Setting different certifier for each application account

IIQ 8.4

I have a certification spec to set a certifier workgroup depending on an account ID prefix. The issue I’m having is that an identity may have more than one account ID and they have different prefixes.

For example, an identity may have two accounts in an application, one prefixed with AA (AA2948) and another prefixed with BB (BB7543). The AA account with its corresponding entitlements should be certified by App ZZZ Certifier Group AA and the BB account entitlements certified by App ZZZ Certifier Group BB.

The certifier rule is as follows:

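import java.util.List;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.tools.Util;

String applicationName = "App_ZZZ";
Identity identity = entity.getIdentity(context);
if (identity == null) {
  return null;
}
Application app = context.getObjectByName(Application.class, applicationName);
Identity certifierWorkgroup = null;
IdentityService service = new IdentityService(context);
List links = service.getLinks(identity, app);
String appZZZuserID = "";
if (links != null && links.size() > 0) {
  // Only the first account link on the application is examined
  Link appZZZlink = (Link) links.get(0);
  // Assign to the variable declared above instead of redeclaring it
  appZZZuserID = (String) appZZZlink.getAttribute("USER_ID");
  if (Util.isNotNullOrEmpty(appZZZuserID) && appZZZuserID.length() > 1) {
    // The first two characters of USER_ID select the certifier workgroup
    String orgID = appZZZuserID.substring(0, 2);
    String certifierWorkgroupName = "App ZZZ Certifier Group " + orgID;
    return certifierWorkgroupName;
  }
  else {
    return null;
  }
}
return null;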

This results in both accounts - the one prefixed with AA and the one prefixed with BB - getting added to one or the other certification workgroup. For example, both account AA and account BB get added to the App ZZZ Certifier Group BB certification. The accounts do not get split into separate certifications.

Is there a way I can get the accounts separated and assigned to the corresponding certification workgroup?

Hi @rexsteffen, as per my understanding, the certifier rule will execute per certification/access review, not at the entity level. In your case, it runs per group/workgroup and I don’t think you can split the owner for the same access review. I would suggest you create 2 separate access reviews and use an exclusion rule to exclude accesses.

Hi @rexsteffen

In your case, you cannot return certifiers by abstracting some of the items. The ideal way to achieve this is by creating 2 separate certification definitions (of type Targeted certification) and filtering the identities for each application. The setup would be something like this:

Certification 1 →

  • Application - App ZZZ
  • Identities to Certify - Write a rule to consider only the identities that have an App ZZZ account whose accountID starts with AA
  • Assign the certifier (static assignment of workgroup or through certifier rule)

Certification 2 →

  • Application - App ZZZ
  • Identities to Certify - Write a rule to consider only the identities that have an App ZZZ account whose accountID starts with BB
  • Assign the certifier (static assignment of workgroup or through certifier rule)
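
A sketch of the exclusion rule that the two replies above point toward, added here as an example and not code posted by anyone in the thread. It assumes the standard exclusion rule inputs (`entity`, `items`, `itemsToExclude`), that entitlement items implement `sailpoint.object.Entitlements`, and that the prefix lives in the `USER_ID` link attribute as in the question; `keepPrefix` is a hypothetical name.

```java
import java.util.Iterator;
import sailpoint.api.IdentityService;
import sailpoint.object.Application;
import sailpoint.object.Certifiable;
import sailpoint.object.Entitlements;
import sailpoint.object.Identity;
import sailpoint.object.Link;

// Assumed values: the copy attached to the second certification uses "BB".
String applicationName = "App_ZZZ";
String keepPrefix = "AA";

if (!(entity instanceof Identity)) {
  return null;
}
Identity identity = (Identity) entity;
Application app = context.getObjectByName(Application.class, applicationName);
if (app == null) {
  return null;
}
IdentityService service = new IdentityService(context);
boolean excluded = false;

Iterator it = items.iterator();
while (it.hasNext()) {
  Certifiable item = (Certifiable) it.next();
  // Roles and policy violations are not tied to a single account; skip them.
  if (!(item instanceof Entitlements)) {
    continue;
  }
  Entitlements ent = (Entitlements) item;
  if (!applicationName.equals(ent.getApplicationName())) {
    continue;
  }
  // Resolve the account that owns this item, then read its USER_ID.
  Link link = service.getLink(identity, app, ent.getInstance(), ent.getNativeIdentity());
  String userId = (link != null) ? (String) link.getAttribute("USER_ID") : null;
  // Anything not on a keepPrefix account is moved out of this review.
  if (userId == null || !userId.startsWith(keepPrefix)) {
    itemsToExclude.add(item);
    it.remove();
    excluded = true;
  }
}
return excluded ? "Account USER_ID does not start with " + keepPrefix : null;
```

An account whose `USER_ID` matches neither prefix, or whose link cannot be resolved, is excluded by both copies of the rule and ends up in neither review, so check each certification's exclusion list for such items.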

Hi @rexsteffen,

You can probably try to create separate certifications as per your requirement.