--- title: Run access reviews description: Access reviews are the final step of certifying access for users. component: pingoneaic page_id: pingoneaic:identity-governance:end-user/access-review-user-cert-items canonical_url: https://docs.pingidentity.com/pingoneaic/identity-governance/end-user/access-review-user-cert-items.html keywords: ["Identity Governance", "User Interface", "Access Certification", "Access Review"] section_ids: quick_links: Quick links governance-user-items-view-certs: View access review tasks end_user_campaign_landing_page_columns: Access reviews landing page columns governance-user-items-view-individual-cert: View individual access review line items campaign_task_columns: Access review task columns high_level_reviewer_steps: High-level reviewer steps governance-user-items-filter-items: Filter and group items filter_items: Filter items group_items: Group items customize_table_columns: Customize table columns governance-user-items-cert-add-comments: Add comment governance-user-items-cert-make-decision: Make a decision (certify) governance-user-items-cert-make-decision-change-access: Decisions change based on how you grant access governance-user-items-cert-view-reviewers: View other certifiers edit_certifier_permissions: Edit certifier privileges governance-user-items-cert-reassign: Reassign an item reassign_from_view_reviewers_screen: Reassign from view reviewers screen reassign_from_bulk_reassign: Reassign from bulk reassign governance-user-items-cert-forward: Forward an item individual_forwarding: Individual forwarding bulk_forwarding: Bulk forwarding governance-user-items-cert-bulk-certify: Bulk certify items --- # Run access reviews Access reviews are the final step of certifying access for users. After you kick off the data review process in a campaign, the data defined for review is sent to the end users you define in the template. Certifying is the process of an end user reviewing the data assigned to them and making a decision on if access should be kept (certified) or removed (revoked) for each record. The data assigned to them is called an *access review*. Notes on access reviews: * An access review consists of one or more line items or records to review and certify. * An end user who has an access review is considered a *reviewer* of the certification, also called a *certifier*. * Multiple certifiers can be assigned to review the same data. * When an end user is designated as a reviewer from a campaign, it displays under Inbox > Access Reviews or in the Dashboard landing page. * You define the certifiers when you create a [template](../administration/access-review-manage-templates.html) and kick off a campaign. A reviewer can also be added through [forwarding](#governance-user-items-cert-forward) or [reassignment](#governance-user-items-cert-reassign) by certifiers and administrators. * Certifiers can change the decision a previous certifier made for a line item; however, changes can't be made to a campaign after a decision is set and the campaign is signed off (completed). Additional changes require remediation through another campaign. For example, if one certifier decides to certify the access for a line item, but another certifier decides to revoke access for it after, then the last certifier's decision is the decision that prevails. Learn more in [Access reviews](../../end-user/hosted-pages-account.html). ## Quick links As there are various features that become enabled or disabled for end user access reviews depending on the configurations in the template, the following is a table to quick links in this page. > **Collapse: Details** > > | Item | Description | > | ------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | [View access review tasks](#governance-user-items-view-certs) | A landing screen that shows access reviews that are assigned to an end user.This includes an explanation of the [access review landing page columns](#end_user_campaign_landing_page_columns). | > | [View individual access review line items](#governance-user-items-view-individual-cert) | The screen where end users complete the access review of the line items for a campaign.A line item is a record for a certifier to review. For example, the user Barbara Jensen's record that details their access to a particular application is a line item.This includes:- [Access review task columns](#campaign_task_columns): A description of the columns that display when end users certify items. > > - [High-level reviewer steps](#high_level_reviewer_steps): An overview of potential steps to take when reviewing items. Since there are various combinations of configurations you can make in the template, this process is subject to change. | > | [Filter and group items](#governance-user-items-filter-items) | Filter campaign items that display data in different ways. | > | [Customize table columns](#customize_table_columns) | Rearrange or hide the table columns. | > | [Add comment](#governance-user-items-cert-add-comments) | Provide a comment on a line item in the access review\.Use cases include:- Justification for why a decision was made. > > - Rationale for reassigning the item. > > - Rationale for forwarding the item. > > - To view/respond to a comment left by another reviewer. | > | [Make a decision (certify)](#governance-user-items-cert-make-decision) | Make