Using Identity Certification

12 Using Identity Certification

Identity certification concepts include certification types, reviewer types, certification name formats, and the Certification Dashboard. Using the Dashboard, you can search, filter, and view certifications from the Dashboard, complete user certifications in offline mode, and generate certification reports.

This chapter provides an overview of identity certification, describes the identity certification user interface, and includes information about how to complete identity certifications. It contains the following topics:

12.1 Identity Certification Overview

Understand identity certification and certification types, the various types of reviewers, and the certification types that can be accessed by each reviewer.

This section describes what, why, and how identity certifications are conducted. It also discusses who is typically involved in the identity certification process.

12.1.1 What Is Identity Certification?

Identity certification is the process of reviewing user entitlements and access-privileges within an enterprise to ensure that users have not acquired entitlements that they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access-privilege. Identity certification can be for the user, role, organization, and entitlement entities.

Certifications can be scheduled to run on a regular basis to meet compliance requirements. Managers use the identity certification feature to review their employees' entitlements to access applications and data. Based on changes reported by the identity certification module, managers can authorize or revoke employee access as needed.

You can create four types of certifications. Each type of certification addresses a particular use-case—a specific type of review that enterprises commonly perform. Each type of reviewer reviews a different subset of access-related data from a specific point of view.

Table 12-1 lists the four types of identity certification that are possible in Oracle Identity Manager.

Table 12-1 The Four Types of Identity Certification

Identity Certification Type	Description
User Certification	Allows managers to certify employee access to roles, accounts, and entitlements. Typically, each manager in an organization reviews the access-privileges of the people who report directly to that manager. Each reviewer in a certification of this type is focused on his or her direct-reports, but is expected to review all of the access-privileges for each direct report. User certification optimizes review from the perspective of the line-of-business (LOB) manager, who must review all access-privileges for each user who reports to the LOB manager. User certification also supports a two-phased review, in which user access rights can be reviewed by managers first, and subsequently by any of the other IT owners, such as role owner, application instance owner, or entitlement owner, all within a single certification campaign.
Role Certification	Allows role owners to certify role content and/or role members. This certification is used in organizations that have implemented role-based access control (RBAC). Typically, the owner of a role is the person responsible for reviewing its definition (that is, the set of access-privileges that it conveys) as well as its membership (the set of users to whom the role has been assigned). Each reviewer in a certification of this type is focused on a particular enterprise role. Role certification optimizes review from the perspective of the role authorizer or role administrator, who must review the definition and the membership of each role that are owned by the role authorizer or role administrator.
Application Instance Certification	This certification allows the person who is responsible for a particular system or application to review the set of users who have accounts on that system or application. The reviewer can drill down and view the details of the access-privileges of each account. Each reviewer in a certification of this type is focused on one specific system or application. Application instance certification optimizes review from the perspective of the Application Instance Authorizer or Application Instance Administrator, who must review the membership (accounts) and the set of privileges (entitlement-assignments) for each application that are owned by the Application Instance Authorizer or Application Instance Administrator.
Entitlement Certification	Allows entitlement owners to certify user accounts that have a particular privilege. This certification is used if a specific person is responsible for a particular entitlement (that is, an Attribute Value or a group membership that confers a specific access-privilege). The entitlement owner can review the set of user accounts that have that particular entitlement. Each reviewer in a certification of this type is focused on one specific privilege within one specific resource. Entitlement certification optimizes review from the perspective of the Entitlement Authorizer or Entitlement Administrator, who must review the definition and the membership (entitlement-assignments) for each privilege (entitlement-definition) that are owned by the Entitlement Authorizer or Entitlement Administrator.

A scheduled job generates certifications based on a specified certification definition. Oracle Identity Manager applies the selection criteria within the certification definition to select the privilege assignments (and/or privilege definitions) that will be reviewed and by whom. Oracle Identity Manager generates a separate certification for each primary reviewer. Oracle Identity Manager also generates a review task for each primary reviewer. Oracle Identity Manager creates a new review task whenever a primary reviewer delegates or reassigns line-items to another reviewer. As each reviewer acts on the review task assigned to that reviewer, this updates the overall certification. Overall progress for each certification is visible from the Dashboard.

12.1.2 Who Is Involved in Completing Identity Certifications?

Identity certification allows personnel in an organization to review and certify user entitlement data, role content data, application instance data, and entitlement data.

