Certification: the process of automating the periodic review and approval of the access held by identities, roles, applications and similar objects. Put differently: the access of identities is reviewed and managed by designated reviewers.
Overview:
- What access reviews are (definition and overview)
- Types of certifications
- Certification lifecycle
- Certification configuration
- Making certification decisions
- Certification completion
# Overall Process
- IdentityIQ collects data, formats the information into an interactive access review and routes it to the appropriate reviewers.
- Each access review is annotated in descriptive business language, highlighting changes, flagging anomalies and calling out policy violations where they appear.
- These access reviews enable reviewers to approve access for identities, roles and/or account groups and to take corrective action, such as revoking entitlements that violate policy.
- Reviewers can also forward, reassign or delegate all or part of a certification to another reviewer.
| Certification Type | Purpose | Certification Entity Type |
|---|---|---|
| Targeted | Certifies accounts, roles and entitlements of identities (selected by rule / filter / population) by a selected certifier | Identity |
| Manager | Manager verifies that direct reports have the correct access | Identity |
| Application Owner | Application owner checks that the identities accessing an application have proper access to it | Identity |
| Entitlement Owner | Entitlement owner checks that the identities holding the entitlement are correct | DataOwner |
| Role Membership | Role owner certifies the members of the role (i.e., the list of identities connected to a specific role) | Identity |
| Role Composition | Role owner certifies the entitlements that make up a role (i.e., the entitlements encapsulated within the role) | Business Role |
| Account Group Permission | Group owner certifies the actual entitlements / permissions granted to a group (for an AD group: its memberOf) | AccountGroup |
| Account Group Membership | Group owner certifies the members of a group (for an AD group: its members) | AccountGroup |
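The overall process above (collect data, annotate it with changes and violations, route it to reviewers, allow reassignment) and the difference between a Manager and an Application Owner certification in the table can be shown on a small constructed data set. The following is an added illustration, not SailPoint IdentityIQ code or its API: the identities, entitlements, owners, previous snapshot and the SoD rule are made-up sample data, and the function names are assumptions.

```python
"""Constructed model of how an access certification is assembled and routed.

Added illustration only, not SailPoint IdentityIQ code or its API. The
identities, entitlements, owners and the SoD policy are made-up sample data.
"""
from collections import defaultdict

# Constructed identity data: manager and held entitlements as (application, value).
IDENTITIES = {
    "alice": {"manager": "bob",  "entitlements": {("AD", "Domain Admins"), ("SAP", "AP_CLERK")}},
    "carol": {"manager": "bob",  "entitlements": {("SAP", "AP_CLERK"), ("SAP", "AP_APPROVER")}},
    "dave":  {"manager": "erin", "entitlements": {("AD", "VPN_Users")}},
}

# Constructed snapshot of what each identity held at the previous certification.
PREVIOUS = {
    "alice": {("SAP", "AP_CLERK")},
    "carol": {("SAP", "AP_CLERK")},
    "dave":  {("AD", "VPN_Users")},
}

# Constructed separation-of-duties policy: entitlement sets that must not be held together.
SOD_RULES = [
    ({("SAP", "AP_CLERK"), ("SAP", "AP_APPROVER")}, "SOD-AP-01: AP clerk and AP approver"),
]

# Constructed application owners (assumed names).
APP_OWNERS = {"AD": "frank", "SAP": "grace"}


def annotate(identity):
    """Describe one identity's access: what is new since the last review and
    which policy violations it triggers, in the terms a reviewer needs."""
    held = IDENTITIES[identity]["entitlements"]
    new_since_last = held - PREVIOUS.get(identity, set())
    violations = [name for combo, name in SOD_RULES if combo <= held]
    return {
        "entitlements": sorted(held),
        "new": sorted(new_since_last),
        "violations": violations,
    }


def manager_certification():
    """Manager type: each manager receives one access review covering all
    access of their direct reports."""
    reviews = defaultdict(dict)
    for ident, data in IDENTITIES.items():
        reviews[data["manager"]][ident] = annotate(ident)
    return dict(reviews)


def application_owner_certification():
    """Application Owner type: each owner sees only the entitlements on their
    own application, across all identities that hold any."""
    reviews = defaultdict(lambda: defaultdict(list))
    for ident, data in IDENTITIES.items():
        for app, value in sorted(data["entitlements"]):
            reviews[APP_OWNERS[app]][ident].append(value)
    return {owner: dict(items) for owner, items in reviews.items()}


def reassign(reviews, from_reviewer, to_reviewer, identities):
    """Reassign part of one reviewer's access review to another reviewer;
    identities not in from_reviewer's review are ignored."""
    source = reviews[from_reviewer]
    moved = {i: source.pop(i) for i in identities if i in source}
    reviews.setdefault(to_reviewer, {}).update(moved)
    return reviews


if __name__ == "__main__":
    for manager, items in manager_certification().items():
        for ident, review in items.items():
            print(f"{manager} reviews {ident}: new={review['new']} violations={review['violations']}")
```

The same identity data yields two different review shapes: the manager sees everything a report holds, annotated with what changed and which SoD rule fires, while each application owner sees only their own application's slice. That slicing is the whole difference between the certification types in the table, and it is why a single entitlement can legitimately be reviewed twice by different certifiers.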
Certification Lifecycle:
1. Generation Phase:
- This phase covers configuring the certification parameters on the Basic, Lifecycle, Notifications, Behaviour and Advanced pages of the UI.
- The combination of these parameter values determines which phases the certification goes through.
- Parameters such as the certification owner, certification frequency and notification scenarios are defined in this phase.
2. Active Phase:
- During the Active phase the certifiers are required to make their decisions (approve / revoke).
- Delegations and reassignments, if any, need to be completed during this phase.
- Users may challenge revoke decisions (configurable; see the Challenge phase below).
- The Active period duration is set on the Lifecycle page.
- Reminders and escalations in the Active phase:
- By default, reminders go to the certifiers.
- Additional recipients, or custom logic for sending reminder emails, can be configured if required.
3. Challenge Phase (Optional):
- The Challenge phase starts when the Active period duration is over.
- In the Challenge phase, a user whose access is affected by a reviewer's decision can challenge that decision.
- It is enabled only if the "Enable Challenge Period" option was selected on the Lifecycle page.
4. Sign-Off Phase:
- The Sign-Off phase starts at the end of the Challenge phase (or at the end of the Active phase when no Challenge period is enabled).
- Once the Sign Off button is clicked, reviewers can make no further changes to the access review.
- Depending on the parameters selected in the Generation phase, the next phase is either the Revocation phase or the End phase.
5. Remediation / Revocation Phase (Optional):
- In this phase the remediation action (e.g. revocation of access rights) is performed on the source application through the provisioning mechanism, manually or automatically.
- Remediation generally consists of sending email messages and creating work items for resource owners to act on.
- When a Revocation Period is enabled, IdentityIQ monitors the status of remediation requests; when it is not enabled, remediation requests are submitted for processing but are not tracked.
6. End Phase:
- The access review reaches its End phase when all phases configured for it have passed their end date, or when all actions required by the configured process are complete.
- If a certification has neither a Challenge nor a Revocation period enabled, clicking Sign Off initiates the End phase.
- If a Revocation period is enabled, the End phase starts only once all remediation requests have been completed or when the Revocation period's end date passes.
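The phase sequence above depends on which periods were enabled in the Generation phase, and the End phase has two different triggers when a Revocation period exists. The following added example models those transitions as a small state machine so the rules can be checked against concrete dates. It is an illustration written for this page, not IdentityIQ's own objects or API: the class and field names, the day-granular dates, the sample items and the start date are assumptions.

```python
"""Constructed model of the certification phase sequence described above.

Added illustration only: the phase names follow the text, but the class and
field names, the day-granular dates and the sample items are assumptions and
are not SailPoint IdentityIQ's own objects or API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

START = date(2024, 1, 1)          # assumed generation date of the sample certification


def day(n):
    """Convenience: the date n days after START."""
    return START + timedelta(days=n)


@dataclass
class CertConfig:
    """Lifecycle-page settings as modelled here (field names are assumptions)."""
    active_days: int = 14
    challenge_days: int = 0       # 0 means "Enable Challenge Period" was not selected
    revocation_days: int = 0      # 0 means no Revocation Period: requests are not tracked


@dataclass
class Certification:
    config: CertConfig
    created: date
    decisions: dict = field(default_factory=dict)        # item -> "approve" | "revoke"
    challenged: set = field(default_factory=set)         # items whose revoke was challenged
    signed_off_on: Optional[date] = None
    open_remediations: set = field(default_factory=set)  # tracked only with a Revocation Period

    @property
    def active_end(self):
        return self.created + timedelta(days=self.config.active_days)

    @property
    def challenge_end(self):
        # Equals active_end when no challenge period is configured.
        return self.active_end + timedelta(days=self.config.challenge_days)

    def phase_on(self, today):
        """Phase the certification is in on a given date, given its config and
        what has happened so far (sign-off, remediation progress)."""
        if today < self.active_end:
            return "Active"
        if today < self.challenge_end:
            return "Challenge"
        if self.signed_off_on is None:
            return "Sign-off"
        if self.config.revocation_days:
            revocation_end = self.signed_off_on + timedelta(days=self.config.revocation_days)
            # Revocation phase ends when everything completes OR the period expires.
            if self.open_remediations and today < revocation_end:
                return "Revocation"
        return "End"

    def decide(self, item, decision, today):
        """Certifier decision; accepted only while the certification is Active."""
        if self.phase_on(today) != "Active":
            raise ValueError("decisions are only accepted in the Active phase")
        if decision not in ("approve", "revoke"):
            raise ValueError(f"unknown decision {decision!r}")
        self.decisions[item] = decision

    def challenge(self, item, today):
        """Affected user challenges a revoke decision during the Challenge phase.
        Resolving the challenge (certifier upholds or reverses) is outside this model."""
        if self.phase_on(today) != "Challenge":
            raise ValueError("challenges are only accepted in the Challenge phase")
        if self.decisions.get(item) != "revoke":
            raise ValueError("only revoke decisions can be challenged")
        self.challenged.add(item)

    def sign_off(self, today):
        """Freeze the access review and submit revocations for provisioning.
        Returns the items submitted; they are tracked only with a Revocation Period."""
        if self.phase_on(today) != "Sign-off":
            raise ValueError("sign-off is only possible once the Active/Challenge periods are over")
        self.signed_off_on = today
        revoked = {item for item, d in self.decisions.items() if d == "revoke"}
        if self.config.revocation_days:
            self.open_remediations = set(revoked)
        return revoked

    def complete_remediation(self, item):
        """Provisioning reports the revocation done; may move the cert to End."""
        self.open_remediations.discard(item)
```

The practitioner's check this makes visible: without a Revocation period, sign-off goes straight to End and the revocations are submitted without being tracked, so nothing in the certification itself tells you whether the access was actually removed. Enabling the Revocation period keeps the certification open until every request completes or the period expires, which is the closed loop an auditor expects.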