a decision to either certify access, revoke access, or provide an exception to access for a specified duration (you must enable the configurations in the template). | > | [View other certifiers](#governance-user-items-cert-view-reviewers) | View other reviewers assigned to a line item in the access review. | > | [Reassign an item](#governance-user-items-cert-reassign)\[[1](#_footnotedef_1 "View footnote.")] | An end user can reassign an item that's assigned to them and define the permissions of the new assignee.There are two ways to reassign a line item:- [Reassign from view reviewers screen](#reassign_from_view_reviewers_screen) > > - [Reassign from bulk reassign](#reassign_from_bulk_reassign) | > | [Forward an item](#governance-user-items-cert-forward)\[[1](#_footnotedef_1 "View footnote.")] | **Remove prior reviewers** and assign the line item to another individual(s). **Full permissions** on the item are given to the forwarded individual(s).There are two ways to forward a line item:- [Individual forwarding](#individual_forwarding) > > - [Bulk forwarding](#bulk_forwarding) | > | [Bulk certify items](#governance-user-items-cert-bulk-certify)\[[1](#_footnotedef_1 "View footnote.")] | Perform a bulk line item certification. Not recommended for every campaign as this will bypass much needed manual oversight on each item. | ## View access review tasks To view the access review tasks, from the Advanced Identity Cloud end-user UI, click Inbox > Access Reviews. The landing screen on Access Reviews is a view of the active campaigns that have a task assigned to an end user. To view campaigns that have a specific status, such as Closed or Canceled, click the Status drop-down and filter the status. | | | | - | --------------------------------------------------------------------------- | | | To view additional tasks, click the caret icons at the bottom of the table. | > **Collapse: Campaign statuses to filter** > > | Status | Description | > | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | Active | The campaign is in progress. In the Status column, this includes the In-progress, Expiring and Overdue states.- In-progress: The campaign is in progress and active. > > - Expiring: The campaign is in process and expires in 2 days or less. The template defines the deadline; however, you can [update the deadline](../administration/access-review-manage-campaigns.html) at any time. > > - Overdue: The campaign is past the expiration date but in process. Tasks still require completion. Identity Governance sets this status when you select one of the following settings in the template: > > * When to Certify > When certification expires > Close open items > Reassign. > > * Do nothing. > > The template defines the deadline; however, you can [update the deadline](../administration/access-review-manage-campaigns.html) at any time. | > | Expired | The campaign expired. Advanced Identity Cloud triggers this status when and end user selects When to Certify > When certification expires > Close open items > immediately in the template. | > | Completed | The campaign finished as expected with no issues. | ### Access reviews landing page columns The campaigns listed on the landing page of the Access Reviews tab consists of a table with various columns. | Field | Description | | -------- | --------------------------------------------------------------------------------------------------------------------------------- | | Name | The name of the campaign. This name is generated from the template. | | Deadline | The date in which the campaign must be completed. | | Status | The state the campaign is in. Learn more in [Campaign statuses to filter](#enduser-statuses-to-filter). | | Progress | The percent complete of the campaign. To view the percentage and number of items that are complete, hover over the progress icon. | | | | | - | ------------------------------------------- | | | To filter a column, click the up/down icon. | To view additional features, such as [forwarding](#governance-user-items-cert-forward) a certifier's items to another person or end users assigned to a role, click [icon: more_horiz, set=material, size=inline] to the right of the table. ## View individual access review line items For an end user to review the line items they need to certify, click an access review (campaign). The top section of the screen shows information about the access review including: * The Status metric shows the percentage of items to complete, as well as a numeric value of items that are complete versus the total amount of items. * The Decisions pie chart is shows the number of records certified versus revoked. * The Deadline is the campaign completion date. Click the View campaign details to view additional information such as the description of the campaign and the campaign owner. ### Access review task columns The columns in the line items table are: | Field | Description | | ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | User | The user in Advanced Identity Cloud. | | Application | The [onboarded application](../../app-management/applications.html) the user has access to. | | Account | The account in the application that correlates to a user in Advanced Identity Cloud. | | Entitlement | The entitlement in the application the user has