IBM Security Verify

 View Only

Configuring certification campaigns in IBM Security Identity Governance and Intelligence (IGI)

By Pier Luigi Rotondo posted Wed October 16, 2019 12:51 PM


Certification campaigns are a formal process that automates the periodic review of a relationship and enable critical access decisions by nontechnical line-of-business managers.


IBM Identity Governance and Intelligence, or simply IGI, supports five different certification campaign types: User Assignment, Organization Unit Assignment, Risk Violation Mitigation, Entitlement, and Account certification.


User Assignment certification campaigns review individual user entitlements. Organization Unit Assignment certification campaigns assess where entitlements are visible. Risk Violation Mitigation certification campaigns review unmitigated risk violations. Entitlement certification campaigns examine the contents of each entitlement. Finally, Account certification campaigns review account access for target applications under management.



Certification campaigns are created and configured by the IGI Administrator in Access Governance Core, and then run by reviewers, using the Service Center. Reviewers are responsible for approving or revoking the items under review in the campaign. For example, in a User Assignments campaign, it is typical for the user managers or department managers to review the entitlements held by users in their organizations.

The campaign supervisor manages the overall campaign progress and makes sure that the campaign reviewers remain on track.


The basic layout of all certification campaigns is the same two-step process. First, you define a certification dataset, which is the subset of data in the realm that is of interest. Then you create a certification campaign on this dataset. Only at the end of the second step, you launch the certification campaign.


In the certification dataset, you define the users and entitlements being examined while in the certification campaign you define the scope dataset, reviewers, supervisors, schedule and timing of the campaign itself. Depending on the type of campaign, a certification dataset can include or exclude data based upon the organizational unit, user identity, application, entitlement, risk definition, account, or some other specific advanced settings. Note that you can use the same dataset in multiple certification campaigns.


For further details, watch the video tutorial at

You can also experiment certification campaigns in IGI, by using the online lab available at