Dataservices attributes for recertification

IBM Verify Identity Governance provides optional attributes in the erAccountItem object class to represent different values for recertification.

Overview

The dataservices attributes for recertification are relevant only if recertification is enabled for specific accounts or accesses.

The following optional attributes are provided:
  • erLastCertifiedDate
  • erRecertificationLastAction
  • erAccessLastCertifiedDate
  • erAccessRecertificationLastAction

erLastCertifiedDate

The erLastCertifiedDate attribute is an optional attribute that holds the timestamp of the last time the account was marked as recertified. It is updated by the account recertification process only, not for accesses. This attribute is updated on approved recertifications regardless of the recertification policy schedule type, whether rolling or calendar style.

This attribute is updated both for approvals during the normal recertification cycle and for approvals through the recertificationOverride option outside of the normal recertification policy run. The absence of a value means that recertification was never approved for this account. The Account data services object from the com.ibm.itim.dataservices.model.domain package defines the setLastCertifiedDate() and getLastCertifiedDate() methods for accessing this attribute. When an account is certified, this attribute must be updated along with erRecertificationLastAction.

erRecertificationLastAction

The erRecertificationLastAction attribute is updated by the account recertification process only, not for accesses. The Account data services object class in the com.ibm.itim.dataservices.model.domain package defines a getter and a setter method for this attribute:
public void setRecertificationLastAction(String recertificationAction)
public String getRecertificationLastAction()
This optional attribute describes the action taken the last time recertification was run. The following values are valid:
  • com.ibm.itim.dataservices.model.domain.Account.CERTIFIED = "CERTIFIED"
  • com.ibm.itim.dataservices.model.domain.Account.CERTIFIED_ADMIN = "CERTIFIED_ADMIN"
  • com.ibm.itim.dataservices.model.domain.Account.REJECTED_MARK = "REJECTED_MARK"
  • com.ibm.itim.dataservices.model.domain.Account.REJECTED_SUSPEND = "REJECTED_SUSPEND"

erAccessLastCertifiedDate

The erAccessLastCertifiedDate attribute is specific to accesses that are defined on an account. This multivalued attribute holds, as a delimited string, the distinguished name of the access group definition and the timestamp that shows when that access was last certified.

Example

eraccesslastcertifieddate: erntlocalname=users,erglobalid=7281584268561021074,ou=services,erglobalid=00000000000000000000,ou=hawk,o=ibm,c=us;;200711202115Z

This example shows the last recertification date for the access that is defined for the group specified by the distinguished name. Only one value of this attribute is defined on the account for each access.

erAccessRecertificationLastAction

The erAccessRecertificationLastAction attribute is specific to the recertification state of accesses that are defined on an account. This multivalued attribute holds, as a delimited string, the distinguished name of the access group definition and the last recertification action taken. It serves the same purpose for accesses as erRecertificationLastAction does for accounts.

Example

eraccessrecertificationlastaction: erntlocalname=users,erglobalid=7281584268561021074,ou=services,erglobalid=00000000000000000000,ou=hawk,o=ibm,c=us;;CERTIFIED

This example shows the last recertification action for the access that is associated with the group definition distinguished name. The values for the action are the same as described for the erRecertificationLastAction attribute. Only one value of this attribute is defined on the account for each access.
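
The following is an added example, not IBM code: a Python audit helper that parses the erAccessLastCertifiedDate and erAccessRecertificationLastAction values of one account, as described in the two sections above, and reports accesses that were rejected, carry an unrecognized action, or have a stale or missing certification date. The function names, the "admins" group, the age threshold, and the acceptance of timestamps with seconds are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Action values listed for erRecertificationLastAction on this page.
APPROVED = {"CERTIFIED", "CERTIFIED_ADMIN"}
REJECTED = {"REJECTED_MARK", "REJECTED_SUSPEND"}

def split_value(value):
    """Split '<group DN>;;<payload>' on the last ';;' and lowercase the DN."""
    dn, sep, payload = value.strip().rpartition(";;")
    if not sep or not dn or not payload:
        raise ValueError(f"not a '<dn>;;<value>' string: {value!r}")
    return dn.lower(), payload

def parse_timestamp(text):
    """Parse the UTC timestamp; a form with seconds is accepted as an assumption."""
    for fmt in ("%Y%m%d%H%MZ", "%Y%m%d%H%M%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp: {text!r}")

def audit_accesses(dates, actions, now, max_age_days=365):
    """Return {group DN: finding}; max_age_days is an assumed review threshold."""
    certified = {dn: parse_timestamp(ts) for dn, ts in map(split_value, dates)}
    findings = {}
    for dn, action in map(split_value, actions):
        when = certified.get(dn)
        if action in REJECTED:
            findings[dn] = f"last action {action}"
        elif action not in APPROVED:
            findings[dn] = f"unknown action {action}"
        elif when is None:
            findings[dn] = "approved action but no certified date"
        elif now - when > timedelta(days=max_age_days):
            findings[dn] = f"certification older than {max_age_days} days"
    return findings

# Constructed sample values in the format of the page's examples.
SUFFIX = ",erglobalid=7281584268561021074,ou=services,erglobalid=00000000000000000000,ou=hawk,o=ibm,c=us"
USERS = "erntlocalname=users" + SUFFIX
ADMINS = "erntlocalname=admins" + SUFFIX  # hypothetical second group
SAMPLE_DATES = [USERS + ";;200711202115Z"]
SAMPLE_ACTIONS = [USERS + ";;CERTIFIED", ADMINS + ";;REJECTED_MARK"]

if __name__ == "__main__":
    now = datetime(2008, 1, 15, tzinfo=timezone.utc)
    for dn, finding in audit_accesses(SAMPLE_DATES, SAMPLE_ACTIONS, now, 30).items():
        print(f"{dn}: {finding}")
```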