granted. | | Flags | Information about how access was given. One or more of these flags can display on a line item:- [icon: sync, set=material, size=inline] Reconciliation: Access was granted through a reconciliation process. - [icon: person_add, set=material, size=inline] Request-based: Access was granted through a request. - [icon: assignment_ind, set=material, size=inline] Role-based: Access was granted through a role. - [icon: date_range, set=material, size=inline] Temporal constraints: Access was granted through a role; however, only for a specified period of time. - [icon: add_circle_outline, set=material, size=inline] New access: Access is new and has never been certified. | | Comment | Comments that have been made on a record in a campaign. A number above the comment icon indicates the amount of comments left. | | Decision | The action taken on a record in a certification.Options are:- `Certify access` - `Revoke access` - `Allow an exception`: For this to display, you must configure the Additional options section of the template. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | To view information about a line item, click on the item under the column. For example, to review a user's information in Advanced Identity Cloud for an identity certification type, click the user's name and a modal window pops up displaying the information for review. The same is true for each single item in a row\.The following video shows an example:**Video (Video)**<../\_images/mp4/governance-enduser-access-review-modal.mp4> | | | | | - | ---------------------------------------------------------------------------------------------------- | | | To view additional line items in the access review, click the caret icon at the bottom of the table. | ### High-level reviewer steps The following are typical steps when an end user certifies line items in an access review (campaign): 1. Click into a record and review information by clicking into each item in the row. 2. Add a [comment](#governance-user-items-cert-add-comments) if necessary (or mandatory if the campaign requires it). 3. Make a [decision](#governance-user-items-cert-make-decision) by selecting Certify access, Revoke access, or Allow an exception. The last reviewer on the item to make a decision is the decision **that will prevail** for the item. 4. Repeat steps 1 - 3 for each line item in the table. 5. Once an end user certifies every record, click Sign-off. Once this takes place, no changes can be made to the campaign as it acts as the final decision on a certification. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If Allow partial sign-off is enabled in the Additional Options section of the campaign template, then the line items don't have to be completed before the task can be signed off. A gradual fashion can be used whereas a subset of the items can be signed off and the other items can be completed at a later date. Learn more in [additional options](../administration/template-identity-cert.html#governance-admin-create-cert-templates-identity-cert-additional-options). | The following video shows an example: **Video (Video)** <../\_images/mp4/governance-end-user-access-review\.mp4> Subsequent sections display various functions of the certifier process in detail. ### Filter and group items End users can filter and group items to make them more manageable when certifying. The following video shows an example: **Video (Video)** <../\_images/mp4/governance-filter-grouping-enduser.mp4> #### Filter items Certifiers can manipulate the data presented on an access review. To filter the items, click on the filter icon in the top right of the line items table. Once selected, there are two ways to filter: * By decision: Filter the table by the decision made on a line item, either Certified, Revoked, Exception Allowed, or No Decision. * By item attributes: Filter the table by a particular column item, such as a user. Click the item to filter on, then enter the appropriate value in the additional box that's displayed. #### Group items Grouping items aggregates duplicate information. For example, if a user has four entitlements, the campaign items table displays this as four separate records. In grouping by fields, the entitlements display as a sub-table under a record, reducing the redundancy of reviewing the same record's information. To group the items, click the Group By icon above the Filter icon. When end users select an object to group by, for example, `Account`, the view of the table changes splitting the screen in half. ### Customize table columns An end user can modify the columns presented in the line items table. For example, they may want to display additional user properties. To customize columns: 1. Click the view column icon ([icon: view_column, set=material, size=inline]). 2. Under Available Columns, click each section and select or deselect the columns to display. 