Login
Download
Skills Development Saviynt Access Recertification

Saviynt Access Recertification

v20260317
performing-access-recertification-with-saviynt
Guide for configuring and running Saviynt Enterprise Identity Cloud certification campaigns to audit user entitlements, collect reviewer decisions, trigger automated revocations/remediation, and stay compliant with SOX, SOC2, HIPAA.
Saviynt Access Recertification Identity Governance Compliance Certification Campaign IGA SOX SOC2
Get Skill
160 downloads
Overview

Performing Access Recertification with Saviynt

Overview

Access recertification (also called access certification or access review) is a periodic process where designated reviewers validate that users have appropriate access to systems and data. Saviynt Enterprise Identity Cloud (EIC) automates this process through certification campaigns that present reviewers with current access assignments and collect approve/revoke/conditionally-certify decisions. Campaigns can be triggered on schedule (quarterly, semi-annually), event-driven (department transfer, role change), or on-demand. Saviynt provides intelligence features including risk scoring, usage analytics, and peer-group analysis to help reviewers make informed decisions.

Prerequisites

  • Saviynt Enterprise Identity Cloud (EIC) tenant with admin access
  • Identity data synchronized from authoritative sources (HR, AD, cloud)
  • Entitlement data imported from target applications
  • Certifier roles assigned (managers, application owners, data owners)
  • Campaign templates defined for each certification type

Core Concepts

Campaign Types

Type Scope Trigger Certifier
User Manager All access for users under a manager Scheduled (quarterly) Direct manager
Entitlement Owner All users with a specific entitlement Scheduled (semi-annually) Entitlement/app owner
Application All access to a specific application Scheduled Application owner
Role-Based All users assigned to a specific role Scheduled Role owner
Event-Based Users whose attributes changed Attribute change trigger New manager
Micro-Certification Single user, single entitlement On-demand Manager or owner

Certification Decisions

Decision Effect Use Case
Certify (Approve) Access maintained Access is still required
Revoke Access removal ticket created Access no longer needed
Conditionally Certify Access maintained with conditions Access needed temporarily, review again
Delegate Reassign to another certifier Certifier lacks knowledge to decide
Abstain No decision recorded Conflict of interest

Campaign Lifecycle

CONFIGURATION → PREVIEW → ACTIVE → IN PROGRESS → COMPLETED → REMEDIATION
       │            │         │          │             │            │
       │            │         │          │             │            └── Revoke tickets
       │            │         │          │             │                executed
       │            │         │          │             │
       │            │         │          │             └── All decisions
       │            │         │          │                 collected
       │            │         │          │
       │            │         │          └── Certifiers reviewing
       │            │         │              and making decisions
       │            │         │
       │            │         └── Campaign launched,
       │            │             notifications sent
       │            │
       │            └── Read-only preview for validation
       │
       └── Campaign parameters defined

Implementation Steps

Step 1: Configure Campaign Template

In Saviynt Admin Console:

  1. Navigate to Certifications > Campaign > Create New Campaign
  2. Define campaign parameters:
Parameter Value
Campaign Name Q1 2025 Manager Access Review
Campaign Type User Manager
Description Quarterly review of all user access
Certifier Type Manager (dynamic - user's direct manager)
Secondary Certifier Application Owner (fallback if manager unavailable)
Due Date 14 days from launch
Reminder Schedule Day 7, Day 10, Day 13
Escalation Auto-revoke on Day 15 if no decision

  1. Configure scope filters:

    • Include: All active users
    • Exclude: Service accounts, break-glass accounts
    • Application filter: All connected applications

  2. Configure intelligence features:

    • Enable risk scoring (high-risk entitlements highlighted)
    • Enable usage data (last access date shown)
    • Enable peer analysis (compare access to peer group)
    • Enable SoD violation flagging

Step 2: Configure Certifier Experience

Customize what certifiers see during the review:

Columns Displayed:

  • User name and title
  • Application name
  • Entitlement/role name
  • Risk score (1-10)
  • Last access date
  • Peer group comparison (% of peers with same access)
  • SoD violation flag

Decision Options:

