Certification processes are central to Access Governance with SailPoint IdentityIQ. The concepts are generally the same as in any other Access Governance product, but let us try to gain some more insight into IdentityIQ certifications.
Certification processes allow reviewers (managers, certifiers) to review and remediate access granted to users on various resources such as applications, entitlements, accounts and roles. Based on the type of resource, certifications in IdentityIQ are divided into the categories listed below:
- Manager Certifications
- Application Owner Certifications
- Entitlement Owner Certifications
- Advanced Certifications
- Account Group Certifications
- Role Certifications
- Identity Certifications
- Event-Based Certifications
Although certifications are classified by function, all of the above types go through the same phases during their lifecycle. Some of these phases are optional, while others are mandatory. These phases are:
- Generation Phase
- Active Phase
- Challenge Phase
- Sign Off Phase
- Remediation/Revocation Phase
- End Phase
Generation Phase: This phase includes configuring certification parameters on the Basic, Lifecycle, Notifications, Behavior and Advanced pages in the UI. The combination of these parameter values decides which phases the certification will go through. It is in this phase that parameters like the certification owner, certification frequency, notification scenarios and other similar parameters are defined.
Active Phase:
- It is during the Active phase that the certifiers are required to make their decisions (approve/revoke).
- Delegations and reassignments, if any, need to be completed during this phase.
- The Active period duration is set on the Lifecycle page.
Challenge Phase:
- The Challenge Phase starts when the Active Period Duration is over.
- In the Challenge phase, a user whose access is affected by a reviewer's decision can challenge that decision.
- It is enabled only if the “Enable Challenge Period” option was selected on the Lifecycle page.
Sign Off Phase:
- The Sign Off phase starts at the end of the Challenge phase.
- Once the Sign Off button is clicked, no further changes to Access Reviews can be made by reviewers.
Remediation/Revocation Phase:
Depending upon the parameters selected in the Generation phase, the next phase can be either the Revocation phase or the End phase.
- In this phase, remediation actions (e.g. revocation of access rights) are performed on the source application using the provisioning mechanism (manually or automatically).
- Remediation generally consists of sending email messages and creating work items for resource owners to take action.
- When a Revocation Period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are submitted for processing but are not tracked.
End Phase:
- The Access Review reaches its End Phase when all phases configured for it have passed their end date or when all actions required for the process (as configured) are complete.
- If a Certification does not have a Challenge or Revocation Period enabled, clicking Sign Off initiates the End Phase.
- If a Revocation Period is enabled, the End Phase starts only once all remediation requests have been completed or when the Revocation Period's end date passes.
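The phase transitions described above, modelled as an added illustration in Python. This is not IdentityIQ code: the class and field names (LifecycleConfig, active_days, revocation_days, tracked_requests) are assumptions standing in for the Lifecycle page settings and the product's internal state, and the dates, identities and application names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Phase(Enum):
    GENERATION = "Generation"
    ACTIVE = "Active"
    CHALLENGE = "Challenge"
    SIGN_OFF = "Sign Off"
    REVOCATION = "Remediation/Revocation"
    END = "End"


@dataclass
class LifecycleConfig:
    """Stand-in for the Lifecycle page settings; field names are assumptions, not IdentityIQ's."""
    active_days: int
    challenge_enabled: bool = False
    challenge_days: int = 0
    revocation_enabled: bool = False
    revocation_days: int = 0


@dataclass
class Certification:
    config: LifecycleConfig
    start: date
    phase: Phase = Phase.GENERATION
    decisions: dict = field(default_factory=dict)       # item -> "approve" | "revoke"
    signed_off: bool = False
    sign_off_date: Optional[date] = None
    tracked_requests: set = field(default_factory=set)  # open remediation requests, when tracked

    def generate(self) -> Phase:
        """Generation is complete: the certification becomes Active."""
        self.phase = Phase.ACTIVE
        return self.phase

    def decide(self, item: str, decision: str) -> None:
        """Certifier decisions are only accepted during the Active phase."""
        if self.phase is not Phase.ACTIVE:
            raise RuntimeError(f"decisions are not allowed in the {self.phase.value} phase")
        self.decisions[item] = decision

    def advance(self, today: date) -> Phase:
        """Apply the date-driven transitions that are due as of `today`."""
        cfg = self.config
        active_end = self.start + timedelta(days=cfg.active_days)
        challenge_end = active_end + timedelta(days=cfg.challenge_days)
        if self.phase is Phase.ACTIVE and today >= active_end:
            self.phase = Phase.CHALLENGE if cfg.challenge_enabled else Phase.SIGN_OFF
        if self.phase is Phase.CHALLENGE and today >= challenge_end:
            self.phase = Phase.SIGN_OFF
        if self.phase is Phase.SIGN_OFF and self.signed_off:
            self.phase = Phase.REVOCATION if cfg.revocation_enabled else Phase.END
        if self.phase is Phase.REVOCATION:
            revocation_end = self.sign_off_date + timedelta(days=cfg.revocation_days)
            # End when every tracked request is done, or when the Revocation Period expires
            if not self.tracked_requests or today >= revocation_end:
                self.phase = Phase.END
        return self.phase

    def sign_off(self, today: date) -> Phase:
        """The Sign Off button: freezes decisions and submits one remediation request per revoke."""
        if self.phase is not Phase.SIGN_OFF:
            raise RuntimeError(f"cannot sign off in the {self.phase.value} phase")
        self.signed_off = True
        self.sign_off_date = today
        for item, decision in self.decisions.items():
            if decision == "revoke" and self.config.revocation_enabled:
                self.tracked_requests.add(item)  # monitored only when a Revocation Period exists
        return self.advance(today)

    def complete_remediation(self, item: str, today: date) -> Phase:
        """A resource owner reports that the revocation for `item` has been applied."""
        self.tracked_requests.discard(item)
        return self.advance(today)


def demo_tracked_revocation() -> list:
    """Challenge and Revocation periods enabled: all six phases, revocation tracked to completion."""
    cfg = LifecycleConfig(active_days=7, challenge_enabled=True, challenge_days=3,
                          revocation_enabled=True, revocation_days=14)
    cert = Certification(cfg, date(2024, 1, 1))  # constructed dates and items
    trace = [cert.generate()]
    cert.decide("alice/HRApp/admin", "revoke")
    trace.append(cert.advance(date(2024, 1, 8)))    # Active period over -> Challenge
    trace.append(cert.advance(date(2024, 1, 11)))   # Challenge period over -> Sign Off
    trace.append(cert.sign_off(date(2024, 1, 11)))  # one open revoke -> Revocation
    trace.append(cert.advance(date(2024, 1, 20)))   # request still open, period not over
    trace.append(cert.complete_remediation("alice/HRApp/admin", date(2024, 1, 20)))
    return [p.value for p in trace]


def demo_untracked_sign_off() -> tuple:
    """No Challenge or Revocation period: Sign Off goes straight to End and nothing is tracked."""
    cert = Certification(LifecycleConfig(active_days=7), date(2024, 1, 1))
    cert.generate()
    cert.decide("bob/HRApp/admin", "revoke")
    cert.advance(date(2024, 1, 8))
    return cert.sign_off(date(2024, 1, 8)).value, len(cert.tracked_requests)
```

The second scenario is the one worth checking in a real deployment: without a Revocation Period, the certification reaches End as soon as Sign Off is clicked, and the model has no record of whether the revoke was ever applied on the source application. Enabling the Revocation Period (or reconciling revokes against the application afterwards) is what turns a certifier's decision into verified access removal.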