Identity Governance uses certification to enable designated reviewers to verify that the relationships, or links, between users, roles, and resources are up-to-date and correct. Certification ensures that granted privileges comply with business and regulatory needs, and that they are not over-allocated. The Audit Card facility supports this process by enabling the reviewer to view out-of-pattern and non-compliant information. An Audit Card contains a list of all suspicious records and the type of suspicion involved.
Certification is the process of verifying that links between users, roles, and resources are true and correct. Certification enables you to review role hierarchy, user privileges, and business rules that you define in Identity Governance. When you initiate a certification, Identity Governance automatically invites managers to review and certify the access privileges of the users or resources they administer.
Identity Governance provides tools to customize, track, and manage the certification process, and to implement changes indicated by reviewers.
Certifications support the following business cases:
- Confirm data security compliance—Where there is a legal requirement to demonstrate data security measures, certifications document periodic review of employee access to data.
- Refine Role Based Access Control—Review of the resources and child roles included in each role confirms that the role hierarchy suits actual patterns of usage, and that role definitions are useful.
During a certification, a business manager can perform the following actions:
- Review and certify any links directly assigned to them
- Reassign certification items
- Add a comment, file, or link to certification items
- View CA User Activity Reporting information when reviewing certification items
A compliance officer can perform the following actions:
- Monitor certification progress
- Send escalation emails to participating reviewers
- Initiate the approval and implementation phase of the certification
An administrator can perform the following actions:
- Create certification templates
- Save certification decisions to an Audit Card
Certifications support various business needs. This section details the different types of certifications you can run.
You can review and certify links between user, role, resource, and account entities in a configuration. You can perform the following entity certifications:
- User Certifications: Certify the roles and resources linked to each user. These links define the privileges assigned to each user. Typically, managers review the privileges of their workers. Use this type of certification to document compliance with data security measures.
- Role Certifications: Certify the resources, parent or child roles, and users linked to each role. In Identity Governance, roles are defined as common sets of links. Typically, the owner of each role reviews the links that define their role, and the users who were assigned to the role. Use this type of certification to maintain the role hierarchy.
- Resource Certifications: Certify the users and roles that link to each resource. Typically, the administrator of each resource reviews the roles and users that have access to the resource. Use this type of certification to monitor access to resources.
- Account Certifications: Certify users linked to each account. Typically, a compliance officer reviews users assigned to accounts. You can also use account certification to certify privileged user accounts from CA ControlMinder (PUPM).
- Self-attestation Certifications: A user certification in which each user under review certifies their own privileges.
- PAM User Certification: Certify the PAM resources (like Device, Device Group, User Group, PAM Role, and Target Accounts) linked to the User. These links define the privileges assigned to each user. Typically, managers review the privileges of their workers.
- PAM Device Certification: Certify the users linked to each device. Typically, the administrator of each resource (device) reviews the users that have access to the resource. Ensure that you select the PAM endpoint in the Universe drop-down to view the PAM certification templates.
Similar to entity certification, comparative certifications are based on an existing certification. These certifications allow you to create new certification items, and show past decisions on certification items. You can perform the following comparative certifications:
- Recertification—creates a set of certification tasks that are based on a previous certification. Use this type of certification when you require multiple reviews before changes are implemented. For example, you can recertify a self-attestation certification, with managers instead of workers. The managers can see the results of user self-certification as they perform their review.
- Differential Certification—certifies new links added to the configuration that were not included in a previous certification.
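The two comparative certifications differ only in how their item set is derived from the earlier certification. The following added example (not Identity Governance code; the Link and Certification classes and the sample self-attestation data are constructed for illustration) models both: a recertification reuses the previous item set and carries the earlier decisions along so the second reviewer can see them, while a differential certification contains only the links that exist in the configuration now but were not in the previous certification.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Constructed model: a link is one (user, entity) pair a reviewer must approve
# or reject. Class and field names are assumptions for this example only.
@dataclass(frozen=True)
class Link:
    user: str
    entity: str   # role or resource name
    kind: str     # "role" or "resource"

@dataclass
class Certification:
    name: str
    items: FrozenSet[Link]
    # decisions recorded in this certification so far: "approve" or "reject"
    decisions: Dict[Link, str] = field(default_factory=dict)
    # decisions carried over from the certification this one is based on
    prior_decisions: Dict[Link, str] = field(default_factory=dict)

def recertification(name: str, previous: Certification) -> Certification:
    """Same items as the previous certification; reviewers see its decisions."""
    return Certification(name=name, items=previous.items,
                         prior_decisions=dict(previous.decisions))

def differential_certification(name: str, current_links: FrozenSet[Link],
                               previous: Certification) -> Certification:
    """Only links present now that the previous certification did not cover."""
    return Certification(name=name, items=frozenset(current_links - previous.items))

# Constructed sample: a self-attestation round in which workers reviewed
# their own privileges, followed by one new link added to the configuration.
self_attest = Certification(
    name="SelfAttest Q1",
    items=frozenset({
        Link("hector", "DBA", "role"),
        Link("hector", "payroll-db", "resource"),
        Link("bob", "Finance", "role"),
    }),
    decisions={
        Link("hector", "DBA", "role"): "approve",
        Link("hector", "payroll-db", "resource"): "approve",
        Link("bob", "Finance", "role"): "reject",
    },
)
current_config = frozenset(self_attest.items | {Link("hector", "hr-db", "resource")})

def manager_recert() -> Certification:
    # Managers re-review the same items, with the workers' self-decisions visible.
    return recertification("SelfAttest Q1 manager review", self_attest)

def new_links_since_q1() -> Certification:
    # Only the link that appeared after the Q1 certification needs review.
    return differential_certification("Q1 differential", current_config, self_attest)

if __name__ == "__main__":
    r = manager_recert()
    for link in sorted(r.items, key=lambda l: (l.user, l.entity)):
        print(f"{link.user:8} {link.kind:9} {link.entity:12} prior: {r.prior_decisions[link]}")
    d = new_links_since_q1()
    print("differential items:", sorted((l.user, l.entity) for l in d.items))
```

The recertification starts with an empty `decisions` map of its own: the earlier decisions are displayed, not inherited, so the second review is a genuine independent check rather than a rubber stamp.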
You can define a series of simple certifications that repeat at regular intervals. Each certification in the series is based on its predecessor.
Note: Every certification must have a unique name and description. When you create a series of recurring certifications, use system variables to give each certification in the series a unique name and description. Typically these fields are based on the certification template.
Identity Governance replaces system variables with actual text and date values when it creates each certification.
Use the following system variables to create string values for the Name and Description fields:
- $sourceCampaignName: Inserts the text string in the Name field of the certification in the series.
- $reoccurring: Inserts a number that indicates what iteration the named certification is in the series.
- $date: Inserts the date when the certification in the series is created.
- $sourceCampaignDescription: Inserts the text string in the Description field of the certification in the series.
Example: Recurring Certification Names
When you create a recurring certification, the Name field of the Basic Information screen is automatically populated with the following formula:
$sourceCampaignName Recurring # $reoccurring @ $date
If the source certification is named UserCert and the series repeats daily, the first three certifications in the series are named as follows:
UserCert Recurring # 1 @ 12Nov2010
UserCert Recurring # 2 @ 13Nov2010
UserCert Recurring # 3 @ 14Nov2010
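The variable substitution above, as an added example that is not part of the product: it expands the four system variables for each member of a daily series and checks that the resulting names are unique, which is the property the note on recurring certifications requires. The day-month-year date format (`12Nov2010`) is an assumption matched to the page's own example, and the function names are chosen for this illustration.

```python
import re
from datetime import date, timedelta
from typing import List

# Default formula the Basic Information screen proposes (taken from the page).
DEFAULT_TEMPLATE = "$sourceCampaignName Recurring # $reoccurring @ $date"

# The four system variables the page documents; the spelling "$reoccurring" is the product's.
_VARIABLE = re.compile(r"\$(sourceCampaignName|sourceCampaignDescription|reoccurring|date)")

def expand_variables(template: str, source_name: str, iteration: int, created: date,
                     source_description: str = "") -> str:
    """Replace each system variable with its text or date value.
    Date rendering as %d%b%Y ("12Nov2010") is an assumption for this example."""
    values = {
        "sourceCampaignName": source_name,
        "sourceCampaignDescription": source_description,
        "reoccurring": str(iteration),
        "date": created.strftime("%d%b%Y"),
    }
    return _VARIABLE.sub(lambda m: values[m.group(1)], template)

def recurring_names(source_name: str, first_run: date, count: int,
                    template: str = DEFAULT_TEMPLATE, interval_days: int = 1) -> List[str]:
    """Names for a series of `count` certifications created every `interval_days` days."""
    return [
        expand_variables(template, source_name, i + 1,
                         first_run + timedelta(days=interval_days * i))
        for i in range(count)
    ]

def all_unique(names: List[str]) -> bool:
    """True when no two certifications in the series would share a name."""
    return len(set(names)) == len(names)

def page_example() -> List[str]:
    # The daily UserCert series from the page, starting 12 Nov 2010.
    return recurring_names("UserCert", date(2010, 11, 12), 3)

def fixed_name_example() -> List[str]:
    # A template that uses no variables: every member of the series collides.
    return recurring_names("UserCert", date(2010, 11, 12), 3, template="UserCert weekly")

if __name__ == "__main__":
    for name in page_example():
        print(name)
    print("unique:", all_unique(page_example()))
    print("unique without variables:", all_unique(fixed_name_example()))
```

A template that omits both `$reoccurring` and `$date` yields identical names for every iteration, so a series created from it would violate the uniqueness requirement after its first member.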
Use Case: Certify User Privileges Following an Acquisition
New users and resources are added to the model configuration following an acquisition. Administrators run a certification to verify that the privileges assigned to these new users are appropriate.
The stages of the certification are as follows:
- The role engineer creates a certification that certifies user entitlements. The role engineer defines user attribute filters that limit the scope of the certification to the new employees. A member list maps managers to the new users and resources.
- Each manager reviews the privileges assigned to their workers. For example, Bob Smith reviews the privileges given to Hector Torres, and suggests access to a database that Hector needs in his new position.
- Identity Governance sends an email to Deepak Chamarti, the owner of the database. Deepak approves the change, and Identity Governance updates the configuration file. Hector Torres now can access the database.
Use Case: Certifying Privileged Accounts
You can certify privileged accounts using information that is imported from the CA ControlMinder vault. This certification allows you to govern the access of your users and make sure that they do not have more access than they need.
Follow these steps:
- Configure the CA ControlMinder connector as follows. The CA ControlMinder connector must be the only connector in the universe.
  - In the Portal, go to Administration, Universes, and select a universe.
  - Click the Connectivity tab and click Add Connector.
  - Select the CA ControlMinder (Shared Accounts) connector and click Next.
  - Enter the CA ControlMinder Report Database credentials.
  - Run the connector to import the privileged account data. If the CA ControlMinder Server is unavailable, or to import privileged account information from another source, you can manually create the CSV files using the PUPM.ktr PDI transformation. Then select the CA ControlMinder (Shared Accounts, via CSV) connector and supply the paths to the CSV files you created.
- Once the user-account information is imported into the product, run an Account Certification as follows:
  - In the Portal, go to Compliance Management, New Certification.
  - Under Template, select Account Certification.
  - Continue with the certification wizard, selecting the appropriate options.
  - Start the account certification.