This section provides descriptions of the types of users that are typically involved in the identity certification process, as well as the certifications that each user type can authorize or revoke. In Oracle Identity Manager, personnel who participate in the identity certification process are called reviewers.

Table 12-2 lists the reviewers involved in identity certification.

Table 12-2 Identity Certification Reviewers

Reviewer Name	Description	Certification Types That Can Be Accessed
Certifier	A generic term that signifies a person who is responsible for reviewing and completing any kind of certification.	User certification Role certification Application instance certification Entitlement certification
User manager	A manager with direct reports. Users report to a user manager.	User entitlement
Business reviewer	A user within an enterprise who reviews the access-privileges of other users from a business-oriented perspective. Typically, this is a Line-Of-Business (LOB) manager who is responsible for the access-privileges of users who report to him/her. Note: LOB is a category of industry or business function. For example, an LOB manager is oriented to a business function within an enterprise, such as Sales.	User certification Role certification Application instance certification Entitlement certification
Primary Reviewer	The person who is primarily responsible for making certification decisions on a particular set of line-items. The primary reviewer can reassign a line-item to another user, in which case that user becomes the new primary reviewer for that line-item, and the original primary reviewer never sees that line-item again. The primary reviewer can also delegate any of his line-items to another person, in which case that user becomes the delegated reviewer for that line-item, but the primary reviewer still retains responsibility for that line-item. Note: For information about line-item, see Line of Business and Line Item.	User certification Role certification Application instance certification Entitlement certification
Technical Reviewer	A user within an enterprise who reviews the access-privileges of others from a technically-oriented perspective. Typically, this is an IT expert or an application-owner who is responsible for access-privileges being specified correctly, or for limiting access within the enterprise to a specific access-privilege.	User certification
Delegated Reviewer	A person who is assigned to help with the certification work. The delegated reviewer is secondarily responsible for making certification-decisions on a particular set of line-items, but the primary reviewer remains ultimately responsible. Any decision made by the delegated reviewer eventually returns to the primary reviewer, who can override that decision.	User certification Role certification Application instance certification Entitlement certification
Final Reviewer	The person who has the final say over the certification-decisions. The final reviewer can review and override the certification decisions of other reviewers. Final Review is performed only after a two-phased review (and only when an administrator has configured the certification-definition to enable this). The primary reviewer from the first phase can then make a final review of the certification actions made by all the reviewers in the first two phases.	User Certification

12.2 Certification UI

You can view and work with certification objects by using the Pending Certifications page and the Certification Dashboard in the Identity Self Service.

You can view and work with certification objects by using the following in Oracle Identity Self Service:

Pending Certifications page: The Pending Certifications page lists all the tasks assigned to the logged-in user in a single screen. It enables the logged-in user to filter task views into user preferences, such as assigned tasks, completed tasks, and tasks for which information has been requested. The user can select a task to open it in a new tab and then perform necessary actions on the task. This allows the user to work on multiple tasks at a time by opening them in different tabs.

To access the Pending Certifications page, login to Oracle Identity Self Service, and in the Self Service tab, click the Certification box.

See Also:

Managing Certification Review Tasks for detailed information about the Pending Certifications page and the operations you can perform by using the Pending Certifications page
Dashboard: The Identity Certification Dashboard provides an overview of in-progress and completed certifications in the system. The certifications displayed in the dashboard depends on your role. A user with either the Certification Administrator or Certification Viewer admin role can see all certifications in the system. A non-administrative user, for example, a manager, can see any certification for which that user is assigned as a primary reviewer. A primary reviewer or user with the Certification Viewer admin role can view the certification information. A user assigned the Certification Administrator admin role can view any certification, and take basic actions on in-progress certifications. The primary reviewer cannot take actions on the certifications in the Dashboard.

To access the Dashboard, login to Oracle Identity Self Service, click the Compliance tab, click the Identity Certification box, and select Dashboard.

12.3 Certification Name Formats

The certification task names are displayed is different formats depending on the review phase and reviewer.

Table 12-3 lists the certification task names in various review phases.

