13 Managing Identity Certification
This chapter describes the concepts related to identity certification and the configuration tasks required for identity certification. It contains the following topics:
13.1 Certification Concepts
Key concepts related to identity certification are lines of business and line items, certification tasks, objects, definitions, and jobs, closed-loop remediation, remediation tracking, event listeners, certification authorization, and custom reviewer for user certification.
The concepts related to identity certification are described in the following sections.
13.1.1 Line of Business and Line Item
Line of Business (LOB) is a category of industry or business function. A line item is a row of data that appears on Page One of a certification.
LOB is a category of industry or business function. For example, an LOB manager is oriented to a business function within an enterprise, such as Sales.
A line item is a row of data that appears on Page One of a certification. Each line item groups together, according to the type of certification, the set of privilege assignments related to a particular identity or privilege. A reviewer can open any line item to see its details. For example, within phase one of a user certification, each line item represents a user. Opening the user details displays the access privileges of that user.
13.1.2 Certification Task
Certification task consists of a set of work to be done within a certification process.
Each set of line items that is assigned to a particular reviewer initiates a Service-Oriented Architecture (SOA) task that contains that set of line items and is routed to the SOA Inbox of that reviewer. The SOA component also notifies the reviewer that a certification task has been assigned.
13.1.3 Certification Object
Certification object consists of a certification ID and a set of line items.
Certification object is a generated certification that is assigned to a particular certifier or primary reviewer. Each certification object consists of:
- A unique certification ID
- A set of line items, each of which contains a set of details
13.1.4 Certification Definition
Certification definition is a named set of parameters that is used as input to a certification job to generate certification objects.
A certification definition specifies the following:
- The type of certification to generate, such as user certification, role certification, application instance certification, or entitlement certification
- Selection criteria that describe which line items, for example users, to select
- Content-restriction criteria that describe which details to select for each line item
- Other parameters that control the generation of certification objects or the behavior of review tasks
13.1.5 Certification Jobs
Certification jobs are used to create certifications as requested or as scheduled.
A certification job is a background execution-task that generates certification objects based on a specified certification definition. Certification jobs can be:
- Scheduled to run at regular intervals, such as weekly, monthly, or quarterly, as required
- Run immediately from the Scheduler section of Oracle Identity System Administration
- Triggered from an event-listener action
You can create and run certification-generation jobs to create certifications as requested or as scheduled. You can enable and run the risk-aggregation job to calculate the risk-values of entities, such as users, accounts, role-assignments, and entitlement-assignments.
13.1.6 Closed-Loop Remediation
Closed-loop remediation is used to revoke access privileges as an outcome of the certification process.
Closed-loop remediation is a feature that utilizes the provisioning system of Oracle Identity Manager to automatically revoke accounts, roles, and entitlements based on the results of the Oracle Identity Manager certification process.
13.1.7 Remediation Tracking
The access request catalog is used for remediation tracking.
You can use the request catalog to track the remediation status of revoked accounts, access within accounts, or roles. This records whether and when each revocation request is fulfilled.
13.1.8 Event Listener
Event listener is a service that responds to changes in users. Event listeners are supported for all certification types.
Each event listener for certification contains:
- The selection criteria specified by an administrator
- The certification definition to use in response
13.1.9 Certification Authorization
Certification authorization is controlled by assigning or revoking the Certification Administrator and Certification Viewer administrative roles.
The following Oracle Identity Manager admin roles grant the assignee privileges required to administer the certification feature and monitor the progress of certification instances:
- Certification Administrator: The Certification Administrator admin role grants the assignee super-user privileges for the certification feature. In particular, this admin role grants access to the certification configuration and scheduler in Oracle Identity Manager System Administration. This role also grants full access to certification, so the assignee can view or take action on any certification.
- Certification Viewer: The Certification Viewer is a read-only role, allowing a compliance administrator to view new, in progress, and completed certifications.
13.1.10 Custom Reviewer for User Certifications
Custom reviewer for user certifications can be specified by defining certification rules in the CERT_CUSTOM_ACCESS_REVIEWERS table.
13.1.10.1 About Custom Access Reviewer
You can define your own custom access reviewer for user certifications by specifying certification rules for specific user accounts, roles, entitlements, or application instances, or a combination of these entities, with a particular reviewer. In addition, you can group the certification rules and assign a map name to the certification rule to specify a reviewer for that map name.
Note:
The CERT_CUSTOM_ACCESS_REVIEWERS table must be populated before running the intended certification jobs. The data in the table is to be maintained by Oracle Identity Manager administrators.

Table 13-1 CERT_CUSTOM_ACCESS_REVIEWERS Table Definition
Column | Data Type | Description |
---|---|---|
reviewer_login | varchar2(256) | OIM login ID for the reviewer user. This field can have the following special values: |
user_login | varchar2(256) | OIM user login for the user whose access needs to be filtered. This field can have the following special value: <ANY>: Specifies special reviewer mapping to be applied for any user |
access_type | number(2) | Access type has a numeric value, and the possible value is one of the following: |
app_instance_name | varchar2(4000) | Name of the application instance. |
account_name | varchar2(300) | Name of the specific account on the application instance. |
entitlement_name | varchar2(4000) | Name of the entitlement. |
role_name | varchar2(4000) | Name of the role. |
map_name | varchar2(4000) | The map name that can be used to tag mappings and that is used in certification definitions. |
13.1.10.2 Conditions for Using Custom Access Reviewer
Certain conditions must be met for using the custom access reviewer for user certifications.
- The reviewer table does not support wildcards in any of its columns.
- The reviewer table must have a mapping defined for each and every user to be included in the certification.
- Application instance information is required for all account and entitlement mappings.
- Only one default reviewer mapping and one alternate reviewer mapping are allowed per map name.
13.1.10.3 Sample CERT_CUSTOM_ACCESS_REVIEWERS Table
Table 13-2 Sample CERT_CUSTOM_ACCESS_REVIEWERS Table
Row # | REVIEWER_LOGIN | USER_LOGIN | ACCESS_TYPE | Application Instance Name | Account name | Entitlement Name | Map Name |
---|---|---|---|---|---|---|---|
1 | ACERTUSER2 | VCERTUSER2 | 3 | VISDU1 | VCERTUSER2SERVICE | | 2015 Review |
2 | ACERTUSER1 | VCERTUSER3 | 4 | VISDU1 | VCERTUSER3 | EntTestDB~CN=VISDU11,DC=abc,DC=com | 2015 Review |
3 | ACERTUSER3 | VCERTUSER2 | 4 | VISDU1 | VCERTUSER2 | EntTestDB~CN=VISDU11,DC=abc,DC=com | 2015 Review |
4 | VCERTUSER10 | VCERTUSER2 | 1 | NA | NA | NA | <GLOBAL> |
- Row #1 has a mapping defined for the specific application instance VISDU1 owned by the user account VCERTUSER2SERVICE of user VCERTUSER2 with a particular reviewer ACERTUSER2.
- Row #2 has a mapping defined for the specific entitlement EntTestDB~CN=VISDU11,DC=abc,DC=com with an application instance VISDU1 owned by the user account VCERTUSER3 of user VCERTUSER3 with a particular reviewer ACERTUSER1.
- Row #3 has a mapping defined for the specific entitlement EntTestDB~CN=VISDU11,DC=abc,DC=com with an application instance VISDU1 owned by the user account VCERTUSER2 of user VCERTUSER2 with a particular reviewer ACERTUSER3.
13.1.10.4 Custom Access Reviewer Scenarios
The following is a list of supported custom access reviewer configuration scenarios.
Custom reviewer for specific user
Reviewer table has mapping defined for a specific user U1 with a particular reviewer R1.
This mapping is treated as whole access responsibility mapping. Reviewer R1 will review the entire access for user U1, and user U1 will be included in a certification for reviewer R1. Any access for user U1 will be excluded for which R1 is not a reviewer in reviewer table.
Custom reviewer for account owned by specific user
Reviewer table has mapping defined for a specific user account U1A1 of user U1 with a particular reviewer R2.
This mapping is treated as limited access responsibility mapping. Reviewer R2 will only review account U1A1 for user U1, and user U1 will be included in a certification for reviewer R2. Oracle Identity Manager will include U1A1 account along with all the entitlements that are part of U1A1 for reviewer R2.
Custom reviewer for entitlement owned by specific user account
Reviewer table has mapping defined for a specific entitlement U1A1E1 owned by a specific account U1A1 with a particular reviewer R3.
This mapping is treated as limited access responsibility mapping. Reviewer R3 will only review entitlement U1A1E1 for user U1, and user U1 will be included in a certification for reviewer R3. Oracle Identity Manager will include account U1A1 and only entitlement U1A1E1 for reviewer R3.
Custom reviewer for entitlement within an application instance (without any account name)
Reviewer table has mapping defined for a specific entitlement E3 with an application instance name APP2 with a particular reviewer R5. Account name is not defined for this mapping.
This mapping is treated as limited responsibility mapping. Reviewer R5 will review all the entitlements with name E3 from all the user accounts available in the application instance APP2. Certifications will be generated for all users who have entitlement E3 in the application instance APP2 and assigned to reviewer R5. Oracle Identity Manager will include accounts with only entitlement E3 in the certification for reviewer R5.
Custom reviewer for role owned by specific user
Reviewer table has mapping defined for a specific user role U1R1 of user U1 with a particular reviewer R4.
This mapping is treated as limited access responsibility mapping. Reviewer R4 will only review role U1R1 for user U1, and user U1 will be included in a certification for reviewer R4. Oracle Identity Manager will include only role U1R1 for reviewer R4.
Custom reviewers for different access types specified in the reviewer table
Certifications are created for each of the reviewers defined in the table. Each reviewer will only see the access elements for which mappings are defined. Each reviewer will have only one certification created in one certification job run.
Custom reviewer table with tag/map name defined in reviewer table
The reviewer table is scoped per the tag/map name defined in the certification definition. If the certification definition does not have a tag/map name specified, then the reviewer table is scoped for the <GLOBAL> tag/map name.
Default reviewer mapping for a specific map name
Reviewer table has mapping defined in default reviewer row as <Default Reviewer> - <USER_MANAGER> - <ANY> for map name MAP1.
This mapping is treated as default user reviewer mapping and will default the reviewer for any user to be the user’s manager. All user’s managers are included as reviewers. Oracle Identity Manager will NOT include a user in the certification for user’s manager if there is another User access type mapping defined in the reviewer table. This mapping will NOT affect other mappings in any way.
Reviewer table with user-level mappings as subset of base selection in certification definition
Base selection consists of users U1, U2, U3 and reviewer table with mapping for U1::U1A1-> R1 (account type), U2::U2A1E1-> R2 (entitlement type). Default reviewer mapping is <USER_MANAGER>-<ANY>. Managers are available as U1->M1, U2->M2, and U3->M3.
Certifications are generated for all users U1, U2 and U3. Each user’s manager will review each user’s access. Reviewer M3 will review all access for U3. Reviewer M2 will review all access for U2 except entitlement U2A1E1. Reviewer R2 will review only U2A1E1 for user U2. Reviewer M1 will review all access for U1 except account U1A1. Reviewer R1 will review only U1A1 for user U1.
Reviewer table with default reviewer mapping and overriding user-level mapping
Reviewer table has default reviewer mapping as <Default Reviewer> - <USER_MANAGER> - <ANY> for <GLOBAL> map name. Reviewer table also has user type mapping for U1 -> R1. User U1 has manager M1 defined in system. One certification is generated for reviewer R1, and no certification is generated for manager M1.
Reviewer table with default reviewer mapping and alternate reviewer mapping
Reviewer table has default reviewer mapping as <Default Reviewer> - <USER_MANAGER> - <ANY> for <GLOBAL> map name. Reviewer table has alternate reviewer mapping as <Alternate Reviewer> - <AR1> - <ANY> for <GLOBAL> map name. User U1 has manager M1 defined in the system. Reviewer M1 is an inactive user in the system.
No certification is generated for manager M1 because that user is inactive. One certification is generated for reviewer AR1 with user U1.
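The scenarios above modelled in code, as an added example that is not Oracle's code, so the carve-out rules can be checked against a constructed base selection: a whole-access (user) mapping takes the user away from the manager, account and entitlement mappings carve out only the named access, the rest goes to the default reviewer, an inactive manager falls back to the alternate reviewer, and rows are scoped by the definition's map name with <GLOBAL> as the fallback. The access-type codes follow Table 13-2 (1 user, 3 account, 4 entitlement); the `kind` field that marks default and alternate rows and the in-memory layout of a user's access are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Access-type codes as they appear in Table 13-2; the role code is not shown on the page.
ACCESS_USER, ACCESS_ACCOUNT, ACCESS_ENTITLEMENT = 1, 3, 4
ANY, GLOBAL_MAP, USER_MANAGER = "<ANY>", "<GLOBAL>", "<USER_MANAGER>"
AccountKey = Tuple[str, str]                      # (app_instance_name, account_name)


@dataclass(frozen=True)
class Mapping:
    """One CERT_CUSTOM_ACCESS_REVIEWERS row. `kind` is an assumption: the page shows the
    <Default Reviewer> / <Alternate Reviewer> markers but not which column holds them."""
    reviewer_login: str
    user_login: str
    access_type: int
    app_instance_name: Optional[str] = None
    account_name: Optional[str] = None
    entitlement_name: Optional[str] = None
    map_name: str = GLOBAL_MAP
    kind: str = "mapping"                         # "mapping", "default" or "alternate"


@dataclass
class User:
    login: str
    manager: str
    access: Dict[AccountKey, Set[str]]            # accounts and the entitlements in them


def resolve_reviewers(users: List[User], rows: List[Mapping], map_name: Optional[str] = None,
                      inactive: FrozenSet[str] = frozenset()):
    """Return {reviewer: {user_login: {account_key: {entitlements}}}} for one job run."""
    scope = map_name or GLOBAL_MAP                # no map name on the definition -> <GLOBAL>
    rows = [r for r in rows if r.map_name == scope]
    default = next((r for r in rows if r.kind == "default"), None)
    alternate = next((r for r in rows if r.kind == "alternate"), None)
    result = defaultdict(lambda: defaultdict(dict))

    def give(reviewer: str, user: User, key: AccountKey, ents: Set[str]) -> None:
        result[reviewer][user.login].setdefault(key, set()).update(ents)

    for user in users:
        # Whole-access mapping: the named reviewer sees everything; the manager gets no task.
        whole = [r for r in rows if r.kind == "mapping" and r.access_type == ACCESS_USER
                 and r.user_login == user.login]
        if whole:
            for r in whole:
                for key, ents in user.access.items():
                    give(r.reviewer_login, user, key, ents)
            continue

        # Limited-responsibility mappings carve their access out of what the default reviewer sees.
        remainder = {key: set(ents) for key, ents in user.access.items()}
        for r in rows:
            if r.kind != "mapping" or r.user_login not in (user.login, ANY):
                continue
            if r.access_type == ACCESS_ACCOUNT:
                key = (r.app_instance_name, r.account_name)
                if key in remainder:              # the account plus all of its entitlements
                    give(r.reviewer_login, user, key, remainder.pop(key))
            elif r.access_type == ACCESS_ENTITLEMENT:
                for key, ents in remainder.items():
                    if key[0] != r.app_instance_name or r.entitlement_name not in ents:
                        continue
                    if r.account_name and key[1] != r.account_name:
                        continue                  # no account name: every account in the instance
                    ents.discard(r.entitlement_name)
                    give(r.reviewer_login, user, key, {r.entitlement_name})

        if remainder and default is not None:
            reviewer = user.manager if default.reviewer_login == USER_MANAGER else default.reviewer_login
            if reviewer in inactive:              # inactive manager -> alternate reviewer, if defined
                reviewer = alternate.reviewer_login if alternate else None
            if reviewer:
                for key, ents in remainder.items():
                    give(reviewer, user, key, ents)

    return {rv: {u: acc for u, acc in by_user.items()} for rv, by_user in result.items()}
```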
13.2 Configuring Certifications
After certain prerequisites for certification configuration are met, you can set the certification configuration properties in the Certification Configuration page of the Identity Self Service.
This section describes how to configure certifications in the following topics:
13.2.1 Prerequisites for Configuring Certifications
Prerequisites for configuring certifications include marking a catalog item as certifiable, setting the certifier, user manager, organization certifier, user attributes for certification snapshot, and risk levels for individual entities, tagging attributes, and configuring the availability of identity certification, reminders, notifications, escalations, and expiry for certifications.
Configuring certifications has the following prerequisite steps:
Note:
Some of the preconfiguration steps require you to use the request catalog. For detailed information about the request catalog, see the following sections:
- Managing the Access Request Catalog in Administering Oracle Identity Governance
13.2.1.1 Marking a Catalog Item as Certifiable
A requestable entity, such as role assignment, role membership, application instance, or entitlement, is available for certification only after it is marked as certifiable in the request catalog. Any entity that is not marked as certifiable does not appear in the certification.
By default, all items in the catalog are marked as certifiable. You can deselect the Certifiable option if you do not want a certification task to be generated for that entity.
To mark an entity as certifiable:
13.2.1.2 Setting the Certifier in the Request Catalog
When you set a user as the certifier for an entity and select one of the reviewer options that depend on it, such as Role Certifier or Application Instance Certifier, the user is automatically set as the certifier or primary reviewer for certifying that entity. For example, if user John Doe is selected as the certifier for the Vision Developers role, then John Doe is automatically set as the primary reviewer for certifying the Vision Developers role, depending on the selection in the Reviewers screen when creating a certification. In this example, after the user is set as the certifier for the Vision Developers role and you are creating a Role Certification, selecting the Role Certifier option picks up this certifier.
Note:
Setting the certifier in the request catalog is required if you want to use some of the options for selecting reviewers in the certification creation screen, such as Role Certifier or Application Instance Certifier.
To set the certifier in the catalog:
13.2.1.3 Setting User Manager and Organization Certifier
The user manager and organization certifier are available for selection as the primary reviewer in the certification creation process.
User manager is the user selected in the Manager field in the Attributes tab of the User Details page in Oracle Identity Self Service. If Jane Doe is specified as the manager for Terence Hill, then while creating a user certification definition, as described in Creating Certification Definitions, when you select user manager as the primary reviewer, Jane Doe is automatically set as the primary reviewer for the certification tasks generated for Terence Hill.
The organization certifier is the user selected in the Certifier User Login field in the Attributes tab of the Organization Details page in Oracle Identity Self Service. If Robert Klein is specified as the organization certifier for the Vision North organization, then while creating the certification definition, when you select organization certifier as the primary reviewer, Robert Klein is automatically set as the primary reviewer for the certification tasks generated for Vision North.
Note:
- Setting the user manager or organization certifier is required if you want to use the Reviewer option of User Manager or Organization Certifier. Otherwise, this is not required.
- Role organization certifier does not support the Hierarchy aware option. For the organization certifier, the role must be available in the organization. In other words, the specific organization must be specified for the role. Otherwise, the certification is not generated. Make sure that the role and organization are linked and that the organization has the certifier user assigned.
13.2.1.4 Setting User Attributes for Certification Snapshot
Certification takes a snapshot of the following user attributes in Oracle Identity Manager:
- UserManagerConstants.AttributeName.USER_KEY.getId()
- UserManagerConstants.AttributeName.USER_ORGANIZATION.getId()
- UserManagerConstants.AttributeName.USER_LOGIN.getId()
- UserManagerConstants.AttributeName.MANAGER_KEY.getId()
- UserManagerConstants.AttributeName.STATUS.getId()
- UserManagerConstants.AttributeName.EMAIL.getId()
- UserManagerConstants.AttributeName.FIRSTNAME.getId()
- UserManagerConstants.AttributeName.LASTNAME.getId()
- UserManagerConstants.AttributeName.DISPLAYNAME.getId()
- UserManagerConstants.AttributeName.EMPTYPE.getId()
- UserManagerConstants.AttributeName.PHONE_NUMBER.getId()
- UserManagerConstants.AttributeName.EMPLOYEE_NUMBER.getId()
- UserManagerConstants.AttributeName.USER_UPDATE.getId()
- UserManagerConstants.AttributeName.USER_CREATEBY.getId()
- UserManagerConstants.AttributeName.USER_UPDATEBY.getId()
- UserManagerConstants.AttributeName.USER_CREATED.getId()
- UserManagerConstants.AttributeName.DEPARTMENT_NUMBER.getId()
- UserManagerConstants.AttributeName.LOCALITY_NAME.getId()
- UserManagerConstants.AttributeName.POSTAL_CODE.getId()
- UserManagerConstants.AttributeName.STATE.getId()
- UserManagerConstants.AttributeName.STREET.getId()
- UserManagerConstants.AttributeName.USER_COUNTRY.getId()
- UserManagerConstants.AttributeName.LOCALE.getId()
- UserManagerConstants.AttributeName.TITLE.getId()
- UserManagerConstants.AttributeName.GENERATION_QUALIFIER.getId()
- UserManagerConstants.AttributeName.COMMONNAME.getId()
- UserManagerConstants.AttributeName.HIRE_DATE.getId()
- UserManagerConstants.AttributeName.ACCOUNT_STATUS.getId()
- UserManagerConstants.AttributeName.MIDDLENAME.getId()
All other user attributes can be added to the certification snapshots if the attributes are marked as certifiable. These attributes are stored along with the other user-defined attributes. Note that marking an attribute as certifiable can impact performance, and therefore it is recommended to mark attributes as certifiable only if required.
13.2.1.5 Setting Risk Levels for Individual Entities
To set the risk levels for individual entities:
Note:
See About How Risk Summaries are Calculated for information about the impact of setting risk levels and how Oracle Identity Manager processes risk levels to arrive at risk summaries.
- In Oracle Identity Self Service, navigate to the Catalog page.
- Search and select the role, application instance, or entitlement for which you want to set the risk level.
- Under Detailed Information, from the Risk Level list, select High Risk, Medium Risk, or Low Risk.
- Click Apply.
After setting the risk level for an individual entity, you must run the Risk Aggregation scheduled job so that the new risk level is correctly picked up when new certifications are created. Note that existing certification objects do not reflect the new risk level.
13.2.1.6 Tagging Attributes
Accounts, IT resources, and entitlements must be tagged for certification in the Design Console. Without tagging, certifications for these entities are not generated.
You can check if the accounts, IT resources, and entitlements are already tagged by following the navigation in the Design Console as described in this section. If the entities are already tagged, then you can skip this section. Otherwise, configure account and IT resource tagging by performing the steps in this section.
Note:
For the certification creation to work, the value of the following properties must be set to true, as described in the procedure in this section:
- Entitlement
- ITResource
- AccountName
To configure account and IT resource tagging:
13.2.1.7 Configuring the Availability of Identity Certification
The certification feature is part of Compliance in Oracle Identity Manager. Therefore, the certification feature is available when the value of the Identity Auditor Feature Set Availability system property is set to TRUE. When the value of this property is TRUE, role lifecycle management, Segregation of Duties (SoD), and identity certification are enabled.
If you change the value of this property, then you must restart the Oracle Identity Manager server.
Note:
For information about system properties and setting the values of system properties, see “Managing System Properties” in the Administering Oracle Identity Governance.
13.2.1.8 Configuring Reminders, Notifications, Escalations, and Expiry for Certifications (Optional)
If email notification is configured in SOA, as described in "Configuring SOA Email Notification" in Administering Oracle Identity Governance, then email notifications are sent by default in the following scenarios:
- When a task is assigned to a user
- When a task is completed
By default, two reminders are sent one day after and two days after the certification has been created. There is no escalation or expiry set for the certifications by default.
To change the default configuration for certification:
- Log in to Oracle SOA Composer with Admin credentials, such as weblogic, by navigating to the following URL:
  http://HOST_NAME:PORT_NUMBER/soa/composer
- Click Open, and select Open Tasks. The Select a Task to open dialog box is displayed.
- Select CertificationProcess_rev1.0, and click Open. The CertificationTask : Event Driven Configuration page is displayed.
- In the Notification Settings section, perform the following:
  - The assignees of the task are selected as recipients of the notification for Assign and Complete tasks. To change the default setting, select the task status in the Task Status column, and select the notification recipient in the Recipient column. You can click the pencil icon for each task to edit the default notification message, and click OK.
  - In the drop-down below, change the default setting for reminders.
- In the Expiry and Escalation Policy section, you can change the default value for escalation and expiry.
- Click OK.
- Click Save, and then click Commit.
13.2.2 Configuring Certification Options
You can set default options in Oracle Identity Self Service that are used during certification creation based on the type of certification. These options can be changed during the certification creation process for each certification definition.
To configure certification options:
13.3 Managing Certification Definitions
Managing certification definitions includes creating, modifying, and deleting the definitions for user, role, application instance, and entitlement certification.
This section describes certification definitions in the following topics:
13.3.1 Creating Certification Definitions
You can create user, role, application instance, and entitlement certification definitions by launching the New Certification wizard from the Certification Definitions page.
Creating certification definitions is described in the following sections:
13.3.1.1 Creating a User Certification Definition
To create a user certification definition:
- Log in to Oracle Identity Self Service.
- Click the Compliance tab.
- Click the Identity Certification box, and select Definitions. The Certification Definitions page is displayed.
- From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.
- Enter values as follows:
  - Certification Name: Enter a name for the certification.
  - Type: Select User to create a user certification.
  - Description: Optionally enter a description for the new user certification.
- Click Next. The Base Selection page of the New Certification wizard is displayed.
- Select a user-selection strategy in the Base Selection section, as follows:
  - Users from All Organizations: Selects users from all organizations in Oracle Identity Manager.
  - Only Users from Selected Organizations: Allows you to manually select specific organizations. You can select the organizations by clicking Add. To remove a selected organization, click Remove.
    Note:
    When completing a certification, a certifier cannot see the organization name or any other details about the organization unless that person is also the organization administrator for that organization. If the certifier is not the organization administrator, only the users in the organization are displayed.
  - All users: Selects all the users in Oracle Identity Manager.
  - Users criteria: Selects all the users that meet the given search condition. You can filter the criteria based on various user attributes and user-defined fields (UDFs). To do so, select the Apply further criteria option in the Selection Constraints section, and then select the attributes and UDFs.
  - Selected users: Allows you to select specific users from a list of users in the system. To select users, click Add. To remove selected users, click Remove.
    Note:
    You can save the search and use it for specifying user criteria while creating another user certification definition. The saved search is not mapped to a specific certification. To use the user criteria saved search for another user certification definition:
    - During certification creation, after selecting the Users criteria option and specifying the search condition, you must click Update and Preview Results. This associates the selected criteria with the definition.
    - If you want to save this search criteria as a template, then click Save. You are prompted to enter a name for the template that you are saving. You can then save this template and reuse it.
      The saved template is not specific to a certification. While creating another certification, this template is displayed by default. If you create another new template, then that template is displayed. In other words, the latest template is displayed for all criteria screens associated with a type of certification.
    - If you do not want to use the generated template, then change the value in the Saved Search list to something else that you want to use.
- Select any one of the following options to specify constraints to the base selection:
  - Users with Any Level of Risk
  - Only Users with High Risk Summaries
  - Only Users with High Risk Roles
  - Only Users with High Risk Application Instances
  - Only Users with High Risk Entitlements
- Click Next. The Content Selection page is displayed.
- In the Content Selection section, select the following:
  - Select the Include Users with no accounts option to include users who have no access within the certification.
  - In the Roles section, select any one of the following options to limit the role assignments to certify for each user:
    Note:
    The list of roles per user is restricted to the selected option. For example, if you select selected roles or selected criteria and add one role, then only that role appears in the certification (provided it is marked as certifiable in the catalog), even if the user has other roles.
    - All Roles: Select to show all roles.
    - Only High Risk Roles: Select to show only the roles with high risk level, and exclude the roles with medium and low risk levels.
    - Selected Roles Only: Select this option to manually select the roles.
    - Selected Roles Criteria: Select to show the roles based on filter criteria.
    - Roles Outside Rules: Select to exclude the roles that have been granted to users through membership rules.
    - High Risk Roles Outside Rules: Select to exclude the roles with high risk level that have been granted to users through membership rules, and include only the high risk roles that have not been granted through membership rules.
      Note:
      The Roles Outside Rules and High Risk Roles Outside Rules options are available after you apply Oracle Identity Governance Bundle Patch 12.2.1.4.210428.
    - None: Select to exclude all roles from the certification.
  - In the Application Instances section, select the following:
    - Select the Include accounts with no certification attributes option to include the accounts in the selected application instances even if there are no certifiable entitlements (access) within the target system. If you deselect this option, then accounts in the target system that do not have any entitlements do not appear in the certification.
    - Select any one of the following options to limit the application instance assignments to certify for each user:
      Note:
      Similar to roles, you can restrict the application instances you want to see within the certification.
      - All Application Instances: Select to include all application instances.
      - Only High Risk Application Instances: Select to include only the application instances with high risk level, and exclude the application instances with medium and low risk levels.
      - Selected Application Instances Only: Select this option to manually select the application instances.
      - Selected Application Instances Criteria: Select to show the application instances based on filter criteria.
  - Select any one of the following options to limit the entitlements that you can see within the certification:
    - All Entitlements: Select to show all entitlements.
    - Entitlements Outside Roles: Select to show only the entitlements that are not provisioned by roles/access policies, and exclude access granted via roles/access policies.
    - Accounts with High-Risk Entitlements: Select to show account information for high-risk entitlements only.
    - Only High-Risk Entitlements: Select to show only the high-risk entitlements, and exclude the entitlements with medium and low risk levels.
    - Only High-Risk Entitlements Outside Roles: Select to show only high-risk entitlements, exclude the entitlements with medium and low risk levels, and exclude all entitlements (with any risk) granted via roles/access policies.
    - Selected Entitlements Criteria: Select to show entitlements based on filter criteria.
Click Next. The Configuration page is displayed.
- Select the options, as described in Table 13-3, and click Next. The Reviewers page is displayed.
  If you want to enable multi-phased review with advanced delegation, then select the Allow advanced delegation and Allow multi-phased review options.
  If you want to enable certification oversight in the certification workflow, then click the search icon, search for the available composites, select the CertificationOverseerProcess composite, and click Add.
  Note:
  In the Configuration page, if you select the Prevent self certification option and choose an alternate reviewer, then the Search for a Role reviewer option is not available for selection.
- From the Reviewer list, select a primary reviewer. The primary reviewer can be the user's manager, the organization certifier, any other user that you select, or any role that you select. The primary reviewer can be any one of the following:
  - User Manager: Selects the user's manager as the primary reviewer.
  - Organization Certifier: Selects the organization certifier as the primary reviewer.
  - Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.
  - Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role can claim the task in order to review and certify. When the task is claimed by a user, other users in the role can no longer view the task in the Inbox.
    Group certifier assignments are not supported with the CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.
  - Custom Access Reviewer: A custom reviewer that you specify as the primary reviewer by populating the CERT_CUSTOM_ACCESS_REVIEWERS table in the Oracle Identity Manager database. For detailed information about defining a custom access reviewer, see Custom Reviewer for User Certifications.
  For multi-phased review, perform the following:
  - In the Phase 1 section, select any one of the following to select the Phase 1 reviewer:
    - User Manager: Selects the user's manager as the Phase 1 reviewer.
    - Organization Certifier: Selects the organization certifier as the Phase 1 reviewer.
    - Search for a User: Selects any user as the Phase 1 reviewer that you search and specify by clicking the lookup icon.
    - Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the Phase 1 reviewer. Any user member of the role can claim the task in order to review and certify. When the task is claimed by a user, other users in the role can no longer view the task in the Inbox.
      Group certifier assignments are not supported with the CertificationProcess composite. If you want to select this option, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.
    - Custom Access Reviewer: A custom reviewer that you specify as the Phase 1 reviewer by populating the CERT_CUSTOM_ACCESS_REVIEWERS table in the Oracle Identity Manager database. For detailed information about defining a custom access reviewer, see Custom Reviewer for User Certifications.
  - In the Phase 2 (Optional) section, select the Enable Phase 2 review process option to specify that the privilege certifier is the primary Phase 2 reviewer for each user privilege, such as role, account, and entitlement assignments. Then, select any one of the following as the Phase 2 reviewer:
    - Certifier User: Selects the catalog certifier user as the Phase 2 reviewer.
    - Certifier Role: Selects the catalog certifier role as the Phase 2 reviewer. If a catalog item does not have a certifier role, then the task goes to the certifier user. If neither an entitlement certifier user nor an entitlement certifier role is defined, then the task falls back to the application instance certifier (user or role).
  - In the Final Review (Optional) section, select the Enable Final Review process option to enable a final review by the Phase 1 reviewer for final validation and sign-off.
- Click Next. The Incremental page is displayed.
  Incremental certification is not supported for group/role certification. Therefore, if you have selected the Search for a Role option in the Reviewers page, then the Incremental page is skipped and the Summary page is displayed.
- Select Enabled for Generate Incremental Data. This setting enables certifiers to certify or revoke only the changes or inclusions made since the previous certification. It eliminates the need to review again access that has already been certified.
  When Incremental Certification is enabled, it takes the following parameters:
  - Incremental Date Range (required): One of the following:
    - Since Last Base (default): When this option is selected, the current access of the user is compared against the last certification of the same type that was created without incremental enabled (the base), plus all the incremental certifications created since then, up to the date on which the certification is created.
    - Since Date: When this option is selected, the current access of the user is compared against all the certifications of the same type created between the given date and the date on which the certification is created.
  - Show Previous Value (optional): One of the following:
    - Disabled (default): When this option is deselected, values that have already appeared in the previous certifications covered by the Incremental Date Range parameter are not included in the certification.
    - Enabled: When this option is selected, all the current values that existed in previous certifications are displayed along with the last decisions taken for that access.
- Click Next. The Summary page is displayed with the details of the user certification.
- Click Create to create the user certification. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.
  Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.
  The new user certification definition is displayed in the Certification Definitions page.
  Note:
  For multi-phased review with advanced delegation:
  - The certification is not 100% complete until the Phase 2 reviewers or technical reviewers have completed all the reviews. During the two-phased review, the certification status displays the phase the certification is in and the percentage completion of each phase. To view this status, click the In Progress certification in the Inbox or Dashboard.
  - The certification goes to the Phase 1 primary reviewer for final review. In Page 2, the Phase 1 primary reviewer can review the actions made by the users in the first and second phases (greyed out) as well as the system-generated default actions, which the Phase 1 primary reviewer can override.
13.3.1.2 Creating a Role Certification Definition
To create a role certification definition:
- Log in to Oracle Identity Self Service.
- Click the Compliance tab.
- Click the Identity Certification box, and select Definitions. The Certification Definitions page is displayed.
- From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.
- Enter values as follows:
  - Name: Enter a name for the certification.
  - Type: Select Role to create a role certification definition.
  - Description: Optionally enter a description for the new role certification definition.
- Click Next. The Base Selection page of the New Certification wizard is displayed.
- In the Base Selection section of the page, select a role selection strategy from the list, as follows:
  - All Roles in All Organizations: Selects all roles in all the organizations in Oracle Identity Manager.
  - Roles from Selected Organizations: Selects the roles from the organizations that you specify. Click Add to search for and select an organization. To remove a selected organization, click Remove.
    Note:
    When completing a certification, a certifier cannot see the organization name or any other details about the organization unless that person is also the organization administrator. If the certifier is not the organization administrator, only the users in the organization are displayed.
  - All Roles: Selects all roles in Oracle Identity Manager.
  - Role criteria: Selects all of the roles that meet the given search condition. You can preview the results of this selection.
    Tip:
    You can save the search and use it for specifying role criteria while creating another role certification definition. The saved search is not mapped to a specific certification. To use the role criteria saved search for another role certification definition:
    - During certification creation, after selecting the Role Criteria option and specifying the search condition, you must click Update and Preview Results. This associates the selected criteria with the definition.
    - If you want to save this search criteria as a template, then click Save. You are prompted to enter a name for the template that you are saving. You can then save this template and reuse it.
    - The saved template is not specific to a certification. While creating another certification, this template is displayed by default. If you create another new template, then that template is displayed. In other words, the latest template is displayed for all criteria screens associated with a type of certification.
    - If you do not want to use the generated template, then change the value in the Saved Search list to something else that you want to use.
  - Selected roles: Allows you to manually select the roles.
- Select any one of the following options to specify constraints:
  - Roles with Any Level of Risk
  - Only High Risk Roles
- Click Next. The Content Selection page is displayed.
- Select Certify Policies to specify the certification of policies. Select Certify Members to specify the certification of role members.
- Click Next. The Configuration page is displayed.
- Select the configuration options, as described in Table 13-3, and click Next. The Reviewers page is displayed.
  Note:
  In the Configuration page, if you select the Prevent self certification option and choose an alternate reviewer, then the Role - Certifier User and Role - Certifier Role reviewer options are not available for selection.
- From the Reviewer list, select a primary reviewer. The primary reviewer can be any one of the following:
  - Role (Certifier User): Selects the certifier user as the primary reviewer.
  - Role (Certifier Role): Selects the certifier role as the primary reviewer.
  - Organization Certifier: Selects the organization certifier as the primary reviewer.
  - Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.
  - Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role can claim the task in order to review and certify. When the task is claimed by a user, other users in the role can no longer view the task in the Inbox.
    Group certifier assignments are not supported with the CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.
- Click Next. The Incremental page is displayed.
  Incremental certification is not supported for group/role certification. Therefore, if you have selected the Search for a Role option in the Reviewers page, then the Incremental page is skipped and the Summary page is displayed.
- Select Enabled for Generate Incremental Data. This setting enables certifiers to certify or revoke only the changes or inclusions made since the previous certification. It eliminates the need to review again access that has already been certified.
  When Incremental Certification is enabled, it takes the following parameters:
  - Incremental Date Range (required): One of the following:
    - Since Last Base (default): When this option is selected, the current access of the user is compared against the last certification of the same type that was created without incremental enabled (the base), plus all the incremental certifications created since then, up to the date on which the certification is created.
    - Since Date: When this option is selected, the current access of the user is compared against all the certifications of the same type created between the given date and the date on which the certification is created.
  - Show Previous Value (optional): One of the following:
    - Disabled (default): When this option is deselected, values that have already appeared in the previous certifications covered by the Incremental Date Range parameter are not included in the certification.
    - Enabled: When this option is selected, all the current values that existed in previous certifications are displayed along with the last decisions taken for that access.
- Click Next. The Summary page is displayed with the details of the role certification.
- Click Create. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.
  Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.
  The new role certification definition is displayed in the Certification Definitions page.
13.3.1.3 Creating an Application Instance Certification Definition
To create an application instance certification definition:
13.3.2 Modifying Certification Definitions
You can edit certification definitions by selecting them in the Certification Definitions page and using the Edit option.
To modify a certification definition:
13.4 Scheduling Certifications
You must create a certification definition before you can schedule it.
Certifications are scheduled as part of the certification creation process. For more information, see Creating Certification Definitions. Certifications can be scheduled to run once, or to repeat on a daily, weekly, or monthly basis.
After you create a certification definition by clicking Create on the Summary page of the New Certification wizard, a message is displayed asking if you want to create a certification job and run it. You can edit the scheduled job name in the Job Name box. When you click Yes, the certification job is created for the new certification definition and is run. You can go to the Scheduler section in Oracle Identity System Administration and search for the job. The default name of the job is Cert_DEFINITION_NAME.
The certification job is created based on the Certification Creation Task scheduled task. This scheduled task is used to create new certification jobs for a defined certification definition. When the job runs, the certification definition is used and certifications are generated.
See "Predefined Scheduled Tasks" in Administering Oracle Identity Governance for information about the Certification Creation Task scheduled task. You can modify the certification jobs from the Scheduler section of Oracle Identity System Administration. See "Modifying Jobs" in Administering Oracle Identity Governance for details.
You can also schedule a certification from the Scheduler section of Oracle Identity System Administration. To do so, follow the instructions in "Creating Jobs" in Administering Oracle Identity Governance. In this method, select Certification Creation Task in the Task field of the Create Job page.
When you modify a certification job, specify the certification definition name in the Certification Definition Name field of the Job Details page.
13.5 About How Risk Summaries are Calculated
You can directly assign high, medium, and low risk levels to roles, application instances, and entitlements, as well as to certain predefined risk factors.
A risk-aggregation job calculates Risk Summaries for the remaining higher-order data objects that are required to support identity certification. These objects include every user, user-role assignment, account, and entitlement-assignment in Oracle Identity Manager. During identity certification, certifiers use Risk Summaries to separate high-risk certification items from medium-risk and low-risk items.
This section describes how the system processes risk levels to arrive at Risk Summaries. It also describes the risk-aggregation job, which you can run manually or on a scheduled basis. It contains the following topics:
Note:
Roles, application instances, and entitlements are metadata objects, whereas users, accounts, and entitlement-assignments are instance-data objects.
Metadata objects are structural objects that represent and describe your information systems within Oracle Identity Manager, whereas instance-data objects are the individual instances of application data that populate the systems. For example, consider a customer service application (a resource) that has a predefined role that enables users to create trouble tickets (an entitlement). In this example, a single resource object represents the application and a single entitlement object represents a specific privilege within that application.
Now consider there might be thousands of user accounts on this resource, some subset of which has the entitlement-assignment that allows the user to create a trouble ticket. A single resource (metadata object) can have multiple accounts (instance-data objects), and a single entitlement (metadata object) can have multiple assignment instances (instance-data objects). Oracle Identity Manager calculates the risk levels for instance-data objects because it would not be feasible for a human to process risk levels for every user, account, and entitlement-assignment on a recurring basis.
13.5.1 Understanding Item Risk and Risk-Factor Mappings
Item risk refers to the risk levels that you and other administrators can assign to specific roles, application instances, and entitlements. Risk-Factor Mappings are settings that map risk levels to certain predefined conditions.
Item risk and the risk-factor mappings are settings that are under your direct control.
This section contains the following topics:
13.5.1.1 Setting Item Risk
Item risk refers to the risk levels that you and other administrators can assign to specific roles, application instances, and entitlements.
Note:
Three bars signify high risk, two bars signify medium risk, and one bar signifies low risk.
If you do not directly assign an item-risk level to a metadata object, then Oracle Identity Manager assigns a default item-risk level for you. Roles, application instances, and entitlements can each have a default value.
To set the default item-risk level for the metadata objects:
- Log in to Oracle Identity Self Service.
- Click the Compliance tab.
- Click the Identity Certification box, and select Risk Configuration. The Risk Configuration page is displayed.
- Select the High, Medium, or Low risk radio buttons for each item.
- Click Save.
You should reserve high item-risk levels for metadata objects that confer highly-restricted privileges to users. Note that setting a high item-risk level on an object will cause its parent object to also have a high Risk Summary value. Similarly, setting a medium item-risk level on an object will cause its parent object to have at least a medium Risk Summary value. In order for a higher-order object to have a low Risk Summary value, all of the objects under it in the system hierarchy would have to have low risk settings.
13.5.1.2 About Risk-Level Mappings (Risk Factors)
Risk-Factor Mappings are settings that map risk levels to certain predefined conditions. For example, you might configure "items with open audit violations" as high risk, whereas "items that are closed as risk-accepted" you might configure as medium risk.
Generally speaking, you should reserve high Risk-Factor levels for conditions in which privileges are being extended to users that may be irregular or dangerous.
There are three Risk-Factor categories in Oracle Identity Manager, and each category contains multiple settings. Risk-Factor categories are described in Table 13-4.
Table 13-4 Risk Factors
| Risk Factor | Description |
|---|---|
| Provisioning Scenarios / Assignment Scenarios | Provisioning Scenarios define the risk levels that should be associated with the method or mechanism used to assign a role, account, or entitlement-assignment to a user. For example, you might configure a risk level of Medium for objects that are provisioned directly by an administrator, and a risk level of Low for objects that are provisioned based on Policies that are tied to Roles. You might configure a risk level of High for objects that are pulled into Oracle Identity Manager via reconciliation. |
| Last Certification Action | Defines the risk level based on the status of the last certification for the account, entitlement-assignment, or user-role assignment under consideration. For example, configure a risk level of Low for any item for which the previous certification decision was to approve, and configure a risk level of Medium for any item for which the previous certification decision was to Certify Conditionally. Finally, you might configure a value of High for any item for which the previous certification decision was Abstain or Revoke. |
| Identity Audit Violation | Defines risk levels associated with causes contained in open identity audit violations. A cause may be associated with an account, entitlement-assignment, or user-role assignment. For example, you might configure a risk level of High for objects that have an associated cause in an active violation, because such a situation represents a Segregation of Duties (SoD) violation. Note that if an object has no associated causes in an open identity audit violation, then this risk factor is skipped when computing risk summaries. |
Note:
Changing Risk-Level mappings on the Risk Configuration page in the UI can cause major ripple effects that impact Risk Summaries throughout Oracle Identity Manager. During your initial setup you should configure mappings on the Risk Level configuration page, and then avoid making additional unnecessary changes. See About How Changing Risk Configuration Values Impacts the System for more information about the ripple effects that impact Risk Summaries.
13.5.2 About Risk Aggregation and Risk Summaries
The Risk Aggregation Task scheduled job processes Item-Risk levels and Risk-Factor levels, and calculates Risk Summaries for each higher-order object that supports identity certification.
The Risk Aggregation Task is used to seed the predefined Risk Aggregation Job. You do not need to create new jobs using this task. When a job of this task type runs, it calculates the risk of all the users in Oracle Identity Manager, taking into account changes since they were last updated. See "Predefined Scheduled Tasks" in Administering Oracle Identity Governance for information about this scheduled task. You can enable the Risk Aggregation Task scheduled job by following the instructions in "Disabling and Enabling Jobs" in Administering Oracle Identity Governance.
In the first phase of risk aggregation, the Risk Aggregation Task scheduled job evaluates each individual object's Item-Risk level and its three Risk-Factor levels, and assigns the highest of the four levels to the object's Risk Summary property. A Risk Summary value is calculated for each individual User object, User-Role Assignment object, Account object, and entitlement-assignment object. The following diagram illustrates this process.
Once Risk Summaries are calculated for every object, the next phase of aggregation begins, in which the Risk Summary of each individual object rolls up to the Risk Summary of the parent object that contains it.
Above the entitlement-assignment level, each data object's Risk Summary value contributes to the Risk Summary of the parent-object that contains it. For example, Account objects are one hierarchy-level up from entitlement-assignment objects, and User objects are one hierarchy level up from there. So, the Risk Summary of every entitlement-assignment object within an Account object contributes to the Risk Summary for that Account, and, similarly, the Risk Summary for every Account object within the User object contributes to the Risk Summary for that User.
User objects are also one level above User-Role Assignment objects, so the Risk Summary for every User-Role Assignment object contributes to the Risk Summary for that User.
The following diagram illustrates this process.
In the diagram, the Risk-Summary value of the entitlement-assignment rolls up to the Account object. The Risk-Summary values of Accounts and the Risk-Summary values of User-Role Assignments roll up to the Risk Summary of any associated User.
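The two aggregation phases described above, as an added example in Python that is not Oracle Identity Manager code: the object model, the default item-risk levels, the Risk-Factor Mappings and the sample user are all constructed here, and treating a never-certified item as having no Last Certification Action factor is an assumption. It also shows why lowering an entitlement's Item Risk alone does not lower a Risk Summary that comes from a Risk Factor.

```python
from dataclasses import dataclass, field
from typing import Optional

# Risk levels are ordered so that max() selects the highest risk.
LOW, MEDIUM, HIGH = 1, 2, 3
LEVEL_NAME = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}

# Constructed defaults standing in for the Risk Configuration page settings.
DEFAULT_ITEM_RISK = {"role": LOW, "application_instance": LOW, "entitlement": MEDIUM}

# Constructed Risk-Factor Mappings, one per category of Table 13-4.
PROVISIONING_RISK = {"policy": LOW, "direct": MEDIUM, "reconciliation": HIGH}
LAST_CERTIFICATION_RISK = {"certify": LOW, "conditional": MEDIUM,
                           "abstain": HIGH, "revoke": HIGH}
AUDIT_VIOLATION_RISK = HIGH  # applied only when an open violation names the object


@dataclass
class Metadata:
    """Role, application instance or entitlement: the objects an administrator rates."""
    kind: str
    name: str
    item_risk: Optional[int] = None  # None: fall back to the default for this kind

    def effective_item_risk(self) -> int:
        if self.item_risk is None:
            return DEFAULT_ITEM_RISK[self.kind]
        return self.item_risk


@dataclass
class Assignment:
    """Instance data: a user-role assignment, an account, or an entitlement-assignment."""
    definition: Metadata
    provisioning: str                          # how the assignment was granted
    last_certification: Optional[str] = None   # None: never certified (assumed: factor skipped)
    open_violation: bool = False               # named as a cause in an open audit violation
    children: list = field(default_factory=list)  # entitlement-assignments under an account
    risk_summary: Optional[int] = None


@dataclass
class User:
    name: str
    role_assignments: list
    accounts: list
    risk_summary: Optional[int] = None


def own_risk(a: Assignment) -> int:
    """Phase 1: the highest of Item Risk and the applicable Risk-Factor levels."""
    levels = [a.definition.effective_item_risk(), PROVISIONING_RISK[a.provisioning]]
    if a.last_certification is not None:
        levels.append(LAST_CERTIFICATION_RISK[a.last_certification])
    if a.open_violation:  # no open violation: this factor is skipped entirely
        levels.append(AUDIT_VIOLATION_RISK)
    return max(levels)


def aggregate_assignment(a: Assignment) -> int:
    """Phase 2: an account's Risk Summary absorbs those of its entitlement-assignments."""
    a.risk_summary = max([own_risk(a)] + [aggregate_assignment(c) for c in a.children])
    return a.risk_summary


def aggregate_user(u: User) -> int:
    """A user's Risk Summary is the highest among its accounts and role assignments."""
    summaries = [aggregate_assignment(x) for x in u.role_assignments + u.accounts]
    u.risk_summary = max(summaries) if summaries else LOW
    return u.risk_summary


def build_sample_user() -> User:
    """Constructed sample data: one user, one policy-granted role, one account."""
    sales_role = Metadata("role", "Sales Analyst", item_risk=LOW)
    crm = Metadata("application_instance", "CRM")                 # default item risk
    view_tickets = Metadata("entitlement", "View Tickets", item_risk=LOW)
    approve_refunds = Metadata("entitlement", "Approve Refunds")  # default: Medium
    account = Assignment(crm, provisioning="policy", last_certification="certify", children=[
        Assignment(view_tickets, provisioning="policy", last_certification="certify"),
        # Pulled in by reconciliation and never certified: Provisioning factor is High.
        Assignment(approve_refunds, provisioning="reconciliation"),
    ])
    role_assignment = Assignment(sales_role, provisioning="policy", last_certification="certify")
    return User("alice", role_assignments=[role_assignment], accounts=[account])


def summaries_by_name(u: User) -> dict:
    """Run aggregation and report every object's Risk Summary by name."""
    aggregate_user(u)
    report = {u.name: LEVEL_NAME[u.risk_summary]}
    for a in u.role_assignments + u.accounts:
        report[a.definition.name] = LEVEL_NAME[a.risk_summary]
        for c in a.children:
            report[c.definition.name] = LEVEL_NAME[c.risk_summary]
    return report


if __name__ == "__main__":
    user = build_sample_user()
    print(summaries_by_name(user))  # Approve Refunds is High, so CRM and alice are High
    # Moderate-impact change: an administrator lowers the entitlement's Item Risk.
    # The High survives because it comes from the Provisioning factor, not Item Risk.
    user.accounts[0].children[1].definition.item_risk = LOW
    print(summaries_by_name(user))  # alice is still High
```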
13.5.3 About How Changing Risk Configuration Values Impacts the System
There are three main actions or system events that can impact Risk Summary values. Depending on the action or system event, the impact can be minor, moderate, or major.
Each action or event that can impact Risk Summary values and its consequences is described in Table 13-5.
Table 13-5 Actions or System Events That can Impact Risk Summary Values
| Action or Event | Impact | Description |
|---|---|---|
| Users and/or Oracle Identity Manager make changes to individual entitlements | Minor | Applies to changes to individual data objects, such as accounts, entitlements, and user-role assignments. These values might change frequently. For example, the following types of changes are included in this category: The impact within Oracle Identity Manager is relatively minor because the changes happen at the level of each individual entitlement. |
| An administrator makes item-risk changes to roles, resources, and entitlements | Moderate | Applies to situations where you or another administrator change the risk level of a role, an application instance, or an entitlement. The ripple effect of these changes can be large. Changing the risk level on a metadata object can change the item-risk level on every data object associated with the metadata object. Changing the risk level on a data object may affect its risk summary and, in turn, the risk summary of every other data object that contains it. For example, changing the risk level on an entitlement definition will change the Item Risk on every assignment of that entitlement that corresponds to it. Changing the Item Risk on an entitlement-assignment may change its Risk Summary. Changing the Risk Summary of an entitlement-assignment may affect the Risk Summary of the parent Account. Changing the Risk Summary of an Account may affect the Risk Summary of the User who owns the Account. |
| An administrator makes configuration changes to the Risk-Level Mappings | Major | Applies to situations where you or another administrator change the Risk-Level Mappings on the Risk Configuration page in Oracle Identity System Administration. Changing the risk level associated with a specific value of a specific risk factor could affect the risk summary of any user-role assignment, account, or entitlement-assignment that has that risk-factor value. Changing the risk summary of any user-role assignment, account, or entitlement-assignment could in turn affect every user associated with an affected user-role assignment, account, or entitlement-assignment. For this reason, you should change risk-level mappings only rarely. |
13.6 About Closed-Loop Remediation and Remediation Tracking
Closed-loop remediation is a feature that allows you to directly revoke roles, application accounts, and entitlements from the provisioning solution as a result of roles and entitlements revoked during the certification process.
When a certification is complete and all primary review tasks have been signed off, Oracle Identity Manager attempts to remove every user and privilege for which the final decision was to revoke. Requests are created to de-assign any role-assignment that is revoked, to de-provision any account that is revoked, to remove any entitlement-assignment that is revoked, and to delete or disable any user that is revoked. Specifically:
- Revoking a user deletes or disables the user and removes all privileges of that user.
- Revoking a user's role-assignment removes that member from the role. This might eventually cause provisioning to remove accounts and entitlement-assignments granted by the role (if those accounts and entitlement-assignments are not otherwise granted to the user).
- Revoking a user's account deletes or disables the account. This implicitly removes or disables any entitlement-assignments associated with that account.
- Revoking a user's entitlement-assignment removes the assignment from the account that contains it.
The remediation status can be tracked in the request catalog for auditing purposes. Each remediation-request contains the certification ID of the certification that spawned the request, which allows the Dashboard to link to the Track Requests page of Oracle Identity Self Service to display the status of all the requests associated with the certification that is being displayed.
13.7 Configuring Challenge Workflows
Some requests that are generated as a result of closed-loop remediation go through a challenge workflow. You can configure the requests that are auto-approved.
This section describes how to configure challenge workflows in the following topics:
13.7.1 About Challenge Workflows
The requests generated as a result of closed-loop remediation are either auto-approved or go through a challenge workflow.
By default, closed-loop remediation functions in the following way:
- If the person who signed off the certification (the final reviewer) is the user's (beneficiary's) manager, then the requests are auto-approved.
- If the final reviewer is not the user's manager, then the requests go through a challenge workflow, which is as follows:
  - A request is sent to the user (beneficiary) whose access is revoked.
  - If the beneficiary accepts the revoke by approving the request, then closed-loop remediation takes place and access is revoked.
  - If the beneficiary challenges the revoke by rejecting the request, then the request is sent back to the person who signed off the certification (the final reviewer).
  - If the final reviewer accepts the challenge, then the process stops and the beneficiary's access is not revoked.
  - If the final reviewer rejects the challenge, then closed-loop remediation takes place and the access is revoked.
13.7.2 Modifying Rules of Auto-Approval
The auto-approval logic is defined within the DefaultRequestApproval composites in SOA by using rules. You can modify the rules so that all closed-loop remediation requests are auto-approved.
To modify the rules so that all closed-loop remediation requests are auto-approved:
13.8 About Event Listeners
The Event Listener mechanism detects specific business events and stores the event details for certification.
The stored event details are called Certification Event Triggers, and these are processed into certifications by the Certification Event Trigger Task, running as a scheduled job. The business events currently detected by event listeners are modifications of Oracle Identity Manager users, either individually or in bulk.
Every event listener contains a ruleset and a certification definition, as described in Managing Certification Definitions. The ruleset contains one or more rules, each of which tests one or more conditions and specifies an action to take if its conditions are met. The standard action for event listener rules is to store a Certification Event Trigger that identifies the event listener, the user or users that were modified, and the certification definition that should be generated in response to this event.
Triggers accumulate between runs of the Certification Event Trigger Job. When the job runs, it groups the triggers by their event listener identifiers, and then processes each group according to the corresponding event listener's properties. By default, the trigger job creates a certification for all users in each group of triggers, using the listener's certification definition as the template for the certification. After this, the triggers from the completed group are deleted.
There are several properties that affect how an event listener's triggers will be processed by the trigger job. The first property determines whether the listener is in active or disabled state. If a listener is disabled, then its rules are no longer evaluated when business events occur, and therefore, no triggers are stored from that listener. If a listener stored triggers before being disabled, then the next trigger job run deletes those triggers without processing them. When a disabled listener is set back to active state, it can once again store triggers that are processed by the trigger job.
Another event listener property that affects trigger processing is its Event Count, which limits how many triggers may be processed for the listener during a single run of the trigger job. This setting is optional. If it is not specified, then the number is unlimited. If the event count is specified, then it represents the maximum number of triggers that may be processed. When the trigger job runs, it checks the listener's event count for each batch of triggers, and if the number of triggers exceeds the event count, then the triggers are discarded without generating a certification. This feature is useful for preventing huge certifications from being created when users are modified in bulk.
Finally, the trigger job itself may be configured to process the triggers from certain event listeners, but not others. This feature is controlled by a Certification Event Trigger Task parameter titled Event Listener Name List. If this parameter is left blank in the definition of the trigger job, then triggers from all listeners are processed when the trigger job runs. If the name list is defined, then only the listeners in that list have their triggers processed when the job runs; triggers from other listeners are ignored and retained for future trigger job runs. When multiple instances of scheduled jobs are defined for the Certification Event Trigger Task, then each list of event listeners can have its triggers processed on the most appropriate schedule.
Note:
If a listener name appears in more than one Event Listener Name List, or if one of the trigger jobs has an empty Event Listener Name List, then the first of these jobs to run consumes all of that listener's triggers. Triggers are always discarded after the first time they are processed.
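As an added illustration (not Oracle's code), the following Python model replays the trigger-processing rules described in this section on constructed listeners and triggers: grouping by listener identifier, deletion of a disabled listener's triggers, discarding a batch that exceeds the Event Count, and retention of triggers that fall outside a job's Event Listener Name List. All listener, definition, and user names are constructed for the example.

```python
"""Model of one run of the Certification Event Trigger Job.

Added example, not Oracle Identity Manager code. It reproduces the processing
rules described for event listeners (active/disabled state, Event Count, and the
job's Event Listener Name List) on constructed data so they can be checked.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class EventListener:
    name: str
    cert_definition: str               # certification definition used as the template
    active: bool = True                # disabled listeners get their triggers deleted unprocessed
    event_count: Optional[int] = None  # Event Count; None means unlimited


@dataclass
class Trigger:
    listener_name: str  # event listener identifier stored in the trigger
    user_login: str     # the user that was modified


@dataclass
class Certification:
    cert_definition: str
    users: List[str]


def run_trigger_job(triggers: List[Trigger],
                    listeners: Dict[str, EventListener],
                    name_list: Optional[List[str]] = None
                    ) -> Tuple[List[Certification], List[Trigger]]:
    """Process the triggers accumulated since the last run.

    name_list is the job's Event Listener Name List; blank means all listeners.
    Returns (certifications created, triggers retained for a later job run).
    Every trigger that this job instance looks at is consumed (deleted), whether
    or not a certification was produced for its group.
    """
    selected = set(name_list) if name_list else None
    groups: Dict[str, List[Trigger]] = {}
    retained: List[Trigger] = []
    for trig in triggers:
        if selected is not None and trig.listener_name not in selected:
            retained.append(trig)  # ignored by this job instance, kept for another
            continue
        groups.setdefault(trig.listener_name, []).append(trig)

    created: List[Certification] = []
    for name, group in groups.items():
        listener = listeners.get(name)
        # Disabled (or unknown) listener: its triggers are dropped without processing.
        if listener is None or not listener.active:
            continue
        # Event Count exceeded: discard the batch rather than build a huge certification.
        if listener.event_count is not None and len(group) > listener.event_count:
            continue
        # Assumption: a user modified several times appears once in the certification.
        users = list(dict.fromkeys(t.user_login for t in group))
        created.append(Certification(listener.cert_definition, users))
    return created, retained


def example_run() -> Tuple[List[Certification], List[Trigger]]:
    """Constructed scenario: four listeners, one job instance with a name list."""
    listeners = {
        "ManagerChange": EventListener("ManagerChange", "Manager Change Cert"),
        "BulkSafe": EventListener("BulkSafe", "Bulk Cert", event_count=2),
        "Retired": EventListener("Retired", "Old Cert", active=False),
        "Nightly": EventListener("Nightly", "Nightly Cert"),
    }
    triggers = [
        Trigger("ManagerChange", "jdoe"), Trigger("ManagerChange", "asmith"),
        Trigger("ManagerChange", "jdoe"),                       # same user twice
        Trigger("BulkSafe", "u1"), Trigger("BulkSafe", "u2"),
        Trigger("BulkSafe", "u3"),                              # 3 > Event Count of 2
        Trigger("Retired", "zz"),                               # disabled listener
        Trigger("Nightly", "mlee"),                             # not in this job's list
    ]
    return run_trigger_job(triggers, listeners,
                           name_list=["ManagerChange", "BulkSafe", "Retired"])


if __name__ == "__main__":
    certs, left = example_run()
    for c in certs:
        print(c.cert_definition, c.users)
    print("retained:", [(t.listener_name, t.user_login) for t in left])
```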
13.9 Configuring Event Listeners and Certification Event Trigger Jobs
Configuring event listeners involves creating, modifying, and deleting event listeners. Configuring certification event trigger jobs involves setting the Event Listener Name List parameter and adding more trigger jobs.
This section describes configuring event listeners and certification event trigger jobs in the following topics:
13.9.1 Creating an Event Listener
Creating an event listener involves providing values for the event listener attributes and adding a rule containing conditions that will be evaluated when an event takes place.
To create a new event listener:
Note:
Before creating an event listener, you must create a user certification definition or an application instance definition that will be executed when the Certification Event Trigger job is run.
- Log in to Oracle Identity Self Service.
- Click the Compliance tab.
- Click the Identity Certification box, and select Event Listeners. The Event Listeners page is displayed.
- From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Event Listener page is displayed.
- In the Listener Properties section, specify the name with which the event will be identified, and the description.
- From the Certification Definition list, select a certification definition that will be executed.
- In the Event Count box, enter the maximum number of events that should be processed for this listener at the time the Certification Event Trigger Job runs. Use this to avoid executing an action for bulk updates.
- From the Status list, select Active or Disabled status.
- In the Event Trigger section, add a rule containing conditions that will be evaluated when an event takes place. For example, when a user is updated, a condition can check if the user's title property or location property has changed. Another example can be a change of manager for a user.
  To add a condition:
  - In the Rules panel, click the plus (+) icon, click the down arrow key, and select General Rule. A new rule is included.
  - Select the rule, and the rule details are displayed on the right side.
  - Under IF, click the plus (+) icon, and then click the down arrow key to select the type of rule from the list. For example, Simple Test.
  - Click the lookup icon to open the Condition Browser.
  - Click Modified User, previousValue. Select manager, and click OK. This sets ModifiedUser.previousValue.Manager.
  - Select the condition operation, such as isn't.
  - Click the second lookup icon, search and select the attribute name, and click OK, so that the following condition is set:
    ModifiedUser.previousValue.Manager isn't ModifiedUser.currentValue.Manager
  - Under THEN, click the plus (+) icon to the left of Add Action.
  - Click the down arrow key and select call.
  - From the list, select certifyThisUser.
  When multiple rules are configured, you can set advanced properties such as priority, mode, and status. To provide advanced properties for a rule:
  - In the Rules panel, select the rule. The rule details are displayed on the right side.
  - Click the Properties link to open the Advanced Property window.
  - Provide the following information: Name, Description, Priority, Active, Advanced Mode, Tree Mode, and Effective Date.
  For more information on the Advanced Property Setting for a rule, see How to Show and Edit Advanced Settings for Rules in Designing Business Rules with Oracle Business Process Management.
- Click Create to create the event listener.
When the Certification Event Trigger job is run, a certification will be created for a user whose manager has changed.
An event listener rule can also check for an attribute's change to a specific value. For example:
ModifiedUser.previousValue.country isn't ModifiedUser.currentValue.country and ModifiedUser.currentValue.country is "Brazil"
The first part, ModifiedUser.previousValue.country isn't ModifiedUser.currentValue.country, checks for a change in the Country attribute. Any change causes this condition to evaluate to TRUE. The second part, and ModifiedUser.currentValue.country is "Brazil", adds a second condition to the rule, which checks whether the attribute has changed to a specific value, in this example Brazil. This is applicable if some special certification is required for employees moving to Brazil. For employees who have moved to some other place, the rule's action is not triggered.
Note:
User-Defined Fields (UDFs) or custom attributes do not appear in ModifiedUser's lists of current and previous values, but these attributes can be specified in the Event Listener rule conditions. To do so, type an expression in the following format into the rule's condition field:
ModifiedUser.{current|previous}Value.get{String|Integer|Long|Date|Boolean}Attribute("NAME")
Here, NAME is the internal name of the UDF. For example, to retrieve the previous value of a string-valued UDF named FavoriteColor, insert the following expression:
ModifiedUser.previousValue.getStringAttribute("FavoriteColor")
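The rule conditions from this section (manager change, country changed to "Brazil") and the UDF expression from the note, modelled as an added Python example that is not Oracle Business Rules code: ModifiedUser carries previousValue and currentValue snapshots, the is/isn't operators map to ==/!=, and getStringAttribute stands in for the UDF accessor, so each rule's certifyThisUser action can be checked against constructed user-modification events. Rule names, logins, and attribute values are all constructed.

```python
"""Model of event listener rule conditions over the ModifiedUser fact.

Added example, not Oracle Identity Manager or Oracle Business Rules code.
A condition is a predicate over ModifiedUser; when it holds, the listener's
certifyThisUser action stores a trigger (modelled here as a (rule, login) pair).
"""
from typing import Callable, Dict, List, Optional, Tuple


class UserValues:
    """One snapshot of a user: standard attributes plus UDFs (custom attributes)."""

    def __init__(self, manager: Optional[str] = None, country: Optional[str] = None,
                 udfs: Optional[Dict[str, object]] = None):
        self.Manager = manager      # named as on the page: ModifiedUser.<snapshot>.Manager
        self.country = country      # ModifiedUser.<snapshot>.country
        self._udfs = dict(udfs or {})

    # UDFs are not listed as properties; the page's get{Type}Attribute("NAME")
    # form is modelled by these accessors (stand-ins, not the real API).
    def getStringAttribute(self, name: str) -> Optional[str]:
        value = self._udfs.get(name)
        return None if value is None else str(value)

    def getIntegerAttribute(self, name: str) -> Optional[int]:
        value = self._udfs.get(name)
        return None if value is None else int(value)


class ModifiedUser:
    """The fact an event listener rule evaluates: previous and current values."""

    def __init__(self, login: str, previous: UserValues, current: UserValues):
        self.login = login
        self.previousValue = previous
        self.currentValue = current


Condition = Callable[[ModifiedUser], bool]


def manager_changed(mu: ModifiedUser) -> bool:
    # ModifiedUser.previousValue.Manager isn't ModifiedUser.currentValue.Manager
    return mu.previousValue.Manager != mu.currentValue.Manager


def moved_to_brazil(mu: ModifiedUser) -> bool:
    # ModifiedUser.previousValue.country isn't ModifiedUser.currentValue.country
    #   and ModifiedUser.currentValue.country is "Brazil"
    return (mu.previousValue.country != mu.currentValue.country
            and mu.currentValue.country == "Brazil")


def favorite_color_changed(mu: ModifiedUser) -> bool:
    # UDF comparison using the page's getStringAttribute("FavoriteColor") form
    return (mu.previousValue.getStringAttribute("FavoriteColor")
            != mu.currentValue.getStringAttribute("FavoriteColor"))


# Constructed rule names; the action of every rule is certifyThisUser.
RULES: Dict[str, Condition] = {
    "ManagerChangeRule": manager_changed,
    "BrazilTransferRule": moved_to_brazil,
    "FavoriteColorRule": favorite_color_changed,
}


def evaluate_listener(events: List[ModifiedUser],
                      rules: Dict[str, Condition] = RULES) -> List[Tuple[str, str]]:
    """Return the triggers a listener would store: one (rule, login) per firing rule."""
    triggers: List[Tuple[str, str]] = []
    for mu in events:
        for name, condition in rules.items():
            if condition(mu):
                triggers.append((name, mu.login))  # certifyThisUser
    return triggers


def example_events() -> List[ModifiedUser]:
    """Constructed user-modification events (not real data)."""
    return [
        ModifiedUser("jdoe", UserValues("mgr1", "US"), UserValues("mgr2", "US")),
        ModifiedUser("asmith", UserValues("mgr3", "US", {"FavoriteColor": "red"}),
                     UserValues("mgr3", "Brazil", {"FavoriteColor": "red"})),
        ModifiedUser("mlee", UserValues("mgr4", "US"), UserValues("mgr4", "Canada")),
        ModifiedUser("kpatel", UserValues("mgr5", "IN", {"FavoriteColor": "blue"}),
                     UserValues("mgr5", "IN", {"FavoriteColor": "green"})),
    ]


if __name__ == "__main__":
    for rule, login in evaluate_listener(example_events()):
        print(f"{rule}: certifyThisUser({login})")
```

Note that mlee's move to Canada fires nothing: the first condition of BrazilTransferRule is true but the second is not, which is the point of the two-part rule.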
13.9.2 Modifying an Event Listener
Modifying an event listener involves selecting the event listener in the Event Listeners page and editing the event listener attributes in the event listener details page.
To modify an event listener:
- In the Compliance tab of Oracle Identity Self Service, click the Identity Certification box and select Event Listeners. The Event Listeners page is displayed with a list of event listeners.
- Select the event listener that you want to modify.
- From the Actions menu, select Open. Alternatively, click Open on the toolbar. The event listener details page is displayed.
- Edit the values in the fields to modify the event listener.
- Click Save.
13.9.3 Deleting an Event Listener
Deleting an event listener involves selecting the event listener in the Event Listeners page and using the Delete option.
To delete an event listener:
- In the Compliance tab of Oracle Identity Self Service, click the Identity Certification box and select Event Listeners. The Event Listeners page is displayed with a list of event listeners.
- Select the event listener that you want to delete.
- From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.
- Click Yes to confirm.
13.9.4 Configuring Certification Event Trigger Jobs
The Certification Event Trigger Job offers an optional parameter called Event Listener Name List. If one or more event listener names are supplied in this field, then the trigger job will only process the triggers for those listeners, which implies that you will need multiple trigger jobs to cover processing for your full set of listeners.
This section describes how to set the Event Listener Name List parameter and how to define multiple trigger jobs. It contains the following topics:
13.9.4.1 Setting the Event Listener Name List
To set the Event Listener Name List:
- Log in to Oracle Identity System Administration.
- On the left pane, under System Configuration, click Scheduler.
- In the search field, enter Certification Event Trigger Job, and perform the search.
- Click the job name in the search result to display the trigger job details.
- Scroll down to the Parameters section, where you can see a parameter titled Event Listener Name List (comma separated).
- Enter one or more event listener names in this field, separated by commas. Make sure to type each listener's name exactly as it appears in the Name column of the Event Listeners table.
- Click Apply to save the changes.
13.9.4.2 Adding More Trigger Jobs
In addition to the predefined instance of the Certification Event Trigger Job, you can create new trigger job instances by performing the following steps:
- Log in to Oracle Identity System Administration.
- On the left pane, under System Configuration, click Scheduler.
- On the left pane, from the Actions menu, select Create. Alternatively, you can click the icon with the plus (+) sign beside the View list.
- In the Create Job panel, expand the Task field by clicking the icon to its right.
- In the Search field, enter Certification Event Trigger Task, and perform the search.
- In the search result, click the Certification Event Trigger Task row, and then click Confirm.
- Enter the Job Name and any desired scheduling details for this trigger job instance.
- In the Event Listener Name List field, enter a comma-separated list of the listener names that this trigger job instance will process.
Every instance of the trigger job can have its own schedule or can be run manually, and can be restricted to handling triggers for a specified subset of listeners. This enables you to trigger different event listeners at different intervals.
13.10 Configuring Certification Reports
Certification reports can be generated in PDF, RTF, HTML, Microsoft Excel, and CSV formats.
To configure the display of the Reports tab in the Detailed Information section of the Dashboard:
- Log in to Oracle Identity System Administration.
- Click the Compliance tab.
- Click the Identity Certification box, and select Certification Configuration. The Certification Configuration page is displayed.
- Select the Enable Certification Reports option.
- Click Save.
Reports can be generated in the following formats:
- PDF
- RTF
- HTML
- Microsoft Excel
- CSV
13.11 Understanding Multi-Phased Review in User Certification
Two-phased review and advanced delegation (TPAD) is supported for user certifications only. It involves multiple phases of review, delegation to multiple reviewers within each phase, and stages of certification in TPAD.
This section describes two-phased review with advanced delegation in the following sections:
13.11.1 About Functionality of Two-Phased Review with Advanced Delegation
TPAD combines the perspectives of business-oriented and technical reviewers and allows a certifier to delegate decision-making to other reviewers.
Collaborative certification or TPAD provides the following functionalities:
- Two-phased review, which allows combining, within a single certification, the perspectives of business-oriented and technical reviewers.
- Advanced delegation, which allows a certifier to retain overall responsibility while delegating decisions to others. Advanced delegation of individual line-items within a certification allows a reviewer to spread the work among several people who can work simultaneously. This allows those who are responsible for reviewing access within an enterprise to spread the burden and thus complete the work more quickly.
Note:
Oracle Identity Manager supports TPAD for user certification only. TPAD is not supported for role certification, application instance certification, and entitlement certification.
13.11.2 Multiple Phases of Review
Multiple phases of review combines multiple perspectives on the same set of user-access-privileges.
For user certification, the phases are:
- Business Review: This is the required first phase of review. The business reviewer, typically the manager of each user, views all the certifiable access privileges of a user. First, the manager confirms that the user is a valid holder of privileges, such as an employee, within that enterprise. Then the manager confirms that the user's position within the enterprise justifies the user's access privileges, such as role assignments, account assignments, and entitlement assignments. The business reviewer certifies or approves any privilege that seems appropriate and revokes any privilege that seems unnecessary or unreasonable.
- Technical Review: This is an optional second phase of review. The technical reviewer, typically the owner or an authorizer of each privilege, reviews the members of the privilege or the assignments of that privilege to specific users or to specific accounts of specific users. The technical reviewer certifies or approves any privilege that seems appropriate and revokes any assignment of that privilege that seems unnecessary or unreasonable.
- Final Review: This is an optional final phase of review. If the certification is configured to enable final review, then the primary reviewer from the first phase, for example the manager of each user, can see the decisions that reviewers made in the first two phases and can override those decisions if required.
See Also:
Who Is Involved in Completing Identity Certifications? for information about primary reviewer, technical reviewer, final reviewer, and delegated reviewer.
13.11.3 Delegation to Multiple Reviewers Within Each Phase
The primary reviewer in Phase One or Phase Two can reassign responsibility, and delegate and undelegate line-items.
The primary reviewer in Phase One or Phase Two can spread the work to other users in the following ways:
- The primary reviewer can reassign responsibility for any set of line items to another user. Reassignment transfers the responsibility to another person, whereas delegation retains the responsibility with the primary reviewer. Reassignment of line items in Phase One creates a new certification.
- The primary reviewer can delegate each line-item, or any set of line-items, to any user that the primary reviewer selects. This user is called a delegated reviewer. Delegating a line-item marks that line-item as delegated in the primary reviewer's task, and prevents the primary reviewer from acting on that line-item.
- The primary reviewer can undelegate any delegated line-item at any time within the phase before signing off the certification task. Undelegating a line-item removes it from the delegated reviewer's task, and allows the primary reviewer to act on the line-item, for example, by making certification-decisions or delegating or reassigning it.
In Phase One or Phase Two, whenever the primary reviewer delegates line-items and signs off with at least one line-item still delegated, which means that the primary reviewer has not undelegated all of those line-items before signing off, then Oracle Identity Manager generates a review task for Phase-One Verification or Phase-Two Verification, and assigns this task to the primary reviewer. This task allows the primary reviewer to see and override any decision that a delegated reviewer made in that phase.
13.11.4 Stages of Certification in TPAD
The stages of certification in TPAD are phase one with verification, phase two with verification, and final review.
The certification stages in TPAD are described in the following sections:
13.11.4.1 About Stages of Certification in TPAD
Figure 13-2 illustrates the stages of certification in TPAD by combining the required Phase One, the optional Phase Two, and the optional Final Review phase that depends on Phase Two, with the conditional verification tasks.
Figure 13-2 Stages of Certification in TPAD
As shown in Figure 13-2, the overall sequence of stages within TPAD certification are:
- start: Certification is created, and certification task is generated by running the Certification Creation Task scheduled job.
- Phase One Review: This is always required.
- Phase One Verification: This takes place only if Phase One is completed with delegations.
- Phase Two Review: This is optional depending on configuration.
- Phase Two Verification: This takes place only if Phase Two is completed with delegations.
- Final Review: This is optional depending on configuration and takes place only if Phase Two is completed.
- end: Certification task is completed. If any access has been revoked as a part of the certification completion, then closed-loop remediation takes place.
13.11.4.2 Phase One With Verification
Figure 13-3 shows the first phase of certification review with TPAD.
Following is the process flow of the Phase One review with verification in TPAD:
- Start: A set of certification objects are generated, and the review process starts. Every line-item within each particular certification object is assigned to a Phase One Primary Reviewer (P1PR).
- Task P1PR: When the scheduled jobs for certification generation are run, Oracle Identity Manager uses Service-Oriented Architecture (SOA) to create a task, for each certification object, which is assigned to the Phase One Primary Reviewer (P1PR).
  When the primary reviewer opens the task, the primary reviewer can see every line-item within the certification object. If the primary reviewer opens any particular line-item, then the primary reviewer can see every line-item-detail for that line-item.
  The primary reviewer can act on any line-item within the task. The primary reviewer can delegate any line-item to another person, or can reassign any line-item to another person. By default, the primary reviewer owns every line-item and can decide, such as certify or revoke, the line-item-details.
  After every line-item has either been decided (each of its details has a Phase-One Decision) or has been delegated or reassigned, the primary reviewer can sign off or complete the task.
- P1PR Reassigns Item(s): If the primary reviewer during Phase One reassigns any set of line-items to another person, then Oracle Identity Manager removes those reassigned line-items (and their details) from the original certification and puts them into a new and separate certification. The person to whom the line-items were reassigned becomes the P1PR for that new and separate certification.
  The reassigned line-items disappear from the task of the original P1PR, and do not reappear within this review process. Even if the new P1PR reassigns or delegates the line-items back to the original P1PR, this creates a new task for the original P1PR that is part of a different review process, in the following way:
  - If the new P1PR reassigns line-items back to the original P1PR, this will be a new certification with its own P1PR task.
  - If the new P1PR delegates the line-items back to the original P1PR, then this will be a new delegated review (P1DR) task within the review process of the new P1PR.
- P1PR Delegates Item(s): If the primary reviewer delegates any set of line-items to another person, then that person is the phase one delegated reviewer (P1DR) for each of those line-items. A new task is created and assigned to the new P1DR.
  Note:
  In order to minimize the number of tasks, it is recommended that you select in a single delegation the set of line-items that you intend to delegate to a particular reviewer. Otherwise, the delegated reviewer can receive any number of tasks, each of which contains some subset of line-items from the same phase of the same certification object.
  When the primary reviewer delegates a particular set of line-items, the line-items are marked as delegated within the task from which the primary reviewer delegated them. The primary reviewer can no longer act within that task on those line-items unless the primary reviewer undelegates them. The primary reviewer has an opportunity during Phase One Verification to see and override the decisions made by any delegated reviewer.
- P1PR Undelegates Item(s): The primary reviewer can undelegate or take back from a delegated reviewer any line-item that is delegated. Undelegating a line-item allows the primary reviewer to act on that line-item and removes that line-item from the task of the current delegated reviewer, which prevents the delegated reviewer from acting on it further.
- P1PR Signs Off: After every line-item has been completed or delegated or reassigned, the primary reviewer can sign off on the task, which completes the task. A line-item is completed when all of its details have a decision for the current phase. At this point, Oracle Identity Manager determines whether or not Phase One Verification (P1V) is required.
- SOA (De)Proxies Assignee (P1PR): A proxy can be assigned for the assigned reviewer, such as P1PR. For example, when the reviewer is scheduled to go on vacation, the reviewer can activate a proxy. When the reviewer returns from vacation, the proxy is deactivated. When the newly assigned (proxy) reviewer opens the task, the proxy reviewer can view and act on each line-item and line-item-details. See Managing Proxies for information about adding, modifying, and removing proxies.
- SOA Escalates Task (P1PR): The certification task can be escalated depending on configuration of the SOA composite that Oracle Identity Manager uses for certification-review tasks. For example, if the reviewer has not signed off or completed a task within a configured time-limit, SOA can escalate the task and reassign it to the manager of the currently-assigned reviewer. After the task is escalated the maximum number of times or has reached some other condition that terminates escalation, the task expires.
- SOA Expires Task (P1PR): A certification review task can expire in certain conditions. For example, if the reviewer has not signed off a task within a configured time-limit, then the task can expire. If the task is configured to escalate before expiring, then SOA expires the task only after it has escalated the maximum number of times or reaches some other condition that terminates escalation. When a task expires, it cannot be acted upon.
- Task: P1DR: Each delegated-review task contains a set of line-items that the primary reviewer has delegated to the delegated reviewer. When the delegated reviewer opens the task, the delegated reviewer can see only the line-items that are delegated in the particular delegation-event that produced the task. If the phase-one delegated reviewer (P1DR) opens any particular line-item, P1DR can see every detail for that line-item.
  The delegated reviewer can act on any line-item within the task. The delegated reviewer cannot delegate any line-item to another person, cannot undelegate any line-item, and cannot reassign any line-item to another person. By default, the delegated reviewer owns every line-item and can decide, such as certify or revoke, its line-item-details. After every line-item has been decided, that is, all the details for the line-item have a Phase-One Decision, the delegated reviewer can sign off or complete the task.
- P1DR Signs Off: After every line-item within a delegated-review task has been decided, the delegated reviewer can sign off on the task. Every delegated-review task must complete or must expire before the certification review process can proceed to Phase-One Verification.
- Any line-item has P1DR: This branch-point decides whether the Phase One Verification stage is required. This depends on whether any line-item is delegated:
  - If any line-item that is not reassigned remains delegated when the P1PR signs off, then the review process moves to Phase One Verification.
  - If no line-item that is not reassigned remains delegated when the P1PR signs off, then the review process moves to Phase Two.
- All P1DR tasks are signed off or expired: This branch loops until every Phase One delegated-review task has either been signed off (completed) or has expired.
- Task: P1V: After the primary reviewer (P1PR) has signed off and every delegated-review task (P1DR) has either completed or expired, Phase One Verification begins. Another task for the same certification object is created and assigned to the primary reviewer. Within this task, the primary reviewer can see and override any decision made in Phase One. The primary reviewer also can complete any line-item that no delegated reviewer has completed. The primary reviewer cannot reassign or delegate, and therefore cannot undelegate, any line-item within this task.
- P1PR Signs Off (P1V): After every line-item-detail within the certification object, for every line-item that has not been reassigned to another primary reviewer, has a decision, the Phase-One Primary Reviewer can sign off. When the reviewer signs off on the Phase-One Verification task, the certification review process proceeds to Phase Two.
- SOA can proxy the assignee, and escalate or expire the P1V task (similar to the P1PR task). See the SOA (De)Proxies Assignee, SOA Escalates Task, and SOA Expires Task items above for details.
13.11.4.3 Phase Two With Verification
Phase Two is an optional, plural, and rotated version of Phase One.
Optional: Phase Two is optional because it occurs only if Phase Two is enabled in configuration, the administrator specified a strategy to select a Phase Two Primary Reviewer, and the specified strategy assigned a Phase Two Primary Reviewer to at least one line-item within the certification.
Plural: There can be multiple Phase Two Primary Reviewers because each reviewer administers or authorizes a line-item-detail rather than a line-item. For example, in a user certification, each role assignment, account assignment, or entitlement assignment can have a different primary reviewer.
Rotated: Each reviewer in Phase Two can see a rotated view. For example, in Phase One of user certification, the business-reviewer can see users as line-items and each user's access-privileges as line-item-details. In Phase Two of user certification, each technical reviewer can see privilege-definitions, such as role, application instance, or entitlement definitions, as line-items and can see members of each privilege as line-item-details. This privilege-centric view is more useful to a technical-reviewer, who can delegate or reassign responsibility for individual privilege-definitions.
Figure 13-4 shows the second phase of certification review with TPAD.
The stages in Phase Two are similar to Phase One, except for the following:
- Task: P2PR: A review task is generated for each type of privilege for which each Phase Two primary reviewer (P2PR) must review assignments within that certification. When a Phase Two primary reviewer opens a P2PR task, that primary reviewer can see a list of line-items for which that primary reviewer is responsible within the certification object. For example, in Phase Two of a user certification, the Technical Reviewer who opens a P2PR task can see a list of privileges, such as role definitions, application instance definitions, or entitlement definitions, for which that primary reviewer is the certifier and for which that certification object contains assignments. Because this type of certification is user-centric, the rotated view is privilege-centric.
  If the primary reviewer opens any particular line-item, the primary reviewer can see every line-item-detail for that line-item. The primary reviewer can act on any line-item within the task. The primary reviewer can delegate any line-item to another person or can reassign any line-item to another person. By default, the primary reviewer owns every line-item and can decide, such as certify or revoke, its line-item-details.
- P2PR Reassigns Item(s): If the primary reviewer in Phase Two reassigns any set of line-items to another person, then that person becomes the new primary reviewer (P2PR) for those line-items. Oracle Identity Manager creates a new primary-review task and assigns it to the new P2PR.
  Note:
  The Reassign operation in Phase Two does not generate a new certification. For example, if a primary technical reviewer reassigns a (rotated) line-item, then this does not split the certification.
  The reassigned line-items disappear from the task of the original P2PR. The line-items are displayed within a separate task that is assigned to the new P2PR.
13.11.4.4 Final Review
Final Review is optional and is a tie-breaker. It is the simplest phase in TPAD.
Optional: Final Review occurs only if it is enabled in configuration, the administrator specified in the certification definition that Final Review is to be performed, and Phase Two is performed because at least one line-item had a Phase Two Primary Reviewer.
Tie-breaker: Because the Phase Two reviewers may have made different decisions than the Phase One reviewers, the Phase One primary reviewer can view and override the decisions made in the two earlier phases. Therefore, Final Review is a tie-breaker.
Simplest phase: There is only one Final Reviewer, who is the Phase One Primary Reviewer. The Final Reviewer cannot delegate and cannot reassign. The Final Reviewer can see the decisions made during Phase One, the decisions made during Phase Two, and can override the decisions.
Figure 13-5 depicts the optional Final Review phase of certification review with TPAD.
In Final Review, the following stages are different from other review phases:
- System Calculates FRD: Oracle Identity Manager calculates a Final Review Decision (FRD) in the following manner:
  - For any line-item detail that has a Phase Two decision other than Abstain, the Phase Two decision becomes the Final Review decision.
  - If a particular line-item detail lacks a Phase Two decision, or if the Phase Two decision is to abstain, then the Phase One decision becomes the Final Review decision.
- Final Review is enabled: This branch decides whether or not to generate a task for Final Review and assign it to the Phase One Primary Reviewer. If Phase Two is disabled in configuration, or if Phase Two is not used in this certification review, or if Final Review is disabled in configuration, then the task for Final Review is not generated. If Phase Two decisions have been made and Final Review is enabled in configuration, then the task for Final Review is generated.
- Task: FR: The Final Reviewer opens the Final Review task, and can see the following:
  - The decision made during Phase One on each line-item detail.
  - The decision made during Phase Two on each line-item detail.
  - The Final Review Decision.
  The Final Reviewer can override the FRD in the context of the Phase One and Phase Two decisions. The Final Reviewer cannot reassign or delegate, and therefore cannot undelegate, any line-item within the task. The Final Reviewer can sign off after validating each FRD. At that point, the Final Review task is complete and the overall certification process is complete, with the exception of closed-loop remediation, which Oracle Identity Manager performs automatically following signoff. If the Final Reviewer does not sign off and allows the Final Review task to expire, then the certification process is dead and does not complete.
- You can use Final Review to compare the Phase One decisions with the Phase Two decisions and make a final decision. If you prefer the Phase Two decision, then do not enable Final Review in configuration.
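The FRD rule and the gating of the Final Review task, modelled as an added Python example (not Oracle Identity Manager code; decision strings, the detail records and the sign-off validation are constructed here for illustration):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ABSTAIN = "Abstain"


@dataclass
class LineItemDetail:
    """One line-item detail with its per-phase decisions (constructed values)."""
    detail_id: str
    phase_one: Optional[str]          # decision of the Phase One primary reviewer
    phase_two: Optional[str] = None   # None when no Phase Two reviewer decided it


def final_review_decision(d: LineItemDetail) -> Optional[str]:
    """System Calculates FRD: a Phase Two decision other than Abstain wins;
    a missing or Abstain Phase Two decision falls back to the Phase One decision."""
    if d.phase_two is not None and d.phase_two != ABSTAIN:
        return d.phase_two
    return d.phase_one


def final_review_task_generated(phase_two_enabled: bool, phase_two_used: bool,
                                final_review_enabled: bool) -> bool:
    """'Final Review is enabled' branch: the task exists only if every condition holds."""
    return phase_two_enabled and phase_two_used and final_review_enabled


def final_review_task(details: List[LineItemDetail],
                      overrides: Optional[Dict[str, str]] = None) -> Dict[str, Optional[str]]:
    """What the Final Reviewer sees and signs off: the computed FRD per detail,
    with any explicit overrides (detail_id -> decision) applied on top."""
    frd = {d.detail_id: final_review_decision(d) for d in details}
    frd.update(overrides or {})
    return frd


def can_sign_off(frd: Dict[str, Optional[str]]) -> bool:
    """Assumed validation step: every detail must carry a decision before sign-off."""
    return all(v is not None for v in frd.values())
```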
13.12 About Pre-populate Certification Comments
This content applies only to OIG Bundle Patch 12.2.1.4.211010 Bundle Patch and later releases.
For a certification definition, when the Pre-populate comments on certify operations configuration property is selected, comments are mined for the campaign and pre-populated in the UI against each line item on the campaign details page, where available.
When the campaign is executed, the comment for each line item is populated with the first available of the following, in this order:
- Non-empty comment from the last completed certification for the line item
- Comment from the Request Justification for the line item
- For an account or entitlement granted via an Access Policy, the justification for the associated Role Request
For more details on pre-populated comments, refer to the following flowchart:
Figure 13-6 Certification Comments
Note:
To populate a campaign with the most recent comments, execute the Certification Comments Mining job before you start the run for a certification definition. For more information about this job, see Predefined Scheduled Tasks.
13.13 About Certification UI New Features
This content applies only to OIG Bundle Patch 12.2.1.4.211010 Bundle Patch and later releases.
From this release, the UI experience is enhanced based on the values of the following configuration properties:
- Allow comments on certify operations
- Mandatory comments on certify operations
- Allow comments on all non-certify operations
- Mandatory comments on all non-certify operations
The following table provides the complete details:
Configuration Property Value | UI Behaviour |
---|---|
Comments allowed for certify operation => False | When you select one or more rows and click Certify, no dialog box is shown to enter comments. If any comment exists, it is changed to null. |
Comments allowed for certify operation => True; Mandatory comments for certify operation => False | The dialog box for entering comments is not shown when you select one or more rows and click Certify. The rows are certified using the existing comment against each row. To add or modify the comment for a row, select the row and use Edit Comments before performing the certify action. |
Comments allowed for certify operation => True; Mandatory comments for certify operation => True | Single row selected: The dialog box to set a comment is shown if no comment exists for the row. If a comment is present, no dialog box is shown and the row is certified using the existing comment. Multiple rows selected and comments exist for all rows: No dialog box is shown and the rows are certified using the existing comments. Multiple rows selected and a comment does not exist for one or more rows: The dialog box is shown with Comments and the check box "Use if comment does not exist". Deselect the check box if you want to use the comment provided for all the selected rows. If the check box is selected, the new comment is used only for those rows that do not have a comment; the other rows are certified with their existing comments. Select All: This uses the existing comments to certify all the rows across pages. If a comment is missing for any row, an error is displayed for that row and the other rows are certified. |
Comments allowed for non-certify operation => False | When you select one or more rows and click Revoke, no dialog box is shown. If any comment exists, it is updated to null. |
Comments allowed for non-certify operation => True; Mandatory comments for non-certify operation => False/True | When you click Revoke, a dialog box to enter comments is always shown. Comments can be entered in the dialog box, and they are required if the Mandatory comments for non-certify operation property is set to True. The existing comment against a row is not used in this case. |
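The certify-operation rows of the table above, expressed as an added Python decision function (an illustration written for this page, not Oracle Identity Governance code; the property names are mapped to the constructed `CommentConfig` fields, and row ids and comments are constructed sample data):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CommentConfig:
    allow: bool       # "Allow comments on certify operations"
    mandatory: bool   # "Mandatory comments on certify operations"


def certify_rows(cfg: CommentConfig, existing: Dict[str, Optional[str]],
                 selected: List[str], new_comment: Optional[str] = None,
                 use_if_missing: bool = True) -> Tuple[bool, Dict[str, Optional[str]]]:
    """Return (dialog_shown, comment stored per certified row) for one Certify click.
    `new_comment` is what the user would type in the dialog; `use_if_missing`
    mirrors the "Use if comment does not exist" check box (selected by default)."""
    if not cfg.allow:
        # Comments not allowed: no dialog, and any existing comment becomes null.
        return False, {r: None for r in selected}
    if not cfg.mandatory:
        # Allowed but optional: no dialog, rows keep whatever comment they carry.
        return False, {r: existing.get(r) for r in selected}
    missing = [r for r in selected if not existing.get(r)]
    if not missing:
        # Every selected row (one or many) already has a comment: no dialog.
        return False, {r: existing[r] for r in selected}
    # At least one selected row lacks a comment: the dialog appears and input is required.
    if not new_comment:
        raise ValueError("a comment is mandatory for certify operations")
    if use_if_missing:
        # Check box selected: new comment only where none exists, others keep theirs.
        return True, {r: existing.get(r) or new_comment for r in selected}
    # Check box deselected: the provided comment replaces comments on all selected rows.
    return True, {r: new_comment for r in selected}


def certify_select_all(existing: Dict[str, Optional[str]]) -> Tuple[Dict[str, str], List[str]]:
    """Select All with mandatory comments: rows with an existing comment are certified;
    each row without one is reported as an error instead of being certified."""
    certified = {r: c for r, c in existing.items() if c}
    errors = [r for r, c in existing.items() if not c]
    return certified, errors
```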
13.14 About Certification Oversight
Certification oversight is the activity of reviewing, and possibly overriding, the decisions of the primary reviewer within the scope of a particular primary-review task.
A person who has the opportunity to override the certification decisions of a primary reviewer within the scope of a particular primary-review task is called an overseer. The overseer has the following characteristics:
- An overseer must be an Oracle Identity Manager user.
- Only one overseer at a time can oversee a primary-review task.
- An overseer has the right to view and override the decisions made by the primary reviewer or by any previous overseer.
As a part of the certification configuration, you can select a certification composite that defines the certification oversight workflow. A certification composite is a SOA workflow that the certification server launches for each primary reviewer, or delegated reviewer, during a phase of certification.
By default, the CertificationOverseerProcess composite defines the following behavior:
- A primary-review task is not completed until the primary reviewer and every overseer in the sequence have signed off.
- Decisions signed off by the final overseer in the sequence of overseers are final for that primary-review task.
- Closed-loop remediation begins after the overall certification is complete. No phase of certification is complete until every primary-review task is complete.
- For the Phase Two and Final Review phases of certification:
  - Since Phase Two can have multiple primary reviewers, each primary-review task can have a separate sequence of overseers, one primary-review task per primary reviewer. For detailed information about multi-phased reviews, see Understanding Multi-Phased Review in User Certification.
- For delegation, oversight takes place only for the verification task of a primary reviewer. If the primary reviewer delegates during the primary-review task, then the primary-review task does not have oversight. Instead, oversight takes place during the subsequent verification task, which contains all the decisions for that phase.
- Reassignment of a line-item during Phase One of certification creates a new certification and a new primary-review task that is assigned to the re-assignee. A new sequence of overseers is calculated for the new primary-review task.
You can extend the default oversight functionality to specify different levels of oversight or stop the oversight process when a certain stage is reached. To do so, you must create and deploy custom certification composites. For more information on creating and deploying custom certification composites, see Customizing Certification Oversight in Developing and Customizing Applications for Oracle Identity Governance.
13.15 Troubleshooting Identity Certification
Verify the certification configuration settings and ensure that the required SOA patches have been applied.
Table 13-6 lists possible issues encountered while using identity certification and the steps to resolve the issues.
Table 13-6 Troubleshooting Identity Certification Issues
Problem | Solution |
---|---|
You create a certification definition and run the Certification Creation Task scheduled job, but no certification tasks are generated. | Make sure that all the certification configuration steps, as described in Configuring Certifications, have been performed. |
Note:
Ensure that all required SOA patches are applied.