Hints and Limitations
This chapter provides additional information on certification campaigns.
Manual and Automatic Assignments
Certification campaigns require certification only for manually assigned privileges.
Rejecting an automatically assigned privilege does not make sense because it will be reassigned as soon as:
- Provisioning rules for the user are evaluated, or
- The user’s access rights are recalculated for any reason.
Therefore:
- Rule-based assignments and assignments inherited from business objects cannot be certified.
However, approvers may still want to view all assignments, including automatically assigned ones, during certification. For this reason:
- These assignments are displayed in the Web Center or Business User Interface.
- Approvers cannot revoke them directly, but they can flag them for revocation and provide a reason.
- This feedback is stored with the certification task and can be:
  - Reviewed by the certification administrator.
  - Included in reports.
  - Used to inform relevant stakeholders for improving automatic rules.
Certification Campaign Logging
To obtain detailed information about campaign execution, increase the log level:
- Open the Admin Web application.
- Navigate to: Java Server → Logging → Set log levels.
- Add the following Java packages and set their value to ALL for full debug information:
  - com.siemens.idm.jobs.campaign
  - com.dirxcloud.dxi.campaign
Java-based Server Workflow Load
Starting and finishing a certification campaign involves multiple tasks:
- At the start:
  - Create a certification task for each subject.
  - Identify approvers.
  - Send start notifications.
- At the end:
  - Check all certification tasks.
  - Identify revoked assignments.
  - Recalculate access rights for affected users.
  - Send notifications.
These operations generate high load on the IdS-J Server and may impact parallel provisioning or approval processes.
Recommendations:
- Allocate sufficient CPU and memory to affected servers.
- Reduce other processes during these periods.