Review Phase	Name Format	Example
Phase 1 (P1)	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]	Q1 Access 2012[ Robert Klein ]
Phase 1 Reassign	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Reassigned[ NEW_PRIMARY_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Reassigned[ Jane Doe ]
Phase 1 Delegate	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Delegated[ P1_DELEGATED_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Delegated[ Jane Doe ]
Phase 1 Verification	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Verification	Q1 Access 2012[ Robert Klein ]Verification
Phase 2 (P2)	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]
Phase 2 (P2)	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]
Phase 2 (P2)	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]
Phase 2 Reassign	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Roles[ Terrence Hill ]Reassigned[ Jane Doe ]
Phase 2 Reassign	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Reassigned[ Jane Doe ]
Phase 2 Reassign	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Reassigned[ NEW_P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Reassigned[ Jane Doe ]
Phase 2 Delegate	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Delegated[ NEW_P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Roles[ Terrence Hill ]Delegated[ Jane Doe ]
Phase 2 Delegate	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Delegated[ NEW_P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Delegated[ Jane Doe ]
Phase 2 Delegate	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Delegated[ NEW_P2_TECHNICAL_REVIEWER ]	Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Delegated[ Jane Doe ]
Phase 2 Verification	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Roles[ P2_TECHNICAL_REVIEWER ]Verification	Q1 Access 2012[ Robert Klein ]Roles[ Terence Hill ]Verification
Phase 2 Verification	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Application Instances[ P2_TECHNICAL_REVIEWER ]Verification	Q1 Access 2012[ Robert Klein ]Application Instances[ Martha Smith ]Verification
Phase 2 Verification	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Entitlements[ P2_TECHNICAL_REVIEWER ]Verification	Q1 Access 2012[ Robert Klein ]Entitlements[ Hattori Hanzo ]Verification
Final review	CERT_DEFINITION[ P1_PRIMARY_REVIEWER ]Final Review	Q1 Access 2012[ Robert Klein ]Final Review

12.4 Searching and Viewing Certifications

You can search, sort, and view certifications, and access pre-upgrade certifications by using the Dashboard.

This section describes how to search and filter certifications in the Certification Dashboard, and how to view the details of certifications. It contains the following topics:

12.4.1 Searching Certifications in the Dashboard

The Dashboard enables you to perform basic search and advanced search for certifications.

This section contains the following topics:

12.4.1.1 Performing Basic Search for Certification

To perform a basic search for certifications:

Login to Oracle Identity Self Service.
Click the Compliance tab.
Click the Identity Certification box, and select Dashboard. The Dashboard page is displayed.
From the Search list, select any one of the following, and enter a search criterion in the box adjacent to the list:
- Certification Name: To search the certifications by certification name.
- Organization Name: To search the certifications by the organization name selected for the certification.
- Type: To search the certifications by the certification type.
- Create Date: To search the certifications by certification creation date.
Click the search icon. The certifications that match your search criteria are displayed in the search results table.

Tip:

To sort the data in the search results table, place the mouse pointer on a column name. Up and down arrows are displayed on the column names. Click the up arrow to sort in ascending order. Click the down arrow to sort in descending order.

12.4.1.2 Performing Advanced Search for Certification

To perform an advanced search for certifications:

Login to Oracle Identity Self Service.
Click the Compliance tab.
Click the Identity Certification box, and select Dashboard. The Dashboard is displayed with a list of certifications in a table. The table consists of columns, such as Name, Percent Complete, and Organization.

You can personalize the table to display or hide certification attributes that are displayed as columns in the table. You can also change the order in which the columns are displayed in the table.
To show or hide columns and change the order of the columns, follow the instructions in Personalizing the Search Result.
In the Search Certifications section, click Advanced.
Select any one of the following options:
- All: To specify that the search result must match all the specified search criteria.
- Any: To specify that the search result must match any one of the specified search criteria.
Enter values in the certification search attributes.
Click the Search icon. The certifications that match your search criteria are displayed in the table.

Tip:

To sort the data in the search results table, place the mouse pointer on a column name. Up and down arrows are displayed on the column names. Click the up arrow to sort in ascending order. Click the down arrow to sort in descending order.
(Optional) You can refine the certification search result. To do so, from the Show list, select any one of the following to filter the list of certifications displayed in the Dashboard:
- New and In Progress: Lists the certifications that are assigned to you and the certifications in progress.
- New: Lists only the new certifications that are assigned to you.
- In Progress: Lists only the certifications in progress.
- Completed: Lists the certifications that are in the completed state.
- Expired: Lists the certifications whose end date has passed.
- All: Lists all types of certifications including new, in progress, and expired certifications.

12.4.2 Sorting Certification Search Results

Certification search results can be sorted in ascending and descending orders.

You can sort the certification search results in ascending and descending orders. To do so, see Sorting Data in Search Results.

