What can be certified
At the highest level, Access Certifier can be used to review that each user is still affiliated with an organization and that the data indicating who the user reports to is correct. This process supports corrections, such as deactivating the user or transferring the user to another manager.
Access Certifier can be used to periodically review security entitlements held by users and, for each entitlement, either certify that it remains appropriate or request that it be removed, perhaps after closer examination by another business user.
This process can be used to certify several kinds of security entitlements which users may have:
- Login IDs on directories, systems and applications, which have been associated with a user's profile.
- Membership of a user in security groups.
- Assignment of roles (which may aggregate other login IDs, groups or roles) to a user.
- Previously approved exceptions to segregation of duties (SoD) policies.
- Previously approved exceptions to RBAC policies.
The certification process also supports reviews of the configuration of roles and SoD policies (as distinct from who is assigned a role and who has an approval to violate an SoD rule).
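The list above includes previously approved SoD exceptions. The following added example (not Access Certifier's code; every rule, name and date in it is constructed for illustration) models how a review item for such an exception arises: a user's entitlements are checked against SoD rules, and each conflict is classified as an uncovered violation, a violation covered by a still-valid approved exception (which is what the reviewer is asked to recertify), or a violation whose exception has lapsed.

```python
"""Illustrative model of SoD evaluation during an access certification.
Not Access Certifier's own logic or data model; all names are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SodRule:
    """Two sets of entitlements that must not be held together."""
    name: str
    side_a: frozenset
    side_b: frozenset


@dataclass(frozen=True)
class SodException:
    """A previously approved permission for one user to violate one rule."""
    user: str
    rule: str
    approved_by: str
    expires: date


@dataclass(frozen=True)
class Finding:
    rule: str
    kind: str          # "violation", "certify-exception" or "expired-exception"
    held: tuple        # the conflicting entitlements the user actually holds


def evaluate_sod(user, entitlements, rules, exceptions, today):
    """Return one Finding per SoD rule the user currently violates.

    A rule is violated when the user holds at least one entitlement from each
    side. The finding's kind tells the certification UI what to present:
    an uncovered violation, an exception to recertify, or a lapsed exception.
    """
    held_set = set(entitlements)
    findings = []
    for rule in rules:
        in_a = held_set & rule.side_a
        in_b = held_set & rule.side_b
        if not (in_a and in_b):
            continue
        ex = next((e for e in exceptions
                   if e.user == user and e.rule == rule.name), None)
        if ex is None:
            kind = "violation"
        elif ex.expires < today:
            kind = "expired-exception"
        else:
            kind = "certify-exception"
        findings.append(Finding(rule.name, kind, tuple(sorted(in_a | in_b))))
    return findings


# Constructed sample data (assumptions, not real policy).
RULES = (
    SodRule("vendor-vs-payment", frozenset({"ERP:CreateVendor"}),
            frozenset({"ERP:ApprovePayment"})),
    SodRule("user-admin-vs-audit", frozenset({"AD:AccountOperators"}),
            frozenset({"SIEM:AuditAdmin"})),
)
EXCEPTIONS = (
    SodException("alice", "vendor-vs-payment", "cfo", date(2099, 1, 1)),
    SodException("bob", "vendor-vs-payment", "cfo", date(2020, 1, 1)),
)


def review_items_for(user, entitlements, today=date(2024, 6, 1)):
    """Convenience wrapper over evaluate_sod using the sample rules above."""
    return evaluate_sod(user, entitlements, RULES, EXCEPTIONS, today)


if __name__ == "__main__":
    for f in review_items_for("alice", ["ERP:CreateVendor", "ERP:ApprovePayment",
                                        "AD:AccountOperators", "SIEM:AuditAdmin"]):
        print(f)
```

Only the `certify-exception` findings are presented as exception recertifications; uncovered and expired ones surface as entitlement violations that need remediation or a fresh approval.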
Access Certifier also (uniquely among identity and access management (IAM) products) supports:
- Review/remediation of identity attributes. For example, a manager may update the job code, cost center, etc. of a subordinate.
- Bulk onboarding of users, via the same rows-of-users, columns-of-attributes UI.
Finally, the certification workflow and UI can be used to review and correct identity attribute data. Reviewers may be users themselves or people affiliated with them (managers, HR staff, etc.) and are asked to review and correct identity attributes -- location, department, job code, charge code, contact information, etc.
When a reviewer performs an access certification, they assess whether any given entitlement, assigned to an in-scope user, is business appropriate or should be revoked. Revocation is not an intrinsically well-defined term, however: does it mean disabling or deleting a login account? Should revocation happen immediately or at a later date? Should action be taken as soon as the certifier signs off on their review, or be subject to approval by other stakeholders?
Access Certifier supports flexible revocation actions by linking the revocation of each type of entitlement in a review (accounts, groups, roles) to one or more pre-defined request forms. The request form may specify additional inputs required from the reviewer and defines what actions to take -- delete/disable, move, set attributes, add/remove group memberships, etc.
Using this mechanism, entitlement revocation can be immediate or deferred, may require the reviewer to specify additional information, etc. Accounts may be disabled, deleted, moved to a different container or attached to a group of disabled users. User profiles may be disabled or deleted.
If multiple revocation actions are defined for a single entitlement type, the reviewer must specify which type of revocation they would like and fill in any additional information.
Reviewers can select multiple entitlements and apply the same revocation action to all of them.
Once a certifier signs off on a review, each item marked for revocation is transformed into a request and fed back into the Access Certifier workflow queue for validation, calculation, authorization, etc. These requests are no different from any other request -- e.g., they are the same as those submitted via the request portal.
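The mechanism described in the last few paragraphs (revocations mapped to pre-defined request forms, reviewer choice when several forms exist, extra inputs, deferred effect, bulk selection, and sign-off producing queued requests rather than direct changes) is modelled in the following added example. It is not Access Certifier's code or API; the form catalogue, field names and the `sign_off` function are assumptions made for illustration.

```python
"""Illustrative model of how certification sign-off becomes workflow requests.
Not Access Certifier's own code; all class, field and form names are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RequestForm:
    """A pre-defined request form that a revocation of one entitlement type maps to."""
    name: str
    entitlement_type: str          # "account", "group" or "role"
    actions: tuple                 # what fulfilment will do, e.g. ("disable",)
    extra_inputs: tuple = ()       # fields the reviewer must supply
    deferred: bool = False         # True: takes effect on a later date


@dataclass
class Decision:
    """One reviewer decision about one entitlement of one in-scope user."""
    user: str
    entitlement_type: str
    entitlement: str
    certify: bool                  # True = still appropriate, False = revoke
    form: Optional[str] = None     # chosen form when several are defined
    inputs: dict = field(default_factory=dict)


@dataclass
class Request:
    """Request produced at sign-off. It is queued for validation and
    authorization like any other request; nothing is executed here."""
    requester: str
    user: str
    entitlement_type: str
    entitlement: str
    form: str
    actions: tuple
    inputs: dict
    effective: Optional[date] = None
    status: str = "pending-validation"


# Constructed catalogue: accounts have two revocation forms, groups and roles one.
FORMS = (
    RequestForm("disable-account", "account", ("disable", "add-to-disabled-group")),
    RequestForm("delete-account-deferred", "account", ("delete",),
                extra_inputs=("effective_date",), deferred=True),
    RequestForm("remove-group", "group", ("remove-group-member",)),
    RequestForm("unassign-role", "role", ("remove-role",), extra_inputs=("reason",)),
)


def forms_for(entitlement_type: str) -> list:
    return [f for f in FORMS if f.entitlement_type == entitlement_type]


def resolve_form(decision: Decision) -> RequestForm:
    """Automatic when exactly one form exists; otherwise the reviewer must choose."""
    candidates = forms_for(decision.entitlement_type)
    if not candidates:
        raise ValueError(f"no revocation action defined for {decision.entitlement_type}")
    if len(candidates) == 1:
        return candidates[0]
    if decision.form is None:
        raise ValueError(f"{decision.entitlement}: several revocation actions exist; "
                         "the reviewer must pick one")
    for f in candidates:
        if f.name == decision.form:
            return f
    raise ValueError(f"unknown revocation form {decision.form!r}")


def bulk_revoke(decisions, form_name: str, **inputs):
    """Apply the same revocation choice to every selected entitlement."""
    for d in decisions:
        d.certify, d.form, d.inputs = False, form_name, dict(inputs)
    return decisions


def sign_off(reviewer: str, decisions, today: date = date(2024, 6, 1)) -> list:
    """Turn every item marked for revocation into a queued Request.
    Certified items produce nothing; incomplete revocations block sign-off."""
    requests = []
    for d in decisions:
        if d.certify:
            continue
        form = resolve_form(d)
        missing = [i for i in form.extra_inputs if i not in d.inputs]
        if missing:
            raise ValueError(f"{d.entitlement}: form {form.name} needs {missing}")
        effective = None
        if form.deferred:
            effective = date.fromisoformat(d.inputs["effective_date"])
            if effective <= today:
                raise ValueError(f"{d.entitlement}: deferred date must be in the future")
        requests.append(Request(reviewer, d.user, d.entitlement_type, d.entitlement,
                                form.name, form.actions, dict(d.inputs), effective))
    return requests
```

The point to notice is that sign-off only emits `Request` objects in `pending-validation` state; the actual disable, delete or move happens downstream, after the same validation and authorization steps that apply to requests from the request portal.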