Schedule a Certification Campaign
How to create and schedule access certification campaigns, defining their scope.
Overview
The aim of an access certification campaign is to review specific access and entitlements for specific identities, in order to certify them and express an audit opinion that justifies their necessity.
Here, you will learn how to create and schedule a certification campaign, defining its scope via the filters specifying the reviewers and items to be reviewed.
Participants and Artifacts
This operation should be performed in cooperation with the staff in charge of auditing, because they know what entitlements need to be reviewed.
| Input | Output |
|---|---|
| Identity Repository (required); Create Roles in the Role Catalog (optional); Manage Risks | Scheduled certification campaign(s) |
See the Create the Workforce Repository topic for additional information.
Create a Certification Campaign
Create an access certification campaign by proceeding as follows:
- Click on Access Certification Campaigns in the Administration section on the home page.
- Click on the addition button at the top right and fill in the fields.
  - Identifier: Must be unique among certification campaigns and must not contain whitespace.
  - Name: Will be displayed in the UI to identify the campaign.
  - Start Date: Date when the campaign begins and becomes visible on the reviewers' Access Certification screen. The campaign will review access existing at this date; changes after this date are not included.
  - End Date: Date when the campaign ends.
  - Target Entity Type: Entity type targeted by the campaign.
  - Target Reviewers: Set of identities responsible for the access review. Available reviewers are configured via the Access Certification policies.
  - Target Specificities: AccessCertificationDataFilter defines the campaign scope (e.g., by object type, category, approval state). The campaign uses the union of all specificities.
    The campaign will target permissions that meet the intersection (AND) of all criteria.
    When listing role tags, roles with any matching tag (OR) will be included.
  - Target Owners: Filters based on identity attributes for those whose access is being reviewed. All filters are combined using intersection (AND) logic.
    Additional filters may be available depending on the target entity type.
  - Individual Owner: A single identity whose access is to be certified.
  - Active Target: Identities with a specific property (from Directory_UserRecord) modified since a given date.
    Only properties not calculated by Identity Manager can be used to filter the target owners of the certification campaign.

  The following campaign targets all assigned single roles for two specific users:
- Click Create to add the campaign to the list.
- Apply changes by clicking Launch to run the access certification job.
The job's logs are available via the Job Results button.
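To check before launch which access a given combination of filters will actually put in front of reviewers, the scope rules described above can be modeled as follows. This is an added example, not Identity Manager code: the data model, names and sample assignments are constructed, and it assumes that criteria are ANDed within one specificity while the specificities themselves are combined by union.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Assignment:  # one permission held by one identity (constructed model)
    owner: str
    department: str
    role: str
    category: str
    tags: frozenset
    granted: date

@dataclass(frozen=True)
class Specificity:  # one scope filter; empty category/tags means "no criterion"
    category: str = ""
    tags: frozenset = frozenset()

    def matches(self, a: Assignment) -> bool:
        # Assumption: criteria inside one specificity are ANDed; listed tags are ORed.
        if self.category and a.category != self.category:
            return False
        return not self.tags or bool(self.tags & a.tags)

def campaign_scope(assignments, start, specificities, owner_filters=()):
    """Assignments a campaign would submit for review."""
    return [
        a for a in assignments
        if a.granted <= start                         # access existing at the start date
        and all(f(a) for f in owner_filters)          # owner filters: intersection (AND)
        and any(s.matches(a) for s in specificities)  # specificities: union (OR)
    ]

def not_reviewed(assignments, scope):
    """Coverage gap: assignments this campaign shows to no reviewer."""
    return [(a.owner, a.role) for a in assignments if a not in scope]

S = frozenset  # shorthand for the constructed sample data below
ASSIGNMENTS = [
    Assignment("alice", "Finance", "SAP_Payments", "ERP", S({"sensitive"}), date(2024, 1, 10)),
    Assignment("alice", "Finance", "Wiki_Reader", "Collab", S(), date(2024, 1, 10)),
    Assignment("bob", "IT", "AD_Admin", "Directory", S({"privileged"}), date(2024, 2, 1)),
    Assignment("bob", "IT", "SAP_Payments", "ERP", S({"sensitive"}), date(2024, 6, 1)),
    Assignment("carol", "Finance", "ERP_Reports", "ERP", S(), date(2024, 3, 5)),
]
START = date(2024, 5, 1)
SPECS = [Specificity("ERP", S({"sensitive"})), Specificity(tags=S({"privileged"}))]

if __name__ == "__main__":
    scope = campaign_scope(ASSIGNMENTS, START, SPECS)
    print("in scope:    ", [(a.owner, a.role) for a in scope])
    print("not reviewed:", not_reviewed(ASSIGNMENTS, scope))
```

The "not reviewed" list is the part worth showing to the audit staff: it contains the role granted after the start date and the untagged ERP role, neither of which this campaign certifies.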
Impact of Modifications
You may modify any field of a certification campaign before its start date. After it starts, only the name, identifier, and end date can be changed. Campaigns can be deleted at any time.
Verify Campaign Scheduling
To verify the process, check the Access Certification Campaigns page to confirm the campaign’s parameters are correct.