Creating certification campaigns

Edit online

Detailed procedure to create and run Account Certification and Access Certification feature for IBM Verify Identity Governance - Container.

Creating certification campaign

Perform the following steps to create a new certification campaign.

  1. From the menu, go to Manage Certifications.
    The page shows the number of campaigns that are running, scheduled, paused, and closed. The summary tables display the following categories for each running or pending campaign.
    • Name
    • Progress
    • Type
    • Service
    • End date
    • Time left
    Now, we will proceed to create a new certification campaign through a series of steps. Note that you can cancel the campaign creation at any step by clicking Cancel setup.
  2. Select Create Campaign.
    General setup
    Provide the following information.
    • Name: The name for the campaign.
    • Description : Optionally, provide the reason or purpose of the campaign.
    • Campaign type: Select whether the campaign is for user entitlement or account.
    • Priority: Specify the importance of the campaign, either high, medium, or low.
    Click Next.
    App scope
    Set the app scope for the campaign.
    1. For the Account campaign: From the Choose services drop-down list, select one or more of the services for the campaign.
      Note: If you are creating a certification campaign as a Service Owner, ensure to select only those services that are assigned to you.
    2. Click Add.
    1. For the user entitlement campaigns: Select to scope the campaign upon all entitlements of a service. This step is optional if you intend to scope the campaign only upon granular set of entitlements. From the Choose services drop-down list, select one or more of the services for the campaign.
    2. Click Add.
    Note: You can create user entitlement campaigns based on organization role. If you want to create a campaign based on organization role, then do not select any service and click Next to proceed to Entitlement scope.
    Click Next.
    Entitlement scope
    Specify the entitlement scope for the campaign.
    Note: If you are creating a certification campaign as a Service Owner, ensure to select only those entitlements that belong to services assigned to you.
    1. You can use the Filters to select the entitlements based on access types, such as Role, Application (service), Email group, and so on.
    2. Table displays the entitlements available for selection based on the filter criteria. It displays details such as the entitlement name, description, application name, access type, and so on. Note that the Application column is empty for organization role-based accesses. Select one or more entitlements.
    Click Next.
    Business unit scope
    In this step, you can specify the business units to be included in the campaign or to be excluded from the campaign. By default, all the business units are included in the campaign. Use the "Include Only" or "Except for" options to search for and select the relevant business units.
    User scope
    Now, specify the user scope for the campaign.

    By default, all the users of the service(s) you had selected in the App scope are selected. These are indicated by a green tick mark against their name in the Enabled column.

    You can limit the campaign scope to a subset of the users. You have the option to select the users either from a fixed set or you can use condition-based filters.
    • Fixed set: This is the default option. Here, you can specify the users that you want to include in the campaign under Include only. All other users are automatically excluded. If you want to exclude certain members from the campaign, you can list them under Except for.
    • Condition set: Here, you can construct a condition-based filter by using one or more attribute-operator-value sets.
      For example: 
      IF 
Employee type is equal to Contractor 
AND Title is equal to Programmer
OR 
Employee type is equal to Remote
AND Business category is equal to Support
    Click Next.
    Reviewer settings
    Specify the reviewer settings.
    Select who is going to review the campaign.
    Note: If you are creating a certification campaign as a Service Owner, then the search results will display only those users for which you are the manager.
    User Manager
    Accounts are reviewed by the specified reviewer.
    If an account has a known user, the default setting is to have the certification reviewed by the user's manager. Accounts for a user without a manager are reviewed by the service owner.
    Self
    The users who are accessing the entitlements perform the review themselves.
    Specific
    If you select this option, then in search field, type the name of a person to review all the accounts in the campaign.
    Note that you need to be a member of manager’s group to use this option. Also, if you are logged in as a manager, then you can specify only those users who are in your hierarchy.
    Service Owner
    The service owner reviews entitlements that are relevant to their service.
    If no user is associated with the account or no manager is listed for the user, the review is done by the Service owners. Also, if service owner is not associated with service, the review is done by Administrator who created campaign.