In this release of Oracle Identity Manager, you can sort and list the certifications by the percentage completion of the certifications. In the certification search results in the Dashboard, you can place the mouse pointer on the Percent Complete column to display the up and down arrow keys. Clicking the up arrow key sorts the certifications in ascending order of percentage completion, and clicking the down arrow key sorts the certifications in descending order or percentage completion.

12.4.3 Viewing Certifications From the Dashboard

Only the primary reviewers, who have been selected as certifiers during the certification creation process, can see the certifications in the Dashboard.

You can open and view certification details from the Pending Certifications page or the Dashboard. However, all users cannot see the certifications in the Dashboard. Only the primary reviewers, who have been selected as certifiers during the certification creation process, can see the certifications in the Dashboard. All other users can access certification tasks only from the Pending Certifications page. For example, the delegated reviewers cannot see the particular certification in the Dashboard, but can see a certification task in the Pending Certifications page. Similarly, phase 2 reviewers for user certification cannot see any certification in the Dashboard. For non-admin users, the Dashboard provides a read-only access to certifications for the purpose of monitoring.

12.4.4 Accessing Pre-Upgrade Certifications in the Dashboard

Run the Certification Maintenance Job scheduled job to populate pre-upgrade certifications in the Dashboard.

If you have upgraded Oracle Identity Manager from an earlier release, then no certifications are available in the Certification Dashboard. To populate the Dashboard with the pre-upgrade certifications, run the Certification Maintenance Job scheduled job. For information about this scheduled job and its parameters, see Predefined Scheduled Tasks in Administering Oracle Identity Governance.

Time required to complete the execution of the Certification Maintenance Job scheduled job depends on the number of pre-upgrade certifications and their content. If the upgraded system has large number of pre-upgrade certification, then this job execution might take a long time to finish. This job processes few certifications (depending on Batch Size parameter) at a time.

If the job execution is interrupted before the job is finished, then the Certification Dashboard will only display the certifications that have been successfully processed by the job. This job is re-entrant and can be run multiple times if required. It will process each pre-upgrade certification once and populate the relevant data. Certification Maintenance Job execution does not impact other features or functionality. Run this job if any pre-upgrade certifications are found to be missing from the dashboard.

12.5 Completing User Certifications in Offline Mode

The Dashboard allows working on user certifications in offline mode. Offline certification is not allowed for other entities, such as role, organization, and entitlement.

This section describes user certification in offline mode. It contains the following topics:

12.5.1 Understanding User Certifications in Offline Mode

The availability of offline user certification is controlled by enabling or disabling the Enable Interactive Excel option in the Certification Configuration page in the Identity Self Service.

You have the option to download user certification data to your local computer and work on it in an offline mode by using Microsoft Excel without having an active session with Oracle Identity Manager. After making decisions on the certifications, you can connect to Oracle Identity Manager and upload your decisions. The availability of this option can be controlled by enabling or disabling the Enable Interactive Excel option in the Certification Configuration page in Oracle Identity Self Service. For information about this option, see Configuring Certification Options.

Note:

The option to download user certification data to your local computer and work on it in an offline mode is available for user certifications only. This functionality is not available for role, application instance, and entitlement certifications.
For this functionality to work, you must have Microsoft Excel 2016 or Excel for Microsoft Office 365. To configure Microsoft Excel for this functionality:
1. Ensure that the prerequisites described in Configuring Excel to work with ADF Desktop Integration in the Desktop Integration Developer's Guide for Oracle Application Development are met.
2. Perform the one-time configuration, as described in How to Install ADF Desktop Integration on Your System in the Desktop Integration Developer's Guide for Oracle Application Development.
For applications running in an environment using Oracle Access Manager, ensure that the URL for the ADF Desktop Integration Remote servlet is configured as a protected resource for Oracle Access Manager. The ADF Desktop Integration Remote servlet is:
```
http://IDM_HOST.IDM_DOMAIN.com:OIG_PORT/identity/adfdiRemoteServlet
```

When the Enable Interactive Excel option is enabled, the Download to Editable Excel menu option is available in the Actions menu in the certification detail and certification summary pages of the user certification.

