Looking to see if it is possible to do a Delta Manager Certification

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

I have been approached by leadership to setup a Manager Certification in IIQ to only include new entitlements/access since the last manager cert. Having troubles finding out if this is possible. Any advise you could provide would be greatly appreciated.


I believe you can use this attribute.

Hi @langn,
A similar post was present in the sailpoint community portal. See if this helps


This article is nearly 10 years old and not all the links are valid anymore. Is this the only option available in IIQ to accomplish this type of a cert?

We do have the changes detected option showing up in our certifications. Just not sure how to take that information and apply it to a new certificaiton.

Hi @langn ,

You have to use Identity Certification History(found under history tab of identity) in your code. Change detected is calculated based upon this Certification History. For your reference, I am attaching a document.

If you want to do delta manager certification, then put this script in your certification’s “Active Period Enter Rule”.

You have to include logic to remove items from the certification (commented out in code).

  import sailpoint.object.CertificationEntity;
  import sailpoint.object.IdentityHistoryItem;
  import sailpoint.object.Certification;
  import sailpoint.object.Identity;

  List entities = null;
  Identity identityObject = null;
  List items = null;
  IdentityHistoryItem idh = null;

  entities = certification.getEntities();

  if(entities != null && entities.size()>0)
    for(CertificationEntity entity : entities)
      identityObject = context.getObjectByName(Identity.class,entity.getIdentity());
      items = entity.getItems();
      if(items != null && items.size()>0)
        for(CertificationItem item: items)
          idh = new IdentityHistoryItem(identityObject,IdentityHistoryItem.Type.Decision,item);

          if(idh != null)
            //exclude from certificate

Hi Abhinav,

I want to thank you for your post back to me. I have been looking at this now for few days and have a question.

I would like to know why we are creating a new IdentityHistoryItem in the code, instead of grabbing an old one to look at (i.e. so we can determine if the item should be removed from the cert).

Currently when we use this code and it is excluding everything as we don’t currently have any nulls.

I thank you for your help on this.

I don’t think just doing the delta for the Manager certification or any certification is correct from the governance .

Are you saying that want the person access was reviewed by manager / any in last cycle is still valid ? I don’t think this is correct better their would be a option or column or something which can give idea to a reviewer that this was reviewed by you last time and this was your decision.

I haven’t explored much but i think recommendation engine could help with this type of requirement . if you don’t want to use the ootb engine pretty much you can make your own .

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.