    Only log Reviewers Decision

    If you select the check box, the reviewer action is not provisioned to the related target.

    Determine when reviewers decisions take effect.
    When the campaign ends
    The decision takes effect at the end of the campaign. Decisions can be changed by selecting the Completed tab and expanding the menu next to the decision.
    Immediately
    The decision takes effect immediately and cannot be changed.
    Let the reviewer decide
    When the reviewer makes the decision, the review can choose whether the decision takes effect immediately or at the end of the campaign. If immediately is selected, the decision cannot be changed.
    Click Next.
    Campaign supervisor settings
    Specify whether to enable redirection to campaign supervisors.
    Campaign supervisors can help the campaign creator manage the progress of the campaign.
    Note:
    • Only the members of Certification Supervisor groups are listed here.
    • If you are creating a certification campaign as a Service Owner, then the search results will display only those users for which you are the manager.
    • Select the Allow redirection to campaign supervisors check box. Enabling this options allows the reviewer to redirect reviews to Campaign Supervisor.
    • Use the Search field to select one or more supervisors to help with the campaign.
    Click Next.
    Schedule
    Set the schedule for the campaign.
    • Select Run immediately. Set Duration to the number of days that you want the campaign to run.
    • Select Select a start date. Set the start date and time. Set the Frequency to how often you want it to run. Set Duration to the number of days that you want the campaign to run.
      Note: Duration refers to the time available for the reviewer to approve or reject the entitlements.
    Click Next.
    Reminder and campaign end
    Set reminders for the campaign and specify what actions to take when the campaign ends.
    Send reminders to reviewers

    Select the Send reminders to reviewers check box. Specify when to start sending daily reminders to the reviewers before the campaign ends.

    All the certification notifications can be customized from Configure System > Workflow Notification Properties menu.

    The following certification notifications are available:
    • CertificationRedirectNotification
    • CertificationReminderNotification
    • CertificationReviewerNotification
    • CertificationStatusChangeNotification
    • CertificationSupervisorNotification
    • CertificationEscalationNotification
    Action on unreviewed entries
    Select what action to take on unreviewed certification entries at the end of the campaign.
    Take no action
    This selection is set as the default action. The entitlement status remains unchanged. If the entitlement was previously approved for the user, it is still approved. If it was rejected, it remains rejected.
    Approve all
    This selection grants the entitlement to any unreviewed users.
    Reject all
    This selection denies the entitlements to any unreviewed users.
  3. Select Schedule campaign. The campaign is added to the Certification campaigns page.

Viewing certification campaigns

Perform the following steps to view the existing certification campaigns.

  1. From the menu, go to Manage Certifications.
    The page shows the number of campaigns that are running, scheduled, paused, and closed. The summary tables display the following categories for each running or pending campaign.
    • Name
    • Progress
    • Type
    • Service
    • End date
    • Time left
    Note: Scroll down to the Other campaigns section to view information about scheduled, paused, and closed campaigns. The summary table displays the following categories for each campaign.
    • Name
    • Type
    • Service
    • Start date
  2. Select the campaign that you want to view.
    The page displays the following information:
    • General settings
    • Scope
    • Reviewer settings
    • Campaign supervisor setting
    • Schedule
    • Campaign end
    It also displays the Campaign results and its creation and modification details.
  3. [Optional]: You can view campaign results either by either reviewer or by entitlement. The results by reviewer show the number of requests that were approved , rejected, not yet reviewed, and the completion rate. The results by entitlement show the assignee, the service, permission, reviewer, and decision.
  4. [Optional]: You can perform the operations by selecting the links.
    • Edit settings: You can edit the description and priority of the campaign.
    • Pause campaign: You can pause a currently-running campaign.
    • Resume campaign: You can resume a paused campaign.
    • Cancel campaign: You can cancel a currently-running campaign.

Next steps

For detailed information about editing or closing a certification campaign, see Managing certification campaigns.