the application instances you have claimed. You do not need to make any further certification decisions on an application instance that you have revoked, reassigned, or abstained from. Normally, this means that you will open each application instance and then review its accounts and entitlements, as described in "Reviewing Account and Entitlement Assignments". However, you may also choose to delegate one or more application instances to another person, which allows that person to make certification decisions on the accounts and entitlements assigned to that application instance. The following actions are available from the Actions menu:

    • Open: Select this action to review the details of each application instance and to make certification decisions on the accounts and entitlements assigned to the application instance. See "Reviewing Account and Entitlement Assignments".

    • Delegate: Select this action to allow another person to make decisions on the access privileges of each selected application instance. This action will create a new delegated-review task that contains the selected application instance(s) and will assign the task to the person you specify as delegate. Responsibility still remains with you, the primary reviewer.

    • Un-delegate: This action applies only to delegated application instances. This action removes each selected application instance from the delegated-review task and returns decision-making rights to you, the primary reviewer.

    The Actions menu offers two additional convenience actions that are useful after you have made some certification decisions on the details of an application instance. These actions affect the decisions on multiple details, that is, accesses of each selected application instance:

    • Complete: Sets any missing decisions on account or entitlement assignments to Certify.

    • Reset: Clears all decisions made on the application instance, including decisions on the application instance's access.

10.2.3.2 Reviewing Account and Entitlement Assignments

Use the details view of the certification to review an application instance's accounts and entitlements. The details view can be accessed by selecting an application instance in the summary view and clicking the Open button from the Actions menu, or by clicking the application instance name.

After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:

  • Certify: You approve each selected assignment.

  • Revoke: You disapprove each selected assignment. This decision indicates that the application instance no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.

  • Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.

  • Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.

  • Reset: Use this to clear any decision you have made on the selected assignment.

For each action, optional comments can be added. By default, every decision other than Certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.

An additional Approve option is available for two-phased user certification. Selecting this option copies the decision from Phase 1 to Phase 2. See "Understanding Multi-Phased Review in User Certification" for information about two-phased review.

10.2.3.3 Finishing the Application Instance Certification

The final step in the certification cycle is the sign-off action. You can sign off only when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the Sign-off dialog box later, provided that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.

To manually sign off:

  1. From the Actions menu, select Sign-off. The Sign-off dialog box is displayed asking to complete the certification.

  2. To complete the certification, select Yes, and enter a password in the Password Required field. The password option is configurable and is set in the certification definition. If it is disabled, the password field is not displayed in the Sign-off dialog box.

    Alternatively, to complete the certification later, select No.

  3. Click OK.

Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.

10.2.4 Completing Entitlement Certifications

Entitlement certifications enable you to certify whether employees should be able to access entitlements. Completing an entitlement certification involves the following steps:

  1. Making Certification Decisions on the Entitlements

  2. Reviewing the Entitlement Assignments

  3. Finishing the Entitlement Certification

10.2.4.1 Making Certification Decisions on the Entitlements

When a certification task is opened, you may be required to verify the access of each entitlement. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of the entitlements is skipped, and you are presented with the entitlement detail view. If verification is required, then a decision must be made on each of the entitlements. To do so:

  1. In the Pending Certifications page, open the new or in-progress certification review task.

  2. From the Actions menu, select any one of the following for each entitlement:

    • Claim: Select to restore an entitlement to your verification queue for certification. This might happen automatically, depending on the values in certification configuration. See "Configuring Certification Options" for information about the certification configuration options. However, even if each entitlement is claimed automatically, you are free to choose another action.

    • Revoke: Select if the entitlement is no longer appropriate. This action removes the entitlement from the certification process, and you will not approve or revoke assignments for this entitlement. To return an entitlement to your verification queue, select the entitlement name, and select Claim from the Actions menu.

    • Re-assign: Select to remove the entitlement from the current certification and create a new one with the selected entitlement. This action removes the selected entitlement(s) from the current certification, creates a new certification with the selected entitlement(s), and assigns the person you specify as the primary reviewer for that new certification.

    • Abstain: Select if the entitlement is not appropriate and you do not know who should be responsible for verifying the entitlement's assigned accounts. This action records, on each account assigned to the entitlement, your decision to abstain, that is, to leave each assignment as it is. If you know who should be responsible, then you can reassign the entitlement instead.

    After you have taken a verification action on each entitlement, you must make certification decisions on each user account assigned to the entitlements you have claimed. You do not need to make any further certification decisions on an entitlement that you have revoked, reassigned, or abstained from. Normally, this means that you will open each entitlement and then review its user accounts, as described in "Reviewing the Entitlement Assignments". However, you may also choose to delegate one or more entitlements to another person, which allows that person to make certification decisions on the user accounts assigned to that entitlement. The following actions are available from the Actions menu:

    • Open: Select this action to review the details of each entitlement and to make certification decisions on the user accounts assigned to the entitlement. See "Reviewing the Entitlement Assignments".

    • Delegate: Select this action to allow another person to make decisions on the access privileges of each selected entitlement. This action will create a new delegated-review task that contains the selected entitlement(s) and will assign the task to the person you specify as delegate. Responsibility still remains with you, the primary reviewer.

    • Un-delegate: This action applies only to delegated entitlements. This action removes each selected entitlement from the delegated-review task and returns decision-making rights to you, the primary reviewer.

    The Actions menu offers two additional convenience actions that are useful after you have made some certification decisions on the details of an entitlement. These actions affect the decisions on multiple details, that is, accesses of each selected entitlement:

    • Complete: Sets any missing decisions on account assignments to Certify.

    • Reset: Clears all decisions made on the entitlement including decisions on the entitlement's access.

10.2.4.2 Reviewing the Entitlement Assignments

Use the details view of the certification to review an entitlement's user accounts. The details view can be accessed by selecting an entitlement in the summary view and clicking Open from the Actions menu, or by clicking the entitlement name.

After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:

  • Certify: You approve each selected assignment.

  • Revoke: You disapprove each selected assignment. This decision indicates that the entitlement no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.

  • Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.

  • Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.

  • Reset: Use this to clear any decision you have made on the selected assignment.

For each action, optional comments can be added. By default, every decision other than Certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.

An additional Approve option is available for two-phased user certification. Selecting this option copies the decision from Phase 1 to Phase 2. See "Understanding Multi-Phased Review in User Certification" for information about two-phased review.

10.2.4.3 Finishing the Entitlement Certification

The final step in the certification cycle is the sign-off action. You can sign off only when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the Sign-off dialog box later, provided that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.

To manually sign off:

  1. From the Actions menu, select Sign-off. The Sign-off dialog box is displayed asking to complete the certification.

  2. To complete the certification, select Yes, and enter a password in the Password Required field. The password option is configurable and is set in the certification definition. If it is disabled, the password field is not displayed in the Sign-off dialog box.

    Alternatively, to complete the certification later, select No.

  3. Click OK.

Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.
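
The decision and sign-off rules described in 10.2.4.2 and 10.2.4.3 can be modelled as a small state machine. This is an added illustration, not Oracle Identity Manager code or API; the class, method names, and sample accounts are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Decisions offered in the details view (names taken from the Actions menu).
DECISIONS = {"Certify", "Revoke", "Certify Conditionally", "Abstain"}


@dataclass
class ReviewTask:
    """Hypothetical in-memory model of one entitlement's details view."""
    assignments: Tuple[str, ...]
    decisions: Dict[str, Tuple[str, Optional[date], str]] = field(default_factory=dict)

    def decide(self, assignment: str, decision: str,
               end_date: Optional[date] = None, comment: str = "") -> None:
        if assignment not in self.assignments:
            raise KeyError(assignment)
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision: {decision}")
        # Certify Conditionally requires an end date on which the approval expires.
        if decision == "Certify Conditionally":
            if end_date is None:
                raise ValueError("Certify Conditionally requires an end date")
        else:
            end_date = None
        self.decisions[assignment] = (decision, end_date, comment)

    def reset(self, assignment: Optional[str] = None) -> None:
        """Reset: clear one decision, or every decision when none is named."""
        if assignment is None:
            self.decisions.clear()
        else:
            self.decisions.pop(assignment, None)

    def missing(self) -> List[str]:
        return [a for a in self.assignments if a not in self.decisions]

    def complete(self) -> List[str]:
        """Complete: set only the missing decisions to Certify.

        Returns the assignments that were filled in, so bulk-certified items
        can be told apart from individually reviewed ones.
        """
        filled = self.missing()
        for a in filled:
            self.decisions[a] = ("Certify", None, "")
        return filled

    def can_sign_off(self) -> bool:
        # Sign-off is possible only when every assignment has a decision.
        return not self.missing()


def demo():
    task = ReviewTask(("alice", "bob", "carol"))  # constructed sample accounts
    task.decide("alice", "Revoke", comment="left the team")
    task.decide("bob", "Certify Conditionally", end_date=date(2030, 1, 31))
    before = task.can_sign_off()          # carol still undecided
    filled = task.complete()              # only carol is set to Certify
    after = task.can_sign_off()
    task.reset("bob")                     # clearing a decision blocks sign-off again
    return before, filled, after, task.can_sign_off(), task.decisions["alice"][0]
```
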