1. Using Access Certifications
  2. Overview of Oracle Access Certifications

Overview of Oracle Access Certifications

Oracle Fusion Cloud Access Certifications enables your organization to perform reviews that determine whether roles are assigned appropriately to users. It can support periodic, organization-wide reviews such as quarterly audits, or more narrowly focused sensitive-access scenarios.

Certification Essentials

A certification may be standard or continuous. A standard certification involves a static set of user-role assignments existing at the moment the project is initiated. A continuous certification includes only new user-role assignments: those granted after the project is initiated. While the roles included in a continuous certification remain constant, records of their assignments to users are updated each day.

Every certification project involves workers at three levels:

  • An owner defines and initiates a certification project, and assumes overall responsibility for it.

  • A role manager is responsible for a set of the roles included in a certification, and supervises one or more certifiers who work on those roles.

  • A certifier makes determinations that users' access to roles is, or isn't, authorized. Allotted a subset of a role manager's roles, the certifier evaluates the assignment of each role to each of its users.

At the same time, users other than owners are authorized as editors or viewers. Typically, they're also selected as role managers or certifiers. (Even an owner can also be a role manager or certifier.) But if they're not, editors and viewers have limited rights to the pages owners use to initiate and oversee certifications.

To initiate a certification, an owner:

  • Decides whether it's to be entirely new or based on a previous certification and, if it's new, whether it's standard or continuous.

  • Creates filters that select the roles whose assignments to users may be reviewed, or adapts filters inherited from a previous certification. That process is known as scoping.

  • Appoints role managers and certifiers to work with sets of roles returned by scoping filters.

Certifiers then review the assignments of the roles they've been tasked with certifying. The actual determination of whether a role is correctly assigned to a user is a human judgment. However, Oracle Access Certifications provides each certifier with a worksheet that includes a record of the assignment of each role to each of its users. Certifiers use the worksheets to record whether each user-role combination is under investigation or, ultimately, approved or rejected.

Role managers track the progress of the certifiers they work with. The owner tracks the progress of the role managers and certifiers. Both role managers and owners use overview pages. Each displays a row for each subordinate user and the roles assigned to that person. Owners and role managers can navigate from their overview pages to copies of the pages used by the people they supervise.

Review by Direct Managers

During initiation, owners may set up certifications so that another class of participants, direct managers of users, also judge whether their users' role assignments should be certified. Direct managers use My Team worksheets to review user-role assignments and to recommend that they be approved or rejected. But direct-manager review differs from certifier review in these respects:

  • Each direct manager can see only records of users who are direct reports. Direct managers' My Team worksheets don't contain records of users who don't report to them.

  • Direct managers aren't assigned to any one certification, and aren't made aware of the certifications in which records exist. Instead, a My Team worksheet contains records of user assignments that may belong to any number of active standard or continuous certifications.

  • Direct managers' judgments are advisory: Records of user-role assignments appear both in the worksheets of certifiers working within the focus of certification projects, and for each user, in the My Team worksheet of that user's direct manager. Typically, direct managers act on their role-assignment records first, and their judgments update records in the certifiers' worksheets. However, a certifier is free to override direct managers' judgments, and may even act without waiting for the direct managers' judgments.

Notifications

As a certification proceeds, the people working on it may receive notifications, email alerts, or both if your organization activates them. Both are active by default. (See Activate Alerts.)

  • Notifications are available from the Notifications icon in the global header. (It looks like a bell.)
  • Email alerts are sent to the email address associated with the user account for each user.

Each type of notice is generated automatically to inform its recipient of a task to be completed. When appropriate, a notification or alert includes a direct link to the page to complete a task. For example, a certifier may go directly from a notification to the certifier worksheet to review role assignments.

Other notices provide information about error conditions, such as a job failing or concluding with errors, or a certification lacking an eligible owner or other authorization. (To receive a message concerning an object lacking an eligible owner, a user must have a Mass Edit Security Assignments privilege. Other security-related messages go to the owners of an affected certification.)

In addition, owners and role managers may send email reminders of a deadline that's approaching or has passed. (See Send Email Reminders.) These are always available to be sent, regardless of whether email alerts or notifications are activated.