Certification bug in Identity Security Cloud

What problem are you observing?

When invoking an individual certification, an admin can open it and take decisions if they get the certification link via the e-mail template (name: Certification).

Example:
Source: Delimited

My Certifications section shows no Active Certification assigned to me:

Actual Certifier: Shanmukh

What did we do to report this? The reviewer forwarded the e-mail of the assigned certification to me.

Can I access the certification even though I am not the actual configured reviewer? Yes

What is the correct behavior?

Only the reviewer should be able to see the active certification and the link embedded within the template should also be accessible by the configured reviewer. And only they can take a decision unless it has been re-assigned again by the actual configured reviewer.

What product feature is this related to?

Certifications

What are the steps to reproduce the issue?

  1. Configure a certification and set an individual reviewer.
  2. Copy the certification link which is embedded in the e-mail template of Certification.
  3. Open this link as an admin.
  4. Take decisions even though the certification is not re-assigned by the actual reviewer.

Do you have any other information about your environment that may help?

Identity Security Cloud

Thanks,
Aman

1 Like

@Shanmukh provided support in recreating this bug that we observed in a client’s tenant.

Good find @amansingh @Shanmukh.
Need someone from SailPoint to look into this and fix this bug ASAP as this is not the expected behavior.

1 Like

Hey @colin_mckibben,

Could you please take a look and confirm if this is a bug or if there is a change in the expected behavior?

Thanks,
Shanmukh

2 Likes

What user level is the configured reviewer, and what user level is the user who received the forwarded email?

Currently, I have posted it from the perspective of both the individual reviewer and my persona being a tenant admin.

I am also checking if I can replicate the same for invited end users.

Can you also provide step-by-step instructions to recreate the scenario? A list of steps that I can follow to reach the same outcome would help me, and others, reproduce the issue, which would make a stronger case for engineering.

I was not able to replicate it only for the below combination:
Reviewer not having any user level set up.

Now I do agree that we have API functionality which allows a user with ORG_ADMIN or CERT_ADMIN to manage campaigns.

My concern is for the following scenario, which I again know is a real corner case, but if an admin can route the e-mail to their inbox, it will be pretty easy for them to proceed with revoking or approving review items within a configured campaign without the review item being officially re-assigned to them.

As for how I was able to replicate it, below are the steps:

i. Configure an individual certification campaign and select an end-user persona as a reviewer.
ii. Generate the campaign, which should trigger the relevant e-mail template for Certification kick-off.
iii. Route the e-mail to an identity who has ORG_ADMIN; they can now use the embedded link within the generated campaign to easily navigate through the UI and proceed with taking the decisions instead of the actual reviewer.
iv. After campaign completion, the campaign still shows up within the initial reviewer’s completed certification tab, but when opening the said campaign a small indicator shows that someone else has taken the decision.

Thanks,
Aman

Please find the screenshots below:

I have just overridden and taken decisions as an admin by routing the e-mail to my admin account:


As you can see I have provided sign-off, but the completed tab stays as is, which is empty.

Now the original reviewer’s tab looks something like this:

Even the decisions don’t show who took the action:

Unless I download the reports it shows the admin taking the decision to revoke the access.

And please find the attachment showcasing the campaign status, which shows reassignment as null:
certification_campaign_response_possible_bug.txt (992 Bytes)

Hope this helps @colin_mckibben
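As an added example (not part of this thread or of SailPoint's product), the check below flags decisions in an exported certification report that were taken by someone who is neither the configured reviewer nor the identity the item was reassigned to, which is the only way the thread says the admin's decisions become visible. The column names and the sample rows are constructed assumptions, not the real report schema.

```python
import csv
from io import StringIO

# Constructed sample export. Column names are assumptions for this example,
# not the actual Identity Security Cloud report format.
SAMPLE_REPORT = """campaign,item_id,assigned_reviewer,reassigned_to,decided_by,decision
Delimited Q1,item-001,reviewer1,,reviewer1,APPROVE
Delimited Q1,item-002,reviewer1,,admin1,REVOKE
Delimited Q1,item-003,reviewer1,admin1,admin1,APPROVE
Delimited Q1,item-004,reviewer1,,,
"""


def allowed_deciders(row):
    """Identities entitled to decide this item: the configured reviewer, plus
    whoever the item was explicitly reassigned to (empty means no reassignment,
    matching the null reassignment seen in the thread's campaign response)."""
    allowed = {row["assigned_reviewer"]}
    if row["reassigned_to"]:
        allowed.add(row["reassigned_to"])
    return allowed


def find_unauthorized_decisions(report_text):
    """Return (item_id, decider, decision) for every decided item whose decider
    is outside the reviewer/reassignment set. Undecided items are skipped."""
    flagged = []
    for row in csv.DictReader(StringIO(report_text)):
        decider = row["decided_by"]
        if decider and decider not in allowed_deciders(row):
            flagged.append((row["item_id"], decider, row["decision"]))
    return flagged


if __name__ == "__main__":
    for item_id, decider, decision in find_unauthorized_decisions(SAMPLE_REPORT):
        print(f"{item_id}: {decision} taken by {decider}, "
              "who is neither the assigned nor the reassigned reviewer")
```

Running this over a real export after a campaign completes gives a simple audit trail for decisions that bypassed reassignment, independent of what the reviewer's UI tab shows.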