Entitlement Owner from Targeted Certification

Which IIQ version are you inquiring about?

8.5

Please share any images or screenshots, if relevant.

Please share any other relevant files that may be required (for example, logs).

[Please insert files here, otherwise delete this section]

Share all details about your problem, including any error messages you may have received.

Can we do entitlement owner certification from Targeted Certification. Instead of using the OOTB certifier as Entitlement Owner, can we use a rule to specify entitlement owner to be the certifier? Looks like pre delegation rule does not work for Targeted cert, so how can we handle the self certification items?

you can use the certifer rule to assign the owner in target certification. below is for your reference
https://developer.sailpoint.com/discuss/uploads/short-url/casC7Tu7zgMLT6kyhUzNuWZkDI3.xml

Can you please explain details for requirement want to implement in targeted certification

Hello @SurjanK

Yes, You can override the OOTB certifier, In a CertificationDefinition or a Targeted Cert, the certifierRule attribute lets you plug in a custom rule that returns the certifier name (or list of names) instead of using the built-in “Entitlement Owner” logic.

Hi @SurjanK

In Targeted Certifications, the certifiable entity is Identity and the certifiable entity in Entitlement owner certification is Entitlement. So even though you use Certifier rule in Targeted Certification, you can just set the certifier to the entire Identity, i.e. Irrespective of entitlements/roles every access item is routed to certifier derived from Certifier rule.

Coming to problem of self certification items, you can get a configuration available in UI to route them to specific Identity/Workgroup

Self Certification Violation Owner is responsible for certifying the self certification items

@SurjanK If i recall it correctly in self certification in Target Certs had an issue.. it doesn’t work when owner is a workgroup. It only evaluates if an individual is set as owner, then it’ll avoid self certifications. I have definitely seen this in 8.1 and may be in 8.4p1 as well. Please test this out in your IIQ versions and move accordingly. I

Looks like targeted cert does not support pre delegation rule. So we won’t be able to assign self cert items(whole entity assignment might be possible though). But entity assignment can be done from certifier rule as well.

HI @SurjanK,

If you set a Self-Certification Violation owner, then all the self-certified items are automatically assigned to the Self-Certification Violation Owner

So one identity or a workgroup has to take care of all the self items for all the certifications generated. I am looking to assign the self items to the manager of the identity for each self certification item

This is the configuration for self cert

However the self cert is not assigned to the self cert violation owner

In certifier rule, the certification object does not have certification entities and certification items. This is the log
2026-06-08T20:51:02,679 ERROR Thread-644 rap.mover.rulelib.certifierAssignmentRule:166 - user of item is: sailpoint.object.Identity@328a5666[id=0a04809897401b4e819740ce4bc208a9,name=THK144]

2026-06-08T20:51:02,682 ERROR Thread-644 rap.mover.rulelib.certifierAssignmentRule:166 - certEntities: []
2026-06-08T20:51:02,692 ERROR Thread-644 rap.mover.rulelib.certifierAssignmentRule:166 - certification xml: <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Certification PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Certification certificationDefinitionId="0a0483879ea917b0819ea9dc0fa30143" created="1780966257329" creator="COF Certification Admin Workgroup" entitlementGranularity="Value" excludeInactive="true" id="0a04836c9ea91887819ea9dc72b104c8" name="Targeted EO Certification for Dariusz Szpunar [6/8/26, 8:50:57 PM EDT]" shortName="Targeted EO Certification for Dariusz Szpunar [6/8/26, 8:50:57 PM EDT]" type="Focused">
  <Attributes>
    <Map>
      <entry key="autoSignOffWhenNothingToCertify" value="true"/>
      <entry key="automateSignOffOnReassignment" value="true"/>
      <entry key="certificationDelegationReview" value="false"/>
      <entry key="notifyRemediation" value="true"/>
      <entry key="requireReassignmentCompletion" value="false"/>
      <entry key="suppressEmailWhenNothingToCertify" value="true"/>
    </Map>
  </Attributes>
  <CertificationGroups>
    <Reference class="sailpoint.object.CertificationGroup" id="0a04836c9ea91887819ea9dc729004c7" name="Targeted Certification EO [6/8/26, 8:50:57 PM EDT]"/>
  </CertificationGroups>
  <Certifiers>
    <String>XXO743</String>
  </Certifiers>
  <PhaseConfig>
    <CertificationPhaseConfig enabled="true" phase="Staged"/>
    <CertificationPhaseConfig enabled="true" phase="Active">
      <Duration>
        <TimeDuration amount="27" scale="Day"/>
      </Duration>
    </CertificationPhaseConfig>
    <CertificationPhaseConfig enabled="true" phase="Remediation">
      <Duration>
        <TimeDuration amount="3" scale="Day"/>
      </Duration>
    </CertificationPhaseConfig>
  </PhaseConfig>
  <Tags>
    <Reference class="sailpoint.object.Tag" id="0a04825d9e891cf4819e89cbe2ad003a" name="2026_TargetedCert_POC"/>
  </Tags>
</Certification>

So, can not write logic to assign owner for each entitlement(item) and also can not write logic for self cert items. However, entity.getIdentity() works.

