What is the difference between delegation, reassignment, forwarding, and automatic forwarding in IIQ?

Hi All,

I am going to talk about some of the most important topics and their usage, which most of the time get confused and forgotten. I will try to give some clarity on this. Please feel free to let me know if something needs to be updated or changed.

Before starting, I would like to tell you about one thing that these concepts are related to: taking ownership of a user in different ways, like approving a work item or reviewing access in a certification campaign, etc. So you should be aware of those topics to get a better understanding of these topics.

Delegation:

Delegation is a way to involve another person in the decision-making process for a certification while keeping full responsibility for the final decision with the original certifier. Delegation will apply only to certifications if you enable the option in the certification definition.

Delegated items remain part of the original certification, and the work item is sent to the delegated user, which allows them to make certification decisions on the items.

When the delegate has completed the work, meaning decisions have been taken on the delegated items, the decisions come back to the original certifier. The original certifier must still sign off on the decision and has the ability to override the delegated decisions as well. The current delegate to whom an entity or item is delegated is recorded in the certification.

Generally, this delegation option is used for allowing the certifier to transfer responsibility for certifying a single certification entity to another user/certifier. The certification can be accessed from the My Work → My Access Reviews or Work Items page.

While generating certification itself, there is one option called Enable Line Item Delegation. We have to check the checkbox, which means enabling the option so that we can have this delegation option while reviewing access reviews.

Certification item: identities, roles, entitlements, etc., are called certification items.

Certification entity: The combination of items that are represented as above is called a certification entity.

Work item: The combination of entities is called work items. It may be certification or policy violation, or form submission, etc.

Reassignment:

Reassignment is a way to involve another identity or user for the certification decision by changing the full ownership to that new identity or user. Reassignment will apply only to certifications if you enable the option in the certification definition.

While the original certifier is certifying the access of the users or identities, if the original certifier selects a few identities and reassigns them to some other user (treat it as a second certifier), that second certifier is the only one and final reviewer to take a decision and will do the signoff as well. The item will not come back to the original certifier of the certification.

Ex: X person got a certification to review the identities, and among them, 3 items are reassigned to Y person. Then Y person will get a work item for those 3 items, and he has the option to do signoff also. Those items can't go back to X person for a final decision. Y is the person who will take complete responsibility to approve or reject.

Suppose X person got certification to review the identities, and among them, 3 items are reassigned to Y person. Then Y person will get an item for those 3 items. Suppose Y wants to reassign to X only; it is possible, but it will create a new work item in X, not in the same work item as the original previous one created.

One option is there in the Behavior page of the certification definition called Require Reassignment Completion. If you enable this option, whatever is reassigned has to be completed first, and then only will you get signoff to the original certifier. Otherwise, the red color signoff option will come, which means some items are reassigned but not certified yet. Please complete that.

To see this, open the certification items, select items at the top left, and you will see the reassign option.

My Work → Work item → Bulk Decision (We have to select the items only.)

Forwarding:

In this forwarding, we can forward a work item, which means passing all responsibility for the item from the original owner to the new owner. We can only forward the whole work items, not single entities or items within it, just like how we do in certification.

Forwarding applies to work items (certification, approval, policy violation, etc., not only for certification). In the forwarding, including certification, the whole access review is forwarded as a single unit.

A forwarded work item can't be recalled. The original owner can no longer act on the work item in any way once it is forwarded. All forwarded actions are by default recorded in the audit log.

Where we can see the Forward option:

My Work → Work items → right-click on the item, and then you will get the forward option.

Right top Account → Preference → Forwarding user (log in with an identity)

Left top three lines. Manage identity → View identity → Forwarding

Global Settings → IdentityIQ Configuration → Work items → Work item rules → Self-certification work item forwarding rule.

Self-Certification Work Item Forwarding:

Here, you have to configure a rule for one thing. For example, suppose one manager called A has a certification campaign to review in which P, Q, R, and S are the subordinates. If certifier A is not available due to OOO, he will auto-forward all items to P (subordinate manager). So now P owns a certification campaign that also includes P, and he would be reviewing himself, which is not good practice. So we have to restrict it. For that we have to write logic to avoid this for all types of work items.

Automatic Forwarding:

An identity or user is allowing another person to take action in his/her absence, like going on vacation, going on long leave, or going on maternity leave, etc. So that forwarded user will be taking care to take actions.

Preference → Select the identity

Open identity → Change Forwarding User and select the user who you want to make the forwarding user.

For better understanding and getting more confident on all these things, just practice once or twice by reading this document.

For more information: https://community.sailpoint.com/t5/Technical-White-Papers/Delegation-Reassignment-and-Forwarding/ta-p/76738

I hope you learned something new and got a clear idea on these things. If you find something useful, please like it and send it to those who need it. Thank you!

2 Likes
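The self-certification case described in the post above (A is out of office, auto-forwards to P, and P is one of the identities under review) can be modelled as follows. This is an added example, not part of the original post and not IdentityIQ rule code: it is a plain-Python model of the decision such a rule has to make, and every name in it (`resolve_owner`, `assign_work_item`, `CertAdmin`, the dictionaries) is an assumption made for illustration.

```python
# Added illustration: a plain-Python model, not IdentityIQ rule code.
# All names and the data layout are assumptions made for this example.

def resolve_owner(owner, forwarding):
    """Follow forwarding-user settings; return (final_owner, chain_walked)."""
    chain = [owner]
    while owner in forwarding:
        owner = forwarding[owner]
        if owner in chain:
            raise ValueError("forwarding loop: " + " -> ".join(chain + [owner]))
        chain.append(owner)
    return owner, chain


def assign_work_item(certifier, subjects, forwarding, managers, fallbacks):
    """Pick the work item owner so that nobody reviews their own access.

    Returns (owner, reason).
    """
    owner, chain = resolve_owner(certifier, forwarding)
    if owner not in subjects:
        return owner, "forwarded" if len(chain) > 1 else "original"
    # The forwarded owner is one of the identities under review.
    # Try the owner's manager, then the fallback reviewers; skip anyone
    # under review and anyone who already forwarded this item away.
    for candidate in [managers.get(owner)] + list(fallbacks):
        if candidate and candidate not in subjects and candidate not in chain:
            return candidate, "self-certification blocked"
    raise LookupError("no eligible reviewer for item owned by " + certifier)


# Constructed scenario from the post: manager A certifies P, Q, R and S,
# is out of office, and has set P as forwarding user.
SUBJECTS = {"P", "Q", "R", "S"}
MANAGERS = {"P": "A", "Q": "A", "R": "A", "S": "A"}

if __name__ == "__main__":
    print(assign_work_item("A", SUBJECTS, {"A": "P"}, MANAGERS, ["CertAdmin"]))
    print(assign_work_item("A", SUBJECTS, {}, MANAGERS, ["CertAdmin"]))
```

In the scenario from the post, P's manager is A, who has already forwarded the item away, so the model skips A and hands the item to the constructed fallback reviewer instead of letting P review his own access.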

is it not like that statement related to Certification only, delegation can be also assumed at the time of in absence of actual approvers for any other type of request processing, similar to the other pointers also.

Hi Priya, Welcome to Developer community.

No, that is not delegation. Delegation applies only to certification. Check the link given above.

1 Like