Adding a certificate
This document explains how to add a certificate in IDHub so that you can conduct an access review of the items in the certificate.
How to add a new Certificate
- Go to 'Certifications' in the Admin Module of IDHub using the credentials of a user that has the role of 'System Administrator'. To learn more about IDHub roles, see the IDHub roles documentation.
- Upon reaching the certifications page, click on the
Selecting the Certification Type
IDHub lets you create two types of certificates:
User Access Certification
- Certifying user access to various enterprise resources. Typically completed by the user’s manager.
Resource Assignment Certification
- Certifying users' continued access to a resource. Typically completed by a resource owner.
Understanding the Basic Info Needed in the Certificate Definition
This section requires basic information about the certificate, such as:
Certificate Definition name
- User Access
- Resource Assignment
- Here you can enter keywords that help you refine and search for the certificate that you have created.
Certification Request Approval
- When a certification campaign is ready to be released, a certification request is generated.
- Here you need to provide the user name or role that approves the certification request details regarding the distribution impact of the certification request.
- IDHub lets you select this from a list of predefined templates for the certification workflow.
- IDHub provides a default, out-of-the-box workflow for the certificate definition. You can select that workflow, or create a custom workflow and select it from the list. To learn more about workflows, see the IDHub workflows documentation.
Select Users for the Certificate Definition
There are two ways to select the users in the certificate definition. Let’s go into each in detail.
- In this case, you add the users that will be part of the user access certification.
- In this option, you create a query condition, following the guidelines, to build a list of users for certification. Selecting “only include users with high-risk roles and applications” filters your list further.
- For instance (see screenshot below), if you want to select all active users, create the query condition “Status = Active”. This selects all active users for the certificate definition.
Select Resources for the Certificate Definition
Just like users, there are two ways to select the resources for the certificate definition. Let’s go into each in detail.
- In this option, you add the resources manually to be part of the user access certification. (See screenshot below)
- Clicking the plus button selects the resource.
- To see only your selected resources, use the toggle button.
- You can also search for the resources that you want to select by clicking on the search icon.
- If you want to include only the high-risk roles and applications, select the checkbox at the top.
- You can also filter the list of resources by type and tags.
- In this option, you create a query condition, following the guidelines, to build a list of resources for certification. Selecting "only include resources with high-risk roles and applications" filters your list further.
- For instance (see screenshot below), if you want to select all resources which are active for the users, create the query condition “Disabled = False”.
Select a user or a role as a certifier
The certifier is the person who reviews the certification tasks and performs the actual access review, approving or revoking access to the resources for the selected users.
IDHub provides you with the following options to select the certifier.
Select a User
- Lets you select an individual user who would be the certifier
- This means that the manager of the beneficiary would be the certifier.
- This option means that the owner of the resource would have the ability to complete the certification task.
The scheduler of the Certificate
IDHub helps you schedule a one-time or recurring certification request (campaign) release. (See screenshot above). This is useful in scenarios where you have to run access reviews frequently for certain high-risk resources to adhere to certain compliance standards.
Understanding the Configuration for the Certificate Definition
The configuration section of the certification definition creation allows you to apply settings specific to your certification definition.
Let’s go into more detail about some of the available configuration options.
Require comments on all certified operation
- This option means that the certifier has to provide comments whenever they approve the resource in the certification task.
Require comments on all revoked operation
- This option means that the certifier has to provide comments whenever they revoke the resource in the certification task.
- Selecting this option allows you to re-assign the task to someone else.
- If you select this option, you cannot be the certifier of your own resources.
Escalate to the manager on the upcoming due date
- When this option is selected, IDHub automatically escalates the certification task on the upcoming due date.
Certification close reminder email
- If you select this option, IDHub sends a reminder email before the certificate expiry date. The certificate expiry date is determined by the duration of the certificate.
If the original certifier is not available to carry out the certification tasks, IDHub allows you to select an alternate certifier here, who can perform the certification task in the absence of the original certifier.
The following are the options for the alternate certifier.
- This is the default option and here the manager of the certifier becomes the alternate certifier.
- Here you can select any other individual user as the alternate certifier.
- You can also select any role as the alternate certifier. This means any user who is part of this role would be the alternate certifier for the certification tasks.
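The certifier choice, the option that stops you certifying your own resources, and the alternate certifier all decide who ends up reviewing each item. The following Python model is an added example, not IDHub code: it resolves a reviewer per (user, resource) pair so you can spot items that would have no eligible reviewer. The names Definition, assign and unassigned_items and the sample data are hypothetical, role-based alternates are not modelled, and treating a self-reviewing certifier as "not available" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: user -> manager, resource -> owner.
MANAGERS = {"alice": "carol", "bob": "carol", "carol": "dave", "dave": None}
OWNERS = {"payroll-db": "carol", "vpn": "bob"}


@dataclass(frozen=True)
class Definition:
    certifier_mode: str                   # "user", "manager" or "resource_owner"
    certifier_user: Optional[str] = None  # used when certifier_mode == "user"
    alternate_user: Optional[str] = None  # None = default: manager of the certifier
    block_self_review: bool = True        # certifier may not review their own access


def primary_certifier(d: Definition, beneficiary: str, resource: str) -> Optional[str]:
    if d.certifier_mode == "user":
        return d.certifier_user
    if d.certifier_mode == "manager":
        return MANAGERS.get(beneficiary)
    if d.certifier_mode == "resource_owner":
        return OWNERS.get(resource)
    raise ValueError(f"unknown certifier mode: {d.certifier_mode}")


def assign(d: Definition, beneficiary: str, resource: str) -> tuple:
    """Return (reviewer, route); reviewer None means nobody eligible was found."""
    def eligible(person):
        return bool(person) and not (d.block_self_review and person == beneficiary)

    primary = primary_certifier(d, beneficiary, resource)
    if eligible(primary):
        return primary, "primary"
    # Assumption: a missing or self-reviewing certifier counts as "not available".
    alternate = d.alternate_user or MANAGERS.get(primary)
    if eligible(alternate):
        return alternate, "alternate"
    return None, "unassigned"


def unassigned_items(d: Definition, entitlements: list) -> list:
    """Entitlements that would reach the campaign with no eligible reviewer."""
    return [e for e in entitlements if assign(d, *e)[0] is None]
```

Running unassigned_items over the user and resource selection before release shows which items need an explicit alternate certifier.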
IDHub allows you to set a predefined trigger for the certification. This trigger rule listens for events to release a certification request. You can pick a frequently used rule from a list of predefined rules.
Certification duration specifies the total time for certifiers to complete certification. You can select the duration unit of the certificate as days/months/years from the drop-down and then enter the number in the text field. After the duration of the certificate is completed, the certificate expires.
As the last step of creating the certificate, IDHub displays the summary page. The summary page shows the complete details of the certificate that you have created in the previous steps. Every section has an edit link; click it to go back to that section directly and modify it. After you click the submit button, the certificate is created and shown as an Active Certificate in the Certificate menu of the IDHub admin module.