4.6 New Certification

Use the New Certification wizard to create new certification definitions for user, role, application instance, and entitlement certifications.

General Details

Use the General Details page of the New Certification wizard to enter general information about the certification definition, such as certification name, certification type, and description.
Element: Description
Name: Enter a name for the certification definition. This is a mandatory field.
Type: Select any one of the following:
  • User: Select to create a new user certification definition.

  • Role: Select to create a new role certification definition.

  • Application Instance: Select to create a new application instance certification definition.

  • Entitlement: Select to create a new entitlement certification definition.

This is a mandatory field.

Description: Enter a description for the new certification definition.
Next: Click to go to the Base Selection page of the New Certification wizard.
Cancel: Click to quit the New Certification wizard without creating the certification definition.

Base Selection

Use the Base Selection page of the New Certification wizard to select an entity-selection strategy and selection constraints.
Element: Description
Base Selection: Select any one of the following options for a user certification definition:
  • Users from All Organizations: Select to specify users from all organizations in Oracle Identity Manager.

  • Only Users from Selected Organizations: Manually select specific organizations. You can select the organizations by clicking Add. To remove a selected organization, click Remove.

  • All users: Select to specify all the users in Oracle Identity Manager.

  • Users criteria: Select to specify all the users that meet the given search condition. After entering the search conditions, click Update and Preview Results.

  • Selected users: Select to indicate specific users from a list of users in the system. To select users, click Add. To remove selected users, click Remove.

Select any one of the following options for a role certification definition:
  • All Roles in All Organizations: Select to specify all roles in all the organizations in Oracle Identity Manager.

  • Roles from Selected Organizations: Select to specify the roles from the organizations that you specify. Click Add to search and select an organization. To remove a selected organization, click Remove.

  • All Roles: Select to specify all roles in Oracle Identity Manager.

  • Role criteria: Select to specify all of the roles that meet the given search condition. You can preview the results of this selection.

  • Selected roles: Select to manually select the roles.

Select any one of the following options for an application instance certification definition:
  • All Application Instances: Select to specify all application instances in Oracle Identity Manager.

  • Selected application instances only: Select to manually select the application instances. Click Add to search and select the application instances. To remove any selected application instance, click Remove.

Select any one of the following options for an entitlement certification definition:
  • Selected entitlements: Select to manually select the entitlements. Click Add to search and select the entitlements. To remove any selected entitlement, click Remove.

  • All Entitlements with Selected Certifiers: Select to specify a list of users; the certification includes all the entitlements for which those users are the certifier user in the catalog.

  • All Entitlements: Select to specify all entitlements from the catalog.

  • Entitlement Criteria: Select to specify entitlements based on criteria.

Selection Constraints: Select any one of the following self-explanatory options to specify constraints to the base selection for a user certification definition:
  • Users with Any Level of Risk

  • Only Users with High Risk Summaries

  • Only Users with High Risk Roles

  • Only Users with High Risk Application Instances

  • Only User with High Risk Entitlements

Select any one of the following self-explanatory options to specify constraints to the base selection for a role certification definition:
  • Roles with Any Level of Risk

  • Only High Risk Roles

Select any one of the following self-explanatory options to specify constraints to the base selection for an application instance certification definition:
  • Application Instances with Any Level of Risk

  • Only High Risk Application Instances

Select any one of the following self-explanatory options to specify constraints to the base selection for an entitlement certification definition:
  • Entitlements with Any Level of Risk

  • Only High Risk Entitlements

In addition, for an entitlement certification definition, optionally deselect the Include entitlements provisioned by access policy option to exclude entitlements that are provisioned by access policies from the certification definition. This option is selected by default.

Back: Click to go back to the General Details page of the New Certification wizard.
Next: Click to go to the Content Selection page of the New Certification wizard.
Cancel: Click to quit the New Certification wizard without creating the certification definition.

Content Selection

Use the Content Selection page of the New Certification wizard to specify the content of the certifications that will be created based on the certification definition.
Element: Description
Content Selection (for user certification definition): Select one or more of the following options:
  • Include users with no accounts: This option includes the users who have no access within the certification.

  • Limit the role-assignments to certify for each user: The list of roles per user can be restricted to the selected option. For example, if you select the selected roles option and add one role, then only that role shows up in the certification, provided it is marked as certifiable in the catalog, even if the user has other roles.

  • Include accounts with no certification attributes: This includes the accounts in the selected application instances even if there are no certifiable entitlements (access) within the target system. If you deselect this option, then accounts in the target system that do not have any entitlements do not appear in the certification.

  • Limit the application-instance-assignments to certify each user: Similar to roles, you can restrict the application instances you want to see within the certification.

  • Limit the entitlement-assignments to certify for each user: You can limit the entitlements that you can see within the certification.

Content Selection (for role certification definition): Select one or more of the following options:
  • Certify Policies: Select to specify the certification of policies.

  • Certify Members: Select to specify the certification of role members.

Content Selection (for application instance certification definition): Select any one of the following options:
  • Accounts of Users from All Organizations: Selects the accounts of users from all organizations in Oracle Identity Manager.

  • Accounts of Users from Selected Organizations: Allows you to manually select the organizations whose user accounts will be certified.

  • Accounts of All Users: Selects the accounts of all users in Oracle Identity Manager.

  • Accounts of Selected Users: Allows you to manually select the users whose accounts will be certified.

Content Selection (for entitlement certification definition): Content selection for entitlement certification definitions is not applicable, and therefore, the Content Selection page is skipped for entitlement certification definitions.
Back: Click to go back to the Base Selection page of the New Certification wizard.
Next: Click to go to the Configuration page of the New Certification wizard.
Cancel: Click to quit the New Certification wizard without creating the certification definition.

Configuration

Use the Configuration page of the New Certification wizard to set options that are used during certification creation based on the type of certification.

Set the configuration options, as described in Certification Configuration.

Reviewers

Use the Reviewers page of the New Certification wizard to specify a primary reviewer for the certifications, or Phase 1 and Phase 2 reviewers for multi-phased reviews.
Element: Description
Reviewer (for user certification definition): Select any one of the following options as the primary reviewer:
  • User Manager: Selects the user’s manager as the primary reviewer.

  • Organization Certifier: Selects the organization certifier as the primary reviewer.

  • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

  • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

    Group certifier assignments are not supported with the CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.

  • Custom Access Reviewer: A custom reviewer that you specify as the primary reviewer by populating the CERT_CUSTOM_ACCESS_REVIEWERS table in Oracle Identity Manager database.

For multi-phased review:
  • In the Phase 1 section, select any one of the following to select the Phase 1 reviewer:
    • User Manager: Selects the user's manager as the Phase 1 reviewer.

    • Organization Certifier: Selects the organization certifier as the Phase 1 reviewer.

    • Search for a User: Selects any user as the Phase 1 reviewer that you search and specify by clicking the lookup icon.

    • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the Phase 1 reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox. Group certifier assignments are not supported with the CertificationProcess composite. If you want to select this option, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.

    • Custom Access Reviewer: A custom reviewer that you specify as the Phase 1 reviewer by populating the CERT_CUSTOM_ACCESS_REVIEWERS table in Oracle Identity Manager database.

  • In the Phase 2 (Optional) section, select the Enable Phase 2 review process option to specify that the privilege certifier will be the primary Phase 2 reviewer for each user privilege, such as role, account, and entitlement assignments. Then, select any one of the following as the Phase 2 reviewer:
    • Certifier User: Selects the catalog certifier user as the Phase 2 reviewer.

    • Certifier Role: Selects the catalog certifier role as the Phase 2 reviewer. If a catalog item does not have a certifier role, then the task goes to the certifier user.

  • In the Final Review (Optional) section, select the Enable Final Review process option to enable a final review process by the Phase 1 reviewer for final validation and sign off.

Reviewer (for role certification definition): Select any one of the following options as the primary reviewer:
  • Role (Certifier User): Selects the certifier user as the primary reviewer.

  • Role (Certifier Role): Selects the certifier role as the primary reviewer.

    Note: Group certifier assignments are not supported with the default CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.

  • Organization Certifier: Selects the organization certifier as the primary reviewer.

  • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

  • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

Reviewer (for application instance certification definition): Select any one of the following options as the primary reviewer:
  • Application Instance (Certifier User): Selects the application instance certifier user as the primary reviewer.

  • Application Instance (Certifier Role): Selects the application instance certifier role as the primary reviewer.

    Note: Group certifier assignments are not supported with the default CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.

  • User Manager: Selects the user’s manager as the primary reviewer.

  • Organization Certifier: Selects the organization certifier as the primary reviewer.

  • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

  • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

Reviewer (for entitlement certification definition): Select any one of the following options as the primary reviewer:
  • Entitlement (Certifier User): Selects the entitlement certifier user as the primary reviewer.

  • Entitlement (Certifier Role): Selects the entitlement certifier role as the primary reviewer.

    Note: Group certifier assignments are not supported with the default CertificationProcess composite. If you want to specify a role as the primary reviewer, then you must select the CertificationOverseerProcess composite in the Configuration page of the wizard.

  • Search for a User: Selects any user as the primary reviewer that you search and specify by clicking the lookup icon.

  • Search for a Role: Selects all user members of any role that you select by clicking the lookup icon as the primary reviewer. Any user member of the role will be able to claim the task in order to review and certify. When the task is claimed by a user, other users in the role will not be able to view the task in the Inbox.

Back: Click to go back to the Configuration page of the New Certification wizard.
Next: Click to go to the Incremental page of the New Certification wizard.
Cancel: Click to quit the New Certification wizard without creating the certification definition.

Incremental

Use the Incremental page of the New Certification wizard to enable or disable incremental certification.
Element: Description
Generate Incremental Data: Select Enabled. This setting enables certifiers to certify or revoke only changes or inclusions made to a certification. It eliminates the need to review the access of users who have already been certified.
Show Previous Values (Optional): Select Enabled to specify that all the current values that existed in previous certifications are displayed with the last decisions taken for that access.

Deselect Enabled to specify that the values that have already appeared in the previous certifications based on the Incremental Date Range parameter are not included in the certification.

Incremental Date Range (Required): Select any one of the following options:
  • Since Last Base (default): Select to specify that certification data will be generated by comparing the current data against the last recorded, non-incremental certification data, for the same certification type.

  • Since Date: Select to specify that the current access of the user is compared against all the certifications of the same type from the given date until the certification is created.

Back: Click to go back to the Reviewers page of the New Certification wizard.
Next: Click to go to the Summary page of the New Certification wizard.
Cancel: Click to quit the New Certification wizard without creating the certification definition.
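
The following added example (not Oracle code, and not part of the original page) is a simplified model of how the Incremental options above determine which access items a certifier sees. The option labels SINCE_LAST_BASE and SINCE_DATE, the PastCert record, and all sample users and entitlements are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class PastCert:               # hypothetical record of one earlier certification
    created: date
    incremental: bool         # False = base (non-incremental) certification
    decisions: dict           # (user, entitlement) -> last decision taken

def previously_seen(history, date_range, since=None):
    """Access items already covered, per the Incremental Date Range option."""
    ordered = sorted(history, key=lambda c: c.created)
    if date_range == "SINCE_LAST_BASE":    # assumed label for "Since Last Base"
        chosen = [c for c in ordered if not c.incremental][-1:]
    elif date_range == "SINCE_DATE":       # assumed label for "Since Date"
        if since is None:
            raise ValueError("Since Date needs a date")
        chosen = [c for c in ordered if c.created >= since]
    else:
        raise ValueError(f"unknown date range: {date_range}")
    seen = {}
    for cert in chosen:                    # later certifications overwrite earlier ones
        seen.update(cert.decisions)
    return seen

def incremental_items(current, history, date_range, since=None, show_previous=False):
    """Return [(item, last_decision)]; last_decision is None for new access."""
    seen = previously_seen(history, date_range, since)
    items = []
    for item in sorted(current):
        if item not in seen:
            items.append((item, None))         # new access: needs a decision
        elif show_previous:
            items.append((item, seen[item]))   # shown with its last decision
    return items

# Constructed sample data: one base certification, one later incremental one.
HISTORY = [
    PastCert(date(2024, 1, 10), False, {("alice", "ERP_VIEW"): "Certify",
                                         ("bob", "ERP_ADMIN"): "Revoke"}),
    PastCert(date(2024, 4, 10), True, {("alice", "HR_EDIT"): "Certify"}),
]
CURRENT = {("alice", "ERP_VIEW"), ("alice", "HR_EDIT"),
           ("bob", "ERP_ADMIN"), ("bob", "DB_DBA")}

if __name__ == "__main__":
    print(incremental_items(CURRENT, HISTORY, "SINCE_LAST_BASE"))
    print(incremental_items(CURRENT, HISTORY, "SINCE_LAST_BASE", show_previous=True))
```

In this model, Since Last Base compares only against the base certification, so access certified in a later incremental certification is presented again, and with Show Previous Values deselected, access that was revoked earlier but is still present is not listed.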

Summary

Use the Summary page of the New Certification wizard to review the details of the certification definition.
Element: Description
Name: Verify the certification definition name.
Description: Verify the description of the certification definition.
Type: Verify the certification definition type, such as User, Role, Application Instance, or Entitlement.
Reviewer: Verify the primary reviewer of the certifications.
Incremental: Verify whether or not incremental certification has been enabled.
Base Selection: Verify the base selection and the selection constraints for the certification definition.
Content Selection: Verify the content selection for the certification definition.
Back: Click to go back to the Incremental page of the New Certification wizard.
Create: Click to create the certification definition.

A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job. Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.

Cancel: Click to quit the New Certification wizard without creating the certification definition.

Related Topics

Creating Certification Definitions in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance