Scope the Certification
Once you finish working in the Security Assignment region, a Scoping Filters region becomes active. Use it to create filters that select roles whose assignments to users are to be reviewed.
For a new certification, the page initially contains no filters. For a certification that reuses a prior definition, the page displays scoping filters inherited from that definition.
You can scope only assignable roles: job, data, abstract, and other roles that can be assigned directly to users. Scoping filters don't return roles, such as predefined duty roles, that are available to users only indirectly, by being included in the role hierarchies of their assignable roles.
You can create four types of scoping filter:
- Data-source filter: This type of filter selects the data sources whose role assignments are to be included in a certification campaign. In the absence of a data source filter, a campaign may include role assignments from all the data sources your organization has set up.
- Access-point filter: In the Oracle Cloud data source, an access point is a privilege or a role of any type. An access-point filter specifies one of these items and may return either an assignable role specified directly by the filter, or assignable roles that are hierarchical parents of an access point specified by the filter. In other data sources, an access point is an assignable role, and an access-point filter returns that role.
  For a standard certification, the filter returns only roles that are assigned to users. For a continuous certification, the filter returns both assigned and unassigned roles, so that you can scope roles that may be assigned to users after the certification is initiated.
- Entitlement filter: An entitlement is a set of related access points. An entitlement filter may return assignable roles that are included in the entitlement or are hierarchical parents of access points included in the entitlement. Again, for a standard certification the filter returns only assigned roles, but for a continuous certification it returns both assigned and unassigned roles.
- Condition filter: This filter type selects from a pool of role records. The purpose of this filter type, however, is essentially exclusionary. From the pool of records they begin with, condition filters remove all records they don't select.
The filter types you use depend on whether you opt for top-down or bottom-up scoping:
- For a top-down scoping job, you begin with all the roles you might want to consider. For a continuous certification, this literally means all assignable roles across all the data sources your organization has set up. For a standard certification, this means all such roles that have been assigned to users. You can create data-source and condition filters to exclude the roles you don't want in your certification campaign. But because you begin with all the roles that access-point or entitlement filters could return, those filters aren't needed, so you can't create them.
- For a bottom-up scoping job, you begin with no roles selected. You must create at least one access-point or entitlement filter (and may create more) for each of the data sources you want to include in a certification campaign. You may then create condition filters to exclude roles from this pool. You may also create data-source filters.
A checkbox labeled Leverage Top Down Scoping Approach is selected by default. Leave it selected to implement top-down scoping or clear it to implement bottom-up scoping. Then create the filters your scoping job requires.
When you finish, click the Submit button. This returns focus to the Access Certifications home page. It also initiates a scoping job. You can check the status of that job; click the Monitor Jobs tab to open the Monitor Jobs page. When the job reaches successful completion, the status of the certification updates to Finalizing, and the Actions menu displays the option Finalize Roles.
The maximum number of roles you can scope for a certification is 500. Scoping filters may return more, but if so, the scoping job fails. In that case, add scoping filters that narrow the focus of the scoping job, and then rerun it.
The scoping job creates a model that's accessible in the Models page (Risk Management > Advanced Controls > Models). It's important that you not delete that model until the certification it applies to is fully initiated.
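The filter semantics described above, as a simplified Python model added here for illustration; it is not Oracle's implementation. The role names, the "Legacy ERP" data source and the `scope` function are constructed, and an entitlement filter is represented by its flattened set of access points.

```python
from dataclasses import dataclass

MAX_SCOPED_ROLES = 500  # limit stated on this page

@dataclass(frozen=True)
class Role:
    name: str
    source: str           # data source the role belongs to
    assignable: bool      # False for roles reachable only through a hierarchy
    assigned: bool        # True if at least one user currently holds the role
    children: tuple = ()  # access points (roles, privileges) directly below it

def descendants(role, by_name):
    """Names of every access point below a role in its hierarchy."""
    seen, stack = set(), list(role.children)
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(getattr(by_name.get(name), "children", ()))
    return seen

def scope(roles, *, top_down, continuous, sources=None,
          access_points=(), conditions=()):
    by_name = {r.name: r for r in roles}
    # Only assignable roles are scoped; standard certifications need an assignment.
    pool = [r for r in roles if r.assignable and (continuous or r.assigned)]
    if sources is not None:  # data-source filter
        pool = [r for r in pool if r.source in sources]
    if top_down == bool(access_points):
        raise ValueError("top-down takes no access-point filters; bottom-up needs one")
    if not top_down:
        # Keep roles named by a filter or sitting above a named access point.
        wanted = set(access_points)
        pool = [r for r in pool if r.name in wanted or wanted & descendants(r, by_name)]
    for keep in conditions:  # condition filters drop what they don't select
        pool = [r for r in pool if keep(r)]
    if len(pool) > MAX_SCOPED_ROLES:
        raise OverflowError(f"{len(pool)} roles scoped; the scoping job fails")
    return sorted(r.name for r in pool)

# Constructed sample data (not taken from any real environment).
ROLES = [
    Role("AP_MANAGER_JOB", "Oracle Cloud", True, True, ("PAYABLES_DUTY",)),
    Role("AP_AUDITOR_JOB", "Oracle Cloud", True, False, ("PAYABLES_DUTY",)),
    Role("PAYABLES_DUTY", "Oracle Cloud", False, False, ("CREATE_INVOICE_PRIV",)),
    Role("HR_ANALYST_JOB", "Oracle Cloud", True, True, ("VIEW_PERSON_PRIV",)),
    Role("LEGACY_ADMIN", "Legacy ERP", True, True),
]
```

Running the model against an export of your own role inventory before submitting shows whether a filter set would exceed the 500-role limit and whether unassigned roles enter scope only for a continuous certification.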