One of IDHub's advanced features is 'Access Review', commonly known as 'Certifications'.
What are Certifications?
When existing access needs to be reviewed for any or all employees in the organisation, this function lets you set up custom tasks for 'Certifiers' (or Access Reviewers) to make sure that the 'Right Person has Right Access to Right systems', which is the soul of the IDHub product.
Who can perform Certifications?
Currently, all users with the role 'System Administrator' are able to create and manage Certification definitions (a definition holds the details of an individual Certification).
What information is asked for when defining a Certification?
The system asks for the following information:
- Certification Workflow (A customised workflow can be created to approve/reject/fulfill certification tasks)
- Select Users to be included in Certification
- Select Resources to be included in Certification (Application or Roles or Entitlements) - This can be done via a condition as well
- Selecting your certifiers (Can be managers of the beneficiaries or a role or user or otherwise)
- Scheduling your certification (If any)
- Custom Certification Configurations
- Alternate Certifiers (if any)
- Trigger settings (Any method by which the certification is triggered - if any)
How can I create a Certification definition?
Click on 'Certification' in the left menu to open the Certification List View page (see below).
To create a new definition, click on 'Create Certification' in the header.
Certifications can be 'User' based or 'Resource' based. Choose as desired and choose an Approval Workflow (see above image).
Next, select your user base, either by manually selecting each name or by entering a rule query that fetches all user names matching that query.
Once the user selection is completed, the next step is to choose a Resource.
Similar to user selection, resource selection can be done manually one at a time or via a rule query (see image above).
Once that is completed, choose the Certifiers who will certify whether the beneficiary of any application, entitlement or role really requires it or not.
If this definition is a recurring occurrence, specify a scheduled job time for running it. Adding this scheduler is not mandatory.
Next up are the advanced configurations for the certification, which you need to enter if applicable.
You can also include a 'Trigger', based on which the certification definition can be triggered in case of any change.
You can also add Alternate Certifiers in case they are needed.
This completes all the information that is required to create a new definition. A summary view will show how your certification looks (see below).
Click on 'Create' to create the new certification definition.
How does the certification process work?
Once a certification definition is created, the system waits for the trigger, the scheduler or a manual request for the certification to be run.
A certification is run by:
- Trigger functionality - set while creating the certification definition
- Scheduler functionality - set while creating the certification definition
- Manual Run - from the Certification List page
Any of these events runs the certification approval process, and the task is moved through the workflow to complete the approval of triggering tasks for 'Certifiers'.
Upon completion of the approval process, the certification tasks are provided to each certifier based on the logic added while creating the certification.
User Access Certification Tasks
For User based Certifications, tasks are different from the other type.
As you can see, a user-specific task is created in which every Certifier is required to Certify/Reject the existing list of accesses that the user has.
Resource Assignment Certification Tasks
These are resource-specific tasks.
Here the certifier needs to choose which users will retain access to the particular catalog type (Application, Entitlement or Role).
Once completed, the certifier needs to click on 'Complete' for the system to make changes based on the actions taken by the Certifier.
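The two task shapes described above can be modelled outside the product. The following is an added example, not IDHub code or its API: it groups the same access assignments into user-based and resource-based review tasks and applies Certify/Reject decisions. The sample users, resources, the certifier 'frank', the function names, the treatment of Reject as a revocation, and the refusal to complete a task with undecided items are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from IDHub): current access and reporting lines.
ASSIGNMENTS = [("alice", "app:Payroll"), ("alice", "role:Finance-Approver"),
               ("bob", "app:Payroll"), ("bob", "entitlement:VPN-Admin"),
               ("carol", "app:Payroll")]
MANAGER_OF = {"alice": "dana", "bob": "dana", "carol": "erin"}


def build_tasks(kind, assignments, certifier_for):
    """Group assignments into one review task per user or per resource."""
    if kind not in ("user", "resource"):
        raise ValueError("kind must be 'user' or 'resource'")
    grouped = defaultdict(list)
    for user, resource in assignments:
        if kind == "user":
            grouped[user].append(resource)   # certifier reviews a user's accesses
        else:
            grouped[resource].append(user)   # certifier reviews a resource's users
    return [{"kind": kind, "subject": subject,
             "certifier": certifier_for(subject), "items": sorted(items)}
            for subject, items in sorted(grouped.items())]


def complete(task, decisions):
    """Apply decisions on 'Complete'; assumption: undecided items block completion."""
    missing = [i for i in task["items"]
               if decisions.get(i) not in ("certify", "reject")]
    if missing:
        raise ValueError(f"undecided items: {missing}")

    def pair(item):
        # Normalise both task shapes back to (user, resource).
        if task["kind"] == "user":
            return (task["subject"], item)
        return (item, task["subject"])

    keep = [pair(i) for i in task["items"] if decisions[i] == "certify"]
    revoke = [pair(i) for i in task["items"] if decisions[i] == "reject"]
    return keep, revoke


if __name__ == "__main__":
    # User-based: the beneficiary's manager certifies. Resource-based: a named user.
    user_tasks = build_tasks("user", ASSIGNMENTS, MANAGER_OF.get)
    resource_tasks = build_tasks("resource", ASSIGNMENTS, lambda r: "frank")
    for task in user_tasks + resource_tasks:
        print(task)
    print(complete(user_tasks[1], {"app:Payroll": "certify",
                                   "entitlement:VPN-Admin": "reject"}))
```
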