Scope the Certification

Once you finish working in the Security Assignment region, a Scoping Filters region becomes active. Use it to create filters that select roles whose assignments to users are to be reviewed.

For a new certification, the page initially contains no filters. For a certification that reuses a prior definition, the page displays scoping filters inherited from that definition.

You can scope only assignable roles: job, data, abstract, and other roles that can be assigned directly to users. Scoping filters don't return roles, such as predefined duty roles, that are available to users only indirectly, by being included in the role hierarchies of their assignable roles.

You can create three types of scoping filter:

  • Access point filter: An access point is a privilege or a role of any type. An access-point filter specifies one of these items and may return either an assignable role specified directly by the filter, or assignable roles that are hierarchical parents of an access point specified by the filter.

    For a standard certification, the filter returns only roles that are assigned to users. For a continuous certification, the filter returns both assigned and unassigned roles, so that you can scope roles that may be assigned to users after the certification is initiated.

  • Entitlement filter: An entitlement is a set of related access points. An entitlement filter may return assignable roles that are included in the entitlement or are hierarchical parents of access points included in the entitlement. Again, for a standard certification the filter returns only assigned roles, but for a continuous certification it returns both assigned and unassigned roles.

  • Condition filter: This filter type selects from a pool of role records. The purpose of this filter type, however, is essentially exclusionary. From the pool of records they begin with, condition filters remove all records they don't select.

The filter types you use depend on whether you opt for top-down or bottom-up scoping:

  • For a top-down scoping job, you begin with all the roles you'd want to consider. For a continuous certification, this literally means all assignable roles. For a standard certification, this means all such roles that have been assigned to users. So there's no need for an access-point or entitlement filter to select roles. You can create only condition filters to exclude the roles you don't want.

  • For a bottom-up scoping job, you begin with no roles selected, so you create either a single access-point filter or a single entitlement filter to create a pool of assignable-role records. You may then create condition filters to exclude roles from this pool.

A check box labeled Leverage Top Down Scoping Approach is selected by default. Leave it selected to implement top-down scoping or clear it to implement bottom-up scoping. Then create the filters your scoping job requires.

When you finish, click the Submit button. This returns focus to the Access Certifications home page and initiates a scoping job. To check the status of that job, click the Monitor Jobs tab to open the Monitor Jobs page. When the job completes successfully, the status of the certification updates to Finalizing, and the Actions menu displays the option Finalize Roles.

Note: The maximum number of roles you can scope for a certification is 500. Scoping filters may return more, but if so, the scoping job fails. In that case, add scoping filters that narrow the focus of the scoping job, and then rerun it. The scoping job creates a model that's accessible in the Models page (Risk Management > Advanced Controls > Models). It's important that you not delete that model until the certification it applies to is fully initiated.
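The scoping rules described above can be modelled in a few lines of Python. This is an added illustration, not Oracle's implementation or API: the `Role` class, the `scope` function and the role names are hypothetical, and an entitlement is represented simply as a list of access points.

```python
from dataclasses import dataclass

MAX_SCOPED_ROLES = 500  # limit stated in the note above

@dataclass(frozen=True)
class Role:
    name: str
    assignable: bool        # job, data, abstract: can be granted directly to users
    assigned: bool = False  # currently held by at least one user
    children: tuple = ()    # roles or privileges directly included in this role

def assignable_parents(catalog, access_point):
    """Assignable roles that are the access point or a hierarchical parent of it."""
    def contains(name, seen):
        if name == access_point:
            return True
        if name in seen or name not in catalog:
            return False
        seen.add(name)
        return any(contains(c, seen) for c in catalog[name].children)
    return {r.name for r in catalog.values() if r.assignable and contains(r.name, set())}

def scope(catalog, top_down=True, continuous=False, access_points=(), conditions=()):
    """Return the role names a scoping job would select under this model."""
    if top_down:   # start from every assignable role; only condition filters apply
        pool = {r.name for r in catalog.values() if r.assignable}
    else:          # bottom-up: one access point, or one entitlement (a set of them)
        pool = set()
        for ap in access_points:
            pool |= assignable_parents(catalog, ap)
    if not continuous:  # a standard certification sees only assigned roles
        pool = {n for n in pool if catalog[n].assigned}
    for keep in conditions:  # condition filters drop every record they don't select
        pool = {n for n in pool if keep(catalog[n])}
    if len(pool) > MAX_SCOPED_ROLES:
        raise ValueError(f"{len(pool)} roles scoped; narrow the filters and rerun")
    return pool

# Constructed sample hierarchy (hypothetical names).
CATALOG = {r.name: r for r in [
    Role("AP_MANAGER_JOB", True, True, ("INVOICE_DUTY",)),
    Role("AP_CLERK_JOB", True, False, ("INVOICE_DUTY",)),
    Role("INVOICE_DUTY", False, False, ("CREATE_INVOICE_PRIV",)),
    Role("GL_ACCOUNTANT_JOB", True, True, ("POST_JOURNAL_PRIV",)),
]}

if __name__ == "__main__":
    print(sorted(scope(CATALOG, top_down=False, access_points=["CREATE_INVOICE_PRIV"])))
    print(sorted(scope(CATALOG, top_down=False, continuous=True,
                       access_points=["CREATE_INVOICE_PRIV"])))
    print(sorted(scope(CATALOG, conditions=[lambda r: not r.name.startswith("GL_")])))
```

In this model the duty role never appears in a result, and the unassigned clerk role appears only when `continuous=True`, which is the difference to keep in mind when a reviewer expects a role in scope and does not find it.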