3. Under Active Columns, rearrange the order of the columns by clicking the drag icon ([icon: drag_indicator, set=material, size=inline]) and dragging each column to the desired order. | | | | - | ---------------------------------------------------------------------------------------------- | | | To delete an Active Column, click the delete icon ([icon: delete, set=material, size=inline]). | 4. Click Apply. ### Add comment Certifiers can leave a comment in an access review. The comment could vary in nature due to a number of reasons: * A justification for the decision being made. * A comment about why the item is being [reassigned](#governance-user-items-cert-reassign). * A comment about why the item is being [forwarded](#governance-user-items-cert-forward). * A comment from another certifier if there are multiple certifier on the line item(s). | | | | - | ----------------------------------------------------------------------------- | | | An auto-generated comment is created when an item is forwarded or reassigned. | To add a comment: 1. To get to the comment box either: * Click the comment icon box. * Click [icon: more_horiz, set=material, size=inline] next the item to comment on and click the Add Comment. 2. Enter the comment. 3. Click Add Comment. | | | | - | ---------------------------------------------------------------------------- | | | After a comment has been made and added to a line item, it can't be removed. | ### Make a decision (certify) A decision is an action a certifier makes on a line item in an access review. ![User task cert choices](../_images/governance-user-tasks-certs-decision-choices.png) A certifier can do one of the following: * To *Certify* (keep) access, click the green checkmark icon. * To *Revoke* (deny) access, click the circle-backslash icon. After selecting this, a mandatory comment box displays to the certifier in which they must enter a reason for revoking the line item. When the campaign is signed off, if the Process remediation configuration option is enabled in the Additional Options section of the template, then the line item will be removed from the onboarded application. * The clock icon is disabled unless you explicitly enable exceptions by marking Allow Exceptions (under Additional Options) as allowed. You can also specify the duration for exceptions under Additional Options. Learn more in [additional options](../administration/template-identity-cert.html#governance-admin-create-cert-templates-identity-cert-additional-options). A certifier can only make a decision once per line item, no matter the number of certifiers. The decision made by the last certifier on a line item is the decision that prevails. After an access review (campaign) is signed off, a decision can't be modified. #### Decisions change based on how you grant access Depending on the certification type and how an end user is given access to a resource, the decisions a certifier can take on a line item changes: | How you grant access | Cert type | Notes | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | To an application or entitlement using a role. | Identity | Identity Governance can't certify or revoke the line item if you assign an end user to an application or entitlement using a role.To remove the user from the application or entitlement, remove them from the role. Identity Governance displays that the access is role-based by the assignment\_ind Role-based flag being present in the Flags column. | | In the [What to Certify](../administration/template-identity-cert.html#governance-admin-create-cert-templates-identity-cert-what-to-certify) section of the template, you select to certify `Roles` and an end user is assigned to a role through a condition being met. | Identity | Identity Governance can't certify or revoke an end user being a member of a role through a condition.To remove the end user from the role, update them to no longer meet the condition. | | To an entitlement using a role. | Entitlement | Identity Governance can't certify or revoke the line item if you assign an end user to an entitlement using a role.To remove an end user from an entitlement, when they're granted access through a role, remove them from the role. | | Through a role with a condition. | Role membership | Identity Governance can't certify or revoke an end user being a member of a role through a condition.To remove the end user from the role, update them to no longer meet the condition. | For each situation, the following UI elements change: * The Revoke and Allow an Exception decisions are disabled. * The Certify text changes to Acknowledge. * The line item can't be used with [bulk certify](#governance-user-items-cert-bulk-certify). ### View other certifiers For each line item in the access review, certifiers have the ability to view the other certifiers. To view the certifiers, click [icon: more_horiz, set=material, size=inline] next to the item and click View Reviewers. From here an end user has the ability to: * [Reassign the item to another certifier](#reassign_from_view_reviewers_screen) * [Edit certifier privileges](#edit_certifier_permissions) #### Edit certifier privileges To edit the permissions of a certifier on a line item: 1. Click [icon: more_horiz, set=material, size=inline] next to the line item and click View Reviewers. 2. End users locate the certifier they would like to modify and click [icon: more_horiz, set=material, size=inline] > Edit. 3. Select/deselect the privileges on the certifier. 4. Click Save. ### Reassign an item End users reassign a line item by adding another certifier to review the item. When a certifier adds another certifier, they specify the privileges of the certifier. