Separation of duties conflicting items-only certification


This ETS integration will create a certification for those identities in violation of a particular separation of duties policy but only for the conflicting entitlements, access profiles or roles. By default, a policy allows you to create a certification for those identities in violation but you must manually select the permissions to include from all of them. With this you don’t need more manual intervention than creating a scheduled search from the SOD query and set this up.

Pre requisites

Pipedream account and an IdentityNow tenant.


As of this writing, policy subscriptions won’t trigger ETS, hence the need to take the query from the policy and turn it into a scheduled search. I’m thinking of creating the campaign directly from active policies on an external schedule but suggestions and ideas are welcome.


  1. Deploy this workflow on your Pipedream account (choose default type of trigger). Take note of the webhook url to set up your ETS subscription.

  2. Open the workflow and change the default settings to something like this. Take into account this can be sometimes slow because we need to allow some time for the certification to create before we active it:

  3. Configure the following variables using your tenant information and personal access token:

  4. In IdentityNow, configure your new Schedule search subscription similar to this, using the integration URL from step 1 instead. Use whatever header you want your SOD searches to have:

  5. You should be good to go. Now schedule the search as frequent as you want your campaigns to happen. You should seen new campaigns appear on that schedule, or when you test your schedule.