Account based certification


We have created a not logged 90 days in identity attribute, and based on that, we create a certification filter. However, the requirement is to do the account-based certification, not the entitlement-based certification.

Is it possible to do account-based certification in IDN?


Hi @pkumar22 , In IDN the certification can be performed on identities only.
could you please elaborate your query ? .

Hello @sidharth_tarlapally,

ISC / IDN is design mainly for access based certifications (roles, access profiles, entitlements).

A work around for certifiy accounts can be for example : in your campaign you can add only one entitlement of each source and then the certifiers will certifiy only those entitlements(one per source).

Or by using source owner campaign (filtered based campaign) :

1 Like

Can you please explain what you want to achieve with account-based certification.


We have already proposed the solution you mentioned, but the client insists on proceeding with an account-based approach.


We have successfully onboarded the AD source, and the client aims to conduct certification for users who have not logged in within the last 90 days.

In IIQ, there is an option for account-based certification. Similarly, they are looking in IDN once the certification is initiated, IDN should display the account name. The certifier can then decide to approve or revoke the account.

@pkumar22 effectively for IIQ but IDN/ISC does not support this right now.

There are an options for uncorelated accounts certifications but this certify access items :

You can submit an idea for this feature here : and if many people vote it Sailpoint can integrate this in the product roadmap.

1 Like

We are planning to implement an account-based certification like the one below.

Is this work?

  1. Creating a new memberOf in the last 90 days is not logging and auto-assigns users who haven’t logged in for the past 90 days.

  2. Create a workflow and filter this memberOf. Then, create a certification campaign, and once the manager or source owner is revoked, this memberOf.

  3. Provision the AD and deactivate the user account.

Yes @pkumar22, I think this can work.

You need to create an identity attribute called lastLogonDaysMoreThan90Days for example. This attribute will be associated with a transform that retrieve the last logon from Active Directory and compares it with the current date. If the last logon is more than 90 days ago, you can set this attribute to True or False, Yes or No, etc., and include this memberOf in access.

Afterward, you can create a periodic certification campaign based on this attribute. If a manager revokes this memberOf, ISC will automatically revoke it. You can use a workflow to trigger this memberOf revocation by initiating a disabling operation on the Active Directory account.

The only problem here is the role criteria: it will always re-provision this memberOf if the user is included in the role criteria. To prevent this, you can create an intermediate lifecycle state that can be combined with lastLogonDaysMoreThan90Days in the role criteria.

Best regards,

Hi @pkumar22

Yes, the only solution i would think is to create identity attribute so that you can perform search in ISC and thus trigger the certifications.

But you may also need to ensure that all the accounts are properly correlated in ISC. So before launching the certification, you will have to add the step to ensure that all the accounts are properly correlated, otherwise some of the accounts might get missed.

Good luck with the implementation.


Thanks for your reply.

I have already created the lastLogonDaysMoreThan90Days identity attribute, and I will start the remaining steps and let you know the result.

1 Like