How to Approve Certifications

  • 7011110
  • 08-Jul-2010
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

You can approve items from the certification list views, including the worksheet, and from the Certification Decisions tab.

You cannot approve policy violations. Warning messages are display at the top of the page if you attempt to include policy violations when performing an approval.  

If provisioning is enabled from the certification pages and you approve a role that contains required roles to whom the identity does not have access, a dialog is displayed enabling you to request provisioning for those roles. If you perform bulk approval this function is overwritten and the roles are approved in their current state.

Note: Bulk certification is considered a risk by many auditors and is not available if it was disabled during configuration.

Certification Approval - Worksheet View

Perform approvals on individual items that make up the identity.

Required Authorization

You must be the owner or delegated approver of a certification to take action. You might be able to view another Access Governance Suite user's certifications, but they appear as read only.

You can assign an owner to a policy violation at the time you define the policy. The Dashboard displays only policy violations that you own; you can view the violation with View Violation on the Policy Violations page. The policy violation owner is one of the following:

  • A chosen identity.
  • The manager of the person who violated policy.
  • An identity created by a running a rule.

Procedure

  1. Access the worksheet from your Dashboard Inbox or Certifications page.
  2. Select the approval icon from the list of options for each item.
     - OR -  
    Use the check-boxes in the left-hand column, or the multi-select box at the top of the column, to select multiple items at one time and choose Approve from the Select Bulk Action drop-down list. If you perform bulk approval you will not be given the option to provision required roles if any are missing from the roles in the certification. The provisioning function is only available if you approve roles individually and provisioning is enabled for this certification.
    Right-click on any item to view its certification history, add comments, or display the Certification Decisions tab for the identity with which it is associated.
  3. If the provisioning dialog displays, review the missing information and make a provisioning deci- sion.
    If you choose to request that the missing roles be added, you must select a recipient for the request and click Provision Required Roles again. The recipient you specify is used only if automatic provisioning is not configured or there is no default remediator for the application.
    - OR - Click Do Not Provision and return to the certification page.
    If the provisioning dialog displays, review the missing information and make a provisioning decision. If you choose to request that the missing roles be added, you must select a recipient for the request and click Provision Required Roles again. The recipient you specify is used only if automatic provisioning is not configured or there is no default remediator for the application.- OR - Click Do Not Provision and return to the certification page.
  4. Click Save when you have finished. The Percentage Complete bar is updated to reflect the changes. For continuous certifications the state in the Due Date column is returned to green, or certified.

Certification Approval - List View

Performing approvals at the identity, account group, or role level enables you to quickly certify multiple entities without having to drill down and review each of the individual item contained within. To certify identities, roles, or groups, do the following:

Required Authorization

You must be the owner or delegated approver of a certification to take action. You might be able to view another Access Governance Suite user's certifications, but they appear as read only.

Procedure

Note: When you perform an approve at this level you are approving all of the items that comprise the identity, role, or account group. Certifications performed at this level are logged for auditing purposes.

  1. Select items for approval using the check-boxes in the left-hand column. Use the multi-select box at the top of the column to select multiple items at one time.
  2. Select Approve from the Select Bulk Action drop-down list and confirm the approval on the pop-up dialog.The Percentage Complete bar is updated to reflect the changes and the status column is changed to Complete. For continuous certifications the state in the Due Date column is returned to green, or certified.

Certification Approval - Certification Decisions Tab

Perform approvals on individual items that make up the identity, account group, or role.

Required Authorization

You must be the owner or delegated approver of a certification to take action. You might be able to view another Access Governance Suite user's certifications, but they appear as read only.

Procedure

  1. Click on an item on the worksheet or list to display the Certification Report detailed information sections.
    For identity-type certifications, these sections contain detailed information about the entitlements granted to the selected identity, the changes that have been made to the identity's information since the last certification, identity risk information, and a list of the identity attributes.
    For account group certifications, these sections contain detailed information about permissions contained within an account group, the members of that group, and the groups risk information.
    For role composition certifications, this section contains detailed information about roles and entitlements contained within the role and risk information about the role.
  2. Select the approval icon from the list of options for each item.
    - OR -
    Click Approve All at the top of the page to approve all non-violation items at once. If you perform bulk approval you will not be given the option to provision required roles if any are missing from the roles in the certification. The provisioning function is only available if you approve roles individually and provisioning is enabled for this certification.
    Click the icon on the left of the action icons to see its certification history or add a comment.
    Click on highlighted information, such as a role or application name to view details on that item.
  3. If the provisioning dialog displays, review the missing information and make a provisioning decision. If you choose to request that the missing roles be added, you must select a recipient for the request and click Provision Required Roles again. The recipient you specify is used only if automatic provisioning is not configured or there is no default remediator for the application. - OR - Click Do Not Provision and return to the certification page.
  4. Click Save when you have finished to return to the Certification Report list.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.