Skip to main content

Peer groups, consistency calculations and automatic actions

Reviewer fatigue can be a problem in cases where reviewers must review many users and entitlements in a campaign; the danger is that reviewers may start to pay less attention and certify items that should be revoked. To alleviate this problem, you can configure entitlement certification campaigns to:

  • Display consistency among peers.

  • Automatically certify entitlements, or identify entitlements that are candidates for revocation, based on risk.

Consistency among peers

You can configure entitlement certification campaigns so that reviewers see recommendations of items to pay particular attention to, based on consistency among peers.

A peer group is a group of users with some attribute in common; for example, users working at the same location or department, or having the same manager.

When configured for a round, a Consistency column is displayed in the certification campaign review page. Consistency is visually represented by a color bar with a number stating the percentage of peers having the same entitlement. This can help the reviewer to decide whether to retain or revoke a user’s entitlement.

The consistency color bar is:

  1. Red, where an entitlement is inconsistent, or out-of-pattern ; that is, most of a user’s peers do not have this entitlement.

    This is indicated where the number of users with the entitlement is between 0% and a lower threshold.

  2. Yellow, where an entitlement is possibly out-of-pattern: that is, some of the user’s peers have the entitlement, and some don’t.

    This is indicated where the number of users with the entitlement is between a lower threshold and an upper threshold.

  3. Green, where an entitlement is consistent, or in-pattern ; that is, most of a user’s peers have the entitlement.

    This is indicated where the number of users with the entitlement is between an upper threshold and 100%.

    The lower and upper thresholds can be set globally and when submitting a campaign.

The entitlement consistency calculation is done every time the reviewer opens the certification app to review.

If you disable the global CERT CONSISTENCY CALCULATION setting, consistency calculations are turned off for active campaigns. When CERT CONSISTENCY CALCULATION is enabled, you can configure consistency calculations at the global level or at the campaign level.

The setup and usage of consistency calculations are demonstrated in Use case: Entitlement consistency recommendations .

Automatic action based on risk

If entitlement consistency calculations are enabled for a certification round, entitlements can also be automatically certified or revoked based on a resource attribute comparison. This can reduce the number of items that reviewers must act on, although they can still override the calculated action if they prefer.

The resource attribute to compare may be a boolean, string, integer, or date that indicates that an entitlement is a low risk, and so can be automatically certified, or high risk, and so should be revoked.

As an example, if 85% of a support analyst group has an account on a target system that is a low security risk, it will be marked in the certification app as automatically certified.

The setup and usage of automatic actions are demonstrated in Use case: Automatic actions .

In this section: