MidPoint makes it possible to periodically review various settings, e.g. the assignment of roles to users. This feature is called access certification. It is implemented in the form of certification campaigns.
A certification campaign is a review process that consists of identifying a set of certification cases, selecting reviewers for them, gathering the decisions of these reviewers, and executing a remediation process, if needed. Reviewer selection and decision gathering can be done multiple times, in the case of multi-stage campaigns. The remediation process can be automated or manual. It is assumed that certification campaigns will be run regularly, e.g. yearly, twice a year, monthly, and so on.
In the following we will see what a campaign looks like. Then we will go through a very quick tutorial. After that we will have a look at the various possibilities connected with defining certification campaigns.
Information on this page relates to midPoint 3.4. In version 3.3, the access certification feature is present at the level of a technology preview. It is not suitable for production environments, mainly because of performance issues. Also, not all features mentioned here are implemented in 3.3.
Certification campaigns are created using templates that are called certification campaign definitions, or certification definitions for short. Each definition contains the following elements:
An example of a campaign definition (taken from the samples/certification/def-all-user-assignments.xml file):
<accessCertificationDefinition
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <name>All user assignments</name>
    <description>Certifies all users' assignments. Everything is certified by the administrator.</description>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/certification/handlers-3#direct-assignment</handlerUri>
    <stageDefinition>
        <number>1</number>
        <name>Administrator's review</name>
        <description>In this stage, the administrator has to review all the assignments of all users.</description>
        <duration>P14D</duration>                               <!-- 14 days -->
        <notifyBeforeDeadline>PT48H</notifyBeforeDeadline>      <!-- 48 hours -->
        <notifyBeforeDeadline>PT12H</notifyBeforeDeadline>
        <notifyOnlyWhenNoDecision>true</notifyOnlyWhenNoDecision> <!-- this is the default -->
        <reviewerSpecification>
            <defaultReviewerRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/> <!-- administrator -->
        </reviewerSpecification>
    </stageDefinition>
    <remediationDefinition>
        <style>automated</style>
    </remediationDefinition>
</accessCertificationDefinition>
In this case, the scope definition is missing. This means that default values are used: all assignments of all users are taken into account.
There is one stage. The stage definition consists of the following:
It is advisable to go through a very quick tutorial at this point in order to see how certification works.
Scope definition and reviewer definition are powerful mechanisms that allow a certification campaign to be customized extensively. Let us have a look at the details.
The scope definition controls the set of certification cases that are created when the certification campaign is started. You can configure the following:
An example of a more advanced scope definition:
<scopeDefinition xsi:type="AccessCertificationAssignmentReviewScopeType">
    <objectType>UserType</objectType>
    <searchFilter>
        <q:org>
            <q:path>parentOrgRef</q:path>
            <q:orgRef oid="00000000-8888-6666-0000-100000000001"> <!-- Governor Office -->
                <q:scope>SUBTREE</q:scope>
            </q:orgRef>
        </q:org>
    </searchFilter>
    <itemSelectionExpression>
        <script>
            <code>
                <!-- "&&" must be escaped as "&amp;&amp;" to keep the XML well-formed -->
                role = midpoint.resolveReferenceIfExists(assignment.targetRef)
                return role != null &amp;&amp; role.riskLevel == 'critical'
            </code>
        </script>
    </itemSelectionExpression>
    <includeRoles>true</includeRoles>
    <includeOrgs>false</includeOrgs>
    <includeResources>false</includeResources>
</scopeDefinition>
This selects user-role assignments for users that belong under Governor Office (including its subtree) and only for roles whose riskLevel is "critical".
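To show how the scope definition fits into a full campaign definition, here is an added example (not taken from the page or from the midPoint samples) that combines the scope above with two review stages: a first pass by a dedicated security officer and a second pass by the administrator. The security officer's OID is a placeholder to be replaced; the placement of scopeDefinition directly after handlerUri, the stage names and the durations are assumptions of this example.

```xml
<accessCertificationDefinition
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <name>Critical roles under Governor Office</name>
    <description>Two-stage review of critical-role assignments held by users under Governor Office.</description>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/certification/handlers-3#direct-assignment</handlerUri>

    <!-- Scope: only users in the Governor Office subtree, only assignments of critical roles
         (assumed position right after handlerUri; check the schema for your version) -->
    <scopeDefinition xsi:type="AccessCertificationAssignmentReviewScopeType">
        <objectType>UserType</objectType>
        <searchFilter>
            <q:org>
                <q:path>parentOrgRef</q:path>
                <q:orgRef oid="00000000-8888-6666-0000-100000000001"> <!-- Governor Office, OID from the page's sample -->
                    <q:scope>SUBTREE</q:scope>
                </q:orgRef>
            </q:org>
        </searchFilter>
        <itemSelectionExpression>
            <script>
                <code>
                    role = midpoint.resolveReferenceIfExists(assignment.targetRef)
                    return role != null &amp;&amp; role.riskLevel == 'critical'
                </code>
            </script>
        </itemSelectionExpression>
        <includeRoles>true</includeRoles>
        <includeOrgs>false</includeOrgs>
        <includeResources>false</includeResources>
    </scopeDefinition>

    <!-- Stage 1: security officer reviews every case; reminders 48h and 12h before the deadline -->
    <stageDefinition>
        <number>1</number>
        <name>Security officer's review</name>
        <duration>P7D</duration>
        <notifyBeforeDeadline>PT48H</notifyBeforeDeadline>
        <notifyBeforeDeadline>PT12H</notifyBeforeDeadline>
        <notifyOnlyWhenNoDecision>true</notifyOnlyWhenNoDecision>
        <reviewerSpecification>
            <!-- PLACEHOLDER: replace with the OID of the security officer user in your deployment -->
            <defaultReviewerRef oid="PLACEHOLDER-SECURITY-OFFICER-OID" type="UserType"/>
        </reviewerSpecification>
    </stageDefinition>

    <!-- Stage 2: administrator performs the final review -->
    <stageDefinition>
        <number>2</number>
        <name>Administrator's review</name>
        <duration>P7D</duration>
        <notifyBeforeDeadline>PT48H</notifyBeforeDeadline>
        <reviewerSpecification>
            <defaultReviewerRef oid="00000000-0000-0000-0000-000000000002" type="UserType"/> <!-- administrator -->
        </reviewerSpecification>
    </stageDefinition>

    <!-- Revoked assignments are removed automatically once the campaign closes -->
    <remediationDefinition>
        <style>automated</style>
    </remediationDefinition>
</accessCertificationDefinition>
```

Narrowing the scope this way keeps each campaign small enough for reviewers to decide every case before the deadline, which matters because an undecided case is not a revocation: with notifyOnlyWhenNoDecision set, the reminders go only to reviewers who still have open cases.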
Reviewer definition is described in a separate document.
Campaigns can be started automatically by using tasks. For example, to auto-start the campaigns from the samples/certification directory, import the start-*.xml files.
The task looks like this:
<task ...>
    <name>Start campaign: Role Inducements</name>
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <executionStatus>runnable</executionStatus>
    <category>AccessCertification</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/certification/task/campaign-creation/handler-3</handlerUri>
    <objectRef type="AccessCertificationDefinitionType">
        <filter>
            <q:equal>
                <q:path>name</q:path>
                <q:value>Role Inducements</q:value>
            </q:equal>
        </filter>
    </objectRef>
    <recurrence>recurring</recurrence>
    <binding>loose</binding>
    <schedule>
        <cronLikePattern>0 0 0 * * ?</cronLikePattern> <!-- each day at midnight (for testing) -->
    </schedule>
</task>
After importing the task(s), campaigns are automatically started at the scheduled times.
The current status of a campaign can be seen by clicking on "Campaigns scheduling" under the "Certifications" menu. All certification-related tasks are shown there. (Besides the tasks for starting campaigns, remediation tasks are also listed; this will eventually be fixed.)
Unneeded choice buttons can be hidden at the level of the system configuration. This is done by listing the available buttons, like this:
<accessCertification>
    <availableResponse>accept</availableResponse>
    <availableResponse>revoke</availableResponse>
    <availableResponse>noResponse</availableResponse>
</accessCertification>
If no available responses are listed, all 6 can be used (accept, revoke, reduce, notDecided, delegate, noResponse).
If there is a pre-existing response that is currently not among the specified items, it is displayed as a red "Illegal Response" button, just to distinguish it from the "no response" state. It can be changed to any of the available responses.
As for statistics, we currently list all 6 responses. (This might be changed in the future.)
There are four types of reports available: certification definitions, campaigns, campaign cases and campaign decisions. They are described on the Access Certification Reports page.
The certification module provides notifications for the certification campaign owner as well as for individual reviewers. More information can be found on the Access Certification Notifications page.
Individual operations are authorized in a specific way. For detailed information, please see the Access Certification Security page.