Hints and Limitations

A certification campaign requires certification only on manually-assigned privileges. Rejecting an automatically-assigned privilege does not make sense, because it will be assigned again as soon as the Provisioning rules for the user are evaluated or the access rights of the user are resolved for any reason. Consequently, rule-based assignments and assignments inherited from business objects cannot be certified.

However, an approver might be interested in seeing all assignments, including these automatically assigned ones, during the certification. As a result, these assignments are presented in Web Center or Business User Interface. An approver cannot really revoke them, but he can indicate that they should be revoked and give a reason. This information is stored with the certification task and can then be evaluated by the certification administrator and included into reports. It is their responsibility to bring this information to the attention of the relevant people in order to effect any improvements of automatic rules.

You can increase the log level to obtain more details about campaign execution. Use the Admin Web application to add the following Java packages in Java Server → Logging → Set log levels:

When a certification campaign is started and finished, a lot of tasks are performed:

At the start: creating a certification task for each certification subject along with finding approvers for them and sending start notifications.

At the end: checking all certification tasks, finding revoked assignments and resolving the new access rights of the affected users along with sending notifications.

These tasks will generate a high load on the affected IdS-J Server and may affect parallel provisioning or approval processes. As a result, consider allocating enough CPU and memory to the affected servers and reduce other processes in those periods.