PingOne Advanced Identity Cloud

Certification event

The Advanced Identity Cloud admin UI provides simple steps to set up a certification event using the campaign template format.

The following table lists the sections that you must follow to set up a certification event template.

Section Description

Create a new certification event

Create a new certification event.

Event trigger

Type of event trigger.

Event action

Type of action to take when the trigger occurs.

Event details

General event details of the template.

Event campaign details

Certification campaign details.

What to certify

Items to be certified.

Duration

Duration of the certification event.

Who will Certify

Users who will certify the event.

Notifications

Optional. Email notifications options.

Additional options

Optional. Various configurations to allow during the certification.

Summary

Summary of your selected sections.

Create a new certification event

  1. On the Advanced Identity Cloud admin UI, click Governance > Events.

  2. On the Governance Events page, click New Event. The New Event modal appears.

Event trigger

This section sets the type of event trigger for your workflow.

  1. On the New Event modal, select an event trigger:

    • User created. Trigger an action when a user is created.

    • User updated. Trigger an action when a user is updated.

  2. Click Next.

Event action

This section sets the type of action for your certification when the event is triggered.

  1. On the New Event modal, review the event actions, and click Certification:

    • Certification. Trigger a certification campaign when an event occurs.

    • Workflow. Trigger a workflow when an event occurs.

  2. Click Next.

Event details

  • On the Event Details modal, complete the following fields, and click Next.

    Field Description

    Event Name

    Display name for the event.

    Event Description

    Optional. Enter a general description for the event. Your company should follow a descriptive convention to describe each of your events.

    Event Owners

    Enter the owner(s) of the event. Only owners can fully control their events, including event decisions, event assignment changes, sign off, and more.

    Trigger for

    Determine the users for which to apply the trigger. Options are:

    • All users. Trigger for all users in your system.

    • A subset of users. Trigger for a subset of users in your system. This option opens a filter to set up your users.

      Event filter

      governance event filter

      • 1 Trigger if All or Any conditions are met.

      • 2 Previous value of

        • Previous value of (appears for User created triggers)

        • Current value of (appears for User created triggers)

        • Before (appears for User updated triggers)

        • After (appears for User updated triggers)

      • 3 Type to search: Select an attribute from the list.

      • 4 Conditions:

        • Contains

        • Does not contain

        • Is

        • Is not

        • Is present

        • Is not present

        • Starts with

        • Does not start with

        • GTE

        • GT

        • LTE

        • LT

      • 5 Enter a value for your filtered condition.

      • 6 Click to add the condition.

      • 7 Click Advanced Editor.

Event campaign details

This section sets the campaign details for your certification when the event is triggered.

  • On the New Certification Event modal, complete the following fields, and click Next.

    Field Description

    Name

    Display name for the campaign.

    Description

    Optional. Enter a general description for the certification campaign. Your company should follow a descriptive convention to describe each of your events.

    Campaign Owner

    Enter the owner(s) of the certification campaign event. Only certification owners can fully control their certifications, including certification decisions, certifier assignment changes, sign off, and more.

What to certify

This section defines what to certify as part of this campaign.

  1. On the New Certification Event modal, select any or all of the following:

    • Accounts — The user accounts in the external applications.

    • Entitlements — The authorization (privileges) the user has in the external applications.

    • Roles — The Advanced Identity Cloud roles a user is a member of.

      Depending on your selection, the estimated total of applications, accounts, and entitlements subject to this certification are displayed at the bottom of the page:

      • If you selected Accounts: Applications and accounts totals are displayed.

      • If you selected Entitlements: Applications and entitlements totals are displayed.

      • If you selected Roles: Roles totals are displayed.

  2. Complete the following fields, and click Next.

    Field Description

    Applications

    Certify one of the following:

    • All applications

    • Specific applications — If you select this, an additional box displays to select which Applications to certify.

    • Applications matching a specific filter — Create a filter to certify specific applications.

    Accounts

    Displays if you select Accounts in step 1. Select one of the following:

    • All accounts in selected applications.

    • Accounts matching a filter - Create a filter for accounts that match the filter.

    Entitlements

    Displays if you select Entitlements in step 1.

    Certify one of the following:

    • All entitlements

    • Entitlements matching a filter — Create a filter to match specific entitlements.

      If you create a governance glossary attribute and populate the attribute you create on the onboarded entitlement(s), you can filter on the attribute(s) you create. For more information, refer to Create an entitlement glossary attribute.

    Roles

    Displays if you select Roles in step 1.

    Certify one of the following:

    • All roles

    • Roles matching a filter — Create a filter to certify specific roles.

      If you create a governance glossary attribute and populate the attribute you create on roles, you can filter on the attribute(s) you create. For more information, refer to Create a role glossary attribute.

    Exclude access granted only from a role

    Displays if you select Accounts or Entitlements in step 1. Excludes account and entitlement line items that are granted only through a role. Enabled by default.

    Identity Governance cannot certify or revoke an application or entitlement from an end user when they are granted access through a role; therefore, excluding these line items can help reduce unnecessary information in the certification.

    For more information, refer to Decisions change based on how you grant access.

    Filter by last certification decision

    Set a filter when one of the following conditions are met. The decision properties are:

    • Campaign ID

    • Completion date[.label]

    • Status

    • Decision

    Click to add the rule to your filter.

