13 Managing Identity Certification

Managing identity certification involves understanding certification concepts, configuring and scheduling certification, managing certification definitions, managing event listeners, configuring certification reports, and troubleshooting certification.

This chapter describes the concepts related to identity certification and the configuration tasks required for identity certification. It contains the following topics:

13.1 Certification Concepts

Key concepts related to identity certification are lines of business and line items, certification tasks, objects, definitions, and jobs, closed-loop remediation, remediation tracking, event listeners, certification authorization, and custom reviewer for user certification.

The concepts related to identity certification are described in the following sections.

13.1.1 Line of Business and Line Item

Line of Business (LOB) is a category of industry or business function. A line item is a row of data that appears on Page One of a certification.

LOB is a category of industry or business function. For example, an LOB manager is oriented to a business function within an enterprise, such as Sales.

A line item is a row of data that appears on Page One of a certification. Each line item groups, according to the type of certification, the set of privilege assignments related to a particular identity or privilege. A reviewer can open any line item to see its line item details. For example, within phase one of a user certification, each line item represents a user. Opening the user details displays the access privileges of that user.

13.1.2 Certification Task

Certification task consists of a set of work to be done within a certification process.

Each set of line items that is assigned to a particular reviewer initiates a Service-Oriented Architecture (SOA) task that contains that set of line items and that is routed to the SOA Inbox of that reviewer. The SOA component also notifies the reviewer that a certification task has been assigned to them.

13.1.3 Certification Object

Certification object consists of a certification ID and a set of line items.

Certification object is a generated certification that is assigned to a particular certifier or primary reviewer. Each certification object consists of:

  • A unique certification ID

  • A set of line-items, each of which contains a set of details

13.1.4 Certification Definition

Certification definition is a named set of parameters that is used as input to a certification job to generate certification objects.

A certification definition specifies the following:

  • The type of certification to generate, such as user certification, role certification, application instance certification, or entitlement certification

  • Selection criteria that describe which line items, for example users, to select

  • Content-restriction criteria that describe which details to select for each line item

  • Other parameters that control the generation of certification objects or the behavior of review tasks

13.1.5 Certification Jobs

Certification jobs are used to create certifications as requested or as scheduled.

A certification job is a background execution-task that generates certification objects based on a specified certification definition. Certification jobs can be:

  • Scheduled to run at regular intervals, such as weekly, monthly, or quarterly, as required

  • Run immediately from the Scheduler section of Oracle Identity System Administration

  • Triggered from an event-listener action

You can create and run certification-generation jobs to create certifications as requested or as scheduled. You can enable and run the risk-aggregation job to calculate the risk-values of entities, such as users, accounts, role-assignments, and entitlement-assignments.

13.1.6 Closed-Loop Remediation

Closed-loop remediation is used to revoke access privileges as an outcome of the certification process.

Closed-loop remediation is a feature that utilizes the provisioning system of Oracle Identity Manager to automatically revoke accounts, roles, and entitlements based on the results of the Oracle Identity Manager certification process.

13.1.7 Remediation Tracking

The access request catalog is used for remediation tracking.

You can use the request catalog to track the remediation status of revoked accounts, access within accounts, or roles. This records whether and when each revocation request is fulfilled.

13.1.8 Event Listener

An event listener is a service that responds to changes in users. Event listeners are supported for all certification types.

Each event listener for certification contains:

  • The selection-criteria specified by an administrator

  • The certification definition to use in response

13.1.9 Certification Authorization

Certification authorization is controlled by assigning or revoking the Certification Administrator and Certification Viewer administrative roles.

The following Oracle Identity Manager admin roles grant the assignee privileges required to administer the certification feature and monitor the progress of certification instances:

  • Certification Administrator: The Certification Administrator admin role grants the assignee super-user privileges for the certification feature. In particular, this admin role grants access to the certification configuration and scheduler in Oracle Identity System Administration. This role also grants full access to certifications: the assignee can view or take action on any certification.

  • Certification Viewer: The Certification Viewer is a read-only role, allowing a compliance administrator to view new, in progress, and completed certifications.

13.1.10 Custom Reviewer for User Certifications

Custom reviewer for user certifications can be specified by defining certification rules in the CERT_CUSTOM_ACCESS_REVIEWERS table.

Oracle Identity Manager enables you to define your own custom reviewer for user certifications. This section contains the following topics:

13.1.10.1 About Custom Access Reviewer

You can define your own custom access reviewer for user certifications by specifying certification rules for specific user accounts, roles, entitlements, or application instances, or a combination of these entities, with a particular reviewer. In addition, you can group the certification rules and assign a map name to the certification rule to specify a reviewer for that map name.

These rules can be defined in the CERT_CUSTOM_ACCESS_REVIEWERS table in the Oracle Identity Manager database. Table 13-1 describes the columns of the CERT_CUSTOM_ACCESS_REVIEWERS table.

Note:

The CERT_CUSTOM_ACCESS_REVIEWERS table must be populated before running the intended certification jobs. The data in the table is to be maintained by Oracle Identity Manager administrators.

Table 13-1 CERT_CUSTOM_ACCESS_REVIEWERS Table Definition

Column: reviewer_login
Data Type: varchar2(256)
Description: OIM login ID for the reviewer user. This field can have the following special values:

  • <USER_MANAGER>: Specifies the default reviewer to be the user’s manager for any user in the mapping

  • <ORGANIZATION_MANAGER>: Specifies the default reviewer to be the organization manager for any user in the mapping

Column: user_login
Data Type: varchar2(256)
Description: OIM user login for the user whose access needs to be filtered. This field can have the following special value:

  • <ANY>: Specifies a special reviewer mapping to be applied for any user

  Note:

  The special value <ANY> for the user_login column in the CERT_CUSTOM_ACCESS_REVIEWERS table is supported only with the Default Reviewer or Alternate Reviewer access types.

Column: access_type
Data Type: number(2)
Description: Numeric access type; the value is one of the following:

  • 1 for User

  • 2 for Role

  • 3 for Account

  • 4 for Entitlement

  • 5 for Default Reviewer

  • 6 for Alternate Reviewer

Column: app_instance_name
Data Type: varchar2(4000)
Description: Name of the application instance.

Column: account_name
Data Type: varchar2(300)
Description: Name of the specific account on the application instance.

Column: entitlement_name
Data Type: varchar2(4000)
Description: Name of the entitlement.

Column: role_name
Data Type: varchar2(4000)
Description: Name of the role.

Column: map_name
Data Type: varchar2(4000)
Description: The map name that can be used to tag mappings and that is referenced in certification definitions.

13.1.10.2 Conditions for Using Custom Access Reviewer

Certain conditions must be met for using the custom access reviewer for user certifications.

The following conditions must be met to use the custom access reviewer feature for user certification:

  • Reviewer table does not support any wildcards for any of the fields/columns.

  • Reviewer table has mappings defined for each and every user to be included in certification.

  • Application instance information is required for all account and entitlement mappings.

  • Only one instance of default reviewer and alternate reviewer mapping is allowed per map name.

13.1.10.3 Sample CERT_CUSTOM_ACCESS_REVIEWERS Table

Table 13-2 shows a sample CERT_CUSTOM_ACCESS_REVIEWERS table with custom reviewers defined for certification rules. Row 1 has no entitlement name.

Table 13-2 Sample CERT_CUSTOM_ACCESS_REVIEWERS Table

Row # | REVIEWER_LOGIN | USER_LOGIN | ACCESS_TYPE | Application Instance Name | Account Name | Entitlement Name | Map Name
1 | ACERTUSER2 | VCERTUSER2 | 3 | VISDU1 | VCERTUSER2SERVICE | | 2015 Review
2 | ACERTUSER1 | VCERTUSER3 | 4 | VISDU1 | VCERTUSER3 | EntTestDB~CN=VISDU11,DC=abc,DC=com | 2015 Review
3 | ACERTUSER3 | VCERTUSER2 | 4 | VISDU1 | VCERTUSER2 | EntTestDB~CN=VISDU11,DC=abc,DC=com | 2015 Review
4 | VCERTUSER10 | VCERTUSER2 | 1 | NA | NA | NA | <GLOBAL>

The rows in the sample table represent the following certification rules:
  • Row #1 has a mapping defined for the specific application instance VISDU1 owned by the user account VCERTUSER2SERVICE of user VCERTUSER2 with a particular reviewer ACERTUSER2.

  • Row #2 has a mapping defined for the specific entitlement EntTestDB~CN=VISDU11,DC=abc,DC=com with an application instance VISDU1 owned by the user account VCERTUSER3 of user VCERTUSER3 with a particular reviewer ACERTUSER1.

  • Row #3 has a mapping defined for the specific entitlement EntTestDB~CN=VISDU11,DC=abc,DC=com with an application instance VISDU1 owned by the user account VCERTUSER2 of user VCERTUSER2 with a particular reviewer ACERTUSER3.
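Because the table is maintained by hand and the job silently drops users that have no mapping, a pre-flight check against the conditions in 13.1.10.2 (and the <ANY> restriction from Table 13-1) is worth running before each certification job. The following is an added example, not Oracle code: it takes the rows of Table 13-2 as constructed dicts keyed by the column names, scopes the coverage check to one map name the way a certification definition would, and reports every violation it finds. Which characters count as wildcards is an assumption (the page only says wildcards are unsupported); in production the same checks would be SQL queries against the table.

```python
"""Pre-flight checks on CERT_CUSTOM_ACCESS_REVIEWERS rows before a certification job runs."""
from collections import Counter

GLOBAL_MAP = "<GLOBAL>"
ANY_USER = "<ANY>"
# access_type values from Table 13-1
USER, ROLE, ACCOUNT, ENTITLEMENT, DEFAULT_REVIEWER, ALTERNATE_REVIEWER = 1, 2, 3, 4, 5, 6
WILDCARDS = ("*", "%")   # assumption: characters an administrator might use as wildcards

# Constructed copy of Table 13-2 (row 4 carries NA / <GLOBAL> exactly as the table shows).
ENT = "EntTestDB~CN=VISDU11,DC=abc,DC=com"
SAMPLE_ROWS = [
    dict(reviewer_login="ACERTUSER2", user_login="VCERTUSER2", access_type=ACCOUNT,
         app_instance_name="VISDU1", account_name="VCERTUSER2SERVICE", entitlement_name=None,
         role_name=None, map_name="2015 Review"),
    dict(reviewer_login="ACERTUSER1", user_login="VCERTUSER3", access_type=ENTITLEMENT,
         app_instance_name="VISDU1", account_name="VCERTUSER3", entitlement_name=ENT,
         role_name=None, map_name="2015 Review"),
    dict(reviewer_login="ACERTUSER3", user_login="VCERTUSER2", access_type=ENTITLEMENT,
         app_instance_name="VISDU1", account_name="VCERTUSER2", entitlement_name=ENT,
         role_name=None, map_name="2015 Review"),
    dict(reviewer_login="VCERTUSER10", user_login="VCERTUSER2", access_type=USER,
         app_instance_name="NA", account_name="NA", entitlement_name="NA",
         role_name=None, map_name=GLOBAL_MAP),
]


def validate_reviewer_rows(rows, base_selection, map_name=GLOBAL_MAP):
    """Return a list of problems; an empty list means the conditions in 13.1.10.2 hold."""
    problems = []
    special_rows = Counter()   # (map_name, access_type) -> count, for types 5 and 6
    for i, row in enumerate(rows, start=1):
        # condition: no wildcards in any column
        for col, val in row.items():
            if isinstance(val, str) and any(w in val for w in WILDCARDS):
                problems.append(f"row {i}: wildcard character in {col}: {val!r}")
        at = row["access_type"]
        # condition: application instance required for account and entitlement mappings
        if at in (ACCOUNT, ENTITLEMENT) and not row.get("app_instance_name"):
            problems.append(f"row {i}: app_instance_name is required for access_type {at}")
        # note in Table 13-1: <ANY> only with Default Reviewer or Alternate Reviewer
        if row["user_login"] == ANY_USER and at not in (DEFAULT_REVIEWER, ALTERNATE_REVIEWER):
            problems.append(f"row {i}: <ANY> is supported only with access_type 5 or 6")
        if at in (DEFAULT_REVIEWER, ALTERNATE_REVIEWER):
            special_rows[(row["map_name"], at)] += 1
    # condition: one default reviewer and one alternate reviewer row per map name
    for (m, at), n in special_rows.items():
        if n > 1:
            problems.append(f"map {m!r}: {n} rows with access_type {at}, only one is allowed")
    # condition: every user in the base selection has a mapping in the definition's map scope,
    # either an explicit user_login row or a default reviewer row covering <ANY> user
    scoped = [r for r in rows if r["map_name"] == map_name]
    has_default = any(r["access_type"] == DEFAULT_REVIEWER for r in scoped)
    mapped = {r["user_login"] for r in scoped}
    for user in base_selection:
        if user not in mapped and not has_default:
            problems.append(f"user {user}: no reviewer mapping in map {map_name!r}")
    return problems


if __name__ == "__main__":
    for p in validate_reviewer_rows(SAMPLE_ROWS, ["VCERTUSER2", "VCERTUSER3"], "2015 Review"):
        print(p)
```

Run against the Table 13-2 rows with a base selection of VCERTUSER2 and VCERTUSER3 and the map name 2015 Review, the check returns no problems; a row with an asterisk in a login, an account mapping without an application instance, or a second default reviewer row for the same map name each produce one entry.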

13.1.10.4 Custom Access Reviewer Scenarios

The following is a list of supported custom access reviewer configuration scenarios.

Custom reviewer for specific user

Reviewer table has mapping defined for a specific user U1 with a particular reviewer R1.

This mapping is treated as a whole access responsibility mapping. Reviewer R1 will review the entire access for user U1, and user U1 will be included in a certification for reviewer R1. Any access of user U1 for which the reviewer table names a reviewer other than R1 is excluded from R1's certification.

Custom reviewer for account owned by specific user

Reviewer table has mapping defined for a specific user account U1A1 of user U1 with a particular reviewer R2.

This mapping is treated as limited access responsibility mapping. Reviewer R2 will only review account U1A1 for user U1, and user U1 will be included in a certification for reviewer R2. Oracle Identity Manager will include U1A1 account along with all the entitlements that are part of U1A1 for reviewer R2.

Custom reviewer for entitlement owned by specific user account

Reviewer table has mapping defined for a specific entitlement U1A1E1 owned by a specific account U1A1 with a particular reviewer R3.

This mapping is treated as limited access responsibility mapping. Reviewer R3 will only review entitlement U1A1E1 for user U1, and user U1 will be included in a certification for reviewer R3. Oracle Identity Manager will include account U1A1 and only entitlement U1A1E1 for reviewer R3.

Custom reviewer for entitlement within an application instance (without any account name)

Reviewer table has mapping defined for a specific entitlement E3 with an application instance name APP2 with a particular reviewer R5. Account name is not defined for this mapping.

This mapping is treated as limited responsibility mapping. Reviewer R5 will review all the entitlements with name E3 from all the user accounts available in the application instance APP2. Certifications will be generated for all users who have entitlement E3 in the application instance APP2 and assigned to reviewer R5. Oracle Identity Manager will include accounts with only entitlement E3 in the certification for reviewer R5.

Custom reviewer for role owned by specific user

Reviewer table has mapping defined for a specific user role U1R1 of user U1 with a particular reviewer R4.

This mapping is treated as limited access responsibility mapping. Reviewer R4 will only review role U1R1 for user U1, and user U1 will be included in a certification for reviewer R4. Oracle Identity Manager will include only role U1R1 for reviewer R4.

Custom reviewers for different access types specified in the reviewer table

Certifications are created for each of the reviewers defined in the table. Each reviewer will only see the access elements for which mappings are defined. Each reviewer will have only one certification created in one certification job run.

Custom reviewer table with tag/map name defined in reviewer table

The reviewer table is scoped per the tag/map name defined in the certification definition. If the certification definition does not have a tag/map name specified, then the reviewer table is scoped for the <GLOBAL> tag/map name.

Default reviewer mapping for a specific map name

Reviewer table has mapping defined in default reviewer row as <Default Reviewer> - <USER_MANAGER> - <ANY> for map name MAP1.

This mapping is treated as a default user reviewer mapping and sets the reviewer for any user to be the user’s manager. All users’ managers are included as reviewers. Oracle Identity Manager will NOT include a user in the certification for the user’s manager if there is another User access type mapping defined in the reviewer table. This mapping will NOT affect other mappings in any way.

Reviewer table with user-level mappings as subset of base selection in certification definition

Base selection consists of users U1, U2, U3 and reviewer table with mapping for U1::U1A1-> R1 (account type), U2::U2A1E1-> R2 (entitlement type). Default reviewer mapping is <USER_MANAGER>-<ANY>. Managers are available as U1->M1, U2->M2, and U3->M3.

Certifications are generated for all users U1, U2 and U3. Each user’s manager will review each user’s access. Reviewer M3 will review all access for U3. Reviewer M2 will review all access for U2 except entitlement U2A1E1. Reviewer R2 will review only U2A1E1 for user U2. Reviewer M1 will review all access for U1 except account U1A1. Reviewer R1 will review only U1A1 for user U1.

Reviewer table with default reviewer mapping and overriding user-level mapping

Reviewer table has default reviewer mapping as <Default Reviewer> - <USER_MANAGER> - <ANY> for <GLOBAL> map name. Reviewer table also has user type mapping for U1 -> R1. User U1 has manager M1 defined in system. One certification is generated for reviewer R1, and no certification is generated for manager M1.

Reviewer table with default reviewer mapping and alternate reviewer mapping

Reviewer table has default reviewer mapping as <Default Reviewer> - <USER_MANAGER> - <ANY> for <GLOBAL> map name. Reviewer table has alternate reviewer mapping as <Alternate Reviewer> - <AR1> - <ANY> for <GLOBAL> map name. User U1 has manager M1 defined in system. Reviewer M1 is an inactive user in system.

No certification is generated for manager M1 because the user is inactive. One certification is generated for reviewer AR1 with user U1.
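The scenarios above share a small set of resolution rules: a narrower mapping (account, entitlement, role) claims that part of a user's access for its reviewer; a User mapping, or otherwise the default reviewer row, receives everything left over; the <USER_MANAGER> default resolves to the user's manager, with the alternate reviewer row taking over when the manager is inactive; and the whole table is scoped by map name. The following is an added example, not Oracle code, that models those rules as reconstructed from this section, with constructed user, account and reviewer names. It does not model <ORGANIZATION_MANAGER> or the entitlement-without-account-name scenario, and a user who has no reviewer at all simply produces no certification.

```python
"""Simulation of how custom access reviewer mappings resolve to certifications (assumed model)."""
from dataclasses import dataclass, field

GLOBAL_MAP = "<GLOBAL>"
ANY_USER = "<ANY>"
USER_MANAGER = "<USER_MANAGER>"
# access_type values from Table 13-1
USER, ROLE, ACCOUNT, ENTITLEMENT, DEFAULT_REVIEWER, ALTERNATE_REVIEWER = 1, 2, 3, 4, 5, 6

@dataclass
class ReviewerRow:
    """One CERT_CUSTOM_ACCESS_REVIEWERS row, columns as in Table 13-1."""
    reviewer_login: str
    user_login: str
    access_type: int
    app_instance_name: str = None
    account_name: str = None
    entitlement_name: str = None
    role_name: str = None
    map_name: str = GLOBAL_MAP

@dataclass
class User:
    """Constructed view of a user's access: roles and (app_instance, account) -> entitlements."""
    manager: str = None
    active: bool = True
    roles: set = field(default_factory=set)
    accounts: dict = field(default_factory=dict)

def whole_access_reviewer(user_login, users, rows):
    """Reviewer of everything not claimed by a narrower mapping, or None if there is none."""
    user_row = next((r for r in rows if r.user_login == user_login and r.access_type == USER), None)
    if user_row:                                  # a User mapping overrides the default reviewer
        return user_row.reviewer_login
    default = next((r for r in rows if r.access_type == DEFAULT_REVIEWER), None)
    if default is None:
        return None
    if default.reviewer_login != USER_MANAGER:    # <ORGANIZATION_MANAGER> is not modelled here
        return default.reviewer_login
    manager = users[user_login].manager
    if manager and users[manager].active:
        return manager
    alternate = next((r for r in rows if r.access_type == ALTERNATE_REVIEWER), None)
    return alternate.reviewer_login if alternate else None

def resolve_certifications(base_selection, users, rows, map_name=GLOBAL_MAP):
    """Return {reviewer: {user: {"roles": set, "accounts": {(app, acct): set}}}}."""
    rows = [r for r in rows if r.map_name == map_name]   # the table is scoped per map name
    certs = {}

    def grant(reviewer, user, roles=(), accounts=None):
        item = certs.setdefault(reviewer, {}).setdefault(user, {"roles": set(), "accounts": {}})
        item["roles"] |= set(roles)
        for key, ents in (accounts or {}).items():
            item["accounts"].setdefault(key, set()).update(ents)

    for user in base_selection:
        access = users[user]
        claimed_roles, claimed_accounts, claimed_ents = set(), set(), set()
        for r in (r for r in rows if r.user_login == user):
            key = (r.app_instance_name, r.account_name)
            if r.access_type == ROLE and r.role_name in access.roles:
                grant(r.reviewer_login, user, roles={r.role_name})             # only that role
                claimed_roles.add(r.role_name)
            elif r.access_type == ACCOUNT and key in access.accounts:
                grant(r.reviewer_login, user, accounts={key: access.accounts[key]})  # account + its entitlements
                claimed_accounts.add(key)
            elif r.access_type == ENTITLEMENT and r.entitlement_name in access.accounts.get(key, ()):
                grant(r.reviewer_login, user, accounts={key: {r.entitlement_name}})  # account, one entitlement
                claimed_ents.add((key, r.entitlement_name))
        remaining = {key: {e for e in ents if (key, e) not in claimed_ents}
                     for key, ents in access.accounts.items() if key not in claimed_accounts}
        reviewer = whole_access_reviewer(user, users, rows)
        if reviewer:
            grant(reviewer, user, roles=access.roles - claimed_roles, accounts=remaining)
    return certs

def scenario_subset():
    """'User-level mappings as subset of base selection' scenario with constructed names."""
    users = {"M1": User(), "M2": User(), "M3": User(),
             "U1": User("M1", accounts={("APP1", "U1A1"): {"U1A1E1", "U1A1E2"}, ("APP1", "U1A2"): {"U1A2E1"}}),
             "U2": User("M2", accounts={("APP1", "U2A1"): {"U2A1E1", "U2A1E2"}}),
             "U3": User("M3", roles={"U3R1"}, accounts={("APP1", "U3A1"): {"U3A1E1"}})}
    rows = [ReviewerRow("R1", "U1", ACCOUNT, "APP1", "U1A1"),
            ReviewerRow("R2", "U2", ENTITLEMENT, "APP1", "U2A1", "U2A1E1"),
            ReviewerRow(USER_MANAGER, ANY_USER, DEFAULT_REVIEWER)]
    return resolve_certifications(["U1", "U2", "U3"], users, rows)

if __name__ == "__main__":
    for reviewer, items in sorted(scenario_subset().items()):
        print(reviewer, "->", items)
```

For the subset scenario the result matches the text: M3 reviews all of U3's access, M2 reviews U2's account minus entitlement U2A1E1 (which goes to R2), and M1 reviews U1's access minus account U1A1 (which goes to R1 with all of its entitlements). Adding a User row for U1 routes everything to that reviewer and produces no certification for M1; marking M1 inactive with an alternate reviewer row present routes U1 to AR1 instead.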

13.2 Configuring Certifications

After certain prerequisites for certification configuration are met, you can set the certification configuration properties in the Certification Configuration page of the Identity Self Service.

This section describes how to configure certifications in the following topics:

13.2.1 Prerequisites for Configuring Certifications

Prerequisites for configuring certifications include marking a catalog item as certifiable, setting the certifier, user manager, organization certifier, user attributes for certification snapshot, and risk levels for individual entities, tagging attributes, and configuring the availability of identity certification, reminders, notifications, escalations, and expiry for certifications.

Configuring certifications has the following prerequisite steps:

Note:

Some of the preconfiguration steps require you to use the request catalog. For detailed information about the request catalog, see the following sections:

13.2.1.1 Marking a Catalog Item as Certifiable

A requestable entity, such as role assignment, role membership, application instance, or entitlement, is available for certification only after it is marked as certifiable in the request catalog. Any entity that is not marked as certifiable does not appear in the certification.

By default, all items in the catalog are marked as certifiable. You can deselect the Certifiable option if you do not want a certification task to be generated for that entity.

To mark an entity as certifiable:

  1. Log in to Oracle Identity Self Service.
  2. Navigate to the request catalog page.
  3. Search and select the application instance or entitlement that you want to set as certifiable.

    To modify the Certifiable option for roles, open the role details page, and then set the Certifiable option in the Catalog Attributes section.

  4. Click the info (i) icon to open the Detailed Information tab for the selected catalog item.
  5. Under Detailed Information, select the Certifiable option.
  6. Click Apply.

13.2.1.2 Setting the Certifier in the Request Catalog

When you set a user as the certifier for an entity and select some of the options for selecting reviewers, such as Role Certifier or Application Instance Certifier, the user is automatically set as the certifier or primary reviewer for certifying that entity. For example, if user John Doe is selected as the certifier for the Vision Developers role, then John Doe is automatically set as the primary reviewer for certifying the Vision Developers role depending on the selection in the Reviewers screen of creating certifications. In this example, after the user is set as the certifier for the Vision Developers role and you are creating a Role Certification, selecting the Role Certifier option will pick up this field.

Note:

Setting the certifier in the request catalog is required if you want to use some of the options for selecting reviewers in the certification creation screen, such as Role Certifier or Application Instance Certifier.

To set the certifier in the catalog:

  1. In Oracle Identity Self Service, navigate to the Catalog page.
  2. Search and select the role, application instance, or entitlement for which you want to set the certifier.
  3. For the Certifier User field, click the lookup icon. From the lookup, search and select a user that you want to set as certifier for the selected entity.
  4. Click Apply.

13.2.1.3 Setting User Manager and Organization Certifier

The user manager and organization certifier are available for selection as the primary reviewer in the certification creation process.

User manager is the user selected in the Manager field in the Attributes tab of the User Details page in Oracle Identity Self Service. If Jane Doe is specified as the manager for Terence Hill, then while creating a user certification definition, as described in Creating Certification Definitions, when you select user manager as the primary reviewer, Jane Doe is automatically set as the primary reviewer for the certification tasks generated for Terence Hill.

The organization certifier is the user selected in the Certifier User Login field in the Attributes tab of the Organization Details page in Oracle Identity Self Service. If Robert Klein is specified as the organization certifier for the Vision North organization, then while creating the certification definition, when you select organization certifier as the primary reviewer, Robert Klein is automatically set as the primary reviewer for the certification tasks generated for Vision North.

Note:

  • Setting the user manager or organization certifier is required if you want to use the Reviewer option of User Manager or Organization Certifier. Otherwise, this is not required.

  • Role organization certifier does not support the Hierarchy aware option. For the organization certifier, the role must be available in the organization. In other words, the specific organization must be specified for the role. Otherwise, certification will not be generated. Make sure that the role and organization are linked and organization has the certifier user assigned.

13.2.1.4 Setting User Attributes for Certification Snapshot

Certification snapshots capture the following user attributes in Oracle Identity Manager. Each attribute is identified by its UserManagerConstants.AttributeName constant, and its attribute ID is resolved with getId():

UserManagerConstants.AttributeName.USER_KEY.getId()
UserManagerConstants.AttributeName.USER_ORGANIZATION.getId()
UserManagerConstants.AttributeName.USER_LOGIN.getId()
UserManagerConstants.AttributeName.MANAGER_KEY.getId()
UserManagerConstants.AttributeName.STATUS.getId()
UserManagerConstants.AttributeName.EMAIL.getId()
UserManagerConstants.AttributeName.FIRSTNAME.getId()
UserManagerConstants.AttributeName.LASTNAME.getId()
UserManagerConstants.AttributeName.DISPLAYNAME.getId()
UserManagerConstants.AttributeName.EMPTYPE.getId()
UserManagerConstants.AttributeName.PHONE_NUMBER.getId()
UserManagerConstants.AttributeName.EMPLOYEE_NUMBER.getId()
UserManagerConstants.AttributeName.USER_UPDATE.getId()
UserManagerConstants.AttributeName.USER_CREATEBY.getId()
UserManagerConstants.AttributeName.USER_UPDATEBY.getId()
UserManagerConstants.AttributeName.USER_CREATED.getId()
UserManagerConstants.AttributeName.DEPARTMENT_NUMBER.getId()
UserManagerConstants.AttributeName.LOCALITY_NAME.getId()
UserManagerConstants.AttributeName.POSTAL_CODE.getId()
UserManagerConstants.AttributeName.STATE.getId()
UserManagerConstants.AttributeName.STREET.getId()
UserManagerConstants.AttributeName.USER_COUNTRY.getId()
UserManagerConstants.AttributeName.LOCALE.getId()
UserManagerConstants.AttributeName.TITLE.getId()
UserManagerConstants.AttributeName.GENERATION_QUALIFIER.getId()
UserManagerConstants.AttributeName.COMMONNAME.getId()
UserManagerConstants.AttributeName.HIRE_DATE.getId()
UserManagerConstants.AttributeName.ACCOUNT_STATUS.getId()
UserManagerConstants.AttributeName.MIDDLENAME.getId()

All other user attributes can be added to the certification snapshots if the attributes are marked as certifiable. These attributes are stored along with the other user-defined attributes. Note that marking an attribute as certifiable can impact performance; therefore, it is recommended to mark attributes as certifiable only if required.

13.2.1.5 Setting Risk Levels for Individual Entities

To set the risk levels for individual entities:

Note:

See About How Risk Summaries are Calculated for information about the impact of setting risk levels and how Oracle Identity Manager processes risk levels to arrive at risk summaries.

  1. In Oracle Identity Self Service, navigate to the Catalog page.
  2. Search and select the role, application instance, or entitlement for which you want to set the risk level.
  3. Under Detailed Information, from the Risk Level list, select High Risk, Medium Risk, or Low Risk.
  4. Click Apply.

After setting the risk level for an individual entity, you must run the Risk Aggregation scheduled job so that the new risk level is correctly picked up when new certifications are created. Note that existing certification objects do not reflect the new risk level.

13.2.1.6 Tagging Attributes

Accounts, IT resources, and entitlements must be tagged for certification in the Design Console. Without tagging, certifications for these entities are not generated.

You can check if the accounts, IT resources, and entitlements are already tagged by following the navigation in the Design Console as described in this section. If the entities are already tagged, then you can skip this section. Otherwise, configure account and IT resource tagging by performing the steps in this section.

Note:

For the certification creation to work, the value of each of the following properties must be set to true, as described in the procedure in this section.

  • Entitlement

  • ITResource

  • AccountName

To configure account and IT resource tagging:

  1. Log in to the Design Console.
  2. Under Development Tools, click Form Designer.
  3. Click the search icon at the top. The Form Designer Table is displayed with a list of all available forms.
  4. Open the child process form, and click Create New Version.
  5. Click the Properties tab.
  6. Locate the entitlement field (only one per form), click Add Property, and add the Entitlement = true property setting.

    If there are multiple entitlement child forms, then add one Entitlement = true property setting per entitlement form.

  7. Save the child form, and click Make Version Active.

    Note:

    If there are multiple child forms, update all of them by repeating steps 4 through 7 before going to the next step.

  8. Select the parent forms for each connector that is installed. The parent form has the User ID fields to store the account name in the target system, for example, UD_ADUSER and UD_EBS_USER.
  9. Select a form. A new Form Designer tab opens.
  10. Click Create New Version. In the popup, enter a name, for example, v2. Click the save icon. Close the popup.
  11. In the Current version list, make sure that the newly created version v2 is selected.
  12. Click the Properties tab.
  13. Locate the field that uniquely identifies the account in the target system, such as UserID, UserName, and AccountName, which are typical fields in the default connectors. Click Add Property, and add the AccountName = true property setting.
  14. Locate the IT resource field. For most connectors, this is identified by the text ITResourceLookupField as a property for the target system. Click Add Property, and add the ITResource = true property setting.
  15. Save the parent form. Click Make Version Active.
  16. Repeat steps 3 through 11 for each IT resource.

13.2.1.7 Configuring the Availability of Identity Certification

The certification feature is part of Compliance in Oracle Identity Manager. Therefore, the certification feature is available when the value of the Identity Auditor Feature Set Availability system property is set to TRUE. When the value of this property is TRUE, role lifecycle management, Segregation of Duties (SoD), and identity certification are enabled.

If you change the value of this property, then you must restart Oracle Identity Manager server.

Note:

For information about system properties and setting the values of system properties, see “Managing System Properties” in Administering Oracle Identity Governance.

13.2.1.8 Configuring Reminders, Notifications, Escalations, and Expiry for Certifications (Optional)

If email notifications are configured in SOA, as described in "Configuring SOA Email Notification" in Administering Oracle Identity Governance, then email notifications are sent by default in the following scenarios:

  • When a task is assigned to a user

  • When a task is completed

By default, two reminders are sent one day after and two days after the certification has been created. There is no escalation or expiry set for the certifications by default.

To change the default configuration for certification:

  1. Log in to Oracle SOA Composer with Admin credentials, such as weblogic, by navigating to the following URL:

    http://HOST_NAME:PORT_NUMBER/soa/composer

  2. Click Open, and select Open Tasks. The Select a Task to open dialog box is displayed.

  3. Select CertificationProcess_rev1.0, and click Open. The CertificationTask : Event Driven Configuration page is displayed.

  4. In the Notification Settings section, perform the following:

    1. The assignees of the task are selected as recipients of the notification for Assign and Complete tasks. To change the default setting, you can select the task status in the Task Status column, and select the notification recipient in the Recipient column. You can click the pencil icon for each task to edit the default notification message, and click OK.

    2. In the drop-down below, change the default setting for reminders.

  5. In the Expiry and Escalation Policy section, you can change the default value for escalation and expiry.

  6. Click OK.

  7. Click Save, and then click Commit.

13.2.2 Configuring Certification Options

You can set default options in Oracle Identity Self Service that are used during certification creation based on the type of certification. These options can be changed during the certification creation process for each certification definition.

To configure certification options:

  1. Log in to Oracle Identity Self Service.
  2. Click the Compliance tab.
  3. Click the Identity Certification box, and select Certification Configuration. The Certification Configuration page is displayed.
  4. Set the configuration properties, as listed in Table 13-3.

    Note:

    All the options listed in Table 13-3 set the default configuration that is picked up during certification creation based on the type of certification. These can be changed during the certification creation process for each certification definition.

    Table 13-3 Configuration Properties

    Property Description

    Password required on sign-off

    Select to require users to sign off in order to complete a certification.

    Allow comments on certify operations

    Select to allow the user to type a comment if a certify action is selected. By default, a comment is required.

    Allow comments on all non-certify operations

    Select to allow the user to type a comment if a revoke action is selected. By default, a comment is required.

    Verify employee access

    Select to control if you want to view Page 1 in the user certification view. By default, this option is selected. This option is used in user certification.

    Prevent self certification

    Select to prevent reviewers from being able to certify their own access. Enabling this option allows the certification creator to assign the certification to an alternate reviewer.

    When the Prevent self certification option is enabled, the User Manager option is selected by default, which means that the assignee is the user's manager.

    To select any other user, select Select User. Click the Search icon to search and select an alternate reviewer.

    User and Account Selections

    Select any one of the following:

    • Include only active users and active accounts

    • Include any user with active accounts

    • Include all users and all accounts

    Allow advanced delegation

    Select to enable the ability to delegate a line item to others. This option is not selected by default.

    When delegation is enabled, there is a verification stage, in which the certification is routed to the primary reviewer with all the decisions of the delegates as well as the primary reviewer's own decisions for final sign off.

    Allow multi-phased review

    Select to enable collaborative certification, for which in phase 1 the business review is completed and that is followed by a phase 2 for the technical review followed by an optional final review, which is completed by the business reviewer again. This is used in user certification only.

    Allow reassignment

    Select to enable the ability to reassign the line items in page 1 of certifications to other users. When line items are reassigned, the items are removed from the certification task and are no longer visible within the review cycle for the original certification object. A new certification object is created containing the reassigned line items. The new assignee is the primary reviewer for the new certification object.

    Allow auto-claim

    Select to mark all the items in page 1 as claimed by default. By default, auto claim is enabled. If you deselect this option, then users have to manually claim each item before they can view the item details.

    Perform closed loop remediation

    Select to enable closed-loop remediation: when the certification is completed, the revoke decisions made in it are automatically acted on and the revoked access is removed.

    Enable Interactive Excel

    Select to enable ADF Desktop Integration (ADFdi) for user certification, which gives the user the option to download certification data to a Microsoft Excel worksheet and work on it in offline mode. For information about working on certifications in offline mode, see Completing User Certifications in Offline Mode.

    Enable Certification Reports

    Select to enable the creation of certification reports and display the Reports tab in the Detailed Information section of the Certification Dashboard.

    Composite Name

    Select the SOA composite for the certification workflow. The default composite is default/CertificationProcess. You can select another version of the composite to enable certification oversight in the certification workflow. To do so, select the CertificationOverseerProcess composite. This composite specifies that the reviewer's manager is the overseer for the certification process.

  5. Click Save.
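The Prevent self certification row of Table 13-3 describes a routing rule: a line item whose primary reviewer is the user being certified goes to the alternate reviewer instead (the user's manager by default, or a selected user). The following Python is an added example written for this page, not Oracle Identity Manager code, that applies that rule to the Page One line items of a user certification and also reports, as an audit check, the self-certifications that a definition with the option turned off would allow. The user records, organization certifiers and reviewer strategies are a hypothetical model; what happens when the alternate reviewer also resolves to the user themself, or to nobody, is not stated on this page, so the example raises an error there as an assumption.

```python
"""Route Page One line items to reviewers, honouring "Prevent self certification".

Added example for this page; not Oracle Identity Manager code.  The data model
is hypothetical: users are keyed by login, and a definition carries the
primary-reviewer strategy plus the alternate-reviewer choice that the wizard
exposes when "Prevent self certification" is enabled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    login: str
    org: str
    manager: Optional[str]               # manager's login; None at the top of the hierarchy


@dataclass
class Definition:
    primary: str                         # "User Manager" | "Organization Certifier" | "Search for a User"
    selected_user: Optional[str] = None  # used with "Search for a User"
    prevent_self_certification: bool = False
    alternate: str = "User Manager"      # preselected when the option is enabled; or "Select User"
    alternate_user: Optional[str] = None # used with alternate == "Select User"


class UnroutableLineItem(Exception):
    """No reviewer other than the user themself could be found (assumption: fail closed)."""


def primary_reviewer(defn: Definition, user: User, org_certifiers: dict) -> Optional[str]:
    if defn.primary == "User Manager":
        return user.manager
    if defn.primary == "Organization Certifier":
        return org_certifiers.get(user.org)
    if defn.primary == "Search for a User":
        return defn.selected_user
    raise ValueError(f"unknown reviewer strategy {defn.primary!r}")


def alternate_reviewer(defn: Definition, user: User) -> Optional[str]:
    return user.manager if defn.alternate == "User Manager" else defn.alternate_user


def route_line_items(defn: Definition, users: dict, org_certifiers: dict):
    """Return (tasks, self_certified).

    tasks maps reviewer login -> logins whose access that reviewer certifies
    (a None key collects line items with no resolvable reviewer);
    self_certified lists users who review their own access because the
    option is off, which is worth flagging even when the definition allows it.
    """
    tasks, self_certified = {}, []
    for user in users.values():
        reviewer = primary_reviewer(defn, user, org_certifiers)
        if reviewer == user.login:
            if defn.prevent_self_certification:
                reviewer = alternate_reviewer(defn, user)
                if reviewer is None or reviewer == user.login:
                    raise UnroutableLineItem(user.login)
            else:
                self_certified.append(user.login)
        tasks.setdefault(reviewer, []).append(user.login)
    return tasks, self_certified


def sample_users() -> dict:
    # Constructed sample data: a three-person Sales organization
    return {u.login: u for u in (
        User("alice", "Sales", manager="bob"),
        User("bob", "Sales", manager=None),
        User("carol", "Sales", manager="bob"),
    )}


SAMPLE_ORG_CERTIFIERS = {"Sales": "carol"}   # constructed: carol is the Sales certifier
```

With carol selected as the reviewer and the option enabled, her own line item is routed to her manager while the rest of the organization still goes to her; with the option disabled the same definition lets her certify herself, which is what the second return value surfaces.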

13.3 Managing Certification Definitions

Managing certification definitions includes creating, modifying, and deleting the definitions for user, role, application instance, and entitlement certification.

This section describes certification definitions in the following topics:

13.3.1 Creating Certification Definitions

You can create user, role, application instance, and entitlement certification definitions by launching the New Certification wizard from the Certification Definitions page.

Creating certification definitions is described in the following sections:

13.3.1.1 Creating a User Certification Definition

To create a user certification definition:

  1. Log in to Oracle Identity Self Service.

  2. Click the Compliance tab.

  3. Click the Identity Certification box, and select Definitions. The Certification Definitions page is displayed.

  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.

  5. Enter values as follows:

    • Certification Name: Enter a name for the certification.

    • Type: Select User to create a user certification.

    • Description: Optionally enter a description for the new user certification.

  6. Click Next. The Base Selection page of the New Certification wizard is displayed.

  7. Select a user-selection strategy in the Base Selection section, as follows:

    • Users from All Organizations: Selects users from all organizations in Oracle Identity Manager.

    • Only Users from Selected Organizations: Allows you to manually select specific organizations. You can select the organizations by clicking Add. To remove a selected organization, click Remove.

      Note:

      When completing a certification, a certifier cannot see the organization name or any other details about the organization unless that person is also the organization administrator for that organization. If the certifier is not the organization administrator, only the users in the organization are displayed.

    • All users: Selects all the users in Oracle Identity Manager.

    • Users criteria: Selects all the users that meet the given search condition.

    • Selected users: Allows you to select specific users from a list of users in the system. To select users, click Add. To remove selected users, click Remove.

  8. Select any one of the following options to specify constraints to the base selection:

    • Users with Any Level of Risk

    • Only Users with High Risk Summaries

    • Only Users with High Risk Roles

    • Only Users with High Risk Application Instances

    • Only Users with High Risk Entitlements

  9. Click Next. The Content Selection page is displayed.

  10. Select the following:

    • Include users with no accounts: This option includes the users who have no access within the certification.

    • Limit the role-assignments to certify for each user: Restricts the roles listed for each user to the selected option. For example, if you choose selected roles and add one role, then only that role appears in the certification (provided it is marked as certifiable in the catalog), even if the user holds other roles.

    • Include accounts with no certification attributes: This includes the accounts in the selected application instances even if there are no certifiable entitlements (access) within the target system. If you deselect this option, then accounts in the target system that do not have any entitlements do not appear in the certification.

    • Limit the application-instance-assignments to certify for each user: As with roles, restricts the application instances shown in the certification.

    • Limit the entitlement-assignments to certify for each user: You can limit the entitlements that you can see within the certification by selecting any one of the following options:

      • All Entitlements: Select to show all entitlements.

      • Entitlements Outside Roles: Select to show only the entitlements that are not provisioned by roles/access policies, and exclude access granted via roles/access policies.

      • Accounts with High-Risk Entitlements: Select to show account information for high-risk entitlements only.

      • Only High-Risk Entitlements: Select to show only the high-risk entitlements, and exclude the entitlements with medium and low risk levels.

      • Only High-Risk Entitlements Outside Roles: Select to show only high-risk entitlements, exclude the entitlements with medium and low risk levels, and exclude all entitlements (with any risk) granted via roles/access policies.

  11. Click Next. The Configuration page is displayed.

  12. Select the options, as described in Table 13-3, and click Next. The Reviewers page is displayed.

    If you want to enable multi-phased review with advanced delegation, then select the Allow advanced delegation and Allow multi-phased review options.

    If you want to enable certification oversight in the certification workflow, then click the search icon, search for the available composites, select the CertificationOverseerProcess composite, and click Add.

  13. From the Reviewer list, select a primary reviewer. The primary reviewer can be any one of the following:
    • User Manager: Selects the user’s manager as the primary reviewer.

    • Organization Certifier: Selects the organization certifier as the primary reviewer.

    • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

    • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

      Group certifier assignments are not supported with the CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite on the Configuration page of the wizard.

    • Custom Access Reviewer: A custom reviewer that you specify as the primary reviewer by populating the CERT_CUSTOM_ACCESS_REVIEWERS table in Oracle Identity Manager database. For detailed information about defining a custom access reviewer, see Custom Reviewer for User Certifications.

    For multi-phased review, perform the following:

    1. In the Phase 1 section, select any one of the following to select the Phase 1 reviewer:

      • User Manager: Selects the user's manager as the Phase 1 reviewer.

      • Organization Certifier: Selects the organization certifier as the Phase 1 reviewer.

      • Search for a User: Selects any user as the Phase 1 reviewer that you search and specify by clicking the lookup icon.

      • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the Phase 1 reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

        Group certifier assignments are not supported with the CertificationProcess composite. If you want to select this option, then you must select the CertificationOverseerProcess composite on the Configuration page of the wizard.

      • Custom Access Reviewer: A custom reviewer that you specify as the Phase 1 reviewer by populating the CERT_CUSTOM_ACCESS_REVIEWERS table in Oracle Identity Manager database. For detailed information about defining a custom access reviewer, see Custom Reviewer for User Certifications.

    2. In the Phase 2 (Optional) section, select the Enable Phase 2 review process option to specify that the privilege certifier will be the primary Phase 2 reviewer for each user privilege, such as role, account, and entitlement assignments. Then, select any one of the following as the Phase 2 reviewer:
      • Certifier User: Selects the catalog certifier user as the Phase 2 reviewer.

      • Certifier Role: Selects the catalog certifier role as the Phase 2 reviewer. If a catalog item has no certifier role, the task goes to its certifier user instead. If an entitlement has neither a certifier user nor a certifier role, the task falls back to the certifier user or role of the entitlement's application instance.

    3. In the Final Review (Optional) section, select the Enable Final Review process option to enable a final review process by the Phase 1 reviewer for final validation and sign off.

  14. Click Next. The Incremental page is displayed.

    Incremental certification is not supported when a role (group certifier) is the reviewer. Therefore, if you selected the Search for a Role option on the Reviewers page, the Incremental page is skipped and the Summary page is displayed.

  15. Select Enabled for Generate Incremental Data. This setting lets certifiers certify or revoke only the access that has changed or been added since an earlier certification, so access that has already been certified does not have to be reviewed again.

    When Incremental Certification is enabled, it takes the following parameters:

    • Incremental Date Range (required): Select one of the following:

      • Since Last Base (default): The user's current access is compared against the most recent certification of the same type that was created without incremental enabled (the base), plus every incremental certification created after it, up to the date on which the new certification is created.

      • Since Date: The user's current access is compared against every certification of the same type created between the given date and the date on which the new certification is created.

    • Show Previous Value (optional): Select one of the following:

      • Disabled (default): Access that already appeared in the certifications covered by the Incremental Date Range is not included in the new certification.

      • Enabled: Current access that appeared in those earlier certifications is also included, displayed with the last decision taken on it.

  16. Click Next. The Summary page is displayed with the details of the user certification.

  17. Click Create to create the user certification. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.

    Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.

    The new user certification definition is displayed in the Certification Definition page.

Note:

For multi-phased review with advanced delegation:

  • The certification is not 100% complete until the Phase 2 (technical) reviewers have completed all of their reviews. While the review is in progress, the certification status shows the current phase and the percentage completed in each phase. To view this status, click the In Progress certification in the Inbox or Dashboard.

  • The certification goes to the Phase 1 primary reviewer for final review. In Page 2, the Phase 1 primary reviewer can review the actions made by the users in the first and second phases (greyed out) as well as the system-generated default actions, which the Phase 1 primary reviewer can override.
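The Phase 2 fallback described in step 13 (certifier role, then certifier user, then the certifier role or user of the entitlement's application instance) is where an incomplete catalog leaves a technical-review task with nobody to claim it. The following Python is an added example written for this page, not Oracle Identity Manager code; the catalog is a hypothetical in-memory model of the certifier fields a catalog item carries. Applying the application-instance fallback under Certifier User as well as Certifier Role is an assumption. The pre-flight check at the end is the part a practitioner would run before launching a multi-phased certification: it lists the items for which no Phase 2 reviewer resolves.

```python
"""Resolve the Phase 2 (technical) reviewer of a user certification line item.

Added example for this page, not Oracle Identity Manager code.  The catalog is
a hypothetical dict model: each item may carry certifier_user, certifier_role
and, for entitlements, the app_instance it belongs to.
"""
from typing import NamedTuple, Optional


class Reviewer(NamedTuple):
    kind: str    # "role" or "user"
    name: str


def phase2_reviewer(item_type: str, item_id: str, catalog: dict, mode: str) -> Optional[Reviewer]:
    """mode is the wizard choice: "Certifier Role" or "Certifier User".

    Certifier Role: the certifier role, else the certifier user (as the page states).
    Certifier User: the certifier user only.
    An entitlement with no certifier falls back to its application instance;
    applying that fallback under Certifier User too is an assumption.
    """
    if mode == "Certifier Role":
        order = ("certifier_role", "certifier_user")
    elif mode == "Certifier User":
        order = ("certifier_user",)
    else:
        raise ValueError(f"unknown Phase 2 reviewer mode {mode!r}")
    entry = catalog[item_id]
    for field in order:
        if entry.get(field):
            return Reviewer(field.split("_")[1], entry[field])
    if item_type == "entitlement" and entry.get("app_instance"):
        return phase2_reviewer("account", entry["app_instance"], catalog, mode)
    return None


def unroutable_items(items, catalog: dict, mode: str) -> list:
    """Pre-flight check: the (item_type, item_id) pairs with no Phase 2 reviewer."""
    return [(t, i) for t, i in items if phase2_reviewer(t, i, catalog, mode) is None]


def sample_catalog() -> dict:
    # Constructed sample catalog; all names are invented
    return {
        "APP_HR":           {"certifier_user": "hr.owner", "certifier_role": "HR_CERTIFIERS"},
        "ENT_PAYROLL_EDIT": {"app_instance": "APP_HR", "certifier_user": "payroll.lead"},
        "ENT_HR_READ":      {"app_instance": "APP_HR"},
        "APP_LEGACY":       {},
        "ENT_LEGACY_ADMIN": {"app_instance": "APP_LEGACY"},
        "ROLE_FINANCE":     {"certifier_role": "FIN_CERTIFIERS"},
    }
```

In the sample catalog, ENT_HR_READ has no certifier of its own and inherits APP_HR's, whereas ENT_LEGACY_ADMIN and APP_LEGACY resolve to nobody under either mode and would stall Phase 2; fixing the catalog before the job runs is cheaper than reassigning tasks afterwards.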

13.3.1.2 Creating a Role Certification Definition

To create a role certification definition:

  1. Log in to Oracle Identity Self Service.

  2. Click the Compliance tab.

  3. Click the Identity Certification box, and select Definitions. The Certification Definitions page is displayed.

  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.

  5. Enter values as follows:

    • Name: Enter a name for the certification.

    • Type: Select Role to create a role certification definition.

    • Description: Optionally enter a description for the new role certification definition.

  6. Click Next. The Base Selection page of the New Certification wizard is displayed.

  7. In the Base Selection section of the page, select a role selection strategy from the list, as follows:

    • All Roles in All Organizations: Selects all roles in all the organizations in Oracle Identity Manager.

    • Roles from Selected Organizations: Selects the roles from the organizations that you specify. Click Add to search and select an organization. To remove a selected organization, click Remove.

      Note:

      When completing a certification, a certifier cannot see the organization name or any other details about the organization unless that person is also the organization administrator. If the certifier is not the organization administrator, only the users in the organization are displayed.

    • All Roles: Selects all roles in Oracle Identity Manager.

    • Role criteria: Selects all of the roles that meet the given search condition. You can preview the results of this selection.

      Tip:

      You can save the search and use it for specifying role criteria while creating another role certification definition. The saved search is not mapped to a specific certification. To use the role criteria saved search for another role certification definition:

      1. During certification creation, after selecting the Role Criteria option and specifying the search condition, you must click Update and Preview Results. This associates the selected criteria with the definition.

      2. If you want to save this search criteria as a template, then click Save. You are prompted to enter a name for the template that you are saving. You can then save this template and reuse it.

      3. The saved template is not specific to a certification. While creating another certification, this template is displayed by default. If you create another new template, then that template is displayed. In other words, the latest template is displayed for all criteria screens associated with a type of certification.

      4. If you do not want to use the generated template, then change the value in the Saved Search list to something else that you want to use.

    • Selected roles: Allows you to manually select the roles.

  8. Select any one of the following options to specify constraints:

    • Roles with Any Level of Risk

    • Only High Risk Roles

  9. Click Next. The Content Selection page is displayed.

  10. Select Certify Policies to specify the certification of policies. Select Certify Members to specify the certification of role members.

  11. Click Next. The Configuration page is displayed.

  12. Select the configuration options, as described in Table 13-3, and click Next. The Reviewers page is displayed.

  13. From the Reviewer list, select a primary reviewer. The primary reviewer can be any one of the following:
    • Role (Certifier User): Selects the certifier user as the primary reviewer.

    • Role (Certifier Role): Selects the certifier role as the primary reviewer.

    • Organization Certifier: Selects the organization certifier as the primary reviewer.

    • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

    • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

      Group certifier assignments are not supported with the CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite on the Configuration page of the wizard.

  14. Click Next. The Incremental page is displayed.

    Incremental certification is not supported when a role (group certifier) is the reviewer. Therefore, if you selected the Search for a Role option on the Reviewers page, the Incremental page is skipped and the Summary page is displayed.

  15. Select Enabled for Generate Incremental Data. This setting lets certifiers certify or revoke only the access that has changed or been added since an earlier certification, so access that has already been certified does not have to be reviewed again.

    When Incremental Certification is enabled, it takes the following parameters:

    • Incremental Date Range (required): Select one of the following:

      • Since Last Base (default): The user's current access is compared against the most recent certification of the same type that was created without incremental enabled (the base), plus every incremental certification created after it, up to the date on which the new certification is created.

      • Since Date: The user's current access is compared against every certification of the same type created between the given date and the date on which the new certification is created.

    • Show Previous Value (optional): Select one of the following:

      • Disabled (default): Access that already appeared in the certifications covered by the Incremental Date Range is not included in the new certification.

      • Enabled: Current access that appeared in those earlier certifications is also included, displayed with the last decision taken on it.

  16. Click Next. The Summary page is displayed with the details of the role certification.

  17. Click Create. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.

    Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.

    The new role certification definition is displayed in the Certification Definition page.

13.3.1.3 Creating an Application Instance Certification Definition

To create an application instance certification definition:

  1. Log in to Oracle Identity Self Service.
  2. Click the Compliance tab.
  3. Click the Identity Certification box, and select Definitions. The Certification Definitions page is displayed.
  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.
  5. Enter values as follows:
    • Name: Enter a name for the certification.

    • Type: Select Application Instance to create an application instance certification definition.

    • Description: Optionally enter a description for the new application instance certification definition.

  6. Click Next. The Base Selection page of the New Certification wizard is displayed.
  7. In the Base Selection section of the page, select an application instance selection strategy from the list, as shown:
    • All Application Instances: Selects all application instances in Oracle Identity Manager.

    • Selected application instances only: Allows you to manually select the application instances. Click Add to search and select the application instances. To remove any selected application instance, click Remove.

  8. Select any one of the following options to specify constraints:
    • Application Instances with Any Level of Risk

    • Only High Risk Application Instances

  9. Click Next. The Content Selection page is displayed.
  10. Select any one of the following:
    • Accounts of Users from All Organizations: Selects the accounts of users from all organizations in Oracle Identity Manager.

    • Accounts of Users from Selected Organizations: Allows you to manually select the organizations whose user accounts will be certified.

    • Accounts of All Users: Selects the accounts of all users in Oracle Identity Manager.

    • Accounts of Selected Users: Allows you to manually select the users whose accounts will be certified.

  11. Click Next. The Configuration page is displayed.
  12. Select the configuration options, as described in Table 13-3, and click Next. The Reviewers page is displayed.
  13. From the Reviewer list, select a primary reviewer. The primary reviewer can be any one of the following:
    • Application Instance (Certifier User): Selects the application instance certifier user as the primary reviewer.

    • Application Instance (Certifier Role): Selects the application instance certifier role as the primary reviewer.

    • User Manager: Selects the user’s manager as the primary reviewer.

    • Organization Certifier: Selects the organization certifier as the primary reviewer.

    • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

    • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

      Group certifier assignments are not supported with the CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite on the Configuration page of the wizard.

  14. Click Next. The Incremental page is displayed.

    Incremental certification is not supported when a role (group certifier) is the reviewer. Therefore, if you selected the Search for a Role option on the Reviewers page, the Incremental page is skipped and the Summary page is displayed.

  15. Select Enabled for Generate Incremental Data. This setting lets certifiers certify or revoke only the access that has changed or been added since an earlier certification, so access that has already been certified does not have to be reviewed again.

    When Incremental Certification is enabled, it takes the following parameters:

    • Incremental Date Range (required): Select one of the following:

      • Since Last Base (default): The user's current access is compared against the most recent certification of the same type that was created without incremental enabled (the base), plus every incremental certification created after it, up to the date on which the new certification is created.

      • Since Date: The user's current access is compared against every certification of the same type created between the given date and the date on which the new certification is created.

    • Show Previous Value (optional): Select one of the following:

      • Disabled (default): Access that already appeared in the certifications covered by the Incremental Date Range is not included in the new certification.

      • Enabled: Current access that appeared in those earlier certifications is also included, displayed with the last decision taken on it.

  16. Click Next. The Summary page is displayed with the details of the application instance certification.
  17. Click Create. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.

    Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.

    The new application instance certification definition is displayed in the Certification Definition page.

13.3.1.4 Creating an Entitlement Certification Definition

To create an entitlement certification definition:

  1. Log in to Oracle Identity Self Service.
  2. Click the Compliance tab.
  3. Click the Identity Certification box, and select Definitions. The Certification Definitions page is displayed.
  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.
  5. Enter values as follows:
    • Name: Enter a name for the certification.

    • Type: Select Entitlement to create an entitlement certification definition.

    • Description: Optionally enter a description for the new entitlement certification definition.

  6. Click Next. The Base Selection page of the New Certification wizard is displayed.
  7. In the Entitlement Selection Strategy section of the page, select an entitlement selection strategy from the list, as follows:
    • Selected entitlements: Allows you to manually select the entitlements. Click Add to search and select the entitlements. To remove any selected entitlement, click Remove.

    • All Entitlements with Selected Certifiers: Allows you to select a list of users including all the entitlements for which they are the certifier user in the catalog.

    • All Entitlements: Allows you to select all entitlements from the catalog.

    • Entitlement Criteria: Allows you to select entitlements based on a criteria.

  8. (Optional) Under Selection Constraints, deselect the Include entitlements provisioned by access policy option to exclude the entitlements from the certification definition that are provisioned by access policies.

    Deselecting this option filters out all access granted via access policies when the certification is created. For example, suppose entitlement Ent1 is held by User1 and User2, and User2 received Ent1 through a role or access policy. An entitlement certification created with this option deselected contains only User1.

    This option is selected by default, which means that the certification definition will include all entitlements that are provisioned by access policy and other mechanisms, such as direct provisioning, request, or reconciliation.

  9. Select any one of the following options to specify constraints:
    • Entitlements with Any Level of Risk

    • Only High Risk Entitlements

  10. Click Next. The Content Selection page is displayed.
  11. Click Next. The Configuration page is displayed.
  12. Select the configuration options, as described in Table 13-3, and click Next. The Reviewers page is displayed.
  13. From the Reviewer list, select a primary reviewer. The primary reviewer can be any one of the following:
    • Entitlement (Certifier User): Selects the entitlement certifier user as the primary reviewer.

    • Entitlement (Certifier Role): Selects the entitlement certifier role as the primary reviewer.

    • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

    • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

      Group certifier assignments are not supported with the CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite on the Configuration page of the wizard.

  14. Click Next. The Incremental page is displayed.

    Incremental certification is not supported when a role (group certifier) is the reviewer. Therefore, if you selected the Search for a Role option on the Reviewers page, the Incremental page is skipped and the Summary page is displayed.

  15. Select Enabled for Generate Incremental Data. This setting lets certifiers certify or revoke only the access that has changed or been added since an earlier certification, so access that has already been certified does not have to be reviewed again.

    When Incremental Certification is enabled, it takes the following parameters:

    • Incremental Date Range (required): Select one of the following:

      • Since Last Base (default): The user's current access is compared against the most recent certification of the same type that was created without incremental enabled (the base), plus every incremental certification created after it, up to the date on which the new certification is created.

      • Since Date: The user's current access is compared against every certification of the same type created between the given date and the date on which the new certification is created.

    • Show Previous Value (optional): Select one of the following:

      • Disabled (default): Access that already appeared in the certifications covered by the Incremental Date Range is not included in the new certification.

      • Enabled: Current access that appeared in those earlier certifications is also included, displayed with the last decision taken on it.

  16. Click Next. The Summary page is displayed with the details of the entitlement certification.
  17. Click Create. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.

    Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.

    The new entitlement certification definition is displayed in the Certification Definition page.
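Step 15 of each of the four procedures above (user, role, application instance and entitlement) states the same incremental-data rule in prose. The following Python is an added example written for this page, not Oracle Identity Manager code, that carries that rule through on constructed data: it selects the certifications that count as history under Since Last Base or Since Date, treats access already decided in that history as certified, and, when Show Previous Value is enabled, carries the most recent decision forward on the items it re-includes. Certification records and access keys are a hypothetical model, and treating every item as new when no base certification of that type exists yet is an assumption.

```python
"""Generate the line items of an incremental certification.

Added example for this page, not Oracle Identity Manager code.  The model is
hypothetical: a Certification is a record of decisions keyed by
(user_login, access_id), and current access is a set of the same keys.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Certification:
    cert_type: str            # "user" | "role" | "application instance" | "entitlement"
    created: date
    incremental: bool
    decisions: dict           # {(user_login, access_id): "certify" | "revoke"}


def history_in_range(history, cert_type, now, date_range="Since Last Base", since=None):
    """Certifications of the same type that count as already-reviewed history."""
    same_type = sorted((c for c in history if c.cert_type == cert_type and c.created <= now),
                       key=lambda c: c.created)
    if date_range == "Since Date":
        if since is None:
            raise ValueError("Since Date requires a date")
        return [c for c in same_type if c.created >= since]
    if date_range != "Since Last Base":
        raise ValueError(f"unknown date range {date_range!r}")
    bases = [c for c in same_type if not c.incremental]
    if not bases:
        return []                      # assumption: no base yet, so nothing counts as certified
    last_base = bases[-1]              # the latest non-incremental certification ...
    return [c for c in same_type if c.created >= last_base.created]   # ... and everything after it


def generate_incremental(current_access, history, cert_type, now,
                         date_range="Since Last Base", since=None, show_previous=False):
    """Return sorted (user_login, access_id, previous_decision) tuples.

    previous_decision is None for access never seen in the selected history;
    such items are always included.  Access seen before is included only when
    Show Previous Value is enabled, annotated with the most recent decision.
    """
    previous = {}
    for cert in history_in_range(history, cert_type, now, date_range, since):
        previous.update(cert.decisions)       # later certifications win
    items = []
    for user_login, access_id in sorted(current_access):
        if (user_login, access_id) not in previous:
            items.append((user_login, access_id, None))
        elif show_previous:
            items.append((user_login, access_id, previous[(user_login, access_id)]))
    return items


def sample_history():
    # Constructed sample: an old base, the current base, and one incremental run
    return [
        Certification("user", date(2023, 6, 1), False, {("alice", "ENT_OLD"): "certify"}),
        Certification("user", date(2024, 1, 15), False,
                      {("alice", "ENT_A"): "certify", ("alice", "ENT_B"): "revoke"}),
        Certification("user", date(2024, 3, 1), True, {("alice", "ENT_C"): "certify"}),
    ]


def sample_access():
    # Constructed: ENT_B was revoked and is gone; ENT_D and bob's ENT_A are new
    return {("alice", "ENT_A"), ("alice", "ENT_C"), ("alice", "ENT_D"),
            ("alice", "ENT_OLD"), ("bob", "ENT_A")}


SAMPLE_NOW = date(2024, 4, 1)     # constructed: the day the new certification is created
SAMPLE_SINCE = date(2023, 1, 1)   # constructed: a Since Date earlier than the old base
```

The sample shows the difference between the two date ranges: under Since Last Base the 2023 base is not history, so alice's ENT_OLD is presented again as if new, while Since Date with a date before that base treats it as already certified. The decision carried forward with Show Previous Value is the most recent one for that access, which is why later certifications overwrite earlier ones when the history is merged.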

13.3.2 Modifying Certification Definitions

You can edit certification definitions by selecting them in the Certification Definitions page and using the Edit option.

To modify a certification definition:

  1. In the Compliance tab of Oracle Identity Self Service, click the Identity Certification box, and select Definitions. The Certification Definitions page is displayed.
  2. Select the certification definition that you want to modify.

    Note:

    If there is a periodic scheduled task tied to this definition, then the next execution of the scheduled task will be run by using the modified changes.

  3. From the Actions menu, select Edit. Alternatively, you can click Edit on the toolbar.

    A message is displayed stating that the definition is referenced by scheduled jobs and event listeners and asking for confirmation. This message is not displayed if you try to edit a certification definition for which you have not created certification jobs.

  4. Click Edit to confirm. The Certification Definition pages are displayed on which you can edit the values in the fields.
  5. Edit the fields to modify the certification definition by navigating through the pages by clicking the Next and Back buttons.
  6. When finished, click Save. A message is displayed stating that the definition has been successfully updated.
  7. Click OK.

13.3.3 Deleting Certification Definitions

You can delete certification definitions by selecting them in the Certification Definitions page and using the Delete option.

To delete a certification definition:

  1. In the Compliance tab of Oracle Identity Self Service, click the Identity Certification box, and select Definition. The Certification Definitions page is displayed.
  2. Select the certification definition that you want to delete.
  3. From the Actions menu, select Delete. Alternatively, you can click Delete on the toolbar.

    A message is displayed stating that the definition is referenced by scheduled jobs and event listeners and asking for confirmation. This message is not displayed if you try to delete a certification definition for which you have not created certification jobs.

  4. Click Delete to confirm. A message is displayed asking for confirmation.
  5. Click OK.

13.4 Scheduling Certifications

You must create a certification definition before you can schedule it.

Certifications are scheduled as part of the certification creation process. For more information, see Creating Certification Definitions. Certifications can be scheduled to run once, or to repeat on a daily, weekly, or monthly basis.

After you create a certification definition by clicking Create on the Summary page of the New Certification wizard, a message is displayed asking if you want to create a certification job and run it. You can edit the scheduled job name in the Job Name box. When you click Yes, the certification job is created for the new certification definition and is run. You can go to the Scheduler section in Oracle Identity System Administration and search for the job. The default name of the job is Cert_DEFINITION_NAME.

The certification job is created based on the Certification Creation Task scheduled task. This scheduled task is used to create new certification jobs for a defined certification definition. When the job runs, the certification definition is used and certifications are generated.

See "Predefined Scheduled Tasks" in the Administering Oracle Identity Governance for information about the Certification Creation Task scheduled task. You can modify the certification jobs from the Scheduler section of Oracle Identity System Administration. See "Modifying Jobs" in the Administering Oracle Identity Governance for details.

You can also schedule a certification from the Scheduler section of Oracle Identity System Administration. To do so, follow the instructions in "Creating Jobs" in the Administering Oracle Identity Governance. In this method, select Certification Creation Task in the Task field in the Create Job page.

When you modify a certification job, specify the certification definition name in the Certification Definition Name field of the Job Details page.

13.5 About How Risk Summaries are Calculated

You can directly assign high, medium, and low risk levels to roles, application instances, and entitlements, as well as to certain predefined risk factors.

A risk-aggregation job calculates Risk Summaries for the remaining higher-order data objects that are required to support identity certification. These objects include every user, user-role assignment, account, and entitlement-assignment in Oracle Identity Manager. During identity certification, certifiers use Risk Summaries to separate high-risk certification items from medium-risk and low-risk items.

This section describes how the system processes risk levels to arrive at Risk Summaries. It also describes the risk-aggregation job, which you can run manually or on a scheduled basis. It contains the following topics:

Note:

Roles, application instances, and entitlements are metadata objects, whereas users, accounts, and entitlement-assignments are instance-data objects.

Metadata objects are structural objects that represent and describe your information systems within Oracle Identity Manager, whereas instance-data objects are the individual instances of application data that populate the systems. For example, consider a customer service application (a resource) that has a predefined role that enables users to create trouble tickets (an entitlement). In this example, a single resource object represents the application and a single entitlement object represents a specific privilege within that application.

Now consider there might be thousands of user accounts on this resource, some subset of which has the entitlement-assignment that allows the user to create a trouble ticket. A single resource (metadata object) can have multiple accounts (instance-data objects), and a single entitlement (metadata object) can have multiple assignment instances (instance-data objects). Oracle Identity Manager calculates the risk levels for instance-data objects because it would not be feasible for a human to process risk levels for every user, account, and entitlement-assignment on a recurring basis.

13.5.1 Understanding Item Risk and Risk-Factor Mappings

Item risk refers to the risk levels that you and other administrators can assign to specific roles, application instances, and entitlements. Risk-Factor Mappings are settings that map risk levels to certain predefined conditions.

Item risk and the risk-factor mappings are settings that are under your direct control.

This section contains the following topics:

13.5.1.1 Setting Item Risk

Item risk refers to the risk levels that you and other administrators can assign to specific roles, application instances, and entitlements.

Note:

In the user interface, three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.

If you do not directly assign an item-risk level to a metadata object, then Oracle Identity Manager assigns a default item-risk level for you. Roles, application instances, and entitlements can each have a default value.

To set the default item-risk level for the metadata objects:

  1. Log in to Oracle Identity Self Service.
  2. Click the Compliance tab.
  3. Click the Identity Certification box, and select Risk Configuration. The Risk Configuration page is displayed.
  4. Select the High, Medium, or Low risk radio button for each item.
  5. Click Save.

You should reserve high item-risk levels for metadata objects that confer highly-restricted privileges to users. Note that setting a high item-risk level on an object will cause its parent object to also have a high Risk Summary value. Similarly, setting a medium item-risk level on an object will cause its parent object to have at least a medium Risk Summary value. In order for a higher-order object to have a low Risk Summary value, all of the objects under it in the system hierarchy would have to have low risk settings.

13.5.1.2 About Risk-Level Mappings (Risk Factors)

Risk-Factor Mappings are settings that map risk levels to certain predefined conditions. For example, you might configure "items with open audit violations" as high risk, whereas "items that are closed as risk-accepted" you might configure as medium risk.

Generally speaking, you should reserve high Risk-Factor levels for conditions in which privileges are being extended to users that may be irregular or dangerous.

There are three Risk-Factor categories in Oracle Identity Manager, and each category contains multiple settings. Risk-Factor categories are described in Table 13-4.

Table 13-4 Risk Factors

Risk Factor: Provisioning Scenarios / Assignment Scenarios

Description: Provisioning Scenarios define the risk levels that should be associated with the method or mechanism used to assign a role, account, or entitlement-assignment to a user.

For example, you might configure a risk level of Medium for objects that are provisioned directly by an administrator, and a risk level of Low for objects that are provisioned based on Policies that are tied to Roles. You might configure a risk level of High for objects that are pulled into Oracle Identity Manager via reconciliation.

Risk Factor: Last Certification Action

Description: Defines the risk level based on the status of the last certification for the account, entitlement-assignment, or user-role assignment under consideration.

For example, configure a risk level of Low for any item for which the previous certification decision was to approve, and configure a risk level of Medium for any item for which the previous certification decision was to Certify Conditionally. Finally, you might configure a value of High for any item for which the previous certification decision was Abstain or Revoke.

Risk Factor: Identity Audit Violation

Description: Defines risk levels associated with causes contained in open identity audit violations. A cause may be associated with an account, entitlement-assignment, or user-role assignment. For example, you might configure a risk level of High for objects that have an associated cause in an active violation, because such a situation represents a Segregation of Duties (SoD) violation. Note that if an object has no associated causes in an open identity audit violation, then this risk factor is skipped when computing risk summaries.

Note:

Changing Risk-Level mappings on the Risk Configuration page in the UI can cause major ripple effects that impact Risk Summaries throughout Oracle Identity Manager. During your initial setup you should configure mappings on the Risk Level configuration page, and then avoid making additional unnecessary changes. See About How Changing Risk Configuration Values Impacts the System for more information about the ripple effects that impact Risk Summaries.

13.5.2 About Risk Aggregation and Risk Summaries

The Risk Aggregation Task scheduled job processes Item-Risk levels and Risk-Factor levels, and calculates Risk Summaries for each higher-order object that supports identity certification.

The Risk Aggregation Task is used to seed the predefined Risk Aggregation Job. You do not need to create new jobs using this task. When a job of this task type runs, it calculates the risk of all users in Oracle Identity Manager based on the changes since they were last updated. See "Predefined Scheduled Tasks" in the Administering Oracle Identity Governance for information about this scheduled task. You can enable the Risk Aggregation Task scheduled job by following the instructions in "Disabling and Enabling Jobs" in the Administering Oracle Identity Governance.

In the first phase of risk aggregation, the Risk Aggregation Task scheduled job evaluates each individual object's Item-Risk level and its three Risk-Factor levels, and assigns the highest of the four levels to the object's Risk Summary property. A Risk Summary value is calculated for each individual User object, User-Role Assignment object, Account object, and entitlement-assignment object. The following diagram illustrates this process.

This image illustrates the Risk Factor Levels.

Once Risk Summaries are calculated for every object, the next phase of aggregation begins, in which the Risk Summary of each individual object rolls up to the Risk Summary of the parent object that contains it.

Above the entitlement-assignment level, each data object's Risk Summary value contributes to the Risk Summary of the parent-object that contains it. For example, Account objects are one hierarchy-level up from entitlement-assignment objects, and User objects are one hierarchy level up from there. So, the Risk Summary of every entitlement-assignment object within an Account object contributes to the Risk Summary for that Account, and, similarly, the Risk Summary for every Account object within the User object contributes to the Risk Summary for that User.

User objects are also one level above User-Role Assignment objects, so the Risk Summary for every User-Role Assignment object contributes to the Risk Summary for that User.

The following diagram illustrates this process.

This image illustrates the process of Risk Summary for a User.

In the diagram, the Risk-Summary value of the entitlement-assignment rolls up to the Account object. The Risk-Summary values of Accounts and the Risk-Summary values of User-Role Assignments roll up to the Risk Summary of any associated User.

13.5.3 About How Changing Risk Configuration Values Impacts the System

There are three main actions or system events that can impact Risk Summary values. Depending on the action or system event, the impact can be minor, moderate, or major.

Each action or event that can impact Risk Summary values and its consequences is described in Table 13-5.

Table 13-5 Actions or System Events That can Impact Risk Summary Values

Action or Event: Users and/or Oracle Identity Manager make changes to individual entitlements

Impact: Minor

Description: Applies to changes to individual data objects, such as accounts, entitlements, and user-role assignments. These values might change frequently. For example, the following types of changes are included in this category:

  • An entitlement is added to or removed from an account.

  • An account is added to or removed from a user.

  • A role assignment is added to or removed from a user.

  • A risk factor on an individual data object changes.

The impact within Oracle Identity Manager is relatively minor because the changes happen at the level of each individual entitlement.

Action or Event: An administrator makes item-risk changes to roles, resources, and entitlements

Impact: Moderate

Description: Applies to situations where you or another administrator change the risk level of a role, an application instance, or an entitlement.

The ripple effect of these changes can be large. Changing the risk level on a metadata object can change the item-risk level on every data object associated with the metadata object. Changing the risk level on a data object may affect its risk summary and, in turn, the risk summary of every other data object that contains it.

For example, changing the risk level on an entitlement definition changes the Item Risk on every assignment of that entitlement. Changing the Item Risk on an entitlement-assignment may change its Risk Summary. Changing the Risk Summary of an entitlement-assignment may affect the Risk Summary of the parent Account. Changing the Risk Summary of an Account may affect the Risk Summary of the User who owns the Account.

Action or Event: An administrator makes configuration changes to the Risk-Level Mappings

Impact: Major

Description: Applies to situations where you or another administrator change the Risk-Level Mappings on the Risk Configuration page in Oracle Identity System Administration.

Changing the risk level associated with a specific value of a specific risk factor could affect the risk summary of any user-role assignment, account, or entitlement-assignment that has that risk-factor value. Changing the risk summary of any user-role assignment, account, or entitlement-assignment could in turn affect every user associated with an affected user-role assignment, account, or entitlement-assignment.

For this reason, you should change risk-level mappings only rarely.
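The following Python model, added here as an illustration and not part of Oracle Identity Manager, works through the two aggregation phases described in About Risk Aggregation and Risk Summaries and the ripple effect described in Table 13-5. The class names, field names, sample objects (the jdoe user, the CustomerServiceApp application instance, the CreateTroubleTicket and IssueRefund entitlements) and the risk-factor keys are constructed for the example; only the rules (phase one takes the highest of the item risk and the risk-factor levels, phase two rolls each summary up into its parent) come from this section. Treating the user as a pure roll-up with no item risk of its own is a simplifying assumption of the model.

```python
"""Risk aggregation as described in this chapter, modelled in plain Python.

Added example, not Oracle Identity Manager code: classes, field names and the
sample objects are constructed; only the rules (highest of item risk plus
risk-factor levels, then roll-up into the parent) come from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def highest(levels: List[str]) -> str:
    """Highest of the given risk level names (Low < Medium < High)."""
    return max(levels, key=LEVELS.__getitem__)


@dataclass
class Metadata:
    """Role, application instance or entitlement: carries the item-risk level
    an administrator assigns (or the configured default, assumed Low here)."""
    name: str
    item_risk: str = "Low"


@dataclass
class Assignment:
    """Instance-data object: user-role assignment, account or entitlement-
    assignment. Item risk is inherited from its metadata object; 'factors'
    holds the levels produced by the Risk-Level Mappings (a factor that does
    not apply, e.g. no open audit violation, is simply absent)."""
    name: str
    meta: Metadata
    factors: Dict[str, str] = field(default_factory=dict)
    children: List["Assignment"] = field(default_factory=list)  # entitlement-assignments under an account

    def phase_one(self) -> str:
        """Phase one: highest of item risk and the object's own risk-factor levels."""
        return highest([self.meta.item_risk, *self.factors.values()])

    def risk_summary(self) -> str:
        """Phase two: child Risk Summaries roll up into this object's summary."""
        return highest([self.phase_one()] + [c.risk_summary() for c in self.children])


@dataclass
class User:
    """Top of the hierarchy: Risk Summary is the roll-up of accounts and
    user-role assignments (model assumption: a user has no item risk of its own)."""
    name: str
    accounts: List[Assignment] = field(default_factory=list)
    role_assignments: List[Assignment] = field(default_factory=list)

    def risk_summary(self) -> str:
        parts = [a.risk_summary() for a in self.accounts + self.role_assignments]
        return highest(parts) if parts else "Low"


def build_sample():
    """Constructed sample: user jdoe with one account on a customer-service
    application (two entitlement-assignments) and one role assignment."""
    app = Metadata("CustomerServiceApp", "Low")
    ticket = Metadata("CreateTroubleTicket", "Low")
    refund = Metadata("IssueRefund", "Medium")
    role = Metadata("SupportAgent", "Low")
    account = Assignment(
        "jdoe@CustomerServiceApp", app,
        factors={"provisioning": "Low", "last_certification": "Low"},
        children=[
            Assignment("jdoe:CreateTroubleTicket", ticket, {"provisioning": "Low"}),
            Assignment("jdoe:IssueRefund", refund, {"provisioning": "Low", "last_certification": "Low"}),
        ],
    )
    role_assignment = Assignment("jdoe:SupportAgent", role, {"provisioning": "Low"})
    user = User("jdoe", accounts=[account], role_assignments=[role_assignment])
    return user, ticket, account


def summaries(user: User) -> Dict[str, str]:
    """Risk Summary of the user, each account, each entitlement-assignment and each role assignment."""
    out = {user.name: user.risk_summary()}
    for acct in user.accounts:
        out[acct.name] = acct.risk_summary()
        for ent in acct.children:
            out[ent.name] = ent.risk_summary()
    for ra in user.role_assignments:
        out[ra.name] = ra.risk_summary()
    return out


if __name__ == "__main__":
    user, ticket, account = build_sample()
    print("initial:", summaries(user))
    # Moderate-impact change (Table 13-5): an administrator raises the item
    # risk of one entitlement; every assignment of it, its account and the
    # owning user are re-evaluated on the next aggregation run.
    ticket.item_risk = "High"
    print("after entitlement item-risk change:", summaries(user))
```

Running the script prints the summaries before and after raising the entitlement's item risk: the single change on the CreateTroubleTicket entitlement moves its assignment, the account that contains it, and the user who owns that account to High, while the unrelated role assignment stays Low. This is the Moderate-impact case from Table 13-5; a Major change to a Risk-Level Mapping would alter the factor values of many assignments at once and has correspondingly wider reach.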

13.6 About Closed-Loop Remediation and Remediation Tracking

Closed-loop remediation is a feature that allows you to directly revoke roles, application accounts, and entitlements from the provisioning solution as a result of roles and entitlements revoked during the certification process.

When a certification is complete and all primary review tasks have been signed off, Oracle Identity Manager attempts to remove every user and privilege for which the final decision was to revoke. Requests are created to de-assign any role-assignment that is revoked, to de-provision any account that is revoked, to remove any entitlement-assignment that is revoked, and to delete or disable any user that is revoked. Specifically:

  • Revoking a user deletes/disables the user and removes all privileges of that user.

  • Revoking a user's role-assignment removes that member from the role. This might eventually cause provisioning to remove accounts and entitlement-assignments granted by the role (if those accounts and entitlement-assignments are not otherwise granted to the user.)

  • Revoking a user's account deletes/disables the account. This implicitly removes/disables any entitlement-assignments associated with that account.

  • Revoking a user's entitlement-assignment removes the assignment from the account that contains it.

The remediation status can be tracked in the request catalog for auditing purposes. Each remediation-request contains the certification ID of the certification that spawned the request, which allows the Dashboard to link to the Track Requests page of Oracle Identity Self Service to display the status of all the requests associated with the certification that is being displayed.

13.7 Configuring Challenge Workflows

Some requests that are generated as a result of closed-loop remediation go through a challenge workflow. You can configure the requests that are auto-approved.

This section describes how to configure challenge workflows in the following topics:

13.7.1 About Challenge Workflows

The requests generated as a result of closed-loop remediation are either auto-approved or go through a challenge workflow.

By default, closed-loop remediation functions in the following way:

  • If the person who signed off the certification (final reviewer) is the user's (beneficiary's) manager, then the requests are auto-approved.

  • If the final reviewer is not the user's manager, then the requests go through a challenge workflow, which is as follows:

    1. A request is sent to the user (beneficiary) whose access is revoked.

    2. If the beneficiary accepts the revoke by approving the request, then closed-loop remediation takes place and access is revoked.

    3. If the beneficiary challenges the revoke by rejecting the request, then the request is sent back to the person who signed off the certification (final reviewer).

      1. If the final reviewer accepts the challenge, then the process stops and the beneficiary's access is not revoked.

      2. If the final reviewer rejects the challenge, then closed-loop remediation takes place and the access is revoked.

13.7.2 Modifying Rules of Auto-Approval

The auto-approval logic is defined by rules within the DefaultRequestApproval composite in SOA. You can modify the rules so that all closed-loop remediation requests are auto-approved.

To modify the rules so that all closed-loop remediation requests are auto-approved:

  1. Log in to Oracle SOA Composer with administrator credentials, such as weblogic, by navigating to the following URL:

    http://HOST_NAME:PORT_NUMBER/soa/composer

  2. Click Open, and select Open Rules. The Select a Dictionary to open dialog box is displayed.
  3. For the DefaultRequestApproval_rev2.0 composite, click Ruleset1 in the Contents column.
  4. Click Edit.
  5. Expand Rule 1, as shown in Figure 13-1:

    Figure 13-1 Rule for Auto-approval

  6. Under THEN, click the pencil icon.
  7. In the pop-up, change the value from challenge to auto. This value specifies that all the closed-loop remediation requests will be auto-approved, and the challenge workflow will not be invoked.
  8. Click OK.
  9. Click Save, and then click Commit.

13.8 About Event Listeners

The Event Listener mechanism detects specific business events and stores the event details for certification.

The stored event details are called Certification Event Triggers, and these are processed into certifications by the Certification Event Trigger Task, running as a scheduled job. The business events currently detected by event listeners are modifications of Oracle Identity Manager users, either individually or in bulk.

Every event listener contains a ruleset and a certification definition, as described in Managing Certification Definitions. The ruleset contains one or more rules, each of which tests one or more conditions and specifies an action to take if its conditions are met. The standard action for event listener rules is to store a Certification Event Trigger that identifies the event listener, the user or users that were modified, and the certification definition that should be generated in response to this event.

Triggers accumulate between runs of the Certification Event Trigger Job. When the job runs, it groups the triggers by their event listener identifiers, and then processes each group according to the corresponding event listener's properties. By default, the trigger job creates a certification for all users in each group of triggers, using the listener's certification definition as the template for the certification. After this, the triggers from the completed group are deleted.

There are several properties that affect how an event listener's triggers will be processed by the trigger job. The first property determines whether the listener is in active or disabled state. If a listener is disabled, then its rules are no longer evaluated when business events occur, and therefore, no triggers are stored from that listener. If a listener stored triggers before being disabled, then the next trigger job run deletes those triggers without processing them. When a disabled listener is set back to active state, it can once again store triggers that are processed by the trigger job.

Another event listener property that affects trigger processing is its Event Count, which limits how many triggers may be processed for the listener during a single run of the trigger job. This setting is optional. If it is not specified, then the number is unlimited. If the event count is specified, then it represents the maximum number of triggers that may be processed. When the trigger job runs, it checks the listener's event count for each batch of triggers, and if the number of triggers exceeds the event count, then the triggers are discarded without generating a certification. This feature is useful for preventing huge certifications from being created when users are modified in bulk.

Finally, the trigger job itself may be configured to process the triggers from certain event listeners, but not others. This feature is controlled by a Certification Event Trigger Task parameter titled Event Listener Name List. If this parameter is left blank in the definition of the trigger job, then triggers from all listeners are processed when the trigger job runs. If the name list is defined, then only the listeners in that list have their triggers processed when the job runs; triggers from other listeners are ignored and retained for future trigger job runs. When multiple instances of scheduled jobs are defined for the Certification Event Trigger Task, then each list of event listeners can have its triggers processed on the most appropriate schedule.

Note:

If a listener name appears in more than one Event Listener Name List, or if one of the trigger jobs has an empty Event Listener Name List, then the first of these jobs to run consumes all of that listener's triggers. Triggers are always discarded after the first time they are processed.
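The trigger processing described above, modelled in Python as an added example (not Oracle Identity Manager code). The Listener, Trigger and Certification structures, the listener names and the user logins are constructed for the illustration; the behaviour modelled (grouping by listener, deletion of a disabled listener's triggers, discarding a group that exceeds the Event Count, retaining triggers of listeners outside the Event Listener Name List, and deleting processed triggers) follows this section.

```python
"""One run of the Certification Event Trigger Job, modelled from this section.

Added example, not Oracle code: the Listener/Trigger/Certification structures
and the sample data are constructed; the processing rules follow the text.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Listener:
    name: str
    definition: str                    # certification definition used as the template
    active: bool = True
    event_count: Optional[int] = None  # Event Count; None means unlimited


@dataclass(frozen=True)
class Trigger:
    listener: str   # event listener identifier
    user: str       # the user that was modified


@dataclass
class Certification:
    definition: str
    listener: str
    users: List[str]


def run_trigger_job(listeners: Sequence[Listener], triggers: Sequence[Trigger],
                    name_list: Optional[Sequence[str]] = None
                    ) -> Tuple[List[Certification], List[Trigger], List[Trigger]]:
    """Process the accumulated triggers once.

    Returns (certifications created, triggers retained for a later job run,
    triggers discarded without a certification). An empty or None name_list
    means every listener's triggers are processed.
    """
    by_name: Dict[str, Listener] = {l.name: l for l in listeners}
    groups: Dict[str, List[Trigger]] = defaultdict(list)
    for t in triggers:
        groups[t.listener].append(t)          # group by event listener identifier

    created: List[Certification] = []
    retained: List[Trigger] = []
    discarded: List[Trigger] = []
    for lname, group in groups.items():
        if name_list and lname not in name_list:
            retained.extend(group)            # not this job's listener: kept for another job
            continue
        listener = by_name[lname]
        if not listener.active:
            discarded.extend(group)           # disabled listener: triggers deleted unprocessed
            continue
        if listener.event_count is not None and len(group) > listener.event_count:
            discarded.extend(group)           # bulk update exceeded Event Count: no certification
            continue
        users = sorted({t.user for t in group})   # one certification for all users in the group
        created.append(Certification(listener.definition, lname, users))
        # processed triggers are deleted, so they appear in neither remaining list
    return created, retained, discarded


def sample_listeners() -> List[Listener]:
    """Constructed listeners covering the normal, bulk-limited and disabled cases."""
    return [
        Listener("ManagerChange", "UserCert_ManagerChange", event_count=3),
        Listener("BulkTitleChange", "UserCert_Title", event_count=2),
        Listener("Retired", "UserCert_Old", active=False),
        Listener("CountryChange", "UserCert_Country"),
    ]


def sample_triggers() -> List[Trigger]:
    """Constructed triggers accumulated since the last job run."""
    return [
        Trigger("ManagerChange", "alice"), Trigger("ManagerChange", "bob"),
        Trigger("BulkTitleChange", "u1"), Trigger("BulkTitleChange", "u2"),
        Trigger("BulkTitleChange", "u3"),      # 3 triggers > Event Count 2: discarded
        Trigger("Retired", "carol"),           # listener disabled: deleted
        Trigger("CountryChange", "dave"), Trigger("CountryChange", "dave"),  # same user twice
    ]


if __name__ == "__main__":
    certs, kept, dropped = run_trigger_job(sample_listeners(), sample_triggers())
    for c in certs:
        print(c.definition, c.users)
    print("retained:", len(kept), "discarded:", len(dropped))
```

Calling run_trigger_job a second time with name_list=["ManagerChange"] shows the name-list behaviour: only that listener's group becomes a certification, and every other trigger, including those of the disabled listener, is retained for a job whose list covers it. A job with an empty list would then consume them all, which is the situation the note above warns about.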

13.9 Configuring Event Listeners and Certification Event Trigger Jobs

Configuring event listeners involves creating, modifying, and deleting event listeners. Configuring certification event trigger jobs involves setting the Event Listener Name List and adding more trigger jobs.

This section describes configuring event listeners and certification event trigger jobs in the following topics:

13.9.1 Creating an Event Listener

Creating an event listener involves providing values for the event listener attributes and adding a rule containing conditions that will be evaluated when an event takes place.

To create a new event listener:

Note:

Before creating an event listener, you must create a user certification definition or an application instance definition that will be executed when the Certification Event Trigger job is run.

  1. Log in to Oracle Identity Self Service.

  2. Click the Compliance tab.

  3. Click the Identity Certification box, and select Event Listeners. The Event Listeners page is displayed.

  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Event Listener page is displayed.

  5. In the Listener Properties section, specify the name with which the event will be identified, and the description.

  6. From the Certification Definition list, select a certification definition that will be executed.

  7. In the Event Count box, enter the maximum number of events that should be processed for this listener at the time the Certification Event Trigger Job runs. Use this to avoid executing an action for bulk updates.

  8. From the Status list, select Active or Disabled status.

  9. In the Event Trigger section, add a rule containing conditions that will be evaluated when an event takes place. For example, when a user is updated, a condition can check if the user's title property or location property has changed. Another example can be change of manager for a user.

    To add a condition:

    1. In the Rules panel, click the plus (+) icon, click the down arrow, and select General Rule. A new rule is added.

    2. Select the rule. The rule details are displayed on the right side.

    3. Under IF, click the plus (+) icon, and then click the down arrow key to select the type of rule from the list. For example, Simple Test.

    4. Click the lookup icon to open the Condition Browser.

    5. Click Modified User, then previousValue, select manager, and click OK. This sets ModifiedUser.previousValue.Manager.

    6. Select the condition operation, such as isn't.

    7. Click the second lookup icon, search for and select the attribute name, and click OK, so that the following condition is set:

      ModifiedUser.previousValue.Manager isn't ModifiedUser.currentValue.Manager
      
    8. Under THEN, click the plus (+) icon to the left of Add Action.

    9. Click the down arrow key and select call.

    10. From the list, select certifyThisUser.

    When multiple rules are configured, you can set advanced properties such as priority, mode, and status. To set advanced properties for a rule:

    1. In the Rules panel, select the rule. The rule details are displayed on the right side.

    2. Click the Properties link to open the Advanced Property window.

    3. Provide the following information: Name, Description, Priority, Active, Advanced Mode, Tree Mode, and Effective Date.

      For more information on the Advanced Property Setting for a rule, see How to Show and Edit Advanced Settings for Rules in Designing Business Rules with Oracle Business Process Management.

  10. Click Create to create the event listener.

When the Certification Event Trigger job runs, a certification is created for each user whose manager has changed.

An event listener rule can also check whether an attribute has changed to a specific value. For example:

ModifiedUser.previousValue.country isn't ModifiedUser.currentValue.country and ModifiedUser.currentValue.country is "Brazil"

ModifiedUser.previousValue.country isn't ModifiedUser.currentValue.country checks for a change in the Country attribute; any change causes this condition to evaluate to TRUE. Then, and ModifiedUser.currentValue.country is "Brazil" adds a second condition to the rule, which checks whether the attribute has changed to a specific value, in this case Brazil. Such a rule is useful when a special certification is required for employees moving to Brazil; for employees who move elsewhere, the rule's action is not triggered.

Note:

User-Defined Fields (UDFs), or custom attributes, do not appear in ModifiedUser's lists of current and previous values, but they can still be referenced in event listener rule conditions. To do so, type an expression in the following format into the rule's condition field:

ModifiedUser.{current|previous}Value.get{String|Integer|Long|Date|Boolean}Attribute("NAME")

Here, NAME is the internal name of the UDF. For example, to retrieve the previous value of a string-valued UDF named FavoriteColor, insert the following expression:

ModifiedUser.previousValue.getStringAttribute("FavoriteColor")
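The conditions shown in this section (a manager change, a country change to Brazil, and a UDF reached through getStringAttribute) evaluated in Python as an added example; this is not the Oracle Business Rules engine. The ValueSet and ModifiedUser classes, the rule names, the listener name UserChangeListener, the sample user modifications and the FavoriteColor UDF values are constructed for the illustration. The rule's action stores a Certification Event Trigger as the text describes, but the tuple layout used for the trigger is the example's own.

```python
"""Event listener rule conditions evaluated over sample user modifications.

Added example, not Oracle Business Rules: the ModifiedUser model, the rule
table and the sample events are constructed. The conditions mirror the ones
shown in this section; the action stores a Certification Event Trigger.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple


class ValueSet:
    """previousValue / currentValue of a ModifiedUser. Standard attributes are
    plain fields (Manager, country, ...); UDFs are reached only through the
    get<Type>Attribute("NAME") accessors, as the note above describes."""

    def __init__(self, standard: Dict[str, Any], udfs: Optional[Dict[str, Any]] = None):
        self.__dict__.update(standard)
        self._udfs = dict(udfs or {})

    def getStringAttribute(self, name: str) -> Optional[str]:
        v = self._udfs.get(name)
        return None if v is None else str(v)

    def getIntegerAttribute(self, name: str) -> Optional[int]:
        v = self._udfs.get(name)
        return None if v is None else int(v)

    def getBooleanAttribute(self, name: str) -> Optional[bool]:
        v = self._udfs.get(name)
        return None if v is None else bool(v)


@dataclass
class ModifiedUser:
    login: str
    previousValue: ValueSet
    currentValue: ValueSet


# A rule is (name, IF-condition, THEN-action). The page's standard action is
# certifyThisUser, which stores a trigger naming the listener and the user.
Rule = Tuple[str, Callable[[ModifiedUser], bool], str]

RULES: List[Rule] = [
    ("manager-changed",
     lambda mu: mu.previousValue.Manager != mu.currentValue.Manager,
     "certifyThisUser"),
    ("moved-to-brazil",
     lambda mu: mu.previousValue.country != mu.currentValue.country
     and mu.currentValue.country == "Brazil",
     "certifyThisUser"),
    ("favorite-color-udf-changed",
     lambda mu: mu.previousValue.getStringAttribute("FavoriteColor")
     != mu.currentValue.getStringAttribute("FavoriteColor"),
     "certifyThisUser"),
]


def evaluate(listener: str, rules: List[Rule], events: List[ModifiedUser]) -> List[Tuple[str, str, str]]:
    """Return the stored triggers as (listener, rule name, user login) for
    every rule whose condition holds for a modified user."""
    triggers: List[Tuple[str, str, str]] = []
    for mu in events:
        for name, condition, action in rules:
            if action == "certifyThisUser" and condition(mu):
                triggers.append((listener, name, mu.login))
    return triggers


def sample_events() -> List[ModifiedUser]:
    """Constructed modifications; only the attributes the rules read are set."""
    def mk(login, prev, cur, prev_udf=None, cur_udf=None):
        return ModifiedUser(login, ValueSet(prev, prev_udf), ValueSet(cur, cur_udf))
    base = {"Manager": "mgr1", "country": "Spain"}
    return [
        mk("alice", base, {**base, "Manager": "mgr2"}),                             # manager changed
        mk("bob", base, {**base, "country": "Brazil"}),                             # moved to Brazil
        mk("carol", base, {**base, "country": "Chile"}),                            # moved, but not to Brazil
        mk("dave", base, base, {"FavoriteColor": "red"}, {"FavoriteColor": "blue"}),  # UDF changed
        mk("erin", base, base),                                                      # nothing relevant changed
    ]


if __name__ == "__main__":
    for trigger in evaluate("UserChangeListener", RULES, sample_events()):
        print(trigger)
```

Only alice, bob and dave produce triggers: carol's country changed but not to Brazil, and erin's modification touched nothing the rules read. The accumulated triggers are what the Certification Event Trigger Job later groups by listener and turns into certifications.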

13.9.2 Modifying an Event Listener

Modifying an event listener involves selecting the event listener in the Event Listeners page and editing the event listener attributes in the event listener details page.

To modify an event listener:

  1. In the Compliance tab of Oracle Identity Self Service, click the Identity Certification box and select Event Listeners. The Event Listeners page is displayed with a list of event listeners.
  2. Select the event listener that you want to modify.
  3. From the Actions menu, select Open. Alternatively, click Open on the toolbar. The event listener details page is displayed.
  4. Edit the values in the fields to modify the event listener.
  5. Click Save.

13.9.3 Deleting an Event Listener

Deleting an event listener involves selecting the event listener in the Event Listeners page and using the Delete option.

To delete an event listener:

  1. In the Compliance tab of Oracle Identity Self Service, click the Identity Certification box and select Event Listeners. The Event Listeners page is displayed with a list of event listeners.
  2. Select the event listener that you want to delete.
  3. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.
  4. Click Yes to confirm.

13.9.4 Configuring Certification Event Trigger Jobs

The Certification Event Trigger Job offers an optional parameter called Event Listener Name List. If one or more event listener names are supplied in this field, then the trigger job will only process the triggers for those listeners, which implies that you will need multiple trigger jobs to cover processing for your full set of listeners.

This section describes how to set the Event Listener Name List parameter and how to define multiple trigger jobs. It contains the following topics:

13.9.4.1 Setting the Event Listener Name List

To set the Event Listener Name List:

  1. Log in to Oracle Identity System Administration.
  2. On the left pane, under System Configuration, click Scheduler.
  3. In the search field, enter Certification Event Trigger Job, and perform the search.
  4. Click the job name in the search result to display the trigger job details.
  5. Scroll down to the Parameters section, where you can see a parameter titled Event Listener Name List (comma separated).
  6. Enter one or more event listener names in this field, separated by commas. Make sure to type each listener's name exactly as it appears in the Name column of the Event Listeners table.
  7. Click Apply to save the changes.

13.9.4.2 Adding More Trigger Jobs

In addition to the predefined instance of the Certification Event Trigger Job, you can create new trigger job instances by performing the following steps:

  1. Log in to Oracle Identity System Administration.
  2. On the left pane, under System Configuration, click Scheduler.
  3. On the left pane, from the Actions menu, select Create. Alternatively, you can click the icon with the plus (+) sign beside the View list.
  4. In the Create Job panel, expand the Task field by clicking the icon to its right.
  5. In the Search field, enter Certification Event Trigger Task, and perform the search.
  6. In the search result, click the Certification Event Trigger Task row, and then click Confirm.
  7. Enter the Job Name and any desired scheduling details for this trigger job instance.
  8. In the Event Listener Name List field, enter a comma-separated list of the listener names that this trigger job instance will process.

Every instance of the trigger job can have its own schedule or can be run manually, and can be restricted to handling triggers for a specified subset of listeners. This enables you to trigger different event listeners at different intervals.

13.10 Configuring Certification Reports

Certification reports can be generated in PDF, RTF, HTML, Microsoft Excel, and CSV formats.

To configure the display of the Reports tab in the Detailed Information section of the Dashboard:

  1. Log in to Oracle Identity System Administration.
  2. Click the Compliance tab.
  3. Click the Identity Certification box, and select Certification Configuration. The Certification Configuration page is displayed.
  4. Select the Enable Certification Reports option.
  5. Click Save.

Reports can be generated in the following formats:

  • PDF

  • RTF

  • HTML

  • Microsoft Excel

  • CSV

13.11 Understanding Multi-Phased Review in User Certification

Two-phased review and advanced delegation (TPAD) is supported for user certifications only. It involves multiple phases of review, delegation to multiple reviewers within each phase, and stages of certification in TPAD.

This section describes two-phased review with advanced delegation in the following sections:

13.11.1 About Functionality of Two-Phased Review with Advanced Delegation

TPAD combines the perspectives of business-oriented and technical reviewers and allows a certifier to delegate decision-making to other reviewers.

Collaborative certification or TPAD provides the following functionalities:

  • Two-phased review, which allows you to combine within a single certification the perspectives of business-oriented and technical reviewers.

  • Advanced delegation, which allows a certifier to retain overall responsibility while delegating decisions to others. Advanced delegation of individual line-items within a certification allows a reviewer to spread the work among several people who can work simultaneously. This allows those who are responsible for reviewing access within an enterprise to spread the burden and thus complete the work more quickly.

Note:

Oracle Identity Manager supports TPAD for user certification only. TPAD is not supported for role certification, application instance certification, and entitlement certification.

13.11.2 Multiple Phases of Review

Multiple phases of review combine multiple perspectives on the same set of user-access-privileges.

For user certification, the phases are:

  • Business Review: This is the required first phase of review. The business reviewer, typically the manager of each user, views all the certifiable access privileges of a user. First, the manager confirms that the user is a valid holder of privileges, such as an employee, within that enterprise. Then the manager confirms that the user's position within the enterprise justifies the user's access privileges, such as role assignments, account assignments, and entitlement assignments. The business reviewer certifies or approves any privilege that seems appropriate and revokes any privilege that seems unnecessary or unreasonable.

  • Technical Review: This is an optional second phase of review. The technical reviewer, typically the owner or an authorizer of each privilege, reviews the members of the privilege or the assignments of that privilege to specific users or to specific accounts of specific users. The technical reviewer certifies or approves any privilege that seems appropriate and revokes any assignment of that privilege that seems unnecessary or unreasonable.

  • Final Review: This is an optional final phase of review. If the certification is configured to enable final review, then the primary reviewer from the first phase, for example the manager of each user, can see the decisions that reviewers made in the first two phases and can override those decisions if required.

See Also:

Who Is Involved in Completing Identity Certifications? for information about primary reviewer, technical reviewer, final reviewer, and delegated reviewer.

13.11.3 Delegation to Multiple Reviewers Within Each Phase

The primary reviewer in Phase One or Phase Two can reassign responsibility, and delegate and undelegate line-items.

The primary reviewer in Phase One or Phase Two can spread the work to other users in the following ways:

  • The primary reviewer can reassign responsibility for any set of line items to another user. Reassignment transfers the responsibility to another person, whereas delegation retains the responsibility with the primary reviewer. Reassignment of line items in Phase One creates a new certification.

  • The primary reviewer can delegate each line-item, or any set of line-items, to any user that the primary reviewer selects. This user is called a delegated reviewer. Delegating a line-item marks that line-item as delegated in the primary reviewer's task, and prevents the primary reviewer from acting on that line-item.

  • The primary reviewer can undelegate any delegated line-item at any time within the phase before signing off the certification task. Undelegating a line-item removes it from the delegated reviewer's task, and allows the primary reviewer to act on the line-item, for example, by making certification-decisions or delegating or reassigning it.

In Phase One or Phase Two, if the primary reviewer delegates line-items and then signs off while at least one line-item is still delegated (that is, the primary reviewer has not undelegated all of those line-items before signing off), then Oracle Identity Manager generates a review task for Phase-One Verification or Phase-Two Verification and assigns this task to the primary reviewer. This task allows the primary reviewer to see and override any decision that a delegated reviewer made in that phase.

13.11.4 Stages of Certification in TPAD

The stages of certification in TPAD are phase one with verification, phase two with verification, and final review.

The certification stages in TPAD are described in the following sections:

13.11.4.1 About Stages of Certification in TPAD

Figure 13-2 illustrates the stages of certification in TPAD by combining the required Phase One, the optional Phase Two, and the optional Final Review phase that depends on Phase Two, with the conditional verification tasks.

Figure 13-2 Stages of Certification in TPAD


As shown in Figure 13-2, the overall sequence of stages within a TPAD certification is:

  1. start: The certification is created, and the certification task is generated by running the Certification Creation Task scheduled job.

  2. Phase One Review: This is always required.

  3. Phase One Verification: This takes place only if Phase One is completed with delegations.

  4. Phase Two Review: This is optional depending on configuration.

  5. Phase Two Verification: This takes place only if Phase Two is completed with delegations.

  6. Final Review: This is optional depending on configuration and takes place only if Phase Two is completed.

  7. end: Certification task is completed. If any access has been revoked as a part of the certification completion, then closed-loop remediation takes place.

13.11.4.2 Phase One With Verification

Figure 13-3 shows the first phase of certification review with TPAD.

Figure 13-3 Phase One With Verification


Following is the process flow of the Phase One review with verification in TPAD:

  1. Start: A set of certification objects is generated, and the review process starts. Every line-item within each particular certification object is assigned to a Phase One Primary Reviewer (P1PR).

  2. Task P1PR: When the scheduled jobs for certification generation are run, Oracle Identity Manager uses Service-Oriented Architecture (SOA) to create a task, for each certification object, which is assigned to the Phase One Primary Reviewer (P1PR).

    When the primary reviewer opens the task, the primary reviewer can see every line-item within the certification object. If the primary reviewer opens any particular line-item, then the primary reviewer can see every line-item-detail for that line-item.

    The primary reviewer can act on any line-item within the task. The primary reviewer can delegate any line-item to another person, or can reassign any line-item to another person. By default, the primary reviewer owns every line-item and can make decisions, such as certify or revoke, on its line-item-details.

    After each line-item has been decided, meaning that each of its details has a Phase-One Decision, or has been delegated or reassigned, the primary reviewer can sign off or complete the task.

  3. P1PR Reassigns Item(s): If the primary reviewer during Phase One reassigns any set of line-items to another person, then Oracle Identity Manager removes those reassigned line-items (and their details) from the original certification and puts them into a new and separate certification. The person to whom the line-items were reassigned becomes the P1PR for that new and separate certification.

    The reassigned line-items disappear from the task of the original P1PR, and do not reappear within this review process. Even if the new P1PR reassigns or delegates the line-items back to the original P1PR, this creates a new task for the original P1PR that is part of a different review process, in the following way:

    • If the new P1PR reassigns line-items back to the original P1PR, this will be a new certification with its own P1PR task.

    • If the new P1PR delegates the line-items back to the original P1PR, then this will be a new delegated review (P1DR) task within the review-process of the new P1PR.

  4. P1PR Delegates Item(s): If the primary reviewer delegates any set of line-items to another person, then that person is the phase one delegated reviewer (P1DR) for each of those line-items. A new task is created and assigned to the new P1DR.

    Note:

    In order to minimize the number of tasks, it is recommended that you select the complete set of line-items that you intend to delegate to a particular reviewer and delegate them together. Otherwise, the delegated reviewer can receive any number of tasks, each of which contains some subset of line-items from the same phase of the same certification object.

    When the primary reviewer delegates a particular set of line-items, the line-items are marked as delegated within the task from which the primary reviewer delegated them. The primary reviewer can no longer act within that task on those line-items unless the primary reviewer undelegates them. The primary reviewer has an opportunity during Phase One Verification to see and override the decisions made by any delegated reviewer.

  5. P1PR Undelegates Item(s): The primary reviewer can undelegate or take back from a delegated reviewer any line-item that is delegated. Undelegating a line-item allows the primary reviewer to act on that line-item and removes that line-item from the task of the current delegated reviewer, which prevents the delegated reviewer from acting on it further.

  6. P1PR Signs Off: After every line-item has been completed or delegated or reassigned, the primary reviewer can sign off on the task, which completes the task. A line-item is completed when all of its details have a decision for the current phase. At this point, Oracle Identity Manager determines whether or not Phase One Verification (P1V) is required.

  7. SOA (De)Proxies Assignee (P1PR): A proxy can be assigned for the assigned reviewer, such as P1PR. For example, when the reviewer is scheduled to go on vacation, the reviewer can activate a proxy. When the reviewer returns from vacation, the proxy is deactivated. When the newly assigned (proxy) reviewer opens the task, the proxy reviewer can view and act on each line-item and line-item-details. See Managing Proxies for information about adding, modifying, and removing proxies.

  8. SOA Escalates Task (P1PR): The certification task can be escalated depending on configuration of the SOA composite that Oracle Identity Manager uses for certification-review tasks. For example, if the reviewer has not signed off or completed a task within a configured time-limit, SOA can escalate the task and reassign it to the manager of the currently-assigned reviewer. After the task is escalated the maximum number of times or has reached some other condition that terminates escalation, the task expires.

  9. SOA Expires Task (P1PR): A certification review task can expire in certain conditions. For example, if the reviewer has not signed off a task within a configured time-limit, then the task can expire. If the task is configured to escalate before expiring, then SOA expires the task only after it has escalated the maximum number of times or reaches some other condition that terminates escalation. When a task expires, it cannot be acted upon.

  10. Task: P1DR: Each delegated-review task contains a set of line-items that the primary reviewer has delegated to the delegated reviewer. When the delegated reviewer opens the task, the delegated reviewer can see only the line-items that are delegated in the particular delegation-event that produced the task. If the phase-one delegated reviewer (P1DR) opens any particular line-item, P1DR can see every detail for that line-item.

    The delegated reviewer can act on any line-item within the task. The delegated reviewer cannot delegate any line-item to another person, cannot undelegate any line-item, and cannot reassign any line-item to another person. By default, the delegated reviewer owns every line-item and can make decisions, such as certify or revoke, on its line-item-details. After every line-item has been decided, that is, all the details for the line-item have a Phase-One Decision, the delegated reviewer can sign off or complete the task.

  11. P1DR Signs Off: After every line-item within a delegated-review task has been decided, the delegated reviewer can sign off or complete the task. Every delegated-review task must complete or must expire before the certification review process can proceed to Phase-One Verification.

  12. Any line-item has P1DR: This branch-point decides whether the Phase One Verification stage is required. This depends on whether any line-item is delegated:

    • If any line-item that is not reassigned remains delegated when the P1PR signs off, then the review process moves to Phase One Verification.

    • If no line-item that is not reassigned remains delegated when the P1PR signs off, then the review-process moves to Phase Two.

  13. All P1DR tasks are signed off or expired: This branch loops until every Phase One delegated-review task has either been signed off (completed) or has expired.

  14. Task: P1V: After the primary reviewer (P1PR) has signed off and every delegated-review task (P1DR) has either completed or expired, Phase One Verification begins. Another task for the same certification object is created and assigned to the primary reviewer. Within this task, the primary reviewer can see and override any decision made in Phase One. The primary reviewer also can complete any line-item that no delegated reviewer has completed. The primary reviewer cannot reassign or delegate, and therefore cannot undelegate, any line-item within this task.

  15. P1PR Signs Off (P1V): After every line-item-detail within the certification-object for every line-item that has not been reassigned to another primary reviewer has a decision, the Phase-One Primary Reviewer can sign off. When the reviewer signs off on the Phase-One Verification task, the certification review process proceeds to Phase Two.

  16. SOA can proxy the assignee, and escalate or expire the P1V task (similar to the P1PR task). See steps 7 through 9 for details.

13.11.4.3 Phase Two With Verification

Phase Two is an optional, plural, and rotated version of Phase One.

Optional: Phase Two is optional because it occurs only if Phase Two is enabled in configuration, the administrator specified a strategy to select a Phase Two Primary Reviewer, and the specified strategy assigned a Phase Two Primary Reviewer to at least one line-item within the certification.

Plural: There can be multiple Phase Two Primary Reviewers because each reviewer administers or authorizes a line-item-detail rather than a line-item. For example, in a user certification, each role assignment, account assignment, or entitlement assignment can have a different primary reviewer.

Rotated: Each reviewer in Phase Two can see a rotated view. For example, in Phase One of user certification, the business-reviewer can see users as line-items and each user's access-privileges as line-item-details. In Phase Two of user certification, each technical reviewer can see privilege-definitions, such as role, application instance, or entitlement definitions, as line-items and can see members of each privilege as line-item-details. This privilege-centric view is more useful to a technical-reviewer, who can delegate or reassign responsibility for individual privilege-definitions.

Figure 13-4 shows the second phase of certification review with TPAD.

Figure 13-4 Phase Two With Verification


The stages in Phase Two are similar to Phase One, except for the following:

  • Task: P2PR: A review task is generated for each type of privilege for which each Phase Two primary reviewer (P2PR) must review assignments within that certification. When a Phase Two primary reviewer opens a P2PR task, that primary reviewer can see a list of line-items for which that primary reviewer is responsible within the certification object. For example, in Phase Two of a user certification, the Technical Reviewer who opens a P2PR task can see a list of privileges, such as role definitions, application instance definitions, or entitlement definitions, for which that primary reviewer is the certifier and for which that certification object contains assignments. Because this type of certification is user-centric, the rotated view is privilege-centric.

    If the primary reviewer opens any particular line-item, the primary reviewer can see every line-item-detail for that line-item. The primary reviewer can act on any line-item within the task. The primary reviewer can delegate any line-item to another person or can reassign any line-item to another person. By default, the primary reviewer owns every line-item and can make decisions, such as certify or revoke, on its line-item-details.

  • P2PR Reassigns Item(s): If the primary reviewer in Phase Two reassigns any set of line-items to another person, then that person becomes the new primary reviewer (P2PR) for those line-items. Oracle Identity Manager creates a new primary-review task and assigns it to the new P2PR.

    Note:

    The Reassign operation in Phase Two does not generate a new certification. For example, if a primary technical reviewer reassigns a (rotated) line-item, then this does not split the certification.

    The reassigned line-items disappear from the task of the original P2PR. The line-items are displayed within a separate task that is assigned to the new P2PR.

13.11.4.4 Final Review

Final Review is optional and is a tie-breaker. It is the simplest phase in TPAD.

Optional: Final Review occurs only if it is enabled in configuration, the administrator specified in the certification definition that Final Review is to be performed, and Phase Two is performed because at least one line-item had a Phase Two Primary Reviewer.

Tie-breaker: Because the Phase Two reviewers may have made different decisions than the Phase One reviewers, the Phase One primary reviewer can view and override the decisions made in the two earlier phases. Therefore, Final Review is a tie-breaker.

Simplest phase: There is only one Final Reviewer, who is the Phase One Primary Reviewer. The Final Reviewer cannot delegate and cannot reassign. The Final Reviewer can see the decisions made during Phase One, the decisions made during Phase Two, and can override the decisions.

Figure 13-5 depicts the optional Final Review phase of certification review with TPAD.

In Final Review, the following stages are different from other review phases:

  • System Calculates FRD: Oracle Identity Manager calculates a Final Review Decision (FRD) in the following manner:

    • For any line-item detail that has a Phase Two decision other than Abstain, the Phase Two decision becomes the Final Review decision.

    • If a particular line-item detail lacks a Phase Two decision, or if the Phase Two decision is to abstain, then the Phase One decision becomes the Final Review decision.

  • Final Review is enabled: This branch decides whether or not to generate a task for Final Review and assign it to the Phase One Primary Reviewer. If Phase Two is disabled in configuration, or if Phase Two is not used in this certification review, or if Final Review is disabled in configuration, then the task for Final Review is not generated. If Phase Two decisions have been made and Final Review is enabled in configuration, then the task for Final Review is generated.

  • Task: FR: The Final Reviewer opens the Final Review task, and can see the following:

    • The decision made during Phase One on each line-item detail.

    • The decision made during Phase Two on each line-item detail.

    • The Final Review Decision.

    The Final Reviewer can override the FRD in the context of the Phase One and Phase Two decisions. The Final Reviewer cannot reassign or delegate, and therefore cannot undelegate, any line-item within the task. The Final Reviewer can sign off after validating each FRD. At that point, the Final Review task is complete and the overall certification process is complete, with the exception of closed-loop remediation, which Oracle Identity Manager performs automatically following signoff. If the Final Reviewer does not sign off and allows the Final Review task to expire, then the certification process cannot complete.

You can use Final Review to compare the Phase One decision with the Phase Two decisions and make a final decision. If you prefer the Phase Two decision, then do not enable Final Review in configuration.
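The following is an added illustration of the TPAD decision rules described above, covering the "Any line-item has P1DR" branch of Phase One Verification (step 12 in Phase One With Verification), the "Final Review is enabled" branch, and the FRD calculation. It is not Oracle Identity Manager code; the Detail and LineItem structures, the Certify/Revoke labels and the sample certification object are assumptions made for the example.

```python
# Added illustration of the TPAD decision rules described in this section.
# It is not Oracle Identity Manager code; the Detail/LineItem structures and
# the Certify/Revoke labels are assumptions chosen for the example.
from dataclasses import dataclass, field
from typing import Optional

CERTIFY = "Certify"
REVOKE = "Revoke"
ABSTAIN = "Abstain"   # the only Phase Two value the FRD rule treats specially


@dataclass
class Detail:
    """One line-item detail (a role, account or entitlement assignment)."""
    name: str
    phase_one: Optional[str] = None   # Phase One (business) decision
    phase_two: Optional[str] = None   # Phase Two (technical) decision, if any


@dataclass
class LineItem:
    """One line item of a user certification: a user and its assignments."""
    user: str
    details: list = field(default_factory=list)
    delegated: bool = False    # still delegated to a P1DR at P1PR sign-off
    reassigned: bool = False   # moved out into a new, separate certification


def phase_one_verification_required(items: list) -> bool:
    """Branch 'Any line-item has P1DR': a P1V task is generated only if some
    line-item that was not reassigned is still delegated at P1PR sign-off."""
    return any(i.delegated and not i.reassigned for i in items)


def final_review_decision(d: Detail) -> Optional[str]:
    """FRD rule: a Phase Two decision other than Abstain wins; if Phase Two
    made no decision or abstained, the Phase One decision carries over."""
    if d.phase_two is not None and d.phase_two != ABSTAIN:
        return d.phase_two
    return d.phase_one


def final_review_task_generated(items: list, phase_two_enabled: bool,
                                final_review_enabled: bool) -> bool:
    """Branch 'Final Review is enabled': the FR task exists only when Phase Two
    actually produced decisions and both Phase Two and Final Review are on."""
    phase_two_used = any(d.phase_two is not None
                         for i in items if not i.reassigned
                         for d in i.details)
    return phase_two_enabled and final_review_enabled and phase_two_used


def compute_frds(items: list) -> dict:
    """Map (user, detail) -> FRD for every detail still in this certification;
    reassigned line-items belong to a separate certification and are skipped."""
    return {(i.user, d.name): final_review_decision(d)
            for i in items if not i.reassigned
            for d in i.details}


# Constructed sample certification object (not real data).
SAMPLE_ITEMS = [
    LineItem("alice", [
        Detail("role:Sales Manager", CERTIFY, REVOKE),         # P2 overrides P1
        Detail("entitlement:Payroll Read", CERTIFY, ABSTAIN),  # P2 abstained
    ]),
    LineItem("bob", [
        Detail("account:HR App", REVOKE, None),                # no P2 reviewer
    ], delegated=True),
    LineItem("carol", [
        Detail("role:Auditor", CERTIFY, None),
    ], delegated=True, reassigned=True),   # left this certification
]

if __name__ == "__main__":
    print("P1V required:", phase_one_verification_required(SAMPLE_ITEMS))
    print("FR task generated:", final_review_task_generated(SAMPLE_ITEMS, True, True))
    for key, frd in compute_frds(SAMPLE_ITEMS).items():
        print(key, "->", frd)
```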

13.12 About Certification Oversight

Certification oversight is the activity of reviewing, and possibly overriding, the decisions of the primary reviewer within the scope of a particular primary-review task.

A person who has the opportunity to override the certification decisions of a primary reviewer within the scope of a particular primary-review task is called an overseer. The overseer has the following characteristics:

  • An overseer must be an Oracle Identity Manager user.

  • Only one overseer at a time can oversee a primary-review task.

  • An overseer has the right to view and override the decisions made by the primary reviewer or by any previous overseer.

As a part of the certification configuration, you can select a certification composite that defines the certification oversight workflow. A certification composite is a SOA workflow that the certification server launches for each primary reviewer, or delegated reviewer, during a phase of certification.

By default, the CertificationOverseerProcess composite defines the following behavior:

  • A primary-review task is not completed until the primary reviewer and every overseer in the sequence has signed off.

  • Decisions signed off by the final overseer in the sequence of overseers are final for that primary-review task.

  • Closed-loop remediation begins after the overall certification is complete. No phase of certification is complete until every primary-review task is complete.

  • For Phase Two and Final Review phase of certification:

    • Since Phase Two can have multiple primary reviewers, each primary-review task can have a separate sequence of overseers, one primary-review task per each primary reviewer. For detailed information about multi-phased reviews, see Understanding Multi-Phased Review in User Certification.

  • For delegation, oversight takes place only for the verification task of a primary reviewer. If the primary reviewer delegates during the primary-review task, then the primary-review task does not have oversight. Instead, oversight takes place during the subsequent verification-task, which contains all the decisions for that phase.

  • Reassignment of a line-item during Phase One of certification creates a new certification and creates a new primary-review task that is assigned to the re-assignee. Here, a new sequence of overseers is calculated for the new primary-review task.

You can extend the default oversight functionality to specify different levels of oversight or stop the oversight process when a certain stage is reached. To do so, you must create and deploy custom certification composites. For more information on creating and deploying custom certification composites, see Customizing Certification Oversight in Developing and Customizing Applications for Oracle Identity Governance.

13.13 Troubleshooting Identity Certification

Verify the certification configuration settings and ensure that the required SOA patches have been applied.

Table 13-6 lists possible issues encountered while using identity certification and the steps to resolve the issues.

Table 13-6 Troubleshooting Identity Certification Issues

Problem: You create a certification definition and run the Certification Creation Task scheduled job, but no certification tasks are generated.

Solution: Make sure that all the certification configuration steps, as described in Configuring Certifications, have been performed.

Note:

Ensure that all required SOA patches are applied.