Schedule a Certification Campaign
How to create and schedule access certification campaigns, defining their scope.
Overview
The aim of an access certification campaign is to review specific access and entitlements for specific identities, in order to certify them and express an audit opinion that justifies their necessity.
Here, you will learn how to create and schedule a certification campaign, defining its scope via the filters specifying the reviewers and items to be reviewed.
Participants and Artifacts
This operation should be performed in cooperation with the staff in charge of auditing, because they know what entitlements need to be reviewed.
Input | Output |
---|---|
Create the Workforce Repository (required); Create Roles in the Role Catalog (optional); Manage Risks (optional) | Scheduled certification campaign(s) |
Create a Certification Campaign
Create an access certification campaign by proceeding as follows:
- Click on Access Certification Campaigns in the Administration section on the home page.
- Click the addition button at the top right and fill in the fields:
  - Identifier: Must be unique among campaigns, without whitespace.
  - Name: Displayed in the UI to identify the campaign.
  - Start Date: Determines the access snapshot that will be reviewed. Only permissions existing at this date will be included.
  - End Date: Campaign deadline.
  - Target Entity Type: Entity type the campaign targets.
  - Target Reviewers: Identities responsible for the review, configured via Access Certification policies.
  - Target Specificities: AccessCertificationDataFilter filters that define what permissions to include (object type, category, approval state, etc.). The campaign scope is a union of all specificities. The campaign targets permissions that meet the intersection (AND) of all filters. When using role tags, roles with any of the listed tags are included (OR logic).
  - Target Owners: Filters based on identity dimensions. These are combined using AND logic. Additional filters may be available depending on the selected entity type:
    - Individual Owner: A single identity whose access will be certified.
    - Active Target: Identities for which a specific property (from Directory_UserRecord) was modified since a given date. Only properties not calculated by Identity Manager can be used to filter target owners.

  Example: The following campaign certifies all single roles assigned to two specific users:
- Click Create. The campaign appears in the list.
- Click Launch to apply the changes and start the certification job. Logs for this job are available via the Job Results button.
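The scope rules given for Start Date, Target Specificities and Target Owners can be checked on paper before launching a campaign. The following Python model is an added example, not Identity Manager code or configuration: the field names, sample permissions and dimension names (`site`, `department`) are constructed, and it assumes that the filters inside one specificity are ANDed while the specificities themselves are ORed.

```python
from datetime import date

def matches_specificity(perm, spec):
    """One specificity: every filter it sets must hold (AND); role tags match on any listed tag (OR)."""
    for key in ("object_type", "category", "approval_state"):
        if key in spec and perm.get(key) != spec[key]:
            return False
    if "tags" in spec and not set(spec["tags"]) & set(perm["tags"]):
        return False
    return True

def campaign_scope(perms, start_date, specificities, owner_filters):
    """Return the permissions the modelled campaign would present to reviewers."""
    scope = []
    for p in perms:
        # Snapshot rule: only permissions existing at the start date are reviewed.
        exists = p["assigned_on"] <= start_date and (
            p["ended_on"] is None or p["ended_on"] > start_date)
        # The scope is the union (OR) of all specificities.
        wanted = any(matches_specificity(p, s) for s in specificities)
        # Owner filters on identity dimensions are combined with AND.
        owner_ok = all(p["owner_dims"].get(k) == v for k, v in owner_filters.items())
        if exists and wanted and owner_ok:
            scope.append(p)
    return scope

def perm(role, object_type, category, tags, assigned_on, dims, ended_on=None):
    return {"role": role, "object_type": object_type, "category": category,
            "tags": tags, "assigned_on": assigned_on, "ended_on": ended_on,
            "owner_dims": dims}

# Constructed sample data (hypothetical roles and identity dimensions).
PERMS = [
    perm("SAP_Accountant", "SingleRole", "Finance", ["sox"], date(2024, 1, 10),
         {"site": "Paris", "department": "Finance"}),
    perm("AD_Admin", "SingleRole", "IT", ["privileged"], date(2024, 2, 1),
         {"site": "Paris", "department": "IT"}),
    perm("Wiki_Reader", "SingleRole", "IT", [], date(2024, 1, 5),
         {"site": "Paris", "department": "IT"}),       # no matching tag
    perm("DB_Admin", "SingleRole", "IT", ["privileged"], date(2024, 6, 1),
         {"site": "Paris", "department": "IT"}),       # granted after the start date
    perm("SAP_Approver", "CompositeRole", "Finance", ["sox"], date(2023, 9, 1),
         {"site": "Lyon", "department": "Finance"}),
]
SPECIFICITIES = [
    {"object_type": "SingleRole", "tags": ["sox", "privileged"]},
    {"object_type": "CompositeRole", "category": "Finance"},
]
START = date(2024, 3, 1)

def in_scope_roles(owner_filters):
    return [p["role"] for p in campaign_scope(PERMS, START, SPECIFICITIES, owner_filters)]
```

In this model `DB_Admin` never reaches a reviewer because it was granted after the start date, which is the case auditors most often need to account for when choosing the snapshot.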
Impact of Modifications
You can modify any field in a certification campaign before its start date.
After it begins, only the name, identifier, and end date can be changed.
You may delete the campaign at any time.
Verify Campaign Scheduling
To verify the setup, go to the Access Certification Campaigns page and check that the created campaign has the correct parameters.