Duration

The Duration section lets the administrator specify when to kick off the review process (campaign) and what to do in the event the campaign expires.

  • Complete the following fields, and click Next.

    Field Description

    Duration

    Specify the amount of time each access review (campaign) has before expiration. You can specify the duration in days, weeks, months, or years.

    When Campaign Expires

    Select a behavior to handle the open access review (campaign) line items when the campaign expires:

    • Close <selection> open items - Complete the items using the given information after the campaign expires. The administrator can select what decision to add to the item (certify, revoke, and allow exception to) and when that decision takes effect. The decision can take effect immediately or after a duration (in days).

    • Reassign to - Select a given user or role that the access review (campaign) is reassigned to after the expiration date. The campaign will not be closed.

    • Do Nothing - No action will be taken, and the line items will remain in progress.

Who will Certify

This section allows you to specify the users that review and make decisions about the items you defined in the What to Certify section.

  • Complete the following fields, and click Next.

    Field Description

    Certifier Type

    Specify who can review and certify user access by selecting one of the following:

    • User — Select a single user to review and make a decision on every record. When you select this, a Select user box displays. Select the user who will certify the campaign.

    • Role — Select a role that allows any of its members to review every record. When you select this, a Select a role box displays. Select a role from the list of the created roles in Advanced Identity Cloud.

    • Manager — The user’s manager becomes the certifier of their data (also known as a line item).

    Enable default certifiers

    Select a certifier to assign in case an access review (campaign) line item is not assigned a certifier. For example, if the manager is the certifier and the user has no manager defined, then the default certifier will be assigned the access review for this user.

Notifications

This optional section allows you to send email notifications when one or more campaign events are triggered. For example, when a campaign is about to expire or when a certifier is reassigned.

  1. Define an email template for each selected notification. Each notification requires an associated email template.

    1. From the left navigation pane in the Advanced Identity Cloud admin UI, go to Email > Templates. For more information, refer to Email templates.

      There are preset email templates created for certification templates. Use these as a base, copy the email template, and customize them to suit your needs.
  2. Select any of the notification types, and then click Next.

    Field Description

    Send initial notification

    Send a notification any time a certifier is assigned to a line item.

    Send reassign notification

    Send to a new certifier when a line item in an access review (campaign) is reassigned or forwarded to them.

    Send expiration notification

    Send a reminder notification to the certifiers before a campaign expires. Select the number of days, before the campaign expires, to send the reminder.

    Send reminders

    Send a notification to remind certifiers to take action on access review (campaign) line items. Select the number of days, weeks, months, or years to send the reminder.

    Enable escalation

    Send an escalation notification to specific recipients that certifiers have not completed their actions on a campaign. When selected, an additional Escalation Owner box displays. Select the number of days, weeks, months, or years and the user to send the escalation to.

Additional options

This optional section allows you to configure other options for a campaign, such as performing bulk certifications or reassigning tasks to another user or group.

  1. Complete the following optional fields, and then click Next.

    Field Description

    Allow self-certification

    Allows select individuals to certify their own data.

    The options to choose from are:

    • All certifiers - Users who are certifying the access review (campaign) can certify their own access.

    • Owners and administrators - Users who are campaign owners or tenant administrators can certify their own access.

    Enable line item reassignment and delegation

    Allow the certifier to reassign or forward a line item to another user.

    When you select this box, you can choose the following options:

    • Forward - Allow certifiers to forward their access review (campaign) to another certifier. When forwarding an access review, other certifiers are removed from the access review in its entirety. For more information, refer to forward line items.

    • Reassign - Select the privileges the current certifier can assign to the new certifier:

      • Add Comment

      • Make Decision

      • Reassign/Forward

      • Sign off

        For context on how you use this as a certifier, refer to reassign line items.

    Allow exceptions

    Allow certifiers to continue to certify line items assigned to them after the campaign expires. Select a duration in days, months, weeks, or years.

    Allow bulk-decisions

    Allow certifiers to make line item decisions in bulk.

    This includes:

    • Making a decision (certify, revoke, exception).

    • If Enable line item reassignment and delegation is enabled, then you can bulk Reassign and/or Forward line items.

    As an administrator, most access reviews require an in-depth look on each line item. This is to ensure accuracy of each item. Bulk-decisions allow for a certifier to make a decision on many items at once, which could lead to inaccurate data. Use caution when selecting this option.

    Allow partial sign-off

    Allow a certifier to sign-off on an access review before their assigned line items have a decision made on them.

    Process remediation

    Revokes the end user’s access in the target application when a certifier revokes (denies) the line item. Select a workflow to run either immediately after revocation of access or after a duration.

    To ensure end-user access is removed when revoking a line item, you must enable this property.

Summary

The Summary section is the final section in creating a template. It gives a breakdown of each section in the template, allowing for a review.

Summary steps:

  1. Review each section.

  2. Click Save to complete the template. Your event appears on the Events page.

    Under the What to Certify review section, ensure that the Total Decision Items is greater than 0. If you identify that this is 0, this means that the template did not identify items to be certified. Therefore, if you create the campaign off of the template, the system will immediately cancel the campaign. If you identify this to be 0, go back to the What to Certify section and adjust your settings.