13.3.1.2 Creating a Role Certification Definition

To create a role certification definition:

  1. Log in to Oracle Identity Self Service.

  2. Click the Compliance tab.

  3. Click the Identity Certification box, and select Definition. The Certification Definitions page is displayed.

  4. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.

  5. Enter values as follows:

    • Name: Enter a name for the certification.

    • Type: Select Role to create a role certification definition.

    • Description: Optionally enter a description for the new role certification definition.

  6. Click Next. The Base Selection page of the New Certification wizard is displayed.

  7. In the Base Selection section of the page, select a role selection strategy from the list, as shown:

    • All Roles in All Organizations: Selects all roles in all the organizations in Oracle Identity Manager.

    • Roles from Selected Organizations: Selects the roles from the organizations that you specify. Click Add to search and select an organization. To remove a selected organization, click Remove.


      Note:

      When completing a certification, a certifier cannot see the organization name or any other details about the organization unless that person is also the organization administrator. If the certifier is not the organization administrator, only the users in the organization are displayed.

    • All Roles: Selects all roles in Oracle Identity Manager.

    • Role criteria: Selects all of the roles that meet the given search condition. You can preview the results of this selection.


      Tip:

      You can save the search and use it for specifying role criteria while creating another role certification definition. The saved search is not mapped to a specific certification. To use the role criteria saved search for another role certification definition:

      1. During certification creation, after selecting the Role Criteria option and specifying the search condition, you must click Update and Preview Results. This associates the selected criteria with the definition.

      2. If you want to save these search criteria as a template, then click Save. You are prompted to enter a name for the template that you are saving. You can then save this template and reuse it.

      3. The saved template is not specific to a certification. While creating another certification, this template is displayed by default. If you create another new template, then that template is displayed. In other words, the latest template is displayed for all criteria screens associated with a type of certification.

      4. If you do not want to use the generated template, then change the value in the Saved Search list to something else that you want to use.


    • Selected roles: Allows you to manually select the roles.

  8. Select any one of the following options to specify constraints:

    • Roles with Any Level of Risk:

    • Only High Risk Roles:

  9. Click Next. The Content Selection page is displayed.

  10. Select Certify Policies to specify the certification of policies. Select Certify Members to specify the certification of role members.

  11. Click Next. The Configuration page is displayed.

  12. Select the configuration options, as described in Table 13-1, "Configuration Properties", and click Next. The Reviewers page is displayed.

    From the Reviewer list, select a primary reviewer. The primary reviewer can be an entitlement certifier, a role certifier, or any other user that you select.

  13. Click Next. The Incremental page is displayed.

  14. Select Enabled for Generate Incremental Data. This setting enables certifiers to certify or revoke only changes or inclusions made to a certification. It eliminates the need to review the access of users who have been certified.

    When Incremental Certification is enabled, it takes the following parameters:

    • Incremental Date Range (required): This includes:

      • Since Last Base (default): When this option is selected, the current access of the user is compared against the last certification of the same type that was created without incremental enabled, and against all the incremental certifications created since then, up to the date on which the certification is created.

      • Since Date: When this option is selected, the current access of the user is compared against all the certifications of the same type created between the given date and the date on which the certification is created.

    • Show Previous Value (optional): This includes:

      • Disabled (default): When this option is deselected, the values that have already appeared in previous certifications, based on the Incremental Date Range parameter, are not included in the certification.

      • Enabled: When this option is selected, all the current values that existed in previous certifications are displayed with the last decisions taken for that access.

  15. Click Next. The Summary page is displayed with the details of the user certification.

  16. Click Create. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.

    Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.

    The new role certification definition is displayed in the Certification Definition page.
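
A simplified model of the incremental selection described in step 14, added here as an illustration; it is not Oracle Identity Manager code, and the names `Cert`, `comparison_window`, `incremental_items` and the sample data are assumptions. It follows the wording of the Incremental Date Range and Show Previous Value options to show which role memberships a certifier is asked to review.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Cert:
    created: date
    incremental: bool   # False = base certification (created without incremental)
    decisions: dict     # (role, member) -> last decision, e.g. "Certify" / "Revoke"

def comparison_window(history, since=None):
    """Certifications the current access is compared against.
    since=None models Since Last Base; a date models Since Date."""
    history = sorted(history, key=lambda c: c.created)
    if since is not None:
        return [c for c in history if c.created >= since]
    bases = [i for i, c in enumerate(history) if not c.incremental]
    # Last base plus every incremental after it; no base yet -> nothing to compare.
    return history[bases[-1]:] if bases else []

def incremental_items(current, history, since=None, show_previous=False):
    """Return [(access, previous_decision_or_None)] for the new certification."""
    last = {}
    for cert in comparison_window(history, since):
        last.update(cert.decisions)          # later certifications win
    items = []
    for access in sorted(current):
        if access not in last:
            items.append((access, None))     # change or inclusion: always reviewed
        elif show_previous:
            items.append((access, last[access]))
    return items

# Constructed sample data for one role.
ROLE = "FinanceApprover"
HISTORY = [
    Cert(date(2024, 1, 15), False, {(ROLE, "alice"): "Certify", (ROLE, "bob"): "Revoke"}),
    Cert(date(2024, 4, 15), True, {(ROLE, "carol"): "Certify"}),
]
CURRENT = {(ROLE, "alice"), (ROLE, "bob"), (ROLE, "carol"), (ROLE, "dave")}

if __name__ == "__main__":
    print(incremental_items(CURRENT, HISTORY))
    print(incremental_items(CURRENT, HISTORY, show_previous=True))
    print(incremental_items(CURRENT, HISTORY, since=date(2024, 3, 1)))
```

In this model, the membership for `bob` that was marked Revoke but is still present is listed only when Show Previous Value is enabled or when the Since Date window excludes the certification in which it was decided.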