Configure certification module options
You can control global options for the access certification process by configuring the Manage certification process (CERT) module. Users with appropriate permissions use the Manage certification process (CERT) module to view, configure, and start access certification campaigns.
Click Manage the system > Modules > Manage certification process (CERT) to configure options listed in Table 1, “Modules > Manage certification process (CERT) options” and Table 2, “Manage certification process (CERT) events that launch interface programs”:
Option | Description |
---|---|
CERT ATTRIBUTE CERTIFIER | Type the ID of the resource attribute to control whether the resource reviewer should be selected randomly from the resource’s set of authorizers or supplied by a plugin program. |
CERT ATTRIBUTE GROUP CERT | Type the ID of the resource attribute to control whether managed groups can be certified even if the parent target system is not allowed in the certification process. This resource attribute should be set per target system. Alternatively, enable CERT OVERRIDE TARGET CERT ENABLED FOR GROUPS to allow managed account groups on all target systems to be selectable when starting a certification campaign. |
CERT CONFIG VALIDITY INTERVAL | The configurations being certified are valid for this many days after the certification has finished. The default is 30 days. If a new certification campaign is started within this time frame, the configurations certified in the previous campaign are identified as certified. Configurations that are identified as certified can be optionally re-certified to extend their validity. |
CERT CONSISTENCY ATTRIBUTE GROUP | The attribute group that collects users into peer groups. This can be modified for individual campaigns. |
CERT CONSISTENCY CALCULATION | Enable/Disable consistency calculations. If enabled, consistency calculations can be configured when a campaign is initiated. If disabled, the options do not appear when initiating a campaign, and consistency calculations are turned off for active campaigns. |
CERT CONSISTENCY MINIMUM | The minimum size of a user peer group. If a peer group has fewer members than this, their entitlement consistency will not be calculated. Instead, a help |
CERT CONSISTENCY USERS LOWER THRESHOLD | Entitlements are considered out-of-pattern if fewer than this percentage of users in a peer group share it. |
CERT CONSISTENCY USERS UPPER THRESHOLD | Entitlements are considered in-pattern if at least this percentage of users in a peer group share it. |
CERT DEFAULT CERTIFIER | Type the user ID to be the default resource reviewer when the resource has no authorizer. |
CERT DELEGATION PLUGIN | Type the name of the plugin that would supply the reviewer and delegates for a certification segment. |
CERT EMAIL CANCELLATION ESCALATES | Enable or disable this option to determine whether emails of campaign cancellation are sent to escalated reviewers. |
CERT EMAIL INTERVAL | The time, in days, between sending out emails to managers in each level of the OrgChart to invite them to certify their subordinates. |
CERT ENFORCE NO WARNINGS | The reviewer cannot sign off a configuration certification segment until all the warnings are resolved (for example, the configuration is missing authorizers). Disable this option to remove this enforcement. |
CERT HIDE REQ ROLE MEMBERS | Hide required role members from reviewers, except when reviewing segregation of duties rules violations. |
CERT MAX DELEG ALLOWED | The maximum number of group owners to assign as delegates to review. The default is 50. |
CERT MAX ROUND CALCULATION TIME | The maximum calculation time, in seconds, of new certification campaigns. After this amount of time passes, product administrators can cancel an active certification campaign. This delay prevents issues caused by canceling a campaign while it is still calculating. The value must be between 60 and 86400 and defaults to 3600. |
CERT OVERRIDE TARGET CERT ENABLED FOR GROUPS | Enable this option to allow all managed groups to be selectable when starting a certification campaign, regardless of whether the parent target system is allowed in the certification process. Alternatively, you can apply an override to individual target systems by configuring a resource attribute identified by CERT ATTRIBUTE GROUP CERT. |
CERT PROMPT PASSWORD | Enable or disable this option to determine whether reviewers must enter a password to sign off a certification review by default. Certification campaign initiators can override the default when initiating a campaign. |
CERT REQUIRES COMMENT TO CERTIFY | Enable this option to force reviewers to provide a reason when certifying an item. |
CERT REQUIRES COMMENT TO REVOKE | Enable this option to force reviewers to provide a reason when revoking an item. |
CERT REVOKE CASCADING | Enable or disable this option to control whether automatic cascading of revokes should occur. If the system variable is enabled, when a parent entitlement is revoked in certification, all the child entitlements are marked as revoked and appear in the sign off summary as being marked for revocation. If it is set to disabled, then the automatic cascading of revokes is disabled. |
CERT SINGLE USER CONFIGURATION | Type the ID of a saved certification setup to load default attributes to display, and the remediation pre-defined requests, when initiating a review of all entitlements for a user from their profile page. |
CERT SIZE WARNING THRESHOLD | Display a warning to the certification campaign initiator if the number of selected items exceeds the threshold. |
CERT VALIDITY INTERVAL | The information being certified is valid for this many days after the certification has finished, with the exception of self-certification, which is not counted. If a new certification campaign is started within this time frame, the users, login IDs, and group memberships certified in the previous campaign are identified as certified. The most recent certification of any type is used when determining if the data is current; for example, if group memberships were certified during a target certification, those memberships are identified as certified if a group certification is started within the validity interval. Items that are identified as certified can be optionally re-certified to extend their validity. |
ORGCHART MODS FREEZE CERT SEGMENTS | Enable this option if you want to ensure that OrgChart modifications, such as transfers and new subordinates, do not cause changes to an ongoing certification campaign process; for example, segments will not be reopened, and segments will not be added for new subordinate managers. When disabled, for example, segments for managers who are detached during a certification campaign will be closed, and deleting a sub-manager will cause escalations. This option is disabled by default. Do not enable or disable this option during an active certification campaign; it will cause the behavior to change. |
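
How the three CERT CONSISTENCY settings interact, as an added example (not Bravura Security Fabric code): it classifies entitlements per peer group and shows that an unusual entitlement in a group below the minimum size is never flagged. The threshold values, sample users and the "unclassified" label for the band between the two thresholds are assumptions made for illustration.

```python
from collections import Counter

# Hypothetical settings standing in for the CERT CONSISTENCY options (not product defaults).
CONSISTENCY_MINIMUM = 4   # CERT CONSISTENCY MINIMUM: smallest peer group evaluated
LOWER_THRESHOLD = 25.0    # CERT CONSISTENCY USERS LOWER THRESHOLD, percent
UPPER_THRESHOLD = 75.0    # CERT CONSISTENCY USERS UPPER THRESHOLD, percent

# Constructed sample data: peer group -> user -> entitlements held.
PEER_GROUPS = {
    "finance": {
        "alice": {"gl-read", "ap-approve", "vpn"},
        "bob":   {"gl-read", "ap-approve", "vpn"},
        "carol": {"gl-read", "ap-approve", "vpn"},
        "dave":  {"gl-read", "ap-approve"},
        "erin":  {"gl-read", "domain-admins"},
    },
    "legal": {"frank": {"dms-read"}, "grace": {"dms-read", "domain-admins"}},
}


def classify_peer_group(members):
    """Label each entitlement in one peer group; None if the group is too small."""
    if len(members) < CONSISTENCY_MINIMUM:
        return None  # below the minimum size: consistency is not calculated
    holders = Counter(ent for ents in members.values() for ent in ents)
    labels = {}
    for ent, count in holders.items():
        share = 100.0 * count / len(members)  # percent of the peer group holding it
        if share < LOWER_THRESHOLD:
            labels[ent] = "out-of-pattern"
        elif share >= UPPER_THRESHOLD:
            labels[ent] = "in-pattern"
        else:
            labels[ent] = "unclassified"  # assumption: the page does not name this band
    return labels


def out_of_pattern_assignments(peer_groups):
    """List (group, user, entitlement) for every out-of-pattern entitlement held."""
    hits = []
    for group, members in sorted(peer_groups.items()):
        labels = classify_peer_group(members) or {}
        for user, ents in sorted(members.items()):
            hits += [(group, user, e) for e in sorted(ents)
                     if labels.get(e) == "out-of-pattern"]
    return hits
```

With these sample values, only erin's `domain-admins` assignment is reported; grace holds the same entitlement, but her two-member peer group is below the minimum, so reviewers get no consistency signal for it.
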
Option | Description |
---|---|
CERT REMOVE USER SUCCESS | A user is successfully removed during an access certification campaign. |
CERT SIGN OFF | An access certification campaign completes. |
CERT START ROUND FAILURE | An access certification campaign fails to start. |
CERT START ROUND SUCCESS | An access certification campaign starts successfully. |