Identity-Type Certification Decisions Tab

  • 7011130
  • 07-Jul-2010
  • 02-Nov-2012


NetIQ Access Governance Suite




Note: Account group and role certifications appear and behave significantly differently from other certification types.

Note: The Certification Decisions tab displays slightly different information for Manager, Advanced, Identity, and Role Composition certifications than for Application Owner certifications.

Use the Certification Decisions tab to view details on the roles and entitlements granted to the selected identity and any policy violations caused by those entitlements. From this page you can take action on the identity's roles, entitlements and policy violations.

Note: For Application Owner certifications, the Certification Report Decisions tab only contains information that pertains to the application being certified for the selected identity.


Policies are defined for your enterprise and are used to monitor for users who are in violation of those policies. For example, a separation of duties policy might disallow one person from requesting and approving purchase orders, or an activity policy might disallow a user with the Human Resource role from updating the payroll application. If the policy with which a violation is associated is removed before the violation is acted on in the certification, some policy information might not be available.

Policy Violations

The Policy Violations table lists any violations of policy for this identity. You must take action on these violations before the certification is complete. If the policy with which a violation is associated is removed before the violation is acted on in the certification, some policy information might not be available.

Policy violations might also be viewed and acted upon from the Policy Violations page. Decisions made on a violation from that page are displayed below the summary information within the certification.


Roles are made up of roles and profiles and are defined when Access Governance Suite is configured. Profiles are collections of entitlements on one specific application in the business model. An Entitlement is either a specific value for an account attribute, such as group membership, or a permission.

Changes made to identity information since the last certification was performed are marked with a red [new]. To view details about the changes, click the Recent Changes tab.

See Also: Certification Decisions Tab - Roles Table


To undo a decision, edit the decision information, view the decision history, add comments to a certification item, view details of a decision, or view a work item associated with a decision, click the icon on the left side of the decision buttons. Comments and history are displayed below the summary information for each item. When you are finished reviewing the history and comments, click the close icon at the top right corner of that panel. Detail and work item information display in separate dialogs or pages.

The summary section of the certification decision panel is also updated with informational messages and warnings about the certification item. For example, any item for which a revocation request was generated in a previous certification but that has not been removed from the identity cube displays the following warning: "Item was revoked but has not been removed." Or, for an item on which an exception was allowed: "Exception allowed until 11/20/2007."

Identities can have multiple Policy Violations, Roles, and Additional Entitlements.

Previous and Next

Use the Previous Identity and Next Identity buttons to move through the list of identities included in this certification.

Paging Controls

If your environment was configured to use paging to limit the display size of the Certification Decision tab sections, you might see the paging controls on the top, right side of each section. Paging controls limit the number of items that display in each section.

Approve and Revoke All

Use the Approve All, Revoke All, and Revoke All Accounts buttons to make bulk decisions on the displayed identity. The decisions are not confirmed until you click Save or move to a different identity within the certification. This enables you to create exceptions to the bulk decision. For example, for an identity with five roles and thirty additional entitlements you might want to approve all but two of the additional entitlements. Rather than making an individual decision on each of the thirty-five items in the identity, click Approve All and then change the decision for those two additional entitlements before saving the decisions.


Use Delegate Identity to delegate the entire identity to a different Access Governance Suite user with certification capability.

Create Role

Use the action buttons at the bottom of the tab to Save or Cancel your changes or to suggest the creation of a new role from the additional entitlements on an identity.

Use the create new role feature to suggest new roles based on trends found during certifications. For example, if there are five entitlements that appear in the Additional Entitlements list for every identity in a certification, the combination of those entitlements might define a function of that population. Use the Create Role button to define a role around that job function and submit it for approval. Then, in the future, you can certify that single role instead of the five additional entitlements.

Additional Entitlements

Additional Entitlements are any entitlements to which the identity has access but that do not comprise a complete role. For example, if a role is comprised of entitlements A, B, and C, but the identity only has access to entitlements A and B, A and B are included in the list of Additional Entitlements. Also, if the user is assigned entitlements A, B, C, and D, and A, B, and C are grouped as the role, D is added to the Additional Entitlements list.

The Additional Entitlements table groups entitlements by the application with which they are associated. To request changes to individual entitlements you must open a delegation or revocation request for the application owner.
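
The Additional Entitlements rule above and the Create Role trend described earlier can be modelled together. The following is an added example, not Access Governance Suite code: it assumes a role counts as held only when every one of its entitlements is present, and all role, application and identity names are constructed.

```python
from collections import defaultdict

# Constructed sample data; an entitlement is an (application, value) pair.
ROLES = {"Purchasing Clerk": {("ERP", "A"), ("ERP", "B"), ("ERP", "C")}}
COMMON = {("LDAP", "grp_finance"), ("Payroll", "read")}
IDENTITIES = {
    "alice": {("ERP", "A"), ("ERP", "B")} | COMMON,  # role incomplete
    "bob": {("ERP", "A"), ("ERP", "B"), ("ERP", "C"), ("ERP", "D")} | COMMON,
    "carol": {("ERP", "A"), ("ERP", "B"), ("ERP", "C")} | COMMON,
}


def certify_view(entitlements, roles=ROLES):
    """Split one identity's access into complete roles and additional entitlements."""
    # Assumption: a role is listed only if the identity holds all of it.
    held = sorted(name for name, needed in roles.items() if needed <= entitlements)
    covered = set().union(*(roles[name] for name in held))
    # Whatever no complete role accounts for must be certified item by item.
    return held, entitlements - covered


def group_by_application(additional):
    """Group additional entitlements by application, as the table does."""
    grouped = defaultdict(list)
    for app, value in sorted(additional):
        grouped[app].append(value)
    return dict(grouped)


def candidate_role(identities, roles=ROLES):
    """Entitlements that are 'additional' for every identity in the certification."""
    extras = [certify_view(ents, roles)[1] for ents in identities.values()]
    return set.intersection(*extras) if extras else set()


if __name__ == "__main__":
    for name, ents in IDENTITIES.items():
        held, extra = certify_view(ents)
        print(name, "roles:", held, "additional:", group_by_application(extra))
    print("candidate role:", sorted(candidate_role(IDENTITIES)))
```

Here alice's A and B stay in the additional list because the role is incomplete, bob's D is left over after the role is matched, and the two entitlements shared by everyone form the candidate for a new role.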