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To reassign an item, you must enable the configuration setting Enable line item reassignment > Reassign in the Additional Options section of the template. Learn more in [additional options](../administration/template-identity-cert.html#governance-admin-create-cert-templates-identity-cert-additional-options). | There are two ways to reassign an item: * [View reviewers screen](#reassign_from_view_reviewers_screen) * [Bulk reassign](#reassign_from_bulk_reassign) #### Reassign from view reviewers screen 1. On the item, click [icon: more_horiz, set=material, size=inline] > View Reviewers. 2. Click [icon: add, set=material, size=inline] Add a Reviewer. 3. Select to add either Add a user or Add a role to the line item. 4. Search for the individual or role and select it. 5. Select the privileges that the new end user or role will have on the line item. The privileges you can add are: 1. View: Allows another end user to view the line item. 2. Comment: Allows another end user to leave a [comment](#governance-user-items-cert-add-comments) on the line item. 3. Decide: Allows another end user to make a [decision](#governance-user-items-cert-make-decision) on the line item. 4. Assign/Forward: Allows another end user to [reassign](#governance-user-items-cert-reassign) or [forward](#governance-user-items-cert-forward) the line item. 5. Sign off: Allows another end user to [sign-off](#governance-user-items-cert-reassign) on the line item. 6. Click Reassign. #### Reassign from bulk reassign | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The option for bulk certify and reassign must first be enabled in the Additional Options section of the template before bulk reassign can be utilized. Learn more in [Bulk certify items](#governance-user-items-cert-bulk-certify). | 1. After selecting more than one item, click the Actions drop-down that shows and select Reassign. 2. In the modal, choose to reassign to Another user or to Users with assigned role to the line item. 3. Search for the individual or role and select it. 4. Select the privileges that the user or role will have on the line item. The privileges you can add are: 1. View: Allows a user to view the line item. 2. Comment: Allows a user to leave a [comment](#governance-user-items-cert-add-comments) on the line item. 3. Decide: Allows a user to make a [decision](#governance-user-items-cert-make-decision) on the line item. 4. Forward: Allows a user to [reassign](#governance-user-items-cert-reassign) or [forward](#governance-user-items-cert-forward) the line item. 5. Sign off: Allows a user to [sign-off](#governance-user-items-cert-reassign) on the line item. 5. Click Reassign. ### Forward an item When end users forward a line item in an access review, the end user **removes prior certifiers** and assigns the line item to another end user or role. The new certifier(s) have full permissions on the line item. There are two ways to forward an item: * [Individual forwarding](#individual_forwarding) * [Bulk forwarding](#bulk_forwarding) #### Individual forwarding 1. On the line item, click [icon: more_horiz, set=material, size=inline] > Forward. 2. In the modal, choose to forward the line item to Another user or to Users with assigned role. 3. Search for the individual or role. 4. End users leave a comment as to why they're forwarding the line item. 5. Click Forward Item. #### Bulk forwarding 1. Select more than one item using the checkbox next to the items in the left of the certification items table or check the Select All box. 2. Click the Actions list that's displayed. 3. Select Forward. 4. A modal window is displayed. 5. Select if the line items should be forwarded to Another user or Users with assigned role. 6. Search for the individual or role. 7. End users leave a comment as to why they're forwarding the line items. 8. Click Forward Item. ### Bulk certify items The bulk certification of line items allow for many items to undergo the certification process at once instead of one-by-one. This configuration setting isn't enabled by default and should be used with caution. Most access reviews require an in-depth look into the accuracy of data and bulk certification circumvents this. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To bulk certify line items, you must enable the configuration setting Allow Bulk Decisions in the Additional Options section of the template. Learn more in [additional options](../administration/template-identity-cert.html#governance-admin-create-cert-templates-identity-cert-additional-options). | When end users select one or more items using the checkboxes, or they select All items (in the drop-down button of Select), an additional Actions drop-down button displays. End users click this button to view actions they can make in a bulk fashion. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------- | | | Under the Select drop-down button, end users can choose to select All items that under review, All on this page, or Deselect all items. | The items that display under the Actions button vary depending on if the configuration settings that your administrator enables in the template, but can include: * Certify * Revoke * Allow an exception * Reassign * Forward *** [1](#_footnoteref_1). Not configured by default, you must enable this in the template configurations.