Please share any images or screenshots, if relevant.
Please share any other relevant files that may be required (for example, logs).
[Please insert files here, otherwise delete this section]
Share all details about your problem, including any error messages you may have received.
Can we do entitlement owner certification from Targeted Certification. Instead of using the OOTB certifier as Entitlement Owner, can we use a rule to specify entitlement owner to be the certifier? Looks like pre delegation rule does not work for Targeted cert, so how can we handle the self certification items?
Yes, You can override the OOTB certifier, In a CertificationDefinition or a Targeted Cert, the certifierRule attribute lets you plug in a custom rule that returns the certifier name (or list of names) instead of using the built-in “Entitlement Owner” logic.
In Targeted Certifications, the certifiable entity is Identity and the certifiable entity in Entitlement owner certification is Entitlement. So even though you use Certifier rule in Targeted Certification, you can just set the certifier to the entire Identity, i.e. Irrespective of entitlements/roles every access item is routed to certifier derived from Certifier rule.
Coming to problem of self certification items, you can get a configuration available in UI to route them to specific Identity/Workgroup
@SurjanK If i recall it correctly in self certification in Target Certs had an issue.. it doesn’t work when owner is a workgroup. It only evaluates if an individual is set as owner, then it’ll avoid self certifications. I have definitely seen this in 8.1 and may be in 8.4p1 as well. Please test this out in your IIQ versions and move accordingly. I
Looks like targeted cert does not support pre delegation rule. So we won’t be able to assign self cert items(whole entity assignment might be possible though). But entity assignment can be done from certifier rule as well.
If you set a Self-Certification Violation owner, then all the self-certified items are automatically assigned to the Self-Certification Violation Owner
So one identity or a workgroup has to take care of all the self items for all the certifications generated. I am looking to assign the self items to the manager of the identity for each self certification item
In certifier rule, the certification object does not have certification entities and certification items. This is the log
2026-06-08T20:51:02,679 ERROR Thread-644 rap.mover.rulelib.certifierAssignmentRule:166 - user of item is: sailpoint.object.Identity@328a5666[id=0a04809897401b4e819740ce4bc208a9,name=THK144]
So, can not write logic to assign owner for each entitlement(item) and also can not write logic for self cert items. However, entity.getIdentity() works.
@SurjanK - You can use a Rule for Primary Certifier. You can also define a Pre-Delegation rule under Additional Settings >> Advanced Options >> Pre-Delegation Rule.
Pre-delegation rules do not support reassignments in the Targeted Certification. You will need to use the Primary Certification field in a Certifier type rule for reassignment.
@SurjanK Seems you are set as System Administrator. If you see the first dropdown, it allows self cert for system or cert admin. Please try it on any other user to see if Self Cert work or not.