To create a user certification definition:
Log in to Oracle Identity Self Service.
Click the Compliance tab.
Click the Identity Certification box, and select Definition. The Certification Definitions page is displayed.
From the Actions menu, select Create. Alternatively, click Create on the toolbar. The General Details page of the New Certification wizard is displayed.
Enter values as follows:
Certification Name: Enter a name for the certification.
Type: Select User to create a user certification.
Description: Optionally enter a description for the new user certification.
Click Next. The Base Selection page of the New Certification wizard is displayed.
Select a user-selection strategy in the Base Selection section, as follows:
Users from All Organizations: Selects users from all organizations in Oracle Identity Manager.
Only Users from Selected Organizations: Allows you to manually select specific organizations. You can select the organizations by clicking Add. To remove a selected organization, click Remove.
Note: When completing a certification, a certifier cannot see the organization name or any other details about the organization unless that person is also the organization administrator for that organization. If the certifier is not the organization administrator, only the users in the organization are displayed.
All users: Selects all the users in Oracle Identity Manager.
Users criteria: Selects all the users that meet the given search condition.
Selected users: Allows you to select specific users from a list of users in the system. To select users, click Add. To remove selected users, click Remove.
Select any one of the following options to specify constraints to the base selection:
Users with Any Level of Risk
Only Users with High Risk Summaries
Only Users with High Risk Roles
Only Users with High Risk Application Instances
Only Users with High Risk Entitlements
Click Next. The Content Selection page is displayed.
Select the following:
Include users with no accounts: This option includes in the certification the users who have no accounts, and therefore no access to review.
Limit the role-assignments to certify for each user: Restricts the list of roles per user to the selected option. For example, if you choose Selected roles and add one role, then only that role appears in the certification, and only if it is marked as certifiable in the catalog, even if the user has other roles.
Include accounts with no certification attributes: Includes the accounts in the selected application instances even if they have no certifiable entitlements (access) in the target system. If you deselect this option, accounts in the target system that have no entitlements do not appear in the certification.
Limit the application-instance-assignments to certify for each user: As with roles, restricts the application instances that appear in the certification.
Limit the entitlement-assignments to certify for each user: Restricts the entitlements that appear in the certification.
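The following is an added illustration of how the Content Selection options above decide what a certifier is asked to review. It is not Oracle Identity Manager code: the dataclasses, the option names, the `certifiable` catalog flag and the sample users are assumptions made for the example.

```python
"""Model of the Content Selection options for a user certification.

Added illustration, not Oracle Identity Manager code: the classes, the
option names and the `certifiable` catalog flag are assumptions used to
show which users, accounts, roles and entitlements land in the
certification under each option described above.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    certifiable: bool  # assumed: the "certifiable" flag from the catalog


@dataclass
class Account:
    app_instance: str
    entitlements: list = field(default_factory=list)


@dataclass
class User:
    login: str
    roles: list = field(default_factory=list)
    accounts: list = field(default_factory=list)


@dataclass
class ContentSelection:
    include_users_with_no_accounts: bool = True
    include_accounts_with_no_entitlements: bool = True
    # None means "all"; a set restricts the certification to those names.
    limit_roles: Optional[set] = None
    limit_app_instances: Optional[set] = None
    limit_entitlements: Optional[set] = None


def select_content(users, opts):
    """Return {login: {"roles": [...], "accounts": {app_instance: [entitlements]}}}
    containing only what the certifier will be asked to review."""
    content = {}
    for user in users:
        # Users with no accounts at all appear only when the option is on.
        if not user.accounts and not opts.include_users_with_no_accounts:
            continue
        # A role is shown only if the catalog marks it certifiable and,
        # when a role limit is set, only if it is among the selected roles.
        roles = sorted(
            r.name for r in user.roles
            if r.certifiable and (opts.limit_roles is None or r.name in opts.limit_roles)
        )
        accounts = {}
        for acct in user.accounts:
            if opts.limit_app_instances is not None and acct.app_instance not in opts.limit_app_instances:
                continue
            ents = sorted(
                e for e in acct.entitlements
                if opts.limit_entitlements is None or e in opts.limit_entitlements
            )
            # Accounts with nothing certifiable are dropped unless included.
            if not ents and not opts.include_accounts_with_no_entitlements:
                continue
            accounts[acct.app_instance] = ents
        content[user.login] = {"roles": roles, "accounts": accounts}
    return content


# Constructed sample population (not real data).
USERS = [
    User("alice",
         roles=[Role("Admin", certifiable=True), Role("Temp", certifiable=False)],
         accounts=[Account("AD", ["Domain Users"]), Account("HR", [])]),
    User("bob"),  # no roles, no accounts
]


def default_selection():
    """Every option left at its default: everything certifiable is shown."""
    return select_content(USERS, ContentSelection())


def strict_selection():
    """Empty users and empty accounts excluded, roles limited to 'Temp'."""
    return select_content(USERS, ContentSelection(
        include_users_with_no_accounts=False,
        include_accounts_with_no_entitlements=False,
        limit_roles={"Temp"},
    ))


if __name__ == "__main__":
    print(default_selection())
    print(strict_selection())
```

Note that in the strict selection the role limit adds "Temp", yet the role still does not appear, because the catalog does not mark it certifiable; the HR account disappears because it carries no entitlements, and bob disappears because he has no accounts.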
Click Next. The Configuration page is displayed.
Select the options, as described in Table 13-1, "Configuration Properties", and click Next. The Reviewers page is displayed.
If you want to enable multi-phased review with advanced delegation, then select the Allow advanced delegation and Allow multi-phased review options.
If you want to enable certification oversight in the certification workflow, then click the search icon, search for the available composites, select the CertificationOverseerProcess composite, and click Add.
From the Reviewer list, select a primary reviewer. The primary reviewer can be the user's manager, the organization certifier, or any other user that you select.
For multi-phased review, perform the following:
In the Phase 1 section, select any one of the following to select the Phase 1 reviewer:
User Manager: Selects the user's manager as the Phase 1 reviewer.
Organization Certifier: Selects the organization certifier as the Phase 1 reviewer.
Search for a User: Selects as the Phase 1 reviewer any user that you search for and specify by clicking the lookup icon.
In the Phase 2 (Optional) section, select the Enable Phase 2 review process option to specify that the privilege certifier will be the primary Phase 2 reviewer for each user privilege, such as role, account, and entitlement assignments.
In the Final Review (Optional) section, select the Enable Final Review process option to enable a final review process by the Phase 1 reviewer for final validation and sign off.
Click Next. The Incremental page is displayed.
Select Enabled for Generate Incremental Data. This setting lets certifiers certify or revoke only the changes or additions made since a previous certification, so access that has already been certified need not be reviewed again.
When Incremental Certification is enabled, it takes the following parameters:
Incremental Date Range (required): This includes:
Since Last Base (default): The user's current access is compared against the last certification of the same type that was created without the incremental option (the base), plus all incremental certifications created since that base, up to the date on which the new certification is created.
Since Date: The user's current access is compared against all certifications of the same type created between the given date and the date on which the new certification is created.
Show Previous Value (optional): This includes:
Disabled (default): Values that already appeared in the previous certifications covered by the Incremental Date Range parameter are not included in the certification.
Enabled: All current values that existed in previous certifications are displayed together with the last decision taken for each of them.
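The following is an added illustration of the incremental comparison described in the Incremental Date Range and Show Previous Value parameters above. It is not Oracle Identity Manager code: the shape of the certification history, the access item labels and the sample decisions are constructed assumptions used to show which access a certifier would be shown under each setting.

```python
"""Model of Generate Incremental Data for a user certification.

Added illustration, not Oracle Identity Manager code. The history
records, the "role:"/"ent:" item labels and the decision strings are
constructed to show which access is selected under Since Last Base,
Since Date and Show Previous Value.
"""
from datetime import date

# Constructed certification history (assumed shape). Each record is a
# certification of the same type: when it was created, whether it was an
# incremental run, and the decision recorded per user and access item.
HISTORY = [
    {"created": date(2023, 7, 1), "incremental": False,
     "decisions": {"alice": {"ent:Old": "certified"}}},
    {"created": date(2024, 1, 15), "incremental": False,
     "decisions": {"alice": {"role:Admin": "certified", "ent:VPN": "revoked"},
                   "bob": {"role:Dev": "certified"}}},
    {"created": date(2024, 3, 1), "incremental": True,
     "decisions": {"alice": {"ent:GitHub": "certified"}}},
]

# Constructed current access per user at the time the new certification is created.
CURRENT_ACCESS = {
    "alice": {"role:Admin", "ent:VPN", "ent:GitHub", "ent:Old", "ent:AWS"},
    "bob": {"role:Dev", "role:Ops"},
}


def baseline_start(history, date_range, since_date=None):
    """Date from which earlier certifications count as 'already reviewed'."""
    if date_range == "since_last_base":
        bases = [c["created"] for c in history if not c["incremental"]]
        # With no base certification yet, nothing is treated as reviewed.
        return max(bases) if bases else date.min
    if date_range == "since_date":
        if since_date is None:
            raise ValueError("since_date is required for the Since Date option")
        return since_date
    raise ValueError(f"unknown date range option: {date_range!r}")


def last_decisions(history, start):
    """Merge every certification created on or after `start` into
    {user: {item: most recent decision}}; later runs override earlier ones."""
    merged = {}
    for cert in sorted(history, key=lambda c: c["created"]):
        if cert["created"] < start:
            continue
        for user, decisions in cert["decisions"].items():
            merged.setdefault(user, {}).update(decisions)
    return merged


def incremental_content(current, history, date_range="since_last_base",
                        since_date=None, show_previous_value=False):
    """Return {user: {item: "new" | "previously <decision>"}}: access not seen
    in the covered certifications is "new"; access already reviewed is shown,
    with its last decision, only when Show Previous Value is enabled."""
    start = baseline_start(history, date_range, since_date)
    previous = last_decisions(history, start)
    content = {}
    for user, items in current.items():
        seen = previous.get(user, {})
        rows = {}
        for item in sorted(items):
            if item not in seen:
                rows[item] = "new"
            elif show_previous_value:
                rows[item] = "previously " + seen[item]
        if rows:
            content[user] = rows
    return content


if __name__ == "__main__":
    print(incremental_content(CURRENT_ACCESS, HISTORY))
    print(incremental_content(CURRENT_ACCESS, HISTORY, show_previous_value=True))
    print(incremental_content(CURRENT_ACCESS, HISTORY, date_range="since_date",
                              since_date=date(2023, 6, 1)))
```

With Since Last Base, alice's "ent:Old" is treated as new even though it was certified in July 2023, because that decision predates the last base certification; choosing Since Date with an earlier date brings that older certification back into the comparison. Enabling Show Previous Value keeps the already reviewed items in the certification alongside their last decision, including "ent:VPN", which was revoked in the base run but is still present in current access.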
Click Next. The Summary page is displayed with the details of the user certification.
Click Create to create the user certification. A message is displayed asking if you want to create a certification job based on the definition and run it now. You can edit the job name, and click Yes to run the certification job.
Alternatively, click No to create a certification definition without creating and running the scheduled job. With this option, you must manually create a certification job later.
The new user certification definition is displayed on the Certification Definitions page.
Note: For multi-phased review with advanced delegation: