Self-certification and work reassignment conundrum

During manager certification campaign generation, certifications are assigned to the manager.
If the managers had a “work reassignment” configured to one of their direct reports, the certifications are assigned to the delegates. But the manager certifications are bound to have the access items of the delegate, who is directly reporting to the manager. Since IDN prevents self-certification, the certification items with access of the delegate are reassigned to the campaign owner or a random admin. How to automatically/manually reassign this certification item back to the manager?

Manually reassigning as per the documentation (Reassigning Certifications - SailPoint Identity Services) throws an error (Self certification reassignment error) and fails. I think this is because when manually reassigning to the manager, the certification task is getting reassigned automatically again to the delegate due to “work reassignment”, resulting in the self-certification error.

Manual reassignment was successful when the manager deleted/disabled “work reassignment”, though. Is there a better way?

In IdentityIQ we have the FallbackWorkItemForward rule, which runs during certification generation, as well as any time an existing certification work item is forwarded to a different user through automated forwarding, to avoid self-certification.

I am facing the same scenario in IIQ, but in my experience, the FallBackWorkItemForward rule reassigns all the certifications back to the manager and not only the self-certification cases. Please let me know if I am using the rule wrong.

Thanks,
Manoj

Hi @TheOneAMSheriff ,

Another possible way I could think of is to reassign to someone (identity) who does not have manager or any of the admin.

I think you are right about the self-certification error. Work assignment is assigning to the direct report (delegate), but to avoid self-certification SailPoint ISC is reassigning back to the manager and then back to the direct report due to work reassignment, and that is how it becomes an endless loop.

-Mehul

Hi @mehuljogi, thank you for the response. Reassignment to anyone else is not a problem. From a compliance perspective the certification should be certified by a manager, which is not happening as “work reassignment” overrides manual forwarding. The only solution I could think of is to automate escalation in a workflow that checks if the manager has “work reassignment”, then assign to manager’s manager.

You are absolutely right on the behavior of the forwarding rule: the entire certificationEntity is forwarded. In IIQ I wouldn’t recommend any rule in this regard, as the rule would run for every certification for almost nothing and utilize a lot of resources from an architecture perspective. A solution could be to create a “certification event” and trigger a workflow to reassign the certificationItems applicable.
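
Added example, not part of the thread and not SailPoint code: a simplified Python model of the behavior discussed above, in which manual reassignment to a manager whose work reassignment points at the delegate is rejected, and only the delegate's own item is escalated to the manager's manager. The identity names, both lookup tables and all function names are assumptions made for the illustration.

```python
# Added illustration: a simplified routing model, not SailPoint code.
# Identities and both tables are constructed sample data.
MANAGER_OF = {"dana": "morgan", "lee": "morgan", "morgan": "riley", "riley": None}
WORK_REASSIGNMENT = {"morgan": "dana"}  # manager morgan forwards to direct report dana


def effective_reviewer(reviewer, reassignment):
    """Follow work-reassignment forwarding until it settles; None on a cycle."""
    seen = set()
    while reviewer in reassignment:
        if reviewer in seen:
            return None  # A -> B -> A style forwarding never settles
        seen.add(reviewer)
        reviewer = reassignment[reviewer]
    return reviewer


def manual_reassign(subject, target, reassignment):
    """Model of the failing manual step: forwarding is applied to the target first."""
    reviewer = effective_reviewer(target, reassignment)
    if reviewer is None or reviewer == subject:
        raise ValueError(f"self-certification: {target} forwards back to {subject}")
    return reviewer


def route_item(subject, manager_of, reassignment, fallback="campaign-owner"):
    """Escalate up the management chain until the effective reviewer is not the subject.

    Returns (reviewer, manager_addressed); manager_addressed is None on fallback.
    """
    candidate, visited = manager_of.get(subject), set()
    while candidate is not None and candidate not in visited:
        visited.add(candidate)
        reviewer = effective_reviewer(candidate, reassignment)
        if reviewer is not None and reviewer != subject:
            return reviewer, candidate
        candidate = manager_of.get(candidate)  # try the manager's manager
    return fallback, None
```

Items for other direct reports (here `lee`) still follow the manager's work reassignment; only the delegate's own item moves up the chain.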
