Certification is the process of reviewing user entitlements and access privileges within an enterprise to ensure that users have not acquired entitlements they are not authorized to have. It also involves either approving (certifying) or rejecting (revoking) each access privilege.
There are four certification types:

| S No. | Certification Type | Description | Paradigm |
|---|---|---|---|
| 1 | User Certification | Allows line-of-business managers to certify employee access to roles, accounts, and entitlements. | User-centric / Business-oriented |
| 2 | Role Certification | Allows role owners to certify role content and/or role members. Also certifies the access policies associated with each role. | Privilege-centric / Technical |
| 3 | Application Instance Certification | Allows the person responsible for a particular system or application to review the set of users who have accounts on that system or application. | Privilege-centric / Technical |
| 4 | Entitlement Certification | Allows entitlement owners to certify user accounts that have a particular privilege. | Privilege-centric / Technical |
There are two main global admin roles:
Certification Administrator: Grants the assignee super-user privileges for the certification feature. Grants access to the certification configuration and scheduler, and full access to certifications, so the assignee can view or take action on any certification.
Certification Viewer: A read-only role, allowing a compliance administrator to view new, in-progress, and completed certifications.
a) Default certification options can be chosen on the Certification Configuration screen. The process is tightly controlled: businesses can prevent self-certification, decide whether to allow delegation of the certification process, enable collaborative certification with multi-phased review, enable closed-loop remediation, and so on.
Note: Allow multi-phased review applies only to user certification. It combines, within a single certification, the perspectives of business-oriented and technical reviewers, and lets a certifier retain overall responsibility while delegating decisions to others. Phases are optional.
As a part of the certification configuration, we can select a certification composite that defines the certification oversight workflow. A certification composite is a SOA workflow that the certification server launches for each primary reviewer, or delegated reviewer, during a phase of certification.
b) On the Certification Definition screen, definitions for the User, Role, Application Instance and Entitlement entities can be created. Let's create a user certification definition to see the different options available.
Page 1 "Base selection" result: the list of users to review.
Page 2 "Content" result: for each user, review all assignments.
Note: Include accounts with no certifiable attributes: this helps with checking for orphan accounts, among other things.
General Configuration options, which can override the settings on the Certification Configuration page: Delegation and reassignment, Choose Reviewer, Enable incremental certification.
Incremental certification is a setting that allows managers to certify only those changes that are new since the last certification was created. This option is available if the certifier and certification type have not changed since the last certification.
Enabling the Show Previous Values option displays, for every current value that also existed in a previous certification, the last decision taken on that access.
A scheduled job can also be created to run the certification definition.
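The interaction between incremental certification and Show Previous Values is easy to get wrong, so here is a small model of it. This is an added example, not OIM code: the `Assignment`, `Certification` and `build_line_items` names and the "certified"/"revoked" decision labels are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Assignment:
    """One certifiable line item: a user's role, account or entitlement."""
    user: str
    kind: str    # "role", "account" or "entitlement"
    value: str

@dataclass
class Certification:
    certifier: str
    cert_type: str    # e.g. "user"
    decisions: dict   # Assignment -> "certified" | "revoked"

@dataclass
class LineItem:
    assignment: Assignment
    previous_decision: Optional[str]   # set only when Show Previous Values is on

def build_line_items(current, previous, certifier, cert_type,
                     incremental, show_previous):
    """Decide which assignments a new certification presents for review."""
    # Incremental mode is only honoured when certifier and type are unchanged;
    # otherwise the run falls back to a full review of every assignment.
    same_scope = (previous is not None and previous.certifier == certifier
                  and previous.cert_type == cert_type)
    if incremental and same_scope:
        to_review = {a for a in current if a not in previous.decisions}
    else:
        to_review = set(current)
    items = []
    for a in sorted(to_review, key=lambda x: (x.user, x.kind, x.value)):
        prev = previous.decisions.get(a) if (show_previous and previous) else None
        items.append(LineItem(a, prev))
    return items

# Constructed sample: last quarter's decisions and today's assignments for "bob".
PREVIOUS = Certification("mgr.alice", "user", {
    Assignment("bob", "role", "Finance Analyst"): "certified",
    Assignment("bob", "entitlement", "GL_POST"): "revoked",
})
CURRENT = {
    Assignment("bob", "role", "Finance Analyst"),
    Assignment("bob", "entitlement", "GL_POST"),   # still present after a revoke
    Assignment("bob", "account", "SAP-PROD"),      # new since the last run
}
```

Note the caveat the sample exposes: in incremental mode the previously revoked `GL_POST` entitlement that is still present is not shown again, because only new assignments are selected; it is the full review with Show Previous Values that surfaces the stale revoke decision.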
c) Event Listeners detect modifications of OIM users (individually or in bulk) and store the event details for certification as Certification Event Triggers.
> The Certification Event Trigger Task should be executed to process the Certification Event Triggers, which generates user certifications or application instance certifications.
> An event listener contains a ruleset and a certification definition.
o A ruleset contains one or more rules.
o A rule tests one or more conditions and specifies an action to take if its conditions are met.
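To make the listener, ruleset and trigger relationship concrete, here is an added model of how a ruleset turns user modification events into Certification Event Triggers. It is not OIM's API: the `Rule`, `RuleSet`, `evaluate` names, the condition helpers and the certification definition names are assumptions, and the events are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Change = Tuple[str, str]   # (old value, new value) of one user attribute

@dataclass
class UserModificationEvent:
    user_id: str
    changes: Dict[str, Change]   # attribute name -> (old, new)

@dataclass
class Rule:
    name: str
    conditions: List[Callable[[UserModificationEvent], bool]]
    action: str   # certification definition to launch when all conditions hold

@dataclass
class RuleSet:
    rules: List[Rule]

@dataclass(frozen=True)
class CertificationEventTrigger:
    user_id: str
    rule: str
    cert_definition: str

def attribute_changed(attr):
    """True only if the attribute is in the event and its value really changed."""
    return lambda ev: attr in ev.changes and ev.changes[attr][0] != ev.changes[attr][1]

def attribute_becomes(attr, value):
    return lambda ev: ev.changes.get(attr, (None, None))[1] == value

def evaluate(ruleset, events):
    """Store one trigger per (event, matching rule); every condition must hold."""
    triggers = []
    for ev in events:
        for rule in ruleset.rules:
            if all(cond(ev) for cond in rule.conditions):
                triggers.append(CertificationEventTrigger(ev.user_id, rule.name, rule.action))
    return triggers

# Constructed ruleset and a bulk modification of three users.
RULESET = RuleSet([
    Rule("manager-change", [attribute_changed("manager")], "UserCert-ManagerTransfer"),
    Rule("moved-to-finance", [attribute_changed("department"),
                              attribute_becomes("department", "Finance")], "UserCert-FinanceDept"),
])
EVENTS = [
    UserModificationEvent("u100", {"manager": ("m1", "m2")}),
    UserModificationEvent("u200", {"department": ("Sales", "Finance"), "manager": ("m3", "m3")}),
    UserModificationEvent("u300", {"title": ("Analyst", "Senior Analyst")}),
]
```

The `u200` event carries a manager attribute whose value did not actually change, so only the department rule fires for it; a listener that tested mere attribute presence would generate a spurious manager-transfer certification.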
d) The Risk Configurations screen can be used to define risks.
Run the Risk Aggregation job (a scheduled job), which processes item-risk levels and risk-factor levels and calculates Risk Summaries for each higher-order object that supports identity certification. When the Risk Aggregation job runs, it calculates the risk of all users in Oracle Identity Manager that have been updated.
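An added worked example of the aggregation step described above, not OIM's own job: item-risk and risk-factor levels roll up into a per-user Risk Summary, and only users flagged as updated are recalculated. The "highest level wins" rule, the three-level scale and the factor names are assumptions; the users and items are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

RISK_LEVEL = {"low": 1, "medium": 2, "high": 3}
LEVEL_NAME = {v: k for k, v in RISK_LEVEL.items()}

@dataclass
class RiskItem:
    """A certifiable item (role/account/entitlement) with its own risk level and
    any risk-factor levels assigned to it (factor names are assumed, not OIM's)."""
    name: str
    item_risk: str
    risk_factors: Dict[str, str]   # factor name -> "low" | "medium" | "high"

@dataclass
class User:
    user_id: str
    items: List[RiskItem]
    updated: bool = True   # only users updated since the last run are recalculated

def item_risk_summary(item):
    """Assumed rule: an item's summary is the highest of its own level and its factors."""
    levels = [RISK_LEVEL[item.item_risk]] + [RISK_LEVEL[v] for v in item.risk_factors.values()]
    return max(levels)

def aggregate(users, previous_summaries):
    """Risk Summary of a user = highest item summary; untouched users keep the old value."""
    summaries = dict(previous_summaries)
    for u in users:
        if not u.updated:
            continue
        highest = max((item_risk_summary(i) for i in u.items), default=RISK_LEVEL["low"])
        summaries[u.user_id] = LEVEL_NAME[highest]
    return summaries

# Constructed input: one updated user with a medium item carrying a high factor,
# one unchanged user, and one updated user who has lost every item.
USERS = [
    User("u1", [RiskItem("SAP-PROD account", "medium", {"open_audit_violation": "high"}),
                RiskItem("Reader role", "low", {})]),
    User("u2", [RiskItem("Admin role", "high", {})], updated=False),
    User("u3", []),
]
PREVIOUS_SUMMARIES = {"u1": "low", "u2": "low", "u3": "high"}
```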
Other things relevant to Identity Certifications are:
a) Oversee Certification: Certification oversight is the activity of reviewing, and possibly overriding, the decisions of the primary reviewer within the scope of a particular primary-review task. A person (who must be an OIM user) who has the opportunity to override the certification decisions of a primary reviewer, or of any previous overseer, within the scope of a particular primary-review task is called an overseer.
b) Offline Certifications: Certifications can also be done in OFFLINE mode (applicable ONLY to User Certifications).
  a) The Interactive Excel option on the Certification Configuration page should be enabled.
  b) The user must have Microsoft Excel 2007 or 2010.
  c) Use the Download to Editable Excel option available in the Actions menu of the certification detail, and open the file with Microsoft Office Excel.
  d) Make your decisions and use Save to Server.