Certification Events example

  • 7011038
  • 14-Nov-2011
  • 01-Nov-2012

Environment

Access Governance

Resolution

The 5.2 release's certification UI page includes three tabs: Certifications, Certification Schedules, and (new in 5.2) Certification Events. The Certification Events tab manages the objects that trigger a certification definition. Access Governance Suite's identity processing logic checks each identity against the configured triggers and, when one matches, generates a manager certification.

This feature meets a common business requirement to (re)certify an identity after a change. While scheduled certifications generate proper reviews,
a periodic certification (usually over a large population) may not meet the needs of special, event-driven scenarios.

As an example, consider the (artificial) scenario of certifying an identity whenever that identity's email value changes. Also assume that the identity's email value comes from an application account attribute.

In a standard Access Governance Suite 5.2 environment, start by building a new trigger via the "New Certification Event" link in the "Certification Events" tab. The initial screen configures the trigger. Name the trigger, set the event type to "Attribute Change" (note the other supported types), set "Attribute" to "Email", set "New Value Filter" to "Hello" (for the purposes of this example; the trigger then fires only when the email changes to a value matching that filter), assign a certifier manually ("spadmin"), and leave the "Disabled" checkbox clear (i.e., the trigger is enabled). The remaining screens customize a standard (identity) certification. Click "Save Event" to save the trigger and certification configuration.
The "Debug" page then shows two new object types ("IdentityTrigger" and "CertificationDefinition"), both carrying the event name.

The next (optional) step enables the audit actions associated with certification events. The "Audit Configuration" tab under the "System Setup" page lists the available actions. Enable the "Run Task", "Start Workflow Process", and "Identity Event" actions, plus the "Email" action under "Identity Attribute Changes".

Once that is done, change the value through the aggregation and refresh tasks. The aggregation task pulls the new values from the application accounts; it also stores a "triggerSnapshots" element in the identity object to hold the prior values. The refresh task updates identity attributes from the aggregated values. The refresh task also offers a "Process events" option that scans for, and processes, identities carrying "triggerSnapshots" elements; the option must be selected for the triggers to be evaluated. When the refresh is run with that option, the new certification appears and an audit search shows the Access Governance Suite actions ("run", "identityLifeCycleEvent"). When "Email" maps back to an account attribute in a schema marked as an "entitlement", the manager certification displays the value.
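To make the trigger evaluation concrete, the following is an added, stand-alone model of the steps above. It is illustrative code written for this article, not Access Governance Suite or IdentityIQ code: it represents an IdentityTrigger as configured on the "New Certification Event" screen (attribute, "New Value Filter", certifier, "Disabled" flag), gives each identity a "triggerSnapshots"-style map of prior values as the aggregation task would, and models the refresh task's "Process events" pass that compares current values with the snapshot, creates a certification request for the certifier, and records the "run" and "identityLifeCycleEvent" audit actions. The exact-match semantics of the filter, the clearing of the snapshot after processing, the audit target strings, and all identity names and email values are assumptions constructed for the example.

```python
"""Model of event-driven certification triggers (illustration, not product code).

Assumptions made here and not taken from the product: "New Value Filter" is an
exact match on the new value, a consumed snapshot is cleared so the same change
does not fire twice, and the audit target strings are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IdentityTrigger:
    """Settings captured by the 'New Certification Event' screen."""
    name: str
    attribute: str                   # watched identity attribute, e.g. "email"
    new_value_filter: Optional[str]  # None: any change fires (assumption)
    certifier: str = "spadmin"       # manually assigned certifier
    disabled: bool = False           # the "Disabled" checkbox


@dataclass
class Identity:
    name: str
    attributes: Dict[str, str]
    # Prior values stored by aggregation (the "triggerSnapshots" element);
    # None when aggregation saw no change for this identity.
    trigger_snapshot: Optional[Dict[str, str]] = None


@dataclass
class CertificationRequest:
    trigger: str
    identity: str
    attribute: str
    old_value: Optional[str]
    new_value: Optional[str]
    certifier: str


def trigger_fires(trigger: IdentityTrigger, identity: Identity) -> bool:
    """True when the watched attribute changed in a way the trigger accepts."""
    if trigger.disabled or identity.trigger_snapshot is None:
        return False
    old = identity.trigger_snapshot.get(trigger.attribute)
    new = identity.attributes.get(trigger.attribute)
    if old == new:
        return False  # watched attribute did not change
    if trigger.new_value_filter is not None and new != trigger.new_value_filter:
        return False  # changed, but not to the filtered value
    return True


def process_events(identities: List[Identity],
                   triggers: List[IdentityTrigger]
                   ) -> Tuple[List[CertificationRequest], List[Tuple[str, str]]]:
    """Model the refresh task's 'Process events' option."""
    certs: List[CertificationRequest] = []
    audit = [("run", "Identity Refresh")]  # task start shows as a 'run' action
    for ident in identities:
        if ident.trigger_snapshot is None:
            continue  # nothing was aggregated for this identity
        for trig in triggers:
            if trigger_fires(trig, ident):
                certs.append(CertificationRequest(
                    trigger=trig.name, identity=ident.name,
                    attribute=trig.attribute,
                    old_value=ident.trigger_snapshot.get(trig.attribute),
                    new_value=ident.attributes.get(trig.attribute),
                    certifier=trig.certifier))
                audit.append(("identityLifeCycleEvent",
                              f"{ident.name}:{trig.name}"))
        ident.trigger_snapshot = None  # consumed (assumption: avoids re-firing)
    return certs, audit


def build_sample() -> Tuple[List[Identity], List[IdentityTrigger]]:
    """Constructed sample data; none of it comes from a real environment."""
    email_trigger = IdentityTrigger("Email change cert", "email", "Hello")
    off_trigger = IdentityTrigger("Disabled trigger", "email", None, disabled=True)
    identities = [
        Identity("alice", {"email": "Hello"}, {"email": "alice@old.example"}),   # matches filter
        Identity("bob", {"email": "bob@example.test"}, {"email": "bob@example.test"}),  # unchanged
        Identity("carol", {"email": "Other"}, {"email": "carol@old.example"}),   # filter miss
        Identity("dave", {"email": "Hello"}, None),                              # no snapshot
    ]
    return identities, [email_trigger, off_trigger]


def run_sample() -> Tuple[List[CertificationRequest], List[Tuple[str, str]]]:
    identities, triggers = build_sample()
    return process_events(identities, triggers)


if __name__ == "__main__":
    certs, audit = run_sample()
    for c in certs:
        print(f"certification for {c.identity}: {c.attribute} {c.old_value!r} -> "
              f"{c.new_value!r}, certifier {c.certifier}, trigger {c.trigger!r}")
    for action, target in audit:
        print(f"audit: {action} {target}")
```

Only "alice" produces a certification: "bob" has an unchanged email, "carol" changed to a value the filter rejects, "dave" has no snapshot because aggregation recorded no change, and the disabled trigger never fires regardless of the change. The same model shows why the audit search in the article lists both a "run" entry and an "identityLifeCycleEvent" entry only when the refresh is run with "Process events".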