@SurjanK Does the certification has any assignment for Surjan? Can you open the cert and share the xml?

<?xml version='1.0' encoding='UTF-8'?>
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Certification PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Certification activated="1781015880932" automaticClosingDate="1783607880932" certificationDefinitionId="0a0483879eac1812819eacd00d58002a" created="1781015802574" creator="COF Certification Admin Workgroup" entitlementGranularity="Value" excludeInactive="true" expiration="1783348680932" id="0a04836c9eac18ed819eacd072ce0361" modified="1781015881051" name="Targeted EO Certification for Surjan Kshetri [6/9/26, 10:36:42 AM EDT]" nextPhaseTransition="1783348680992" phase="Active" shortName="Targeted EO Certification for Surjan Kshetri [6/9/26, 10:36:42 AM EDT]" significantModified="1781015881051" totalEntities="1" totalItems="1" type="Focused">
  <Attributes>
    <Map>
      <entry key="autoSignOffWhenNothingToCertify" value="true"/>
      <entry key="automateSignOffOnReassignment" value="true"/>
      <entry key="certificationDelegationReview" value="false"/>
      <entry key="notifyRemediation" value="true"/>
      <entry key="requireReassignmentCompletion" value="false"/>
      <entry key="suppressEmailWhenNothingToCertify" value="true"/>
    </Map>
  </Attributes>
  <CertificationGroups>
    <Reference class="sailpoint.object.CertificationGroup" id="0a04836c9eac18ed819eacd05cee0359" name="Targeted Certification EO [6/9/26, 10:36:36 AM EDT]"/>
  </CertificationGroups>
  <Certifiers>
    <String>THK144</String>
  </Certifiers>
  <PhaseConfig>
    <CertificationPhaseConfig enabled="true" phase="Staged"/>
    <CertificationPhaseConfig enabled="true" phase="Active">
      <Duration>
        <TimeDuration amount="27" scale="Day"/>
      </Duration>
    </CertificationPhaseConfig>
    <CertificationPhaseConfig enabled="true" phase="Remediation">
      <Duration>
        <TimeDuration amount="3" scale="Day"/>
      </Duration>
    </CertificationPhaseConfig>
  </PhaseConfig>
  <CertificationStatistics totalEntities="1" totalExceptions="1" totalItems="1"/>
  <Tags>
    <Reference class="sailpoint.object.Tag" id="0a04825d9e891cf4819e89cbe2ad003a" name="2026_TargetedCert_POC"/>
  </Tags>
  <WorkItemRefs>
    <Reference class="sailpoint.object.WorkItem" id="0a04836c9eac18ed819eacd1a4fd03b1" name="0001199869"/>
  </WorkItemRefs>
  <CertificationEntity compositeScore="750" created="1781015803223" firstname="Surjan" id="0a04836c9eac18ed819eacd07557037a" identity="THK144" lastname="Kshetri" newUser="true" summaryStatus="Open" targetDisplayName="Surjan Kshetri" targetId="0a04809897401b4e819740ce4bc208a9" targetName="THK144" type="Identity">
    <CertificationItem created="1781015803218" exceptionApplication="Active Directory" exceptionAttributeName="memberOf" exceptionAttributeValue="CN=GR GG COF SD Adobe Acrobat Reader DC,OU=Software Distribution,OU=Groups,DC=cofqa,DC=dsqa,DC=capitalone,DC=com" id="0a04836c9eac18ed819eacd075520379" modified="1781015803226" significantModified="1781015803226" summaryStatus="Open" type="Exception">
      <ApplicationNames>
        <String>Active Directory</String>
      </ApplicationNames>
      <Attributes>
        <Map>
          <entry key="cofAcctSystem" value="false"/>
        </Map>
      </Attributes>
      <ExceptionEntitlements>
        <EntitlementSnapshot application="Active Directory" displayName="COFQA\THK144" nativeIdentity="CN=THK144,OU=Service Accounts,DC=cofqa,DC=dsqa,DC=capitalone,DC=com">
          <Attributes>
            <Map>
              <entry key="memberOf" value="CN=GR GG COF SD Adobe Acrobat Reader DC,OU=Software Distribution,OU=Groups,DC=cofqa,DC=dsqa,DC=capitalone,DC=com"/>
            </Map>
          </Attributes>
        </EntitlementSnapshot>
      </ExceptionEntitlements>
    </CertificationItem>
  </CertificationEntity>
</Certification>

@SurjanK - You can use a Rule for Primary Certifier. You can also define a Pre-Delegation rule under Additional Settings >> Advanced Options >> Pre-Delegation Rule.

Pre-delegation rules do not support reassignments in the Targeted Certification. You will need to use the Primary Certification field in a Certifier type rule for reassignment.

Please refer to the following link for details-

@SurjanK Seems you are set as System Administrator. If you see the first dropdown, it allows self cert for system or cert admin. Please try it on any other user to see if Self Cert work or not.

It is because I am System Admin. Thanks. Get it working with another user

@SurjanK Good to hear it is working with other user. Whenever you get some time, please resolve your post by marking appropriate comment as solution.