# Membership tags

Membership tags are a concept introduced in OpenIAM version 4.2.2. A **membership tag** is a metadata type that characterizes how access is derived for a user — it describes the *type* of relationship a user has with a role or group, explaining *why* a user has that access.

Membership tags replace the older `IsCertified` access right type, which previously required administrators to manually ensure every assignment carried the `IsCertified` flag for it to appear in access reviews. Membership tags make this automatic and more transparent.

{% hint style="info" %}
`IsCertified` still exists and can be used, but it no longer determines whether a user's membership appears in access certification. Membership tags now control this.
{% endhint %}

***

## Default tags

There are four default system tags. They **cannot be removed** as they are required by the platform. Administrators can create additional custom tags and assign them via Groovy scripts or API calls.

<figure><img src="/files/IX8Asf1PUtbvlCVrrmGA" alt=""><figcaption></figcaption></figure>

### Admin assignment

Automatically applied to every assignment made through the webconsole or via API. Whenever an administrator assigns access to a user in the webconsole, or when the API property `entitled` is used, this tag is applied.

To verify: go to **User search → Edit → User entitlements → Add group/role**. The role or group added will carry the Admin assignment tag.

### Admin owner system access

Represents access rights a user holds by virtue of being listed as an **Owner** or **Admin** of a Role, Group, or Resource.

To assign: go to **Access Control → Group/Role → Edit → Group/Role Owner/Admin → Add user → Save**. When that user is included in an access certification and it is executed, they will appear with the Admin owner system access tag.

<figure><img src="/files/yQRsjYA7sP62lzXSMLOA" alt=""><figcaption></figcaption></figure>

### Birthright assignment

Applied when access is granted through a business rule. If a business rule automatically assigns Roles, Groups, Resources, or Organizations, the resulting entitlements are tagged as Birthright assignment.

To create: configure a business rule that assigns a Group or Role, then create a user that triggers the rule.

### Requested access

Applied when access is granted as a result of a user request through the SelfService portal. When a user submits a request via the catalog and it is approved, the assigned access carries the Requested access tag.

To verify: log in to **SelfService** → **Create request** → Choose a service from the catalog → Select a **Role/Group** → Submit and approve the request. The Role/Group will be added with the Requested access tag.

***

## Using membership tags in certification

Membership tags play a key role in access certification reviews by allowing administrators to filter out certain types of access assignments. The **Membership tags to exclude** field in the certification configuration lets reviewers focus only on the access types that are relevant to the review — for example, excluding system assignments or role owners to concentrate on member access.

<figure><img src="/files/ky2Ge66kBde0Gu5N3b0N" alt=""><figcaption></figcaption></figure>
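Excluding a tag removes those memberships from a campaign, so a tag excluded by every campaign is never reviewed. The following added example (not OpenIAM code) models that check over several campaigns. The record layout, campaign names, the custom tag `Contractor onboarding`, and the one-tag-per-membership model are constructed assumptions, not an OpenIAM export format or API.

```python
from collections import defaultdict

# Constructed sample data: (user, entitlement, membership tag). The record
# layout is an assumption for this example, not an OpenIAM export format.
MEMBERSHIPS = [
    ("alice", "role:Finance-Approver", "Requested access"),
    ("alice", "group:All-Employees", "Birthright assignment"),
    ("bob", "role:Finance-Approver", "Admin assignment"),
    ("bob", "role:HR-Admin", "Admin owner system access"),
    ("carol", "group:Vendors", "Contractor onboarding"),  # custom tag (constructed)
]

# Hypothetical campaigns, each with its "Membership tags to exclude" list.
CAMPAIGNS = {
    "Q1 member access": {"Admin owner system access", "Birthright assignment"},
    "Q1 owner review": {"Admin assignment", "Requested access",
                        "Birthright assignment", "Contractor onboarding"},
}


def in_scope(memberships, excluded_tags):
    """Memberships a campaign would present to reviewers."""
    return [m for m in memberships if m[2] not in excluded_tags]


def coverage_gaps(memberships, campaigns):
    """Return memberships that every campaign excludes, grouped by tag.

    With no campaigns defined, every membership is reported as a gap.
    """
    gaps = defaultdict(list)
    for user, entitlement, tag in memberships:
        if all(tag in excluded for excluded in campaigns.values()):
            gaps[tag].append((user, entitlement))
    return dict(gaps)


if __name__ == "__main__":
    for name, excluded in CAMPAIGNS.items():
        print(name, "->", in_scope(MEMBERSHIPS, excluded))
    for tag, items in coverage_gaps(MEMBERSHIPS, CAMPAIGNS).items():
        print(f"never reviewed [{tag}]: {items}")
```

In this sample both campaigns exclude Birthright assignment, so that membership is reported as never reviewed.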