12.5.2 Working on a User Certification in Offline Mode

To work on a user certification in offline mode:

Open a user certification from the Dashboard or Pending Certifications page.
From the Actions menu, select Download to Editable Excel. A message box is displayed with the options to open or save the file.
Select Open with.
Make sure that Microsoft Office Excel is selected instead of Microsoft Office Excel (Default). Microsoft Office Excel (Default) is the version of Excel for which the plugin for this functionality is not enabled.
Click OK. A message box is displayed asking whether you want to connect to the corresponding server where the application is running and from where the spreadsheet was downloaded.
Click Yes. The page to login to Oracle Identity Self Service is displayed. This provides an extra layer of security before you can download the data to work on.
Login to Oracle Identity Self Service by providing the credentials. The user certification data is downloaded into a spreadsheet.
Click the Certification tab. This displays the list of options available when you work on a record. Figure 12-1 shows the Certification tab.

Figure 12-1 The Certification Tab

Description of "Figure 12-1 The Certification Tab"
Select the decisions from the drop-down for each user. When a decision is selected, the Changed column displays a flag that indicates the change. The area highlighted in grey color is a read-only area and no changes can be made there.
Decisions other than Certify cannot be updated unless certain conditions are met, and as a result, the data upload will fail. To view these errors, double-click the error field under the status column. Then, you can perform the necessary action to fix it before trying to upload again. The actions can be:
- Revoke: Comments are required.
- Abstain: Comments are required.
- Certify Conditionally: Comments and an end date are required.
Note:

User-defined field (UDF) data for both user and catalog will show up in the spreadsheet as read-only columns.
When you finish selecting the decisions, you can upload the data back to the server by clicking the Save to Server. The user data is updated on the user certification screens.

Note:

When you upload the spreadsheet data, if the application instance and entitlement decisions are different, the decisions for entitlements maybe be over-ridden on the server side depending on which data gets uploaded to the server first. In other words, data downloaded in a particular order is uploaded in that particular order.

For example, if you revoke an entitlement and certify the account as Certify Conditionally, the entitlement could also be certified as Certify Conditionally if the account is updated last in the server, after the entitlement has been updated.

As a work around, you can download the Excel file again to verify the final value updated on the server.

If you try to download the spreadsheet for a certification that has already been completed, then a different version of the spreadsheet is downloaded, in which all the columns are marked as read-only and the Save to Server button is not available.

12.6 Generating Certification Reports

You can generate certification reports from the Dashboard or from the Pending Certifications page.

This section describes generating certification reports in the following topics:

12.6.1 About Generating Certification

Oracle BI Publisher reports are used for identity certification. These reports select data from the certification tables of the Oracle Identity Manager database.

There are specific templates to control the format and content of reports. For example, many of the certification reports have a template that includes details from action history for each line-item and detail, and another template that does not.

There are a list of predefined or default certification reports in Oracle Identity Manager. For more information about the default certification reports, see "Certification Reports" in the Administering Oracle Identity Governance.

12.6.2 Generating Certification Reports From the Dashboard

Use the Reports tab of the Dashboard to generate certification reports in HTM or PDF formats.

To generate certification reports by using the Dashboard:

In Oracle Identity Self Service, click the Compliance tab. Click the Identity Certification box, and select Dashboard.
Search and select the certification for which you want to generate the report. The Detailed Information section is displayed for the selected certification.
Click the Reports tab.
Select Report Type as Complete Certification, Certified, Revoked, Abstained, or Certified Conditionally.
From the Report Format Output list, select the format in which you want to generate the report, such as HTML or PDF.
Select the Display Action History option to include in the report the action history or trail of actions taken by all reviewers on the certification. Deselecting this option does not show the action history in the certification report.
Click Generate Report. The certification information is exported to the selected option, such as HTML or PDF.
Tip:

On selecting Excel as the report format in step 5, an error message is displayed on opening the report. This is a security alert from Microsoft and can be ignored. However, if you want to avoid the message, then perform the following steps:
1. Go to Windows registry.
2. Search and navigate to the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security key.
3. Set the following value:
```
(DWORD)"ExtensionHardening" = 0
```

12.6.3 Generating Exported Certification Reports From the Certification Pages

Use the Pending Certifications page to export certification tasks to PDF or Excel.

To generate certification reports by using the Pending Certifications page:

In Oracle Identity Self Service, click the Self Service tab. Click the Certifications box. The Pending Certifications page is displayed.
Click an in-progress certification task name to open Page 1 of the certification task.
From the Actions menu, select Export to PDF or Excel.

The exported certification tasks in PDF or Excel is equivalent to Complete Certification Report.