Phases of a Sailpoint IdentityIQ Certification

Certification processes are very important when we speak of Access Governance using Sailpoint IdentityIQ. Generally the concepts remain the same as in any other Access Governance product ,but let us try to gain some more insight into IdentityIQ certifications.

The Certification processes allow reviewersmanagerscertifiers to  review and remediate  accesses granted to users on various resources such as applications,entitlements,accounts and roles etc.Based on the type of resources, certifications in IdentiyIQ are divided into categories listed below:

  • Manager Certifications
  • Application Owner Certifications
  • Entitlement Owner Certifications
  • Advanced Certifications
  • Account Group Certifications
  • Role Certifications
  • Identity Certifications
  • Event?Based Certifications

Although there has been the classification of certifications on basis of functionality,still all the above types of certifications go through same phases during their lifecycle. Some of these phases are optional while others can be mandatory.These 4 phases are:

  1. Generation Phase
  2. Active Phase
  3. Challenge Phase
  4. Sign Off Phase
  5. RemediationRevocation Phase
  6. End Phase

Generation Phase: This phase includes configuring certification parameters on the Basic, Lifecycle, Notifications, Behavior and Advanced page from the UI. The combination of these parameter values decides which phases would the certification go through.It is in this phase that parameters like Certification owner,certification frequency, notification scenarios and other similar parameters are defined.

Active Phase:

  • It is during the Active phase that the certifiers are required to take their decisions(approverevoke).
  • Delegations and reassignments,if any, needs to be completed during this phase.
  • The Active period duration is mentioned on the Lifecycle page.

Challenge Phase:

  • The Challenge Phase starts when the Active Period Duration is over.
  • Challenge phase is a phase in which a user whose access is being affected by a reviewers decision can challenge the decision.
  • It is enabled only if the “Enable Challenge Period” option was selected from the Lifecycle page.

Sign-Off Phase:

  • The Sign Off phase starts at the end of Challenge phase.
  • Once the Sign Off button is clicked , no further changes to Access Reviews can be made by reviewers.

Depending upon the parameters selected in the generation phase,next phase can be either Revocation phase or end phase.

RemediationRevocation Phase:

  • In this phase remediation action(e.g. revocation of access rights) is performed on the source application using the provisioning mechanism(manually or automatically)
  • Remediation generally consists of sending email messages,creating work items for resource owners to take action.
  • When a Revocation Period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are submitted for processing but are not tracked.

End Phase:

  • The Access Review reaches its End Phase when all Phases configured for it have passed their end date or when all actions required for the process (as configured) are complete.
  • If a Certification does not have a Challenge or Revocation Periods enabled, clicking Sign Off initiates the End Phase.
  • If a Revocation Period enabled, End Phase will start only once all remediation requests have been completed or when the Revocation Period’s end date passes.

4 Responses to“Phases of a Sailpoint IdentityIQ Certification”

  1. Naveen
    June 5, 2013 at 12:21 PM #

    Thank you Vaibhav for the very informative blog. Our company has recently purchase sailpoint as next IDM solution , replacing current BMC Control SA / ESS , However I am bit scared since I am not a java developer and I am not sure how I am going to perform in Saipoint. Could you please suggest if Java developemnet knowledge is required for sailpoint. Core Java or Advance .Thank you

    • June 5, 2013 at 6:51 PM #

      Yes, it would require to have access governance concepts and Advance Java skills.To be specific Sailpoint uses Java Beanshell at the backend.

  2. ILike_SailPoint
    February 10, 2015 at 4:40 PM #


    Nice post and good information. I am new to sailpoint product but worked various security products and I find your post is very useful.

    I need your guidance and tips on this product, is it okay to reach out to you? What is your contact email? or you can reach me at vinodshaATyahooDOTcom

  3. Manoj Kumar
    March 18, 2015 at 12:06 PM #

    Iam new to sailpoint could please let me know the skills required to improve in sailpoint and about the product identityIQ

Leave a Reply

Your email address will not be published. Required fields are marked *


Proudly powered by WordPress   Premium Style Theme by