We need to implement a two-level approval process for a specific certification. Could someone provide guidance on the most effective way to accomplish this?

We have recently encountered a requirement to implement a two-tier user certification process for an application.
The initial certification must be conducted by the manager, followed by an additional certification from the manager’s supervisor. Please provide recommendations for the most effective method to execute this requirement.

Hi @ag2024
The manager can make decisions regarding certification. Instead of signing off, the manager can reassign the certification to the supervisor, who can then review it (the supervisor will be able to see the decisions taken by the manager) and sign off.

Hi @gourab ,

Thanks for your response. It’s really a good idea to implement a multi-level approver in access certification. However, I have two inquiries regarding this process:

a. Is there a feature available in the user interface that allows for the reassignment of certification to a second-level approver with a single click? Currently, it appears that we must manually select all identities before assigning them to the second-level approver.
b. The certification assignment process appears to be driven by the business user after implementing this change. Approvers must first provide their approval and subsequently reassign the task to their manager. This could pose challenges in managing the process, especially when the number of approvers increases, as seen in manager certifications.

Thanks,
Amit Ghosh

Hi @ag2024 ,
You are right, you have to select all identities before reassignment. Another approach could be from Admin > Certifications > Campaigns (this needs to be tested).

I also agree with you that the reassignment process could be challenging as the number of approvers increases.

As a note, or just an observation, from years of converting manual review/cert processes to an automated platform: the use of a ‘dual approval’ was typically implemented to help with the elimination of human error in an exceedingly manual process. Typically, in most controls or from regulatory bodies there is no specification for a ‘dual’ approval. It was inserted as a ‘pain avoidance’ measure.

What we have found is that a single-level approval via an automated process is more than sufficient to review access. And when being inspected by Internal Audit, Compliance, external auditors, or the Risk team, the review process adequately meets the stated controls.

The argument typically carries more weight once you have 50-100 systems doing semi-annual reviews (i.e. 100-200 campaigns a year) for at least one complete audit cycle without any Observations or Findings from Risk and Audit teams, meaning the reviews pass inspection.

The other argument is that with a one-level review process, there is less to inspect from Audit/Risk/Compliance (i.e. less to miss, or more chances to find something), and it helps create a standard of presentation and a consistent experience for Audit and Risk when they inspect all of the different access reviews.

And for the team, it is less to maintain.

Just a different opinion. :)

Thanks,
Jack

Hey @ag2024,

The right way, based on current ISC capabilities, would be the following process: run a scheduled campaign on a feed-file-based source, with the first iteration being the manager’s review. Based on the decisions, the values within the feed file are updated with metadata recording the manager’s decision, and the second campaign is kicked off to the supervisor. This way you have a two-level campaign with a proper audit trail, and no need to implement or explain the complex integration of reassignment and other processes.

But again, if you have a direct connector integration and want this kind of control, the workarounds suggested above can be leveraged, but it opens the floodgates of questions from audit teams, both internal and external, unless it is well documented.

Thanks,
Aman
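The staging step between the two campaigns in Aman's post, as an added example (this is not SailPoint's code, nor anything posted in the thread): the stage-1 feed file is joined with the exported manager decisions, each account is annotated with the manager's decision metadata, and the result is written back as the feed for the supervisor campaign. The feed and decision-export column layouts, the account and reviewer names, and the APPROVED/REVOKED decision values are all constructed assumptions for this example; adapt them to what your delimited-file source and campaign report actually use. Accounts the manager has not yet decided are held back rather than passed to the supervisor, a decision signed by someone other than the assigned manager aborts the run, and decisions for accounts not in the feed are reported so the audit trail stays explainable.

```python
import csv
import io

# Constructed sample stage-1 feed file (delimited-file source). The column
# names are assumptions for this example, not an ISC schema.
STAGE1_FEED = """\
account_id,identity,manager,supervisor,entitlement
a1001,asmith,mjones,rbrown,finance-ledger-write
a1002,bkhan,mjones,rbrown,finance-ledger-read
a1003,cdoe,plee,rbrown,payroll-admin
a1004,dlin,plee,rbrown,payroll-read
"""

# Constructed export of the manager campaign's decisions. The layout is an
# assumption; a1004 has no decision yet and a9999 is not in the feed.
STAGE1_DECISIONS = """\
account_id,reviewer,decision,decided_at
a1001,mjones,APPROVED,2024-05-02T10:15:00Z
a1002,mjones,REVOKED,2024-05-02T10:16:30Z
a1003,plee,APPROVED,2024-05-03T08:02:11Z
a9999,plee,APPROVED,2024-05-03T08:05:00Z
"""

FEED_COLUMNS = ["account_id", "identity", "manager", "supervisor", "entitlement"]
STAGE2_EXTRA_COLUMNS = ["manager_reviewer", "manager_decision", "manager_decided_at"]
VALID_DECISIONS = {"APPROVED", "REVOKED"}


def parse_csv(text):
    """Parse delimited text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def index_decisions(decision_rows):
    """Map account_id -> decision row, rejecting malformed or duplicate entries."""
    decisions = {}
    for d in decision_rows:
        if d["decision"] not in VALID_DECISIONS:
            raise ValueError(f"unexpected decision {d['decision']!r} for {d['account_id']}")
        if d["account_id"] in decisions:
            raise ValueError(f"duplicate decision for {d['account_id']}")
        decisions[d["account_id"]] = d
    return decisions


def build_stage2_feed(feed_rows, decision_rows):
    """Annotate each stage-1 account with the manager's decision.

    Returns (stage2_rows, pending, orphans):
      stage2_rows: feed rows carrying the manager's decision metadata, ready to
                   be loaded as the source for the supervisor campaign;
      pending:     account_ids the manager has not decided yet, held back so the
                   supervisor never certifies something the manager has not seen;
      orphans:     account_ids in the decision export that are not in the feed.
    """
    decisions = index_decisions(decision_rows)
    feed_ids = {row["account_id"] for row in feed_rows}
    stage2, pending = [], []
    for row in feed_rows:
        d = decisions.get(row["account_id"])
        if d is None:
            pending.append(row["account_id"])
            continue
        if d["reviewer"] != row["manager"]:
            # A decision signed by someone other than the assigned manager breaks
            # the audit trail; stop rather than silently carry it forward.
            raise ValueError(
                f"{row['account_id']}: decided by {d['reviewer']}, expected {row['manager']}"
            )
        stage2.append({
            **row,
            "manager_reviewer": d["reviewer"],
            "manager_decision": d["decision"],
            "manager_decided_at": d["decided_at"],
        })
    orphans = sorted(set(decisions) - feed_ids)
    return stage2, pending, orphans


def render_feed(rows):
    """Serialize the stage-2 rows as the delimited feed for the supervisor campaign."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FEED_COLUMNS + STAGE2_EXTRA_COLUMNS,
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def run_example():
    """Run the staging step over the constructed sample data."""
    stage2, pending, orphans = build_stage2_feed(parse_csv(STAGE1_FEED),
                                                 parse_csv(STAGE1_DECISIONS))
    return stage2, pending, orphans, render_feed(stage2)


if __name__ == "__main__":
    rows, pending, orphans, feed_text = run_example()
    print(feed_text)
    print("pending (not yet decided by manager):", pending)
    print("orphans (decisions for accounts not in feed):", orphans)
```

The supervisor campaign is then scheduled against the annotated file, so the supervisor's review screen carries the manager's decision alongside the account, and both decisions exist as separate campaign records without any reassignment step.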