Create an entitlement certification campaign
To create a new certification campaign, click Manage certification process > Start entitlement certification campaign.
The certification setup menu for new campaigns includes a series of tabbed pages to guide you through the process of creating a certification campaign. The first page in the series allows you to select the entitlements or configurations that will be part of the campaign. You can proceed through the required steps by clicking Next: <tab> or clicking any tab on the certification menu to:
Select users to review for entitlement certification campaigns
Select attributes to display during entitlement certification campaign
Select resource attributes to display during entitlement certification campaign
Select pre-defined requests for remediation in entitlement certification campaigns
Select attributes to review for entitlement certification campaigns
Caution
Unsaved changes are lost if you navigate away from the certification menu.
Entitlements are resources that have been assigned to users. For certification, they can include:
Target systems
Roles
Managed groups
Segregation of duties rules
Profiles
Profile attributes
Note
When entitlements are assigned to a user via a role, they can only be certified through that role. Reviewers cannot view or certify the member entitlements individually.
Empty managed groups will not be shown in the group selection list.
To select an entitlement on which to certify users:
Navigate to the configuration page for a new or saved campaign.
Select the Items to review tab, then select the entitlements you want to certify.
If you select All, a question mark is displayed next to the entitlement to indicate that late binding is in effect.
Bravura Security Fabric displays a warning if the number of selected entitlements exceeds the threshold defined by CERT SIZE WARNING THRESHOLD (Manage the system > Modules > Manage certification process (CERT)).
When you select an individual entitlement, the Selected column is updated when you click one of the icons in the Entitlement type column, Next, or another certification tab.
Click Next: Users or another certification tab to proceed.
Next:
Select users to review for entitlement certification campaigns.
By default, all users associated with selected entitlements are reviewed during a certification campaign. To view the total number of users for each entitlement, select the Users tab on the configuration page for a new or saved round:

To limit a certification campaign to selected individual users:
Navigate to the configuration page for a new or saved campaign.
Click the Users tab, then select a sub-tab to specify:
Selected users
Search for, or browse to select individual users, then click Select.
Membership in user class
Select existing user classes: Enable the checkboxes for the user classes you want to add, then click Select.
Create new user classes: Click Create a new user class.
Edit existing user classes: Click the edit icon to modify existing user classes.
Select and create user classes until you have defined the user segments you want reviewed.
Next:
Select attributes to display during entitlement certification campaign to determine the user information you want to be available to reviewers.
You can make user information, defined by profile and request attributes, available to reviewers to assist them in their reviews. Reviewers can choose which attributes to include in their review list.
Reviewers must have appropriate permissions to view the attributes.
To select attributes to be available for display:
Navigate to the configuration page for a new or saved campaign.
Click the Attributes to display tab.
To add attributes, click Select…, choose the applicable attributes and click Select.
Drag and drop one of the double direction arrows in the ID field to change the attributes’ order in the list.
Click Update to apply changes.
Click Next: Remediation or another certification tab to proceed.
The shipped default selection is EMAIL and PROFILE_PIC, which is determined by membership of the CERT_ATTR_TO_DISPLAY attribute group.
Next:
Select resource attributes to display during certification campaign to determine the resource information you want to be available to reviewers.
You can make resource information, defined by resource attributes, available to reviewers to assist them in their reviews. Reviewers can choose which resource attributes to include in their review list.
Reviewers must have appropriate permissions to view these resource attributes.
To select resource attributes to be available for display:
Navigate to the configuration page for a new or saved campaign.
Click the Resource attributes to display tab.
To add resource attributes, click Select…, choose the applicable resource attributes and click Select.
Drag and drop one of the double direction arrows in the ID field to change the attributes’ order in the list.
Click Update to apply changes.
Click Next: Remediation or another certification tab to proceed.
You can specify the remediation – that is, what happens to an entitlement after it is revoked in the entitlement certification campaign – by selecting a pre-defined request. In most cases, the request will be submitted after the reviewer has signed off the entitlement certification campaign.
You can specify more than one pre-defined request for a remediation type. In this case, users choose which request to submit when they revoke the entitlement.
Some special requests are submitted immediately and may not be triggered by a reviewer revoking an entitlement. These requests include:
Add profile
Transfer a user
Resolve segregation of duties rules
Profile attributes must be included in the certification campaign to allow reviewers to create a new user from the certification app.
To select pre-defined requests for remediation:
Navigate to the configuration page for a new or saved campaign.
Click the Remediation tab:
Each selected remediation type, except for Add profile, is already loaded with built-in pre-defined requests for certification. For the Add profile remediation type, you must define a pre-defined request if you want users to be able to create new users from the certification app review page.
To select another pre-defined request, click on the field next to the remediation type.
Bravura Security Fabric displays a list of pre-defined requests available for that remediation type:
Pre-defined requests must be configured to be Accessible from certification, with the appropriate Remediation type selected.
Click on the request you want to add.
Click Update.
Click Next: Attributes to review or another certification tab to proceed.
Next:
If you included profile attributes in items to review, select attributes to review to determine the user information you want to be reviewed; otherwise, select the reviewers.
You can make user information, defined by profile and request attributes, available to be reviewed. The Attributes to review tab becomes available if you included profile attributes in the Items to review tab. This is different from the Attributes to display page, as attributes selected here can be edited by the reviewer.
Reviewers must have appropriate permissions to view and edit the attributes.
To select attributes to be editable in a review:
Navigate to the configuration page for a new or saved campaign.
If the Attributes to review tab is not available, click the Items to review tab and click Yes to include review of profile attributes.
Click the Attributes to review tab to set the pre-defined request that will define which attributes to display for the certification campaign:
The pre-defined request used to update profile attributes, listed in the upper table, defines the attributes listed in the lower table and their order. To be selectable here, the pre-defined request may only have one attribute group.
The order of the attributes is defined by the attribute group.
Click on the drop-down list to select another pre-defined request. Only one may be selected for each certification campaign.
Click Update to apply changes.
Click Next: Reviewers or another certification tab to proceed.
The default pre-defined request for attributes to review contains the attributes FIRST_NAME, LAST_NAME, OTHER_NAME, and PROFILE_PIC.
Product administrators with the "Manage certification process" administrative privilege can initiate certification campaigns with multiple reviewers. Product administrators with the "Initiate entitlement certification campaigns" administrative privilege can only initiate certification campaigns with a single reviewer.
To determine who will certify users and privileges:
Navigate to the configuration page for a new or saved campaign.
Click the Reviewers tab, then select a sub-tab to select:
Use the single reviewer method when one person is easily able to review the access rights of your entire user population, or all the configurations included in the campaign.

Search or browse the list to select the reviewer.
Next:
Select peer groups for consistency calculations.
When you use the segment method, you configure reviewers for segments of the user population based on user classes. This allows you to divide the work among multiple reviewers. You can also select a reviewer to review users who do not belong to any of the selected classes.
It is possible for reviewers to be asked to certify “empty” segments. Reviewers can, in effect, be asked to certify that there are no users in a particular user class, or not included in a user class.
To define segments and assign reviewers:
Add user classes as segments:
Select existing user classes: Click Select… and enable the checkboxes for the user classes you want to add, then click Select.
Create new user classes: Click Create a new user class.
Edit existing user classes: Click the edit icon to modify existing user classes.
Select and create user classes until you have defined segments.
Select a segment row to select the reviewer for the segment. This includes the segment defined by users not in any of the user classes.
Search or browse the list to select the reviewer.
Click Next: Submit or another certification tab to proceed.
Next:
Select peer groups for consistency calculations.
When you use the entitlement authorizers method, you configure reviewers for segments of the user population based on selected entitlements. This allows you to divide the work among multiple reviewers.
You can manually assign entitlement authorizers, enable random assignment from the authorizers attached to the entitlement or use a plugin to identify the primary and delegate reviewers.
To manually assign entitlement authorizers:
Select an entitlement row to select the reviewer for the entitlement.
Search or browse the list to select the reviewer.
For managed groups, the group authorizer is the reviewer by default.
Click Next: Submit or another certification tab to proceed.
Next:
Select peer groups for consistency calculations.
Bravura Security Fabric can randomly assign an authorizer from a set of authorizers attached to the entitlement to be the reviewer of the segment if you:
Define a string-type resource attribute in the CERT ATTRIBUTE CERTIFIER Manage certification process (CERT) module setting. The random selection option is enabled when the attribute value is ’RANDOM’.
Leave the reviewer field for the resource empty when configuring the campaign. During the creation of the campaign, the reviewer will be chosen dynamically.
For example, to enable random resource reviewer assignment for a managed group:
Define a resource attribute:
Click Manage the system > Resources > Resource attributes > Add new...
Enter the ID; for example RANDOM-CERTIFIER.
Enter the description.
Select Type: String.
Click Add.
Enter the Actual value: RANDOM
Enter the Displayed value: for example ’Select reviewer from amongst the resource authorizers’.
Click Update.
Set the Default values for the attribute: (None).
Define a resource attribute group:
Click Manage the system > Resources > Resource attribute groups > Add new...
Enter the ID; for example RANDOM-CERTIFIER-GROUP.
Enter the Description.
Select Type: Managed groups.
Click Add.
Click the Members tab.
Click Select then select the resource attribute you created previously; for example RANDOM-CERTIFIER.
Configure the option in the Manage certification process (CERT) module:
Click Manage the system > Modules > Manage certification process (CERT).
Type RANDOM-CERTIFIER in the CERT ATTRIBUTE CERTIFIER field.
Type a user ID in the CERT DEFAULT CERTIFIER field to specify the default reviewer in case the resource does not have any authorizer.
Turn on the random reviewer option for a managed group.
Click Manage the system > Resources > Groups.
Select the target system.
Select a managed group.
Click Manage.
Set the RANDOM-CERTIFIER drop-down to RANDOM.
Click Update.
Now, if you initiate a certification campaign for the managed group by selecting the entitlement authorizers method, Bravura Security Fabric chooses the reviewer for the managed group randomly from the group’s set of authorizers. If the group has no authorizers, Bravura Security Fabric chooses the user defined by CERT DEFAULT CERTIFIER.

If random selection is enabled, you can still manually define an entitlement’s reviewer.
Next:
Select peer groups for consistency calculations.
Bravura Security Fabric can use a plugin to assign a reviewer and delegates to the segment if you:
Define a string-type resource attribute in the CERT ATTRIBUTE CERTIFIER Manage certification process (CERT) module setting. The via plugin selection option is enabled when the attribute value is ’VIAPLUGIN’.
Write a plugin to supply the reviewer and delegates to the certification segment.
Leave the reviewer field for the entitlement empty when configuring the campaign. During the creation of the campaign, the reviewer and the delegates will be supplied by the plugin dynamically.
For example, to use a plugin to specify a reviewer and delegates for a managed group:
Define a resource attribute:
Click Manage the system > Resources > Resource attributes > Add new...
Enter the ID: for example CERTIFIER-VIA-PLUG-IN.
Enter the description.
Select Type: String.
Click Add.
Enter the Actual value: VIAPLUGIN
Enter the Displayed value: for example ’Select reviewer and delegates from plugin’.
Click Update.
Set the Default values for the attribute: (None).
Define a resource attribute group:
Click Manage the system > Resources > Resource attribute groups > Add new...
Enter the ID: for example CERTIFIER-VIA-PLUG-IN-GROUP.
Enter the Description.
Select Type: Managed groups.
Click Add.
Click the Members tab.
Click Select then select the resource attribute you created previously; for example CERTIFIER-VIA-PLUG-IN.
Write a plugin to supply the reviewer and delegates to the certification segment. Save the plugin file in the plugin directory.
Configure the option in the Manage certification process (CERT) module:
Click Manage the system > Modules > Manage certification process (CERT).
Type CERTIFIER-VIA-PLUG-IN in the CERT ATTRIBUTE CERTIFIER field.
Type a user ID in the CERT DEFAULT CERTIFIER field to specify the default reviewer in case the resource does not have any authorizer.
Type the plugin file name in the CERT DELEGATION PLUGIN field to specify the plugin.
Turn on the via plugin option for a managed group.
Click Manage the system > Resources > Groups.
Select the target system.
Select a managed group.
Click Manage.
Set the CERTIFIER-VIA-PLUG-IN drop-down to VIAPLUGIN.
Click Update.
Now, if you initiate a certification campaign for the managed group by selecting the entitlement authorizers method, Bravura Security Fabric gets the reviewer and the delegates for the managed group from the plugin. If the plugin does not supply a valid reviewer, Bravura Security Fabric chooses the user defined by CERT DEFAULT CERTIFIER.

If via plugin is enabled, you can still manually define an entitlement’s reviewer.
Next:
Select peer groups for consistency calculations.
When you use the certification by defined relationship method, Bravura Security Fabric can generate certification segments and assign the appropriate reviewer to the segments based on the relationship between the reviewer and the users.
It works on the same principle as the OrgChart managers method where Bravura Security Fabric creates segments and assigns the appropriate manager to each segment (manager-subordinate relationship).
The certification by defined relationship method offers flexibility by allowing you to define the relationship between the reviewer and the user by a two-participant user class.
In this example, all the users whose first name starts with "user" will be certified by a user having membership in group X.
Manage Group1 and ensure that Group1 has this member: gr1_member1.
Ensure that these users exist in Bravura Security Fabric: user1, user2, user3.
Add a two-participant user class, UC, as follows:
Participant P1 has group membership matching Group1
Participant P2 has profile attribute matching: FIRST_NAME starts with "user"
Create a new certification campaign:
Entitlements
Select an Active Directory target system
Users
All selected entitlements
Reviewers
Certification defined by relationship:
Select the user class UC defined in step 3.
Map participant P1 to CERTIFIER.
Map participant P2 to USER_UNDER_REVIEW.
Click Update.
Set a Default reviewer by clicking Select… and choosing a user.
Once you submit this campaign, Bravura Security Fabric will create two certification segments:
The first segment includes all the users whose first name starts with "user" (user1, user2, user3). The reviewer of this segment is gr1_member1 (if Group1 has multiple members, the first member on the list is picked to be the reviewer).
The second segment includes all the users whose first name does not start with "user". The reviewer of this segment is the default reviewer.
Next:
Select peer groups for consistency calculations.
When you use the OrgChart method, the reviewers are determined by your organizational tree. Each user is certified by his or her direct manager, from the bottom up. You only need to determine the highest level manager for the certification campaign; for example, if you select Al Reese in the OrgChart below, then Dilber Smith certifies Dan Singh, and Al Reese certifies Dilber Smith and Bob Adams.

To select the manager at the top of the certification campaign:
Search or browse the list, then select the manager.
Click Next: Submit or another certification tab to proceed.
Notes on OrgChart campaigns:
If a manager has one or more managers in their realm of responsibility, their certification is not considered complete and cannot be signed off until all managers beneath them have completed their own certification.
The lowest-level managers are asked to certify their subordinates first. After some delay the next level of managers is asked to certify their own subordinates. This continues until all managers have been notified.
By staggering the invitations, Bravura Security Fabric gives lower-level managers a chance to complete their certifications before it prompts their supervisors to certify them. You determine the notification schedule when you start the campaign.
If you select users individually to be included in an OrgChart campaign, and none of the selected users is in a given manager’s OrgChart, then that manager does not have to sign off an empty segment.
If a manager has been deleted while an OrgChart campaign is still in progress, then the deleted manager’s segment will be escalated to the manager above them.
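The OrgChart rules above can be modelled in a few functions. This is an added illustration, not Bravura Security Fabric code: it uses the three-level tree named on this page, and it assumes that a manager's "level" is counted upward from the lowest managers beneath them and that escalation reassigns the deleted manager's reports to the manager above.

```python
from collections import defaultdict

# The OrgChart from the page's example: user -> direct manager.
ORG = {"Dilber Smith": "Al Reese", "Bob Adams": "Al Reese", "Dan Singh": "Dilber Smith"}

def build_segments(manager_of, top):
    """One segment per manager under `top`: {manager: [direct reports]}."""
    reports = defaultdict(list)
    for user, mgr in manager_of.items():
        reports[mgr].append(user)
    segments, stack, seen = {}, [top], set()
    while stack:
        mgr = stack.pop()
        if mgr in seen:            # guard against a cyclic manager chain
            continue
        seen.add(mgr)
        if reports.get(mgr):
            segments[mgr] = sorted(reports[mgr])
            stack.extend(reports[mgr])
    return segments

def invitation_waves(segments):
    """Staggered invitations: lowest-level managers first, then the next level up.

    Assumption: level = 1 + the highest level among the managers beneath.
    """
    def level(mgr):
        subs = [r for r in segments[mgr] if r in segments]
        return 1 + max((level(s) for s in subs), default=0)
    waves = defaultdict(list)
    for mgr in segments:
        waves[level(mgr)].append(mgr)
    return [sorted(waves[lvl]) for lvl in sorted(waves)]

def can_sign_off(manager, segments, completed):
    """A manager can sign off only when every manager beneath has completed."""
    stack = [r for r in segments[manager] if r in segments]
    while stack:
        sub = stack.pop()
        if sub not in completed:
            return False
        stack.extend(r for r in segments[sub] if r in segments)
    return True

def escalate_deleted(manager_of, deleted):
    """Model of escalation: the deleted manager's reports move to the manager above."""
    above = manager_of.get(deleted)
    if above is None:
        raise ValueError("no manager above the deleted manager")
    return {u: (above if m == deleted else m)
            for u, m in manager_of.items() if u != deleted}

if __name__ == "__main__":
    segs = build_segments(ORG, "Al Reese")
    print("segments:", segs)
    print("waves:", invitation_waves(segs))
    print("Al Reese can sign off now:", can_sign_off("Al Reese", segs, set()))
    print("after deletion:", build_segments(escalate_deleted(ORG, "Dilber Smith"), "Al Reese"))
```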
Next:
Select peer groups for consistency calculations.
For entitlement certification campaigns, items for review can be marked with a consistency score, so that reviewers see recommendations of items to pay particular attention to. The consistency calculation is based on the percentage of a peer group who share an item.
A peer group is a group of users with some attribute in common; for example, users working at the same location or department, or having the same manager.
Items can be automatically certified or identified as candidates for revocation based on a resource attribute comparison.
When the global CERT CONSISTENCY CALCULATION setting is enabled (default), consistency calculations are turned on for all campaigns. If disabled, click the Enable calculating entitlement consistency across peers checkbox to view more settings.
Modify settings to suit your campaign:
Click the magnifying glass icon to select an Attribute group that collects users into peer groups.
The default value is set by the CERT CONSISTENCY ATTRIBUTE GROUP system variable.
Edit the value for Minimum size of a user peer group.
If a peer group has fewer members than this, their entitlement consistency will not be calculated. Instead, a help icon will be displayed in the consistency column for these users in the review.
The default value is set by the CERT CONSISTENCY MINIMUM system variable.
To determine how in-pattern entitlements will be highlighted, edit the value for Mark items as consistent if at least this percent of peers share the item.
By default, if consistency calculations are enabled and at least 80% of users share an entitlement, it will be highlighted in the review. The default is set by the CERT CONSISTENCY USERS UPPER THRESHOLD system variable.
To determine how out-of-pattern entitlements will be highlighted, edit the value for Mark items as inconsistent if fewer than this percent of peers share the item.
By default, if consistency calculations are enabled and fewer than 20% of users share an entitlement, it will be highlighted in the review. The default is set by the CERT CONSISTENCY USERS LOWER THRESHOLD system variable.
If you want to automatically certify consistent items:
Click the Automate certification by resource attribute checkbox.
Click the magnifying glass icon to select the Resource attribute to compare.
Set the Comparison method.
The methods available are determined by the resource attribute type.
For date, string or integer type attributes, set the Resource attribute value.
Edit the value for Automatically certify items if at least this percent of peers share the item and the auto-certify attribute expression is met.
This value must be equal to or greater than the value for Mark items as consistent if at least this percent of peers share the item.
Edit the value for Include this note for automatically certified entitlements to suit your needs.
Use the question mark icon to view available variables.
If you want to automatically identify inconsistent items as candidates for revocation:
Click the Identify revocation candidates by resource attribute checkbox.
Click the magnifying glass icon to select the Resource attribute to compare.
Set the Comparison method.
The methods available are determined by the resource attribute type.
For date, string or integer type attributes, set the Resource attribute value.
Edit the value for Identify candidates for revocation if fewer than this percent of peers share the item and auto-revoke attribute expression is met.
This value must be equal to or less than the value for Mark items as inconsistent if fewer than this percent of peers share the item.
Edit the value for Include this note for revocation candidates to suit your needs.
Use the question mark icon to view available variables.
Depending on the items selected, select the pre-defined request to automatically revoke the item, if the option is available.
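To see how the thresholds interact, the following added example (not Bravura Security Fabric code) labels constructed users' entitlements with the page's default 80% and 20% thresholds, and enforces the two ordering constraints on the automation thresholds. The minimum peer group size of 3, the choice to count the user under review as a peer, the label names, and the hypothetical "privileged" resource attribute used as the comparison are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ConsistencyConfig:
    min_peer_group_size: int = 3                   # assumed value; the page states no default
    consistent_pct: float = 80.0                   # page default (upper threshold)
    inconsistent_pct: float = 20.0                 # page default (lower threshold)
    auto_certify_pct: Optional[float] = None       # None = automation off
    revoke_candidate_pct: Optional[float] = None   # None = automation off

    def __post_init__(self):
        # Constraints stated on the page for the two automation thresholds.
        if self.auto_certify_pct is not None and self.auto_certify_pct < self.consistent_pct:
            raise ValueError("auto-certify threshold must be >= consistent threshold")
        if self.revoke_candidate_pct is not None and self.revoke_candidate_pct > self.inconsistent_pct:
            raise ValueError("revocation threshold must be <= inconsistent threshold")

def score_items(users, cfg, certify_ok=lambda ent: False, revoke_ok=lambda ent: False):
    """Label every (user, entitlement) pair.

    users: {user_id: {"peer": peer_group_key, "entitlements": set_of_ids}}
    certify_ok / revoke_ok stand in for the resource attribute comparison.
    Returns {(user_id, entitlement): (percent_or_None, label)}.
    """
    peers = defaultdict(list)
    for uid, user in users.items():
        peers[user["peer"]].append(uid)

    results = {}
    for uid, user in users.items():
        group = peers[user["peer"]]
        for ent in user["entitlements"]:
            if len(group) < cfg.min_peer_group_size:
                results[(uid, ent)] = (None, "not-calculated")
                continue
            # Assumption: the user under review counts as a member of the peer group.
            sharing = sum(1 for peer in group if ent in users[peer]["entitlements"])
            pct = 100.0 * sharing / len(group)
            if cfg.auto_certify_pct is not None and pct >= cfg.auto_certify_pct and certify_ok(ent):
                label = "auto-certified"
            elif pct >= cfg.consistent_pct:
                label = "consistent"
            elif cfg.revoke_candidate_pct is not None and pct < cfg.revoke_candidate_pct and revoke_ok(ent):
                label = "revocation-candidate"
            elif pct < cfg.inconsistent_pct:
                label = "inconsistent"
            else:
                label = "neutral"
            results[(uid, ent)] = (pct, label)
    return results

# Constructed sample data: peer group -> one entitlement set per user.
SAMPLE = {
    "Finance": [{"fin-share", "gl-post", "dom-admin"}, {"fin-share", "gl-post"},
                {"fin-share", "gl-post"}, {"fin-share", "gl-post"}, {"fin-share"}],
    "Engineering": [{"git-rw", "prod-db"}] + [{"git-rw"}] * 5,
    "Legal": [{"fin-share"}, {"contracts"}],
}
USERS = {f"{peer.lower()}{i}": {"peer": peer, "entitlements": ents}
         for peer, members in SAMPLE.items() for i, ents in enumerate(members, 1)}
# Hypothetical resource attribute marking privileged entitlements.
PRIVILEGED = {"dom-admin", "prod-db"}

def demo():
    cfg = ConsistencyConfig(auto_certify_pct=90.0, revoke_candidate_pct=20.0)
    return score_items(USERS, cfg,
                       certify_ok=lambda ent: ent not in PRIVILEGED,
                       revoke_ok=lambda ent: ent in PRIVILEGED)

if __name__ == "__main__":
    for (uid, ent), (pct, label) in sorted(demo().items()):
        shown = "n/a" if pct is None else f"{pct:.1f}%"
        print(f"{uid:13} {ent:10} {shown:>7}  {label}")
```

The Finance rows show the boundary behaviour: exactly 80% counts as consistent ("at least"), while exactly 20% is not inconsistent ("fewer than"), so a single privileged entitlement in a five-person peer group is not flagged with the default lower threshold.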