Revocation Phase and WorkItem Generation on Scheduled Certifications

  • 7011179
  • 23-Aug-2011
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

This article explains the relationship between a scheduled certification's revocation phase and work item creation.

Resolution

Scheduled certifications without a configured revocation phase will NOT generate workitems until the certification sign-off occurs. This also assumes that the "Process Revokes Immediately" flag is disabled (the default).

By default, the certification's "active" phase transitions to the "end" phase without generating workitems. The revocation-related workitems (also known as remediations) appear only after the sign-off occurs (and after the "Perform Maintenance" task finishes the certification).

(The "end" phase does generate workitems from revocations on continuous certifications, but this article covers only scheduled certifications.)

Entering the (configured) revocation phase generates remediation workitems from all pre-existing revoked items, along with any items newly revoked during the revocation phase. Once outside the revocation phase (i.e., the "End" phase), revoked items do not generate remediation workitems (only the "Sign-Off" event does).

The revocation phase defines a convenient timeframe in which to expect remediations to occur. Access Governance Suite holds any earlier workitems until this phase starts. Once the phase ends, Access Governance Suite waits for sign-off before generating any others.

Once generated, each workitem contains state and action settings (notifications, reminders, escalations). The "Check Expired Work Items" task handles workitems when their settings trigger a response.

The UI's certification wizard separates the revocation lifecycle from the revocation notification settings. Specifically, the revocation phase is NOT required in order to configure revocation reminders/escalations.