Creating a Certification Campaign
A certification campaign is represented by a campaign entry in the Provisioning domain. To set up a new user certification campaign, you need to create a new entry: in the sub-view Certification Campaigns of the view group Provisioning, right-click an appropriate parent container, select New → CertificationCampaign, and then supply values for the following mandatory fields:
- Name – the name of the campaign to be displayed to approvers and stated in emails.
- Type – the campaign type. Set it to User Certification or Privilege Certification.
- Owner – a user in the domain who is to be considered the owner of the campaign.
- Reminder Notifications – the period before the campaign due date at which reminders are to be sent to approvers about their certification tasks and the interval at which these reminders are to be sent.
- Apply Changes – whether rejected assignments are ignored, revoked or need additional approval at the end of the campaign. The options are:
  - Do not revoke any rejected privileges – no assignments are removed.
  - Revoke all manually rejected privileges that are rejected or left uncertified – both assignments that are explicitly rejected and assignments that have been ignored by the approver are removed.
  - Revoke only rejected Privileges that were manually assigned – only the assignments that are explicitly rejected by the approver are removed. The ignored ones are left untouched.
  - Review the revocation of all manually assigned privileges that are rejected or left uncertified – starts an approval workflow for all of the manual assignments that the approver did not explicitly accept and where the concerned privilege needs approval during assignment. Assignments which the approver did not explicitly accept are removed.
- Status – the certification campaign status. This field must be set to Campaign is in preparation (PREPARING).
- Start Date – the date at which the campaign should start. If you want to start the campaign immediately, set this date to a point in the past.
- Approval Period – the duration of the approval period. This value is used to calculate the Due Date and should provide sufficient time for the approvers to certify all assignments.
- Due Date – the date at which the campaign should end. This date is calculated at the start of the campaign from Start Date plus Approval Period. The administrator can change this value later on during the campaign.
- Status Expiration Date – the time at which certification LDAP entries should be physically deleted (optional). When this field is blank at the end of the campaign, the campaign workflow will set a default expiration date of the current date plus 30 days.
- User Base and User Filter – the subjects of the certification.
  If the Risk Governance feature is enabled in the Domain Configuration tab, you can create a certification campaign for users with a specific risk. User Filter may contain an additional search parameter for the LDAP attribute dxrRskLevel (0 – normal risk, 1 – low risk, 2 – medium risk, 3 – high risk), for example:
  (&(objectClass=dxrUser)(|(ou=Finances))(dxrRskLevel>=2))
  The query above retrieves all users for a certification campaign from the organizational unit Finances with a risk level of medium risk or higher (dxrRskLevel>=2).
- Privilege Filter Base and Filter – the privileges to be certified. Leave these fields blank when you want all manual assignments of the subjects to be certified. Specify values for these fields when you want to restrict the privileges to be certified: the privileges to be certified must match this filter.
These fields are mandatory to start a certification campaign.
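To check which subjects a User Filter such as the risk-level example above would put in scope before starting a campaign, the following added example (not part of the product or its documentation) evaluates the page's filter against constructed user entries. It supports only the `&`, `|`, `=`, `>=` and `<=` filter elements, and the entry names and the integer ordering of dxrRskLevel are assumptions.

```python
import re
# Constructed sample entries (not from a real directory); attribute names follow the page.
USERS = [
    {"cn": "Alice", "objectClass": ["dxrUser"], "ou": ["Finances"], "dxrRskLevel": ["3"]},
    {"cn": "Bob",   "objectClass": ["dxrUser"], "ou": ["Finances"], "dxrRskLevel": ["2"]},
    {"cn": "Carol", "objectClass": ["dxrUser"], "ou": ["Finances"], "dxrRskLevel": ["1"]},
    {"cn": "Dave",  "objectClass": ["dxrUser"], "ou": ["Sales"],    "dxrRskLevel": ["3"]},
    {"cn": "Erin",  "objectClass": ["dxrUser"], "ou": ["Finances"]},  # no risk level set
]
PAGE_FILTER = "(&(objectClass=dxrUser)(|(ou=Finances))(dxrRskLevel>=2))"

def parse(f, i=0):
    """Parse a subset of LDAP filter syntax: &, | and =, >=, <= items (no substrings)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    else:
        m = re.compile(r"([\w-]+)(>=|<=|=)([^()]*)").match(f, i)
        if not m:
            raise ValueError(f"bad filter item at offset {i}")
        node, i = ("item",) + m.groups(), m.end()
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, op, want = node
    values = entry.get(attr, [])  # attribute absent: the item does not match
    if op == "=":
        return any(v.lower() == want.lower() for v in values)
    # Assumption: ordering is integer comparison, as for the numeric dxrRskLevel.
    return any(int(v) >= int(want) if op == ">=" else int(v) <= int(want) for v in values)

def select(filter_text, entries=USERS):
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in entries if matches(tree, e)]

print(select(PAGE_FILTER))
```

With `>=2` the high-risk user is selected along with the medium-risk one, while the user with no dxrRskLevel value falls outside the campaign scope.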