12 Using Identity Certification
This chapter provides an overview of identity certification, describes the identity certification user interface, and includes information about how to complete identity certifications. It contains the following topics:
12.1 Identity Certification Overview
Understand identity certification and certification types, the various types of reviewers, and the certification types that can be accessed by each reviewer.
This section describes what, why, and how identity certifications are conducted. It also discusses who is typically involved in the identity certification process.
12.1.1 What Is Identity Certification?
Identity certification is the process of reviewing user entitlements and access-privileges within an enterprise to ensure that users have not acquired entitlements that they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access-privilege. Identity certification can be for the user, role, organization, and entitlement entities.
Certifications can be scheduled to run on a regular basis to meet compliance requirements. Managers use the identity certification feature to review their employees' entitlements to access applications and data. Based on changes reported by the identity certification module, managers can authorize or revoke employee access as needed.
You can create four types of certifications. Each type of certification addresses a particular use-case—a specific type of review that enterprises commonly perform. Each type of reviewer reviews a different subset of access-related data from a specific point of view.
Table 12-1 lists the four types of identity certification that are possible in Oracle Identity Manager.
Table 12-1 The Four Types of Identity Certification
Identity Certification Type | Description |
---|---|
User Certification | Allows managers to certify employee access to roles, accounts, and entitlements. Typically, each manager in an organization reviews the access-privileges of the people who report directly to that manager. Each reviewer in a certification of this type is focused on his or her direct reports, but is expected to review all of the access-privileges for each direct report. User certification optimizes review from the perspective of the line-of-business (LOB) manager, who must review all access-privileges for each user who reports to the LOB manager. User certification also supports a two-phased review, in which user access rights can be reviewed by managers first, and subsequently by any of the other IT owners, such as role owner, application instance owner, or entitlement owner, all within a single certification campaign. |
Role Certification | Allows role owners to certify role content and/or role members. This certification is used in organizations that have implemented role-based access control (RBAC). Typically, the owner of a role is the person responsible for reviewing its definition (that is, the set of access-privileges that it conveys) as well as its membership (the set of users to whom the role has been assigned). Each reviewer in a certification of this type is focused on a particular enterprise role. Role certification optimizes review from the perspective of the role authorizer or role administrator, who must review the definition and the membership of each role that is owned by that role authorizer or role administrator. |
Application Instance Certification | Allows the person who is responsible for a particular system or application to review the set of users who have accounts on that system or application. The reviewer can drill down and view the details of the access-privileges of each account. Each reviewer in a certification of this type is focused on one specific system or application. Application instance certification optimizes review from the perspective of the Application Instance Authorizer or Application Instance Administrator, who must review the membership (accounts) and the set of privileges (entitlement-assignments) for each application that is owned by that Application Instance Authorizer or Application Instance Administrator. |
Entitlement Certification | Allows entitlement owners to certify user accounts that have a particular privilege. This certification is used if a specific person is responsible for a particular entitlement (that is, an Attribute Value or a group membership that confers a specific access-privilege). The entitlement owner can review the set of user accounts that have that particular entitlement. Each reviewer in a certification of this type is focused on one specific privilege within one specific resource. Entitlement certification optimizes review from the perspective of the Entitlement Authorizer or Entitlement Administrator, who must review the definition and the membership (entitlement-assignments) for each privilege (entitlement-definition) that is owned by that Entitlement Authorizer or Entitlement Administrator. |
A scheduled job generates certifications based on a specified certification definition. Oracle Identity Manager applies the selection criteria within the certification definition to select the privilege assignments (and/or privilege definitions) that will be reviewed and by whom. Oracle Identity Manager generates a separate certification for each primary reviewer. Oracle Identity Manager also generates a review task for each primary reviewer. Oracle Identity Manager creates a new review task whenever a primary reviewer delegates or reassigns line-items to another reviewer. As each reviewer acts on the review task assigned to that reviewer, this updates the overall certification. Overall progress for each certification is visible from the Dashboard.
12.1.2 Who Is Involved in Completing Identity Certifications?
Identity certification allows personnel in an organization to review and certify user entitlement data, role content data, application instance data, and entitlement data.
This section provides descriptions of the types of users that are typically involved in the identity certification process, as well as the certifications that each user type can authorize or revoke. In Oracle Identity Manager, personnel who participate in the identity certification process are called reviewers.
Table 12-2 lists the reviewers involved in identity certification.
Table 12-2 Identity Certification Reviewers
Reviewer Name | Description | Certification Types That Can Be Accessed |
---|---|---|
Certifier | A generic term that signifies a person who is responsible for reviewing and completing any kind of certification. | |
User manager | A manager with direct reports. Users report to a user manager. | |
Business reviewer | A user within an enterprise who reviews the access-privileges of other users from a business-oriented perspective. Typically, this is a Line-Of-Business (LOB) manager who is responsible for the access-privileges of users who report to him/her. Note: LOB is a category of industry or business function. For example, an LOB manager is oriented to a business function within an enterprise, such as Sales. | |
Primary Reviewer | The person who is primarily responsible for making certification decisions on a particular set of line-items. The primary reviewer can reassign a line-item to another user, in which case that user becomes the new primary reviewer for that line-item, and the original primary reviewer never sees that line-item again. The primary reviewer can also delegate any of his line-items to another person, in which case that user becomes the delegated reviewer for that line-item, but the primary reviewer still retains responsibility for that line-item. Note: For information about line-item, see Line of Business and Line Item. | |
Technical Reviewer | A user within an enterprise who reviews the access-privileges of others from a technically-oriented perspective. Typically, this is an IT expert or an application-owner who is responsible for access-privileges being specified correctly, or for limiting access within the enterprise to a specific access-privilege. | |
Delegated Reviewer | A person who is assigned to help with the certification work. The delegated reviewer is secondarily responsible for making certification-decisions on a particular set of line-items, but the primary reviewer remains ultimately responsible. Any decision made by the delegated reviewer eventually returns to the primary reviewer, who can override that decision. | |
Final Reviewer | The person who has the final say over the certification-decisions. The final reviewer can review and override the certification decisions of other reviewers. Final Review is performed only after a two-phased review (and only when an administrator has configured the certification-definition to enable this). The primary reviewer from the first phase can then make a final review of the certification actions made by all the reviewers in the first two phases. | |
12.2 Certification UI
You can view and work with certification objects by using the Pending Certifications page and the Certification Dashboard in the Identity Self Service.
You can view and work with certification objects by using the following in Oracle Identity Self Service:
- Pending Certifications page: The Pending Certifications page lists all the tasks assigned to the logged-in user in a single screen. It enables the logged-in user to filter the task view by preferences such as assigned tasks, completed tasks, and tasks for which information has been requested. The user can select a task to open it in a new tab and then perform the necessary actions on the task. This allows the user to work on multiple tasks at a time by opening them in different tabs.

  To access the Pending Certifications page, log in to Oracle Identity Self Service, and in the Self Service tab, click the Certification box.

  See Also: Managing Certification Review Tasks for detailed information about the Pending Certifications page and the operations you can perform by using it.
- Dashboard: The Identity Certification Dashboard provides an overview of in-progress and completed certifications in the system. The certifications displayed in the Dashboard depend on your role. A user with either the Certification Administrator or Certification Viewer admin role can see all certifications in the system. A non-administrative user, for example, a manager, can see any certification for which that user is assigned as a primary reviewer. A primary reviewer or a user with the Certification Viewer admin role can view the certification information. A user assigned the Certification Administrator admin role can view any certification and take basic actions on in-progress certifications. The primary reviewer cannot take actions on the certifications in the Dashboard.

  To access the Dashboard, log in to Oracle Identity Self Service, click the Compliance tab, click the Identity Certification box, and select Dashboard.
12.3 Certification Name Formats
The certification task names are displayed in different formats depending on the review phase and the reviewer.
Table 12-3 lists the certification task names in various review phases.
See Also:
- "Certification Task" for information about certification tasks
- Understanding Multi-Phased Review in User Certification for information about the review phases in multi-phased review for user certification
Table 12-3 Certification Name Formats
Review Phase | Name Format | Example |
---|---|---|
Phase 1 (P1) | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ] | Q1 Access 2012[ Robert Klein ] |
Phase 1 Reassign | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Reassigned[ NEW_PRIMARY_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Reassigned[ Jane Doe ] |
Phase 1 Delegate | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Delegated[ P1_DELEGATED_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Delegated[ Jane Doe ] |
Phase 1 Verification | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Verification | Q1 Access 2012[ Robert Klein ]Verification |
Phase 2 (P2) | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ] |
Phase 2 (P2) | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ] |
Phase 2 (P2) | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ] |
Phase 2 Reassign | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Reassigned[ Jane Doe ] |
Phase 2 Reassign | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Reassigned[ Jane Doe ] |
Phase 2 Reassign | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Reassigned[ Jane Doe ] |
Phase 2 Delegate | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Delegated[ NEW_P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Delegated[ Jane Doe ] |
Phase 2 Delegate | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Delegated[ NEW_P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Delegated[ Jane Doe ] |
Phase 2 Delegate | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Delegated[ NEW_P2_TECHNICAL_REVIEWER ] | Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Delegated[ Jane Doe ] |
Phase 2 Verification | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Verification | Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Verification |
Phase 2 Verification | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Verification | Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Verification |
Phase 2 Verification | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Verification | Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Verification |
Final review | CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Final Review | Q1 Access 2012[ Robert Klein ]Final Review |
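The formats in Table 12-3 are regular enough to parse mechanically, which is useful when certification task names turn up in audit exports or notification logs and you need to know which phase a task belongs to and who currently holds it. The following Python parser is an added example and is not Oracle's own code; it assumes the names are built exactly as the table shows (one space inside each bracket pair, the scope labels Roles, Application Instances and Entitlements, and the suffixes Reassigned, Delegated, Verification and Final Review). The class and function names are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Labels and suffixes exactly as they appear in Table 12-3.
P2_SCOPES = ("Roles", "Application Instances", "Entitlements")
HANDOFF_ACTIONS = ("Reassigned", "Delegated")
TRAILING_SUFFIXES = ("", "Verification", "Final Review")

# One "[ NAME ]" segment; the text before it is the label that says what NAME means.
# Assumes the single-space padding shown in the table.
_BRACKET = re.compile(r"\[ (.+?) \]")


@dataclass
class CertTaskName:
    definition: str                            # CERT_DEFINITION, e.g. "Q1 Access 2012"
    phase: str                                 # "P1", "P2" or "Final Review"
    primary_reviewer: str                      # P1_PRIMARY_REVIEWER
    scope: Optional[str] = None                # P2 only: Roles / Application Instances / Entitlements
    technical_reviewer: Optional[str] = None   # P2_TECHNICAL_REVIEWER
    action: Optional[str] = None               # "Reassigned", "Delegated" or "Verification"
    new_reviewer: Optional[str] = None         # the reviewer named after Reassigned/Delegated


def parse_cert_task_name(name: str) -> CertTaskName:
    """Split a certification task name into its Table 12-3 components.

    Raises ValueError for names that follow none of the documented formats.
    """
    parts = _BRACKET.split(name)       # labels and bracketed names alternate
    labels, names = parts[0::2], parts[1::2]
    if not names or not labels[0]:
        raise ValueError(f"no '[ reviewer ]' segment in {name!r}")

    task = CertTaskName(definition=labels[0], phase="P1", primary_reviewer=names[0])

    # Every further bracket is preceded by a label: a P2 scope or a handoff action.
    # zip stops before the final label, which is the trailing suffix handled below.
    for label, reviewer in zip(labels[1:], names[1:]):
        if label in P2_SCOPES and task.scope is None and task.action is None:
            task.scope, task.technical_reviewer = label, reviewer
        elif label in HANDOFF_ACTIONS and task.action is None:
            task.action, task.new_reviewer = label, reviewer
        else:
            raise ValueError(f"unexpected segment {label!r}[ {reviewer} ] in {name!r}")

    trailing = labels[-1]              # text after the last bracket, if any
    if trailing not in TRAILING_SUFFIXES:
        raise ValueError(f"unexpected suffix {trailing!r} in {name!r}")
    if trailing == "Verification":
        if task.action is not None:
            raise ValueError(f"Verification cannot follow {task.action} in {name!r}")
        task.action = "Verification"
    elif trailing == "Final Review":
        if task.scope is not None or task.action is not None:
            raise ValueError(f"Final Review carries no scope or handoff: {name!r}")
        task.phase = "Final Review"
    if task.scope is not None:
        task.phase = "P2"
    return task


def current_reviewer(task: CertTaskName) -> str:
    """Who holds the task now, following Table 12-2: a reassignment or delegation hands
    it to the named user, a phase 2 task sits with the technical reviewer, and every
    other task (P1, verification, final review) sits with the primary reviewer."""
    if task.action in HANDOFF_ACTIONS:
        return task.new_reviewer
    if task.scope is not None:
        return task.technical_reviewer
    return task.primary_reviewer


if __name__ == "__main__":
    # Example rows from Table 12-3.
    for sample in (
        "Q1 Access 2012[ Robert Klein ]",
        "Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Reassigned[ Jane Doe ]",
        "Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Verification",
        "Q1 Access 2012[ Robert Klein ]Final Review",
    ):
        t = parse_cert_task_name(sample)
        print(f"{t.phase:12} held by {current_reviewer(t):14} <- {sample}")
```

Names that do not match any documented format raise rather than being guessed at, so a log line that was truncated or edited is reported instead of being attributed to the wrong reviewer.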
12.4 Searching and Viewing Certifications
You can search, sort, and view certifications, and access pre-upgrade certifications by using the Dashboard.
This section describes how to search and filter certifications in the Certification Dashboard, and how to view the details of certifications. It contains the following topics:
12.4.1 Searching Certifications in the Dashboard
The Dashboard enables you to perform basic search and advanced search for certifications.
This section contains the following topics:
12.4.2 Sorting Certification Search Results
Certification search results can be sorted in ascending and descending orders.
You can sort the certification search results in ascending and descending orders. To do so, see Sorting Data in Search Results.
In this release of Oracle Identity Manager, you can sort and list the certifications by their percentage completion. In the certification search results in the Dashboard, place the mouse pointer on the Percent Complete column to display the up and down arrows. Clicking the up arrow sorts the certifications in ascending order of percentage completion, and clicking the down arrow sorts them in descending order of percentage completion.
12.4.3 Viewing Certifications From the Dashboard
Only the primary reviewers, who have been selected as certifiers during the certification creation process, can see the certifications in the Dashboard.
You can open and view certification details from the Pending Certifications page or the Dashboard. However, not all users can see the certifications in the Dashboard. Only the primary reviewers, who have been selected as certifiers during the certification creation process, can see the certifications in the Dashboard. All other users can access certification tasks only from the Pending Certifications page. For example, delegated reviewers cannot see the particular certification in the Dashboard, but can see a certification task in the Pending Certifications page. Similarly, phase 2 reviewers for user certification cannot see any certification in the Dashboard. For non-admin users, the Dashboard provides read-only access to certifications for the purpose of monitoring.
See Also:
Understanding Multi-Phased Review in User Certification for information about the phases of reviews in multi-phased review for user certification.
To open and view certification details from the Dashboard:
12.4.4 Accessing Pre-Upgrade Certifications in the Dashboard
Run the Certification Maintenance Job scheduled job to populate pre-upgrade certifications in the Dashboard.
If you have upgraded Oracle Identity Manager from an earlier release, then no certifications are available in the Certification Dashboard. To populate the Dashboard with the pre-upgrade certifications, run the Certification Maintenance Job scheduled job. For information about this scheduled job and its parameters, see Predefined Scheduled Tasks in Administering Oracle Identity Governance.
The time required to complete the execution of the Certification Maintenance Job scheduled job depends on the number of pre-upgrade certifications and their content. If the upgraded system has a large number of pre-upgrade certifications, then this job execution might take a long time to finish. The job processes a few certifications at a time; the number depends on the Batch Size parameter.
If the job execution is interrupted before the job is finished, then the Certification Dashboard will only display the certifications that have been successfully processed by the job. This job is re-entrant and can be run multiple times if required. It will process each pre-upgrade certification once and populate the relevant data. Certification Maintenance Job execution does not impact other features or functionality. Run this job if any pre-upgrade certifications are found to be missing from the dashboard.
12.5 Completing User Certifications in Offline Mode
The Dashboard allows working on user certifications in offline mode. Offline certification is not allowed for other entities, such as role, organization, and entitlement.
This section describes user certification in offline mode. It contains the following topics:
12.5.1 Understanding User Certifications in Offline Mode
The availability of offline user certification is controlled by enabling or disabling the Enable Interactive Excel option in the Certification Configuration page in the Identity Self Service.
You have the option to download user certification data to your local computer and work on it in an offline mode by using Microsoft Excel without having an active session with Oracle Identity Manager. After making decisions on the certifications, you can connect to Oracle Identity Manager and upload your decisions. The availability of this option can be controlled by enabling or disabling the Enable Interactive Excel option in the Certification Configuration page in Oracle Identity Self Service. For information about this option, see Configuring Certification Options.
Note:
- The option to download user certification data to your local computer and work on it in an offline mode is available for user certifications only. This functionality is not available for role, application instance, and entitlement certifications.
- For this functionality to work, you must have Microsoft Excel 2016 or Excel for Microsoft Office 365. To configure Microsoft Excel for this functionality:
  - Ensure that the prerequisites described in Configuring Excel to work with ADF Desktop Integration in the Desktop Integration Developer's Guide for Oracle Application Development are met.
  - Perform the one-time configuration, as described in How to Install ADF Desktop Integration on Your System in the Desktop Integration Developer's Guide for Oracle Application Development.
- For applications running in an environment using Oracle Access Manager, ensure that the URL for the ADF Desktop Integration Remote servlet is configured as a protected resource for Oracle Access Manager. The ADF Desktop Integration Remote servlet is:
  http://IDM_HOST.IDM_DOMAIN.com:OIG_PORT/identity/adfdiRemoteServlet
When the Enable Interactive Excel option is enabled, the Download to Editable Excel menu option is available in the Actions menu in the certification detail and certification summary pages of the user certification.
12.5.2 Working on a User Certification in Offline Mode
You have the option to download user certification data to your local computer and work on it in an offline mode by using Microsoft Excel without having an active session with Oracle Identity Manager. After making decisions on the certifications, you can connect to Oracle Identity Manager and upload your decisions.
To work on a user certification in offline mode:
Note:
When you upload the spreadsheet data, if the application instance and entitlement decisions are different, the decisions for entitlements may be overridden on the server side depending on which data gets uploaded to the server first. In other words, data downloaded in a particular order is uploaded in that particular order.
For example, if you revoke an entitlement and certify the account as Certify Conditionally, the entitlement could also be certified as Certify Conditionally if the account is updated last in the server, after the entitlement has been updated.
As a workaround, you can download the Excel file again to verify the final value updated on the server.
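The ordering effect described in this note matters because a revocation is the decision that must not be lost, and the re-download check the note recommends can be made systematic rather than done by eye. The following Python example is added here and is not part of the Oracle product: the cascade rule it simulates (an account-level decision is pushed down to that account's entitlements, so whichever row the server applies last wins) is an assumption modelled on the note's own example, and the row layout, account names and entitlement names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Decision values as they appear in the certification UI.
CERTIFY = "Certify"
CERTIFY_CONDITIONALLY = "Certify Conditionally"
REVOKE = "Revoke"

Key = Tuple[str, str]          # (account, entitlement); entitlement is "" for account rows


@dataclass(frozen=True)
class DecisionRow:
    """One line of the downloaded spreadsheet (constructed layout, not Oracle's columns)."""
    kind: str                  # "account" or "entitlement"
    account: str               # account identifier, e.g. "jdoe@HRApp"
    entitlement: str = ""      # entitlement name, only for entitlement rows
    decision: str = CERTIFY


def intended_decisions(rows: List[DecisionRow]) -> Dict[Key, str]:
    """What the reviewer meant: the decision written on each row."""
    return {(r.account, r.entitlement): r.decision for r in rows}


def apply_upload(rows: List[DecisionRow]) -> Dict[Key, str]:
    """Simulate the server applying rows in upload order.

    Assumption (from the note's example): an account-level decision cascades to that
    account's entitlements, so an account row applied after an entitlement row
    silently replaces the entitlement decision.
    """
    entitlements_of: Dict[str, List[str]] = {}
    for r in rows:
        if r.kind == "entitlement":
            entitlements_of.setdefault(r.account, []).append(r.entitlement)

    final: Dict[Key, str] = {}
    for r in rows:
        if r.kind == "account":
            final[(r.account, "")] = r.decision
            for ent in entitlements_of.get(r.account, []):
                final[(r.account, ent)] = r.decision      # cascade: last write wins
        else:
            final[(r.account, r.entitlement)] = r.decision
    return final


def lost_revocations(intended: Dict[Key, str], final: Dict[Key, str]) -> List[Key]:
    """Entitlements the reviewer revoked that the server no longer shows as revoked.

    `final` is what a fresh download (the note's workaround) would contain.
    """
    return sorted(k for k, d in intended.items() if d == REVOKE and final.get(k) != REVOKE)


if __name__ == "__main__":
    # Constructed sample: revoke one entitlement, certify the account conditionally.
    rows = [
        DecisionRow("entitlement", "jdoe@HRApp", "Payroll Admin", REVOKE),
        DecisionRow("account", "jdoe@HRApp", decision=CERTIFY_CONDITIONALLY),
    ]
    for order, batch in (("entitlement first", rows), ("account first", list(reversed(rows)))):
        final = apply_upload(batch)
        print(f"{order:17}: Payroll Admin -> {final[('jdoe@HRApp', 'Payroll Admin')]!r}, "
              f"lost revocations: {lost_revocations(intended_decisions(batch), final)}")
```

Run against the decisions you uploaded and the spreadsheet you downloaded afterwards, `lost_revocations` gives the list of entitlements that need to be revoked again in the UI; an empty list means the server's final state matches what was intended.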
If you try to download the spreadsheet for a certification that has already been completed, then a different version of the spreadsheet is downloaded, in which all the columns are marked as read-only and the Save to Server button is not available.
12.6 Generating Certification Reports
You can generate certification reports from the Dashboard or from the Pending Certifications page.
This section describes generating certification reports in the following topics:
12.6.1 About Generating Certification Reports
Oracle BI Publisher reports are used for identity certification. These reports select data from the certification tables of the Oracle Identity Manager database.
There are specific templates to control the format and content of reports. For example, many of the certification reports have a template that includes details from action history for each line-item and detail, and another template that does not.
Oracle Identity Manager provides a set of predefined (default) certification reports. For more information about the default certification reports, see "Certification Reports" in Administering Oracle Identity Governance.
12.6.2 Generating Certification Reports From the Dashboard
Use the Reports tab of the Dashboard to generate certification reports in HTML or PDF format.
To generate certification reports by using the Dashboard:
1. In Oracle Identity Self Service, click the Compliance tab. Click the Identity Certification box, and select Dashboard.
2. Search for and select the certification for which you want to generate the report. The Detailed Information section is displayed for the selected certification.
3. Click the Reports tab.
4. Select the Report Type as Complete Certification, Certified, Revoked, Abstained, or Certified Conditionally.
5. From the Report Format Output list, select the format in which you want to generate the report, such as HTML or PDF.
6. Select the Display Action History option to include in the report the action history, that is, the trail of actions taken by all reviewers on the certification. If this option is deselected, the report does not include the action history.
7. Click Generate Report. The certification information is exported in the selected format, such as HTML or PDF.
Tip:
On selecting Excel as the report format in step 5, an error message is displayed on opening the report. This is a security alert from Microsoft and can be ignored. However, if you want to avoid the message, then perform the following steps:
1. Open the Windows registry.
2. Search for and navigate to the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security key.
3. Set the following value:
   (DWORD)"ExtensionHardening" = 0
This value turns off Excel's check that a file's contents match its extension for every file that user opens, not only for certification reports.