Overview of Oracle Access Certifications

Oracle Fusion Cloud Access Certifications enables your organization to perform reviews that determine whether roles are assigned appropriately to users. It can support periodic, organization-wide reviews such as quarterly audits, or more narrowly focused sensitive-access scenarios.

Certification campaigns can analyze role-assignment data from multiple data sources. By default, an Oracle Cloud data source supplies data from many Oracle Fusion Cloud applications. "Synchronized" data sources provide data from other applications, but only after your organization sets up connections to them. These data sources include:

  • EPM-ARCS, which provides data from Enterprise Performance Management Account Reconciliation.

  • Up to three instances of EPM-FCCS, each providing data from a distinct "pod" in Enterprise Performance Management Financial Consolidation and Close.

  • OCI, which provides data from Oracle Cloud Infrastructure.

Your organization can also import data from applications that aren't covered by the synchronized data sources, such as Workday and Salesforce. Role assignments from these applications form a data source called Imported.

Certification Essentials

A certification may be standard or continuous. A standard certification involves a static set of user-role assignments existing at the moment a certification campaign is initiated. A continuous certification includes only new user-role assignments: those granted after the campaign is initiated. While the roles included in a continuous certification remain constant, records of their assignments to users are updated each day.
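The difference between the two certification types can be modeled as a filter on grant time. This is an added conceptual sketch, not Oracle code or an Oracle API. The role names, users, dates and function names are constructed for illustration, and counting an assignment granted exactly at initiation as "existing" is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    granted: datetime

def standard_scope(assignments, scoped_roles, initiated):
    """Static set: in-scope assignments that already exist at initiation."""
    return {a for a in assignments
            if a.role in scoped_roles and a.granted <= initiated}

def continuous_scope(assignments, scoped_roles, initiated, as_of):
    """Only in-scope assignments granted after initiation, as seen at the
    `as_of` daily refresh. The role set itself never changes."""
    return {a for a in assignments
            if a.role in scoped_roles and initiated < a.granted <= as_of}

# Constructed sample data (hypothetical roles and users).
INITIATED = datetime(2024, 1, 1, 9, 0)
SCOPED_ROLES = {"AP Manager", "GL Accountant"}
ASSIGNMENTS = [
    Assignment("alice", "AP Manager", INITIATED - timedelta(days=90)),
    Assignment("bob", "GL Accountant", INITIATED),  # granted exactly at initiation
    Assignment("carol", "AP Manager", INITIATED + timedelta(days=2)),
    Assignment("dave", "GL Accountant", INITIATED + timedelta(days=5)),
    Assignment("erin", "Payroll Admin", INITIATED + timedelta(days=1)),  # role not scoped
]

def users(scope):
    return sorted(a.user for a in scope)

def standard_view():
    """Users under review in a standard certification; fixed for its lifetime."""
    return users(standard_scope(ASSIGNMENTS, SCOPED_ROLES, INITIATED))

def daily_view(days):
    """Users under review in a continuous certification `days` after initiation."""
    as_of = INITIATED + timedelta(days=days)
    return users(continuous_scope(ASSIGNMENTS, SCOPED_ROLES, INITIATED, as_of))

if __name__ == "__main__":
    print("standard:", standard_view())
    for d in (1, 3, 7):
        print(f"continuous, day {d}:", daily_view(d))
```

A standard certification never sees the assignments granted to carol and dave after initiation, so a continuous certification over the same roles is what brings them under review.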

Every certification campaign involves workers at three levels:

  • An owner defines and initiates a certification campaign, and assumes overall responsibility for it.

  • A role manager is responsible for a set of the roles included in a certification, and supervises one or more certifiers who work on those roles.

  • A certifier makes determinations that users' access to roles is, or isn't, authorized. Allotted a subset of a role manager's roles, the certifier evaluates the assignment of each role to each of its users.

At the same time, users other than owners are authorized as editors or viewers. Typically, they're also selected as role managers or certifiers. (Even an owner can also be a role manager or certifier.) But if they're not, editors and viewers have limited rights to the pages owners use to initiate and oversee certifications.

To initiate a certification, an owner:

  • Decides whether it's to be entirely new or based on a previous certification and, if it's new, whether it's standard or continuous.

  • Creates filters that select the roles whose assignments to users may be reviewed, or adapts filters inherited from a previous certification. That process is known as scoping.

  • Appoints role managers and certifiers to work with sets of roles returned by scoping filters.

Certifiers then review the assignments of the roles they've been tasked with certifying. The actual determination of whether a role is correctly assigned to a user is a human judgment. However, Oracle Access Certifications provides each certifier with a worksheet that includes a record of the assignment of each role to each of its users. Certifiers use the worksheets to record whether each user-role combination is under investigation or, ultimately, approved or rejected.

Role managers track the progress of the certifiers they work with. The owner tracks the progress of the role managers and certifiers. Both role managers and owners use overview pages. Each displays a row for each subordinate user and the roles assigned to that person. Owners and role managers can navigate from their overview pages to copies of the pages used by the people they supervise.

Review by Direct Managers

During initiation, owners may set up certifications so that another class of participants, direct managers of users, also judge whether their users' role assignments should be certified. Direct managers use My Team worksheets to review user-role assignments and to recommend that they be approved or rejected. But direct-manager review differs from certifier review in these respects:

  • Each direct manager can see only records of users who are direct reports. Direct managers' My Team worksheets don't contain records of users who don't report to them.

  • Direct managers aren't assigned to any one certification, and aren't made aware of the certifications in which records exist. Instead, a My Team worksheet contains records of user assignments that may belong to any number of active standard or continuous certifications.

  • Direct managers' judgments are advisory: Records of user-role assignments appear both in the worksheets of certifiers working within the focus of certification campaigns, and for each user, in the My Team worksheet of that user's direct manager. Typically, direct managers act on their role-assignment records first, and their judgments update records in the certifiers' worksheets. However, a certifier is free to override direct managers' judgments, and may even act without waiting for the direct managers' judgments.

Notifications

As a certification proceeds, the people working on it may receive notifications, email alerts, or both if your organization activates them. Both are active by default.

  • Notifications are available from the Notifications icon in the global header. (It looks like a bell.)

  • Email alerts are sent to the email address associated with the user account for each user.

Each type of notice is generated automatically to inform its recipient of a task to be completed. When appropriate, a notification or alert includes a direct link to the page to complete a task. For example, a certifier may go directly from a notification to the certifier worksheet to review role assignments.

Other notices provide information about error conditions, such as a job failing or concluding with errors, or a certification lacking an eligible owner or other authorization. (To receive a message concerning an object lacking an eligible owner, a user must have a Mass Edit Security Assignments privilege. Other security-related messages go to the owners of an affected certification.)

In addition, owners and role managers may send email reminders of a deadline that's approaching or has passed. These are always available to be sent, regardless of whether email alerts or notifications are activated.