27.5 Managing Certification Policy Violations

Identity Governance provides the ability for you to define certification policies so that the system can look for violations to the policies. You can view a summary of these violations and last and next calculation dates on the Overview page. You can view a detailed list of these violations on the Certification page by selecting the number of violations and if you have access to the catalog, on the Catalog > Identities > Name > Certification tab.

27.5.1 Understanding Violation Types

Identity Governance groups certification policy violations based on the cause of violation. All violations are calculated based on the review definitions included in a certification policy and the certification period. Certification period is based on the validity period you specify in the certification policy settings. Types of violations include:

  • No decision: Review items that were included in a review during the certification period, but had no decisions made on them when the review ended

  • Expired: Review items in a review whose certification period had expired

  • Expired with no decision: Review items that had no decisions made on them during review runs and whose certification period has expired

  • Not reviewed: Review items that should have been reviewed based on the specified review definitions, but were never part of any running review because the related review was not run or because there were changes to catalog, risk level, or review definition

  • Review in progress: Review items that were in violation, but are now included in a review run that is in progress. You cannot set remediation for these review items.

27.5.2 Searching for Specific Violations

Identity Governance provides expression builders that enable you to select catalog attributes and custom values as search criteria and save them as filters. You can use these filters to search for certification policies on the Certification page. For more information, see Section 4.0, Using Advanced Filters for Searches.

For each certification policy that has violations, you can review details by selecting the number of violations. Selecting the number of violations opens a searchable and sortable panel of violations where the tabs are based on the review item selection criteria in the review definition. In each tab of the violations panel, you can search for the related entity and also search violations for a selected entity by user, account, permission, application, role, or business role. You can also sort your search results by selecting a column heading. For example, if you want to search No decision violations for a user who has been assigned to a specific account, specify the user name in the top level search in the User tab, select the user name to expand the search results and to specify account at the second level search, and then click on Violations column heading to sort the results by violation type.

Administrators can also view the last certification date of an identity and violation details if any by selecting the total number in Catalog > Identities > Name > Certification tab.

27.5.3 Remediating Certification Policy Violations

Certification policy violations can be addressed and resolved by:

  • Sending an email notification

  • Reviewing items in violation or in other words creating a micro certification or focused reviews

  • Creating change request

Once a micro certification is complete or once a change request has been fulfilled, Identity Governance recalculates the number of violations automatically. For more information about micro certification and fulfillment, see Section 23.3, Understanding Micro Certification and Section 15.0, Instructions for Fulfillers.

If after the initial remediation type selection, administrators would like to change the remediation type for future violations then they can select the link under Remediation column on the Certification page and edit the remediation setup.

To remediate certification policy violations:

  1. Log in as a Customer, Global, Data, or Review Administrator.

  2. Under Policy, select Certification.

  3. Select Set Remediation.

  4. Select Remediation Type.

    1. If you selected Email Notification, select Email source and enter or search and select user or group as recipient of the email.

    2. If you selected Change Request, select violation types, and provide instructions for fulfilling the change requests generated for selected violation types.

    3. If you selected Micro Certification, configure the following settings:

      • Review Definition: Identity Governance selects the first review definition of the certification policy. Leave the default review definition as is or select a review definition from the drop down list if the policy has more than one review definition.

      • Review Name: Specify a name for the micro certification.

      • Violation Type: Select violation types based on which violations you want to review.

      • Start Message: Provide message that will be displayed in the header area of reviews describing why the review was started.

      • Review Period: Leave this blank if you want to use the duration specified in the review definition. Otherwise specify a duration.

  5. Select Run Remediation on new violations when calculated check box to automatically run remediation after saving your remediation setup.

  6. Click Save.

  7. To run remediation on demand, select Actions > Run Remediation.