User Certifications in Symantec Identity Governance

Article By: Adarian Dunmeyer

Certification is the process of verifying that links between users, roles, and resources are true and correct. CA Identity Governance enables you to use certification campaigns to:

  • Enable managers across the enterprise to review access privileges, and verify that the roles assigned to those workers are appropriate
  • Enable resource owners to review the users and roles that link to their resource.
  • In some jurisdictions, certifications are required by law. CA Identity Governance implements certifications using a workflow. When combined with CA Identity Manager, an organization can institute “closed-loop remediation”, that is the automatic removal of inappropriate or unauthorized access privileges without user intervention.

When you initiate a certification, Identity Governance automatically invites managers to review and certify the access privileges of the users or resources they administer. Certification ensures that granted privileges comply with business and regulatory needs, and that they are not over-allocated.  User Certifications certify the roles and resources linked to each user. These links define the privileges assigned to each user. Typically, managers review the privileges of their workers. Use this type of certification to document compliance with data security measures.

Managers have a quarterly audit, and must review their employee’s access, and ensure that their users have the least privileged access, or that users have been offboarded and their account statuses reflect.


  • The Identity Governance Solution must have a Universe configured.
  • The configured universe must have a CAIM connector configured in it.

Needs to Know

  • If the Universe and connector are configured, but the connector does not have an endpoint defined in it, any resources expected will not appear in the campaign. 
  • There must be at least one import that has successfully been completed on the connector.


Task 1 – Run an Import

  1. Login into the Identity Governance web application
  2. Navigate to Administration > Universes > Connected universe > Then click the “Conectivity” Tab
  3. Ensure that the “import” radio button selected Click the square box next to the connector name.

  4. Click “Import now” then click ok. 
    1. We run an import before every campaign to make sure we have the most up to date information from IAM in Governance

  5. Navigate to Administration > Workflows
    1. Click on the “filter” button to include “All” workflows with a start and end date 7 days after today’s date then click “ok”
    2. Refresh until it is complete. May take an extended amount of time.

Task 2 – Configure the Campaign

  1. Login into the Identity Governance web application.
  2. Navigate to “Compliance Management” > New Certification. Here you will select which type of campaign you want to run, the name/description, when you want the campaign to start/expire and who to contact or default to if a manager/owner cannot be found. Here we will select “User privileges” which means the user’s manager will review their access. Click Next once all the properties have been filled.
  3. Here we will define our “scope” of the Users, Roles and Resources we want to review in this campaign.  Users refers to the users in the user directory connected via IDM. Roles refer to the Provisioning Roles and Account Templates in the provisioning directory. Resources refer to the endpoint resources that IDM and Governance can manage, such as groups in Active Directory. We will default to “All roles and all users” for testing purposes. You can define your scope based on any attribute in the system. Once your scope has been defined, Click next.
    1. You can run a campaign on all users whose ManagerID=A12345, or where RoleName does not equal to “SystemEngineer”.
  4. Here we can determine whether you want to send reminder emails automatically or manually. Set this to “Manage emails Manually” for now. Click Finish.
  5. To monitor the campaign after it has started, Navigate to Compliance Management > Certification Management and select the campaign.
  6. If you have an outstanding campaign, navigate to the home menu and click on the highlighted line in the Notifications window where it says “You have x certifications in Campaign.
  7. You can Approve, Reject, or Reassign the user to someone else by clicking the check box next to their name.
      1. You can also reassign multiple users by clicking select all under the campaign title.
      2. You can also approve, reject, or reassign entitlements on the user by clicking checkboxes next to their entitlements.
  8. If you want to reassign another manager’s user(s), click on Progress By Reviewers, then select the manager whose users you want to reassign to someone else.
  9. Find the user(s) that you want to reassign and click the Open button next to their name.
  10. Click on the Checkbox next to reassign then click the highlighted name next to the arrow.
  11. Enter the search criteria for the user you want to reassign to, then click search. Click the radio button next to their name then click Apply.
  12. Click Save and Submit after the user has been changed.

Summary of User Certifications in Symantec Identity Governance 

Creating user certifications in Symantec Identity Governance allows organizations the ability to have their managers attest to user privileges and resources and keep an up to date reviewal process.

Looking for additional help with Symantec identity governance? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including CA Identity Suite and more. Take your interoperability to the next level, and contact an ISX consultant today.

ISXUser Certifications in Symantec Identity Governance

Leave a Reply

Your email address will not be published. Required fields are marked *