10 Managing Certification Review Tasks
This section describes working with certifications in the following topics:
Note:
This document describes the actions you can perform in the Pending Certifications page. For certification and identity audit tasks, use the Certifications and Pending Violations tiles respectively. If you are using the Inbox Generic view, then do not use the Actions menu because the actions are not supported for certification and identity audit.
For an overview of identity certification and information about operations you can perform by using the Dashboard, see Using Identity Certification.
10.1 Searching and Viewing Certifications
You can search and filter certifications in the Pending Certifications page and view the certification details.
This section contains the following topics:
10.1.1 Searching Certifications in the Pending Certifications Page
You can search for the certification review tasks assigned to you.
To perform a simple search for certifications:
- Log in to Oracle Identity Self Service.
- Click the Self Service tab.
- Click the Certifications box. The Pending Certifications page is displayed with a list of certification review tasks assigned to you.
- From the Status list, select the certification status that you want to search for, for example, Assigned or Completed. Select Any to search for any certification irrespective of the status.
- In the Search box, specify a search criterion, for example, the certification name.
- Click the Search icon. The certifications that match your search criteria are listed in the search results table.
Tip:
- To sort the data in the search results table, place the mouse pointer on a column name. Up and down arrows are displayed on the column names. Click the up arrow to sort in ascending order. Click the down arrow to sort in descending order.
- In this release of Oracle Identity Manager, you can sort the certifications by their percent completion. If you place your mouse pointer on the Percent Complete column, the up and down arrow keys are displayed. Click the up arrow to sort by ascending order of percent completion, and click the down arrow to sort by descending order of percent completion.
10.1.2 Accessing Certification Tasks From the Pending Certifications Page
You can view details of different types of certification tasks like User Certification, Role Certification, Application Instance Certification, and Entitlement Certification.
This section describes how to access certification tasks for each type of certification:
Note:
The pages that display certification details and the details for user access rights, role content and membership, account details for application instances and entitlements enable you to personalize the contents of the pages. For example, you can use saved search, show/hide columns, and sort the data in columns. These personalization features are similar in all pages in Oracle Identity Self Service. See Personalizing Self Service for information about personalizing pages in Oracle Identity Self Service.
10.1.2.3 Viewing Application Instance Certification Details
To view application instance certification details:
10.2 Completing Certifications
You can set any missing decisions on user, role-assignments, accounts, or entitlement-assignments to Certify.
Completing certifications is described in the following sections:
10.2.1 Completing User Certifications
User certification enables managers to verify their employees and the role assignments, accounts and entitlement assignments for each.
Completing a user certification involves the following steps:
10.2.1.1 Making Certification Decision on the Users
When a certification task is opened, you may be required to verify the access of each user. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of users is skipped and you are presented with the user detail view.
If verification is required, then a decision must be made on each of the users that you have been asked to review. To do so:
10.2.1.2 Reviewing Roles and Entitlements
Use the details view of the certification to review a user's role assignments, accounts, and entitlement assignments. The details view can be accessed by selecting a user in the summary view, and clicking Open from the Actions menu, or by clicking the user name.
After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:
- Certify: You approve each selected assignment.
- Revoke: You disapprove each selected assignment. This decision indicates that the user no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.
- Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.
- Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.
- Reset: Use this to clear any decision you have made on the selected assignment.
For each action, optional comments can be added. By default, every decision other than to certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.
10.2.1.3 Finishing the User Certification
The final step in the certification cycle is the sign-off action. Signing off can only be done when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the sign-off dialog box later, assuming that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.
To manually sign off:
Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.
If the FlexibleCertificationProcess composite is selected in the Certification Configuration page of Oracle Identity System Administration or while creating the certification definition, then the certification tasks are assigned to the user's manager by default. Here, the user's manager is the overseer. The certification is not complete until the overseer signs off. The certification will go to the completed stage only after sign-off by the overseer.
10.2.2 Completing Role Certifications
Role certification enables role owners to certify roles and role content.
Completing a role certification involves the following steps:
10.2.2.1 Making Certification Decisions on the Roles
When a certification task is opened, you may be required to verify the access of each role. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of roles will be skipped, and you will be presented with the role detail view.
If verification is required, then a decision must be made on each of the roles for which you are the role owner. To do so:
10.2.2.2 Reviewing the Contents of the Roles
Use the details view of the certification to review a role's policies, memberships, and entitlements. The details view can be accessed by selecting a role in the summary view and clicking the Open button from the Actions menu, or by clicking the role name.
After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:
- Certify: You approve each selected assignment.
- Revoke: You disapprove each selected assignment. This decision indicates that the role no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.
- Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.
- Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.
- Reset: Use this to clear any decision you have made on the selected assignment.
For each action, optional comments can be added. By default, every decision other than to certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.
Click the Members tab to review the users who have this role assigned. Revoke, Certify Conditionally, Certify, and/or Abstain the role's members as required. In this tab, an additional Approve option is available for two-phased user certification. Selecting this option copies the decision from Phase 1 to Phase 2. See Understanding Multi-Phased Review in User Certification for information about two-phased review.
10.2.2.3 Finishing the Role Certification
The final step in the certification cycle is the sign-off action. Signing off can only be done when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the sign-off dialog box later, assuming that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.
To manually sign off:
Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.
10.2.3 Completing Application Instance Certifications
Application instance certification involves certifying or revoking employee entitlements on one or more application instances. These entitlements are assigned directly to an employee and are not assigned as part of a role.
Completing an application instance certification involves the following steps:
10.2.3.1 Making Certification Decisions on the Application Instances
When a certification task is opened, you may be required to verify the access of each application instance. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of application instances is skipped, and you are presented with the application instance detail view.
If verification is required, then a decision must be made on each of the application instances. To do so:
10.2.3.2 Reviewing Account and Entitlement Assignments
Use the details view of the certification to review an application instance's accounts and entitlements. The details view can be accessed by selecting an application instance in the summary view and clicking the Open button from the Actions menu, or by clicking the application instance name.
After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:
- Certify: You approve each selected assignment.
- Revoke: You disapprove each selected assignment. This decision indicates that the application instance no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.
- Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.
- Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.
- Reset: Use this to clear any decision you have made on the selected assignment.
For each action, optional comments can be added. By default, every decision other than to certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.
An additional Approve option is available for two-phased user certification. Selecting this option copies the decision from Phase 1 to Phase 2. See Understanding Multi-Phased Review in User Certification for information about two-phased review.
10.2.3.3 Finishing the Application Instance Certification
The final step in the certification cycle is the sign-off action. Signing off can only be done when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the sign-off dialog box later, assuming that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.
To manually sign off:
Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.
10.2.4 Completing Entitlement Certifications
Entitlement certifications enable you to certify whether employees should be able to access entitlements.
Completing an entitlement certification involves the following steps:
10.2.4.1 Making Certification Decisions on the Entitlements
When a certification task is opened, you may be required to verify the access of each entitlement. This verification step is optional based on the configuration settings set in the certification definition. If verification is not required, then the initial summary view of the entitlements is skipped, and you are presented with the entitlement detail view.
If verification is required, then a decision must be made on each of the entitlements. To do so:
10.2.4.2 Reviewing the Entitlement Assignments
Use the details view of the certification to review an entitlement's user accounts. The details view can be accessed by selecting an entitlement in the summary view and clicking Open from the Actions menu, or by clicking the entitlement name.
After your selections are made, you can use the Actions menu to select the appropriate action. The Actions menu contains the following options:
- Certify: You approve each selected assignment.
- Revoke: You disapprove each selected assignment. This decision indicates that the entitlement no longer needs the privilege and the assignment should be removed. When you select this option, a dialog box might be displayed that asks for comments. Type a note in the Comments pop-up, and click OK.
- Certify Conditionally: You approve each selected assignment, but only temporarily. This action also requires you to specify an end date on which your approval expires.
- Abstain: You take no position on each selected assignment. This records your decision to leave the assignment as it is.
- Reset: Use this to clear any decision you have made on the selected assignment.
For each action, optional comments can be added. By default, every decision other than to certify, such as Revoke, Certify Conditionally, and Abstain, allows optional comments.
An additional Approve option is available for two-phased user certification. Selecting this option copies the decision from Phase 1 to Phase 2. See Understanding Multi-Phased Review in User Certification for information about two-phased review.
10.2.4.3 Finishing the Entitlement Certification
The final step in the certification cycle is the sign-off action. Signing off can only be done when every access privilege has a decision assigned to it. When this state is reached, Oracle Identity Manager automatically prompts you to sign off on all the decisions taken. If you choose not to sign off at that time, then you can manually invoke the sign-off dialog box later, assuming that all access privileges are still completed. The process for signing off is the same whether automatically prompted by the system or manually activated.
To manually sign off:
Upon successful sign-off, the tab displaying the certification is closed automatically and a confirmation message is displayed.
10.3 Claiming and Releasing Group Certifier Assignments
Group certifier assignments must be claimed by a user before that user can take actions on them, and must be released by that user for other users in the group to view the actions taken.
You can have a predefined role with potential certifiers as members. Each time a certification is created with certifier as the role, each member of the role can take action on the certification by claiming the task. The member who claims the task first is the primary reviewer for that certification. The rest of the members will not be able to view or work on the same certification. Similarly, the member can release the certification task back to the group if that member has claimed it before.
This section contains the following topics:
10.3.1 Claiming Group Certifier Assignments
Group certifier review tasks can be claimed by clicking the Claim Task button.
10.3.2 Releasing Group Certifier Assignments
Group certifier assignments can be released by clicking the Release Task button.
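The claim and release rules in this section, together with the decision options and the sign-off precondition described under Completing Certifications, can be modeled as a small state machine. This is an added illustration, not Oracle Identity Manager code or an Oracle API: the `LineItem` and `ReviewTask` names, their methods, and the assignment labels are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DECISIONS = {"Certify", "Revoke", "Certify Conditionally", "Abstain"}

@dataclass
class LineItem:
    assignment: str                     # constructed label, e.g. "jdoe -> role:AP_Clerk"
    decision: Optional[str] = None
    end_date: Optional[date] = None
    comment: str = ""

class ReviewTask:
    """Illustrative model only; not an Oracle Identity Manager API."""

    def __init__(self, certifier_group, items):
        self.group, self.items, self.claimed_by = set(certifier_group), list(items), None

    def claim(self, user):
        if user not in self.group:
            raise PermissionError(f"{user} is not a member of the certifier role")
        if self.claimed_by not in (None, user):
            raise PermissionError(f"already claimed by {self.claimed_by}")
        self.claimed_by = user          # first claimer becomes the primary reviewer

    def release(self, user):
        if self.claimed_by != user:
            raise PermissionError("only the claiming member can release the task")
        self.claimed_by = None          # decisions already taken stay on the items

    def decide(self, user, item, action, end_date=None, comment=""):
        if self.claimed_by != user:
            raise PermissionError("claim the task before acting on it")
        if action == "Reset":           # clears the decision on the item
            item.decision, item.end_date = None, None
            return
        if action not in DECISIONS:
            raise ValueError(f"unknown action: {action}")
        if action == "Certify Conditionally" and end_date is None:
            raise ValueError("Certify Conditionally requires an end date")
        item.decision, item.comment = action, comment
        item.end_date = end_date if action == "Certify Conditionally" else None

    def undecided(self):
        """Assignments that still block sign-off because no decision is set."""
        return [i.assignment for i in self.items if i.decision is None]

    def can_sign_off(self):
        return not self.undecided()
```

Note that a Reset issued after the sign-off prompt puts the task back into a state where sign-off is blocked, which is why the text says manual sign-off is possible later only if all access privileges are still completed.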