Certification processes are very important when we speak of Access Governance using SailPoint IdentityIQ. In general, the concepts are the same as in any other Access Governance product, but let us try to gain some more insight into IdentityIQ certifications.
Certification processes allow managers to review and remediate access granted to users on various resources such as applications, entitlements, accounts, roles, etc. Based on the type of resource, certifications in IdentityIQ are divided into the categories listed below:
Manager Certifications
Application Owner Certifications
Entitlement Owner Certifications
Advanced Certifications
Account Group Certifications
Role Certifications
Identity Certifications
Event-Based Certifications
Although certifications are classified by functionality, all of the above types go through the same phases during their lifecycle. Some of these phases are optional while others are mandatory. These phases are:
Generation Phase
Active Phase
Challenge Phase
Sign-Off Phase
Remediation/Revocation Phase
End Phase
Generation Phase: This phase includes configuring the certification parameters on the Basic, Lifecycle, Notifications, Behavior and Advanced pages of the UI. The combination of these parameter values decides which phases the certification will go through. It is in this phase that parameters such as the certification owner, certification frequency, notification scenarios and other similar parameters are defined.
Active Phase:
It is during the Active phase that the certifiers are required to make their decisions (approve or revoke).
Delegations and reassignments, if any, need to be completed during this phase.
The Active period duration is specified on the Lifecycle page.
Challenge Phase:
The Challenge Phase starts when the Active Period Duration is over.
The challenge phase is a phase in which a user whose access is being affected by a reviewer's decision can challenge the decision.
It is enabled only if the “Enable Challenge Period” option was selected from the Lifecycle page.
Sign-Off Phase:
The Sign-Off phase starts at the end of the Challenge phase.
Once the Sign-Off button is clicked, no further changes to Access Reviews can be made by reviewers.
Depending upon the parameters selected in the Generation phase, the next phase is either the Remediation/Revocation phase or the End phase.
Remediation/Revocation Phase:
In this phase, remediation action (e.g. revocation of access rights) is performed on the source application using the provisioning mechanism (manually or automatically).
Remediation generally consists of sending email messages, and creating work items for resource owners to take action.
When a Revocation Period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are submitted for processing but are not tracked.
End Phase:
The Access Review reaches its End Phase when all Phases configured for it have passed their end date or when all actions required for the process (as configured) are complete.
If a Certification does not have a Challenge or Revocation Period enabled, clicking Sign Off initiates the End Phase.
If a Revocation Period is enabled, the End Phase starts only once all remediation requests have been completed or when the Revocation Period's end date passes.
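The phase transitions described above can be checked against a small state model. The following is an added example written for this article, not IdentityIQ's own code or API: the config attribute names (enable_challenge_period, enable_revocation_period) and the phase strings are assumptions standing in for the Lifecycle page options, and the access review items are constructed sample values.

```python
from dataclasses import dataclass, field
@dataclass
class LifecycleConfig:
    # Assumed attribute names standing in for the Lifecycle page check boxes.
    enable_challenge_period: bool = False
    enable_revocation_period: bool = False

def phase_sequence(cfg: LifecycleConfig) -> list[str]:
    # Phases configured for a review; Remediation is skipped when nothing is revoked.
    seq = ["Active"] + (["Challenge"] if cfg.enable_challenge_period else [])
    seq.append("Sign Off")
    if cfg.enable_revocation_period:
        seq.append("Remediation")
    return seq + ["End"]

@dataclass
class AccessReview:
    """Toy model of one access review after generation (not IdentityIQ's own code)."""
    cfg: LifecycleConfig
    phase: str = "Active"
    decisions: dict = field(default_factory=dict)        # item -> "approve"/"revoke"
    open_remediations: set = field(default_factory=set)

    def decide(self, item: str, decision: str) -> None:
        if self.phase != "Active":             # reviewers decide only while Active
            raise PermissionError(f"review is in {self.phase} phase")
        self.decisions[item] = decision

    def period_expired(self) -> str:
        # The current period's end date passed: enter the next configured phase.
        if self.phase in ("Sign Off", "End"):
            raise RuntimeError("Sign Off ends by button click; End is final")
        seq = phase_sequence(self.cfg)
        self.phase = seq[seq.index(self.phase) + 1]
        return self.phase

    def sign_off(self) -> str:
        if self.phase != "Sign Off":
            raise RuntimeError(f"cannot sign off in {self.phase} phase")
        revokes = {i for i, d in self.decisions.items() if d == "revoke"}
        tracked = self.cfg.enable_revocation_period and bool(revokes)
        self.open_remediations = revokes if tracked else set()  # untracked still submitted
        self.phase = "Remediation" if tracked else "End"
        return self.phase

    def remediation_completed(self, item: str) -> str:
        self.open_remediations.discard(item)
        if self.phase == "Remediation" and not self.open_remediations:
            self.phase = "End"
        return self.phase
```

With both periods enabled a review with a revoke decision passes through all phases, while a review with neither period enabled jumps straight from Sign Off to End.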