  • Certify with justification (free text)
  • Revoke with reason (dropdown: no longer needed, SoD conflict, role change)
  • Conditionally certify with expiry date

Bulk Actions:

  • Certify all low-risk items
  • Revoke all items not accessed in 90+ days
  • Filter by application, risk level, or SoD status

Step 3: Launch Campaign via API

import requests

SAVIYNT_URL = "https://tenant.saviyntcloud.com"
SAVIYNT_TOKEN = "your-api-token"

def create_certification_campaign(campaign_config):
    """Create and launch a Saviynt certification campaign."""
    headers = {
        "Authorization": f"Bearer {SAVIYNT_TOKEN}",
        "Content-Type": "application/json"
    }

    # Create campaign
    response = requests.post(
        f"{SAVIYNT_URL}/ECM/api/v5/createCampaign",
        headers=headers,
        json={
            "campaignname": campaign_config["name"],
            "campaigntype": campaign_config["type"],
            "description": campaign_config["description"],
            "certifier": campaign_config["certifier_type"],
            "duedate": campaign_config["due_date"],
            "reminderdays": campaign_config["reminder_days"],
            "autorevoke": campaign_config.get("auto_revoke", True),
            "autorevokedays": campaign_config.get("auto_revoke_days", 15),
            "scope": campaign_config.get("scope", {}),
        }
    )
    response.raise_for_status()
    campaign_id = response.json().get("campaignId")

    # Launch campaign
    launch_response = requests.post(
        f"{SAVIYNT_URL}/ECM/api/v5/launchCampaign",
        headers=headers,
        json={"campaignId": campaign_id}
    )
    launch_response.raise_for_status()

    return {
        "campaign_id": campaign_id,
        "status": "launched",
        "certifications_created": launch_response.json().get("certificationCount", 0)
    }

def get_campaign_status(campaign_id):
    """Get current status and progress of a campaign."""
    headers = {"Authorization": f"Bearer {SAVIYNT_TOKEN}"}
    response = requests.get(
        f"{SAVIYNT_URL}/ECM/api/v5/getCampaignDetails",
        headers=headers,
        params={"campaignId": campaign_id}
    )
    response.raise_for_status()
    data = response.json()

    return {
        "campaign_id": campaign_id,
        "status": data.get("status"),
        "total_items": data.get("totalLineItems", 0),
        "certified": data.get("certifiedCount", 0),
        "revoked": data.get("revokedCount", 0),
        "pending": data.get("pendingCount", 0),
        "completion_rate": data.get("completionPercentage", 0),
    }

Step 4: Monitor Campaign Progress

Track certification progress and send escalations:

  • Dashboard: Saviynt provides real-time campaign dashboard with completion rates
  • Reminders: Automatic email reminders at configured intervals
  • Escalation: If certifier does not respond by due date, escalate to manager's manager or auto-revoke
  • Delegation: Allow certifiers to delegate specific items to application owners

Step 5: Execute Remediation

After campaign closes:

  1. Auto-Remediation: Saviynt automatically creates provisioning tasks to revoke denied access
  2. Ticket Integration: Revocation tasks create tickets in ServiceNow/Jira for tracking
  3. Grace Period: Configure a grace period (e.g., 5 business days) before access is actually removed
  4. Verification: After revocation, verify access is removed from target systems
  5. Audit Trail: All decisions, revocations, and remediations logged for compliance evidence

Validation Checklist

  • Campaign templates configured for each certification type
  • Certifier roles assigned (managers, app owners, data owners)
  • Risk scoring and usage analytics enabled
  • SoD violation detection configured
  • Reminder and escalation schedules defined
  • Auto-revoke policy for non-responsive certifiers configured
  • Campaign launched and certifiers notified
  • Campaign completion rate > 95% before close
  • Revocation tasks created for all denied entitlements
  • Remediation completed within SLA
  • Campaign report generated for compliance audit
  • Evidence archived for regulatory retention period

References

Info
Category Development
Name performing-access-recertification-with-saviynt
Version v20260317
Size 16.72KB
Source mukul975/Anthropic-Cybersecurity-Skills
Updated At 2026-03-18
Language
简体中文
English