Acting on user entitlements

In each table of items to review, in the Action column, click:

  • 3613.png to certify an item

  • 3616.png to revoke an item

  • 5587.png to delegate the review of an item to another user

  • 3611.png to edit profile attributes or resolve segregation of duties (SoD) rule violations

  • note-icon to add a reason for your action

You can also use keyboard shortcuts to act on highlighted items. Press:

  • c to certify items

  • r to revoke items

  • d to delegate items

  • n to go to the next selection

  • p to go to the previous selection

If you select multiple items in one table, bulk action icons are shown in the top-right corner of the review page. You can certify, revoke, delegate, or enter notes for the selected items.

Certification of own entitlements is disabled

If the review was initiated with review of own entitlements disabled, your own entitlements are marked in the Action column. You can only delegate these items to another reviewer.

Certify entitlements

A red edit icon is displayed when a comment is required (when CERT REQUIRES COMMENT TO CERTIFY is enabled) to certify an item. Comments you type in the reason field are saved in reports and displayed to other authorizers or future reviewers.

You can act on multiple items in the same table by holding Shift or Ctrl and selecting the items. The action options appear in the filter bar at the top of the page.

Profile attributes that you have edited during the current review are highlighted. Hover over a highlighted value to view the initial value of the attribute.

Items marked with an orange certify icon have a valid certification from a previous review. You do not need to certify them again; however, you can choose to recertify them to renew the certification expiry date.

The history icon is displayed for entitlements that have been certified before.

Click the history icon to view the history page, which lists reviewer ID, reviewer time, expiry time, notes and other information.

Blocked actions

Some items may have actions blocked:

  • If the item is revoked, and you can’t undo the revoke or certify it, the item is dependent on something else that has been revoked.

    For example, if an account was revoked, all of its group memberships are considered its dependents and will also be revoked. The group memberships can be unrevoked by unrevoking the account.

  • If SoD rule violations are also in the review, all of the user’s entitlements (with the exception of the profile) will be blocked. This is indicated by a warning icon. The violation will have to be certified or resolved before you can certify the user’s remaining entitlements.

  • If there’s no warning sign, the item is a required role member. When an entitlement is assigned to a user as a requirement of a role, it cannot be reviewed independently of the role. This applies even when the role is not part of the review. Entitlements that are optional can be reviewed separately from a role.

    Depending on the CERT HIDE REQ ROLE MEMBERS setting (Manage the system > Modules > Manage certification process (CERT) module), required role members may not be displayed at all.

  • If an entitlement was deleted or removed from a user after being listed in an active certification campaign, it is represented by the removal of all buttons, crossed-out text, and a note stating that the item has been deleted.

Revoke entitlements

When you click to revoke an entitlement in a certification campaign, the icon changes to a notification (remediation) icon when you need to take further remediation steps. For example, when you click the remediation icon for accounts, the request wizard opens to allow you to submit a request to disable the account, or take some other action depending on configuration.

’Order and display tab. Otherwise the request is submitted automatically.

You must choose an option if there are multiple pre-defined remediation requests configured for an action.

A red edit icon is displayed when a comment is required (when CERT REQUIRES COMMENT TO REVOKE is enabled) to revoke an item.

Resolve segregation of duties rules violations

To resolve SoD violations in certification campaigns:

  1. Click the resolve icon 3611.png next to a user’s name or rule to open the request wizard.

    The default pre-defined request is "Default resolution for segregation of duties rules".

  2. Click the request exception icon 3613.png to submit a request to allow the user to keep the conflicting entitlements.

    Type a reason for the exception and click Apply.

  3. Alternatively, click the revoke icon 3616.png to remove one of the conflicting entitlements.

  4. Click Save.

    The request is now saved and will be submitted upon sign off. The relevant authorizers will be notified.

    Caution

    Once an SoD resolution is saved in a review, it cannot be modified.

Add a new user in a certification campaign

Certification campaigns can be configured so that you can create a new user by clicking the New user button at the bottom of the certification app page.

The campaign must be configured to include profile attributes and a pre-defined remediation request for adding profiles.

The default request wizard allows you to choose accounts and edit basic profile information.

See Creating a New User for more information on creating a new user.

Undoing certification actions

To undo a certification action, click the icon again, or click another option.

Saving work in a certification campaign

Work in a certification campaign is saved automatically. No changes are made until you complete certifying the information under your control and sign off.