Certification Types and Phases

  • 7011051
  • 07-Jul-2010
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

Types

Access Governance Suite provides the following certification types:

  • Manager Certifications - certify that your direct reports have the entitlements they need to do their jobs and only the entitlements they need to do their jobs.
  • Application Owner Certifications - certify that all identities accessing applications for which you are responsible have the proper entitlements.
  • Advanced Certifications - certify that all identities included in the population associated with that Advanced Certification have the correct entitlements and roles.
  • Account Group Certifications - certify that account groups for which you are responsible have the proper permissions and group memberships. Account groups that do not have owners assigned are certified by the owner of the application on which they reside.
  • Role Certification - certify that roles for which you are responsible are composed of the proper roles and entitlements and that these roles are assigned to the correct identities.
  • Identity Certification - certify the entitlement information for the identities selected from the Identity Risk Score, Identity Search Results, or Policy Violation pages, usually for at-risk users.
  • Event-based Certification - certify the entitlement information for the identities selected based on events detected within Access Governance Suite.

Phases

Certifications progress through phases as they move through their life-cycles. The phases associated with each certification are determined when the certification is scheduled.

Note: Continuous certification items move through these phases based on when decisions are saved, not based on sign-off status.

  • Active - the active phase is the review period during which all decisions required within this certification should be made. During this phase, changes can be made to decisions as frequently as required.

    You can sign off on a periodic certification in the active phase only if no roles or entitlements were revoked, or if the challenge period is not active. When you sign off on a periodic certification, it enters either the end phase or the revocation phase. Continuous certification items enter the next phase when a decision is saved. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.
  • Challenge - the challenge phase is the period during which all revocation requests can be challenged by the user from whom the role, entitlements, or account group access is being removed. When the challenge phase begins, a work item and an email are sent to each user in the certification affected by a revocation decision. The notifications contain the details of the revocation request and any comments added by the requestor. The affected user has the duration of the challenge period to accept the loss of access or to challenge that decision.

    Email notifications sent to non-Access Governance Suite users contain a link to an end user portal, which enables them to enter a revocation challenge as if they were logged into the product.

    You can sign off on a periodic certification in the challenge phase only if all challenges have been completed and no open decision remains on the certification. When you sign off on a certification, it enters either the end phase or the revocation phase. To enter the revocation phase, the revocation period must be active and a revocation decision must exist.
  • Revocation - the revocation phase is the period during which all revocation work should be completed. When the revocation phase is entered, revocation is carried out in one of three ways: automatically, if your provisioning provider is configured for automatic revocation; by generating a help ticket, if your implementation is configured to work with a help desk solution; or manually, using a work request assigned to an Access Governance Suite user. The revocation phase is entered when a periodic certification is signed off on, when a revocation request is saved in a continuous certification, or when the active and challenge phases have ended.

    Revocation activity is monitored to ensure that inappropriate access to roles and entitlements is revoked in a timely manner. Revocation completion status is updated at an interval specified during the deployment of Access Governance Suite. By default this is performed daily. Click Details to view detailed revocation information. Revocation requests that are not acted upon during the revocation phase can be escalated as required.
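The phase rules above (sign-off conditions for the active and challenge phases, and the end-versus-revocation outcome) form a small state machine. The following Python model is an added example, not product code or an Access Governance Suite API; the class, its fields and the rule that an expired period uses the same end/revocation test as a sign-off are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    ACTIVE = "active"
    CHALLENGE = "challenge"
    REVOCATION = "revocation"
    END = "end"


@dataclass
class PeriodicCertification:
    """Constructed model of one periodic certification's state (not a product API)."""
    phase: Phase = Phase.ACTIVE
    challenge_period_active: bool = True    # challenge period set when the cert was scheduled
    revocation_period_active: bool = True   # revocation period set when the cert was scheduled
    revocation_decisions: int = 0           # revoke decisions saved so far
    open_decisions: int = 0                 # items still awaiting any decision
    open_challenges: int = 0                # user challenges not yet resolved

    def can_sign_off(self) -> bool:
        """Sign-off rules as stated for the active and challenge phases."""
        if self.phase is Phase.ACTIVE:
            # allowed only if nothing was revoked, or no challenge period is active
            return self.revocation_decisions == 0 or not self.challenge_period_active
        if self.phase is Phase.CHALLENGE:
            # allowed only once every challenge is resolved and no decision is open
            return self.open_challenges == 0 and self.open_decisions == 0
        return False  # nothing to sign off in the revocation or end phase

    def _after_review(self) -> Phase:
        # revocation phase requires an active revocation period and a revoke decision
        if self.revocation_period_active and self.revocation_decisions > 0:
            return Phase.REVOCATION
        return Phase.END

    def sign_off(self) -> Phase:
        if not self.can_sign_off():
            raise ValueError(f"sign-off not permitted in the {self.phase.value} phase")
        self.phase = self._after_review()
        return self.phase

    def period_ended(self) -> Phase:
        """Transition taken when the current phase's period expires without sign-off."""
        if self.phase is Phase.ACTIVE and self.challenge_period_active:
            self.phase = Phase.CHALLENGE
        elif self.phase in (Phase.ACTIVE, Phase.CHALLENGE):
            # assumption: expiry applies the same end/revocation rule as a sign-off
            self.phase = self._after_review()
        return self.phase
```

Running a certification with two revoke decisions through the model shows why an active-phase sign-off is blocked while a challenge period is open, and why it lands in the revocation phase rather than the end phase once the challenges are resolved.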