Overview
DirX Identity provides a comprehensive role model to control user access rights to resources in connected systems. Features such as access policies, segregation of duties (SoD) and approval workflows help to secure the assignment of access rights. Compliance requirements require regular certification or re-certification of these assignments. DirX Identity provides several mechanisms to support these compliance processes.
Be aware that certification can only be applied to manually-assigned privileges. Rule-based assignments and the assignments made from business object inheritance are not subject to user/privilege certification campaigns because DirX Identity assumes that a rule or an inheritance definition is designed to make the correct assignments. It is not possible to "adjust" the rule or the inheritance definition later on by manually removing specific assignments.
Use Cases
This document describes several use cases in detail. Be aware that other use cases are possible that are not described in this document.
User Certification Campaigns
This use case performs a certification campaign for a subset of users, referred to as the subjects of the campaign.
The users are selected by applying an LDAP search filter configured for the campaign. By default, all manual privilege assignments must be certified. By implementing a “Find Subject” user hook, customers can implement their own method of finding users for the campaign. The set of privileges to be certified (called the resources) can be reduced by configuring an LDAP filter or by implementing a “Limit Resources” user hook.
For each user, one or more approvers are automatically defined. The default implementation selects the user’s manager. A “Find Approvers” user hook can override this setting and select a custom set of approvers per user.
Privilege Certification Campaigns
This use case performs a certification campaign for a subset of privileges, typically roles. In this case, the privileges are the certification subjects.
The privileges are selected by applying an LDAP search filter configured for the campaign. By default, all manual user-privilege assignments must be certified. By implementing a “Find Subject” user hook, customers can implement their own method of finding privileges for the campaign. The set of users to be certified (called the resources) can be reduced by configuring an LDAP filter or by implementing a “Limit Resources” user hook.
For each privilege, one or more approvers are automatically defined. The default implementation selects the privilege’s owner. A “Find Approvers” user hook can override this setting and select a custom set of approvers per privilege.
Certification Campaigns with Risk Governance
In addition to the certification campaigns above, customers can create certification campaigns for subjects with a high risk. If the Risk Governance feature is enabled, the customer can extend the LDAP search filter to select users based on risk values; for example, a user certification campaign for the finance department limited to users with a high risk, or a privilege certification campaign for the role finance administrator limited to users with a medium risk or above.
Continuous Access Certification via Re-approval Workflows
This use case works with DirX Identity’s built-in re-approval feature. In this scenario, the approval for selected and critical privileges is repeated at the specified time. You can either run the same workflow that was run to approve the privilege or a specific workflow for re-approval. If the approvers reject the assignment, the privilege is removed from the user. This method works individually per assignment.
You can combine the re-approval of selected privileges with timing conditions. If you run the InitializeReapproval and the StartReapproval workflows on a daily basis, these workflows check the timing conditions and then start re-approval workflows as necessary.
Scheduled Access Certification Campaigns via Re-approval Workflows
This use case works with the built-in re-approval feature. In this scenario, the approval of all critical privileges is scheduled for a specific time. You can either run the same workflow that was run to approve the privilege or a specific workflow for re-approval. If the approvers reject the assignment, the privilege is removed from the user. This method works individually per assignment. The difference from the previous use case is that the parameters are set to run all re-approvals at the same time. Flag the critical privileges for re-approval and then set the re-approval date at the domain.
In this case, it makes sense to run the InitializeReapproval and the StartReapproval workflows only once at the correct time to start all re-approval workflows in parallel.
How a Certification Campaign Works
This section describes some technical details that help to understand the certification campaign use cases. First we describe how the feature works and which components are involved. Next, we explain how all these components are integrated in the system and how to calculate the certification campaign end date.
You can skip this section and read it later on if you need deeper understanding of this fairly complex feature.
Several processes are necessary to perform a certification campaign in DirX Identity. They are described in the following sections.
Certification Campaign Pre-Requisites
A certification campaign has the following DirX Identity configuration pre-requisites:
- Certification Campaign Controller workflow (called the campaign controller) – this workflow needs to be active, needs a schedule so that it runs at least once per day and must be deployed on exactly one Java-based Server (resource family Certification Campaign).
- Email service – the campaign controller sends various notifications during the campaign and relies on the general email service to be configured correctly.
Creating a Certification Campaign
A certification campaign administrator creates a campaign entry in state Campaign is in preparation (PREPARING) and then:
- Selects the certification type (user/privilege).
- Sets the start date and approval period.
- Sets the filter for the subjects (the users or privileges) or, alternatively, a “Find Subjects” user hook.
- Sets a resource (privilege or user) filter or a “Limit Resources” user hook if some privileges of a user, or some users assigned a privilege, are to be excluded.
- Sets a “Find Approvers” user hook if the approver is not the default.
- (Optional) Sets “Recurring Certification Campaign” to indicate that the campaign is to be run periodically, and sets the time period after which the campaign will be run again in “Interval”.
Next, the administrator must enable the notifications to be used and adapt their templates, especially subject and body.
Certification Campaign Notifications
From the campaign’s start until its end, the Certification Campaign Controller can send a different mail notification for each campaign phase. When a campaign is created, the mail notification templates are copied from the Certification Campaigns → _Default → Notifications container to the Notifications container of the newly created campaign. The administrator can enable or disable these notifications (General → Is Active) and adjust the notification content (for example, subject and body).
The following mail notification templates are available (listed here in alphabetical order):
- Approval Remind – Send a notification to approvers to remind them about their tasks. This notification is configurable with the Remainder notification values available in the Certification Campaign entry (Days before due date and Interval between remainders (hours)).
- Approval Start – Send a notification to approvers when they get new certification tasks.
- Approval Timeout – Send a notification to approvers when one of their certification tasks has expired.
- Assignment Reject – Send a notification to certified users when at least one of their privilege assignments has been rejected.
- Campaign End – Send a notification to the campaign owner when a campaign ends.
- Campaign Start – Send a notification to the campaign owner when a campaign starts.
- No Approver – Send a notification to the campaign owner when no approver was found for a user or privilege to be certified.
- Prepare Error – Send a notification to the campaign owner when starting a campaign failed.
Note: When the certification campaign is restarted (manually or as part of the recurring certifications), the Notifications container and its content are not modified.
Starting a Certification Campaign
When the start date of the campaign in state Campaign is in preparation (PREPARING) is reached, the Certification Campaign Controller workflow starts the campaign.
The following figure provides an overview of the campaign phases and notifications to be sent:
At start-time, the campaign controller validates the parameters of the campaign. Any warnings or errors are stored in the Logs field of the campaign entry. The following parameters are checked:
- Approval Period.
- Due Date: can be empty; it is then calculated at the start of the campaign as Start Date plus Approval Period. If Due Date is set, this value is used for the current campaign run. For a recurring certification campaign, the value is reset to the default (Start Date plus Approval Period) at the next start of the campaign.
- Status Expiration Date: if set, must be after the Due Date. If not set, the controller logs a warning and, at the end of the campaign, calculates a default value of End Date plus 30 days.
- User Filter and Privilege Filter: for a user campaign, both a User Base and a User Filter must be set, or a “Find Subjects” user hook must be specified. For a privilege campaign, both a Privilege Base and a Privilege Filter must be set, or a “Find Subjects” user hook must be specified.
If the validation fails, the controller sets the campaign state to Campaign failed to start (FAILED.PREPARED) and sends a “Prepare Error” notification to the campaign owner. The administrator (who should be the campaign owner) can then fix the problems, set the state to PREPARING and start the Certification Campaign Controller workflow again.
If the start settings are correct, the campaign controller searches the users (the subjects of the campaign), collects their manual privilege assignments (the resources of the certification), removes any of them excluded by the privilege filter or the “Limit Resources” user hook, and sets the approver(s) per user. For each user, it stores the result in a certification entry underneath the campaign entry in a child container User Certification. If a “Find Approvers” user hook provides more than one approver for the user, it creates a sub-tree of certification entries. For more details, see the section “Select Approvers with a “Find Approvers” User Hook”.
For a privilege campaign, the certification entries are stored in a child container Privilege Certification. Each certification entry represents a privilege to be certified and its assignments are the users of this privilege. The approver is responsible for certifying the privilege.
For each certification entry (that is, for each user or privilege to be certified), the campaign controller sends an Approval Start notification if available.
If a certification entry does not have at least one approver, its state is set to FAILED.PREPARE and the campaign controller sends a Prepare Error notification to the campaign owner. The campaign controller also sends a No Approver notification to the campaign owner. If a certification entry does not have any manual assignments, its state is set directly to RUNNING and the certification entry is automatically closed at the end of the approval period.
When all certification entries have been created, the campaign controller sets the campaign state to Campaign is running (RUNNING) and then sends a Campaign Start notification to the campaign owner.
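The start phase described in this section (parameter validation, subject selection, collecting only manual assignments, approver lookup, and the per-entry state and notifications), modelled as an added Python example. This is not DirX Identity code: the Campaign and Assignment classes, the hook signatures, the in-memory user records that stand in for the LDAP search, the assumption that Approval Period is mandatory, and the PENDING_APPROVAL label for an entry waiting on its approvers are all assumptions for illustration. The sub-tree created for multiple approvers is not modelled; each entry just keeps its approver list.

```python
"""Model of the certification campaign start phase (added example; data model,
hook signatures and the PENDING_APPROVAL label are assumptions, not product code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass
class Assignment:
    user: str
    privilege: str
    kind: str  # "manual", "rule" or "inheritance" (constructed labels)


@dataclass
class Campaign:
    name: str
    start_date: date
    approval_period_days: Optional[int]
    owner: str
    user_base: Optional[str] = None
    # stands in for the LDAP User Filter: a predicate on the user record
    user_filter: Optional[Callable[[dict], bool]] = None
    due_date: Optional[date] = None
    status_expiration_date: Optional[date] = None
    find_subjects: Optional[Callable[[list], list]] = None    # "Find Subjects" hook
    limit_resources: Optional[Callable[[list], list]] = None  # "Limit Resources" hook
    find_approvers: Optional[Callable[[dict], list]] = None   # "Find Approvers" hook
    logs: list = field(default_factory=list)                  # the Logs field


def validate(c: Campaign) -> bool:
    """Start-time checks; warnings and errors go to the Logs field."""
    ok = True
    if not c.approval_period_days:  # assumed mandatory
        c.logs.append("error: Approval Period not set")
        ok = False
    if c.due_date is None and c.approval_period_days:
        c.due_date = c.start_date + timedelta(days=c.approval_period_days)
    if c.status_expiration_date is None:
        c.logs.append("warning: Status Expiration Date empty; set at campaign end")
    elif c.due_date and c.status_expiration_date <= c.due_date:
        c.logs.append("error: Status Expiration Date must be after Due Date")
        ok = False
    if not (c.user_base and c.user_filter) and c.find_subjects is None:
        c.logs.append("error: User Base + User Filter or Find Subjects hook required")
        ok = False
    return ok


def prepare(c: Campaign, users: list, assignments: list, managers: dict):
    """Return (campaign state, certification entries by uid, notifications sent)."""
    notes = []
    if not validate(c):
        notes.append(("Prepare Error", c.owner))
        return "FAILED.PREPARED", {}, notes
    subjects = c.find_subjects(users) if c.find_subjects else [u for u in users if c.user_filter(u)]
    entries = {}
    for u in subjects:
        uid = u["uid"]
        # only manual assignments are certified; rule-based and inherited ones are skipped
        res = [a for a in assignments if a.user == uid and a.kind == "manual"]
        if c.limit_resources:
            res = c.limit_resources(res)
        approvers = c.find_approvers(u) if c.find_approvers else [managers.get(uid)]
        approvers = [a for a in approvers if a]  # default approver is the user's manager
        if not approvers:
            state = "FAILED.PREPARE"
            notes += [("Prepare Error", c.owner), ("No Approver", c.owner)]
        elif not res:
            state = "RUNNING"  # nothing to certify: closed at end of approval period
        else:
            state = "PENDING_APPROVAL"  # assumed label; the page does not name this state
            notes += [("Approval Start", a) for a in approvers]
        entries[uid] = {"state": state, "assignments": res, "approvers": approvers}
    notes.append(("Campaign Start", c.owner))
    return "RUNNING", entries, notes


def demo():
    """Constructed sample data: a finance-department user campaign."""
    users = [{"uid": "alice", "dept": "finance"}, {"uid": "bob", "dept": "finance"},
             {"uid": "carol", "dept": "sales"}]
    assignments = [Assignment("alice", "FinanceAdmin", "manual"),
                   Assignment("alice", "AllEmployees", "rule"),
                   Assignment("bob", "Payroll", "inheritance"),
                   Assignment("carol", "CRM", "manual")]
    managers = {"alice": "dave", "carol": "erin"}  # bob has no manager on record
    c = Campaign("Finance Users Certification", date(2016, 7, 1), 14, owner="admin",
                 user_base="cn=Users", user_filter=lambda u: u["dept"] == "finance")
    state, entries, notes = prepare(c, users, assignments, managers)
    return state, entries, notes, c


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows alice waiting on her manager dave, bob failing with FAILED.PREPARE because no approver was found (Prepare Error and No Approver go to the owner), carol excluded by the filter, and the Due Date computed as 2016-07-15 with a warning logged for the missing Status Expiration Date.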
Certifying Users or Privileges
Approvers are notified by an Approval Start notification. When they open DirX Identity Web Center, they can see the certification campaigns in which they are involved on their start page and can immediately navigate to their certification tasks; alternatively, they can use the DirX Identity Business User Interface Certification Campaign feature to approve or reject certification tasks. For each entry to be certified (user or privilege), they can see all manual assignments and can decide whether to accept or reject each individual assignment. If an assignment has an end date or a role parameter (for example, the manager for a project), the approver can delete or modify the end date or the parameter. These changes are stored underneath the certification entry and are applied at the end of the campaign. Approvers can store their decisions at any time and continue with the open tasks later on. When the approver saves the decisions for all assignments of a certification entry, DirX Identity Web Center or DirX Identity Business User Interface sets the state of the entry to APPROVAL.FINISHED.
The Certification Campaign Controller workflow should be scheduled to run regularly. In addition to starting campaigns, it also monitors running campaigns.
When it detects a finished certification entry, the campaign controller starts downstream approvals for that entry when available. When a certification task is approaching the due date, it sends reminder notifications (type Approval Timeout). When a certification task has reached the due date, the campaign controller sets its state to FAILED.EXPIRED. If a downstream approval exists, it is started.
The administrator can change the due date or state of single certification entries or of the entire campaign at any time, as necessary, and so react flexibly to any errors.
Finishing a Certification Campaign
When the Due Date of the certification campaign is reached (manually set by the campaign administrator or automatically calculated at the start of the campaign), the campaign controller starts to apply the changes. The actions depend on the “revoke privileges” settings made in the campaign entry. Rejected, changed and ignored (uncertified) assignments can simply be left as they are, removed from the users or evaluated by an approval workflow (only when set accordingly per privilege). When an assignment is removed, the campaign controller sends an Assignment Reject notification to the users.
If an error occurs during the apply change process, the campaign controller sets the state of the certification entry to FAILED.APPLIED.CHANGES. Otherwise, the controller sets the state to FINISHED and sets the End Date.
At the end, the campaign controller sets the campaign state to Campaign finished successfully (SUCCEEDED), sets the End Date, calculates the Status Expiration Date if required (the date at which the campaign will be moved to state DELETED), and sends a Campaign End notification.
When the Status Expiration Date is reached, the campaign controller sets the campaign state to Campaign is marked for deletion (DELETED). A subsequent “Cleanup Objects” workflow will physically delete the entire sub-tree for the campaign later on.
Recurring Certification Campaign
When values are set for Recurring Certification Campaign, the certification campaign will be restarted after the time period specified in Interval. This option applies only to campaigns that have finished with success. The campaign controller checks whether the new start date is reached (Start Date from the previous campaign plus Interval), moves the current closed campaign to the _Archive container in a folder named after the campaign name and start date (for example, Finance High Risk Users Certification 2016-07-01), and starts the new campaign. The Due Date for the new campaign is calculated from the Start Date and Approval Period of the initial campaign. Any manual modification of the Due Date during the previous campaign is ignored.
To stop a recurring certification campaign, the administrator must clear all values from Interval.
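The finish, expiration and recurring-restart steps described in the sections above (applying the approver decisions according to the “revoke privileges” setting, setting End Date and the default Status Expiration Date, moving to DELETED, and restarting after Interval with the Due Date recalculated from the initial Approval Period), modelled as an added Python example. This is not DirX Identity code: the campaign dictionary fields, the decision tuples, the option names "keep", "remove" and "approval_workflow" for the revoke setting, and resetting the Status Expiration Date on restart are assumptions for illustration.

```python
"""Model of campaign finish and recurring restart (added example; field names,
decision shapes and revoke option names are assumptions, not product code)."""
from datetime import date, timedelta


def finish(campaign: dict, decisions: list, revoke: str, today: date):
    """Apply decisions at the Due Date. decisions: (user, privilege, verdict) with
    verdict "accept", "reject", "change" or None (None = not certified).
    revoke: "keep", "remove" or "approval_workflow" (assumed option names)."""
    removed, to_workflow, notes = [], [], []
    for user, privilege, verdict in decisions:
        if verdict == "accept":
            continue  # certified: nothing to do
        if revoke == "remove":
            removed.append((user, privilege))
            notes.append(("Assignment Reject", user))
        elif revoke == "approval_workflow":
            to_workflow.append((user, privilege))
        # "keep": rejected, changed and uncertified assignments are left as they are
    campaign["state"] = "SUCCEEDED"
    campaign["end_date"] = today
    if campaign.get("status_expiration_date") is None:
        # default when no value was configured: End Date plus 30 days
        campaign["status_expiration_date"] = today + timedelta(days=30)
    notes.append(("Campaign End", campaign["owner"]))
    return removed, to_workflow, notes


def expire(campaign: dict, today: date) -> str:
    """Once Status Expiration Date is reached, mark the finished campaign DELETED
    (a later Cleanup Objects workflow removes the sub-tree)."""
    if campaign["state"] == "SUCCEEDED" and today >= campaign["status_expiration_date"]:
        campaign["state"] = "DELETED"
    return campaign["state"]


def next_run(campaign: dict, today: date):
    """Restart a recurring campaign once Start Date + Interval is reached.
    Returns (archive folder name, new campaign entry) or None."""
    interval = campaign.get("interval_days")
    if campaign["state"] != "SUCCEEDED" or not interval:
        return None  # only successfully finished campaigns recur; empty Interval stops it
    new_start = campaign["start_date"] + timedelta(days=interval)
    if today < new_start:
        return None
    archive = f"{campaign['name']} {campaign['start_date'].isoformat()}"
    # Due Date comes from the initial Approval Period; a manually moved Due Date is ignored
    new = dict(campaign, state="PREPARING", start_date=new_start, end_date=None,
               due_date=new_start + timedelta(days=campaign["approval_period_days"]),
               status_expiration_date=None)  # assumed: recomputed for the new run
    return archive, new


def demo():
    """Constructed sample: a 14-day campaign whose Due Date was moved manually."""
    campaign = {"name": "Finance High Risk Users Certification", "owner": "admin",
                "state": "RUNNING", "start_date": date(2016, 7, 1),
                "approval_period_days": 14, "due_date": date(2016, 7, 20),
                "status_expiration_date": None, "interval_days": 90}
    decisions = [("alice", "FinanceAdmin", "accept"), ("alice", "Payroll", "reject"),
                 ("bob", "Treasury", None)]
    result = finish(campaign, decisions, "remove", date(2016, 7, 20))
    restart = next_run(campaign, date(2016, 9, 29))
    return campaign, result, restart


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With the "remove" setting both the rejected and the uncertified assignment are revoked and each affected user gets an Assignment Reject notification; the campaign ends with Status Expiration Date 2016-08-19, and on 2016-09-29 it is archived under the folder name the text shows and restarted with Due Date 2016-10-13, derived from the original 14-day Approval Period rather than the manually moved date.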
Generating Reports
DirX Identity provides default reports on certification campaigns. You can generate a report on a campaign at any time, especially after the campaign has finished.
To generate a report, in DirX Identity Manager, right-click a campaign entry, select Report and then select one of the available reports from the list provided. See the report descriptions for more information on their content.