# User-based certification

User-based certification reviews all the access that a selected group of users has. It is the broadest certification type and is typically used for periodic reviews of an entire user population or a specific segment of it.

Before starting, ensure data from the applications that need to be part of the review has already been imported into OpenIAM.

## Creating a new certification

{% stepper %}
{% step %}

#### Log in to the webconsole

Go to **Access Control → Access Certification**.
{% endstep %}

{% step %}

#### Create a new certification

Click **New Access Certification** from the side menu.

<figure><img src="/files/GAlGm2ruCea7VpyoKqOg" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Complete the form

Use the following fields:

| Field                      | Required | Description                                                                                                                                                                                                                                                                                                                                                         |
| -------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Access Certification name  | Yes      | A descriptive name to uniquely identify this campaign.                                                                                                                                                                                                                                                                                                              |
| Type of certification      | Yes      | Select **User** for a user-focused review.                                                                                                                                                                                                                                                                                                                          |
| Description                | No       | Summary describing the goals of this campaign.                                                                                                                                                                                                                                                                                                                      |
| Status                     | Yes      | Active or inactive. This only affects the **automatic schedule** — it does not affect the ability to launch manually.                                                                                                                                                                                                                                               |
| Scheduled interval         | No       | Automatically run the campaign at regular intervals: annually, semi-annually, or quarterly.                                                                                                                                                                                                                                                                         |
| Reference start date       | No       | Used to calculate the schedule for automatic runs. This is **not** related to manual execution.                                                                                                                                                                                                                                                                     |
| Email template             | No       | Email template to use for reviewer notifications.                                                                                                                                                                                                                                                                                                                   |
| Managers of access review  | No       | The people responsible for overseeing campaign execution. You can assign **multiple** campaign managers. Each has access to the dashboard and reports and can delegate requests. Managers are different from reviewers who participate in the review steps. Managers can also be updated after a campaign has been launched via the `UPDATE_CAMPAIGN_MANAGERS` API. |
| Membership tags to exclude | No       | Filter out specific types of access assignments from the review. See [Membership tags](/access-review/membership-tags.md).                                                                                                                                                                                                                                          |

{% endstep %}

{% step %}

#### Save the campaign

Click **Save**. The campaign configuration is saved and additional tabs become available.

<figure><img src="/files/Hnm2byMXyVNeE4SSvEDF" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}

## Types of reviewers

You can configure one or more reviewer types for a campaign. Only **one manager** is allowed per review, but additional reviewer types can be added. The available reviewer types are:

<table><thead><tr><th width="251.3333740234375">Reviewer type</th><th>Description</th></tr></thead><tbody><tr><td>User manager</td><td>A supervisor of any type.</td></tr><tr><td>Organization certifier</td><td>The certifier assigned to the user's organization. Configure via <strong>Access Control → Organization → Edit → Organization Certifier</strong>.</td></tr><tr><td>Select reviewer</td><td>A specific named user chosen as the reviewer.</td></tr><tr><td>Group</td><td>A group of users who will perform the review.</td></tr><tr><td>User reviews their own access</td><td>The target user reviews their own access via the Self-Service portal (self-review).</td></tr><tr><td>Service account owner</td><td>If the target user is a related account, the review is assigned to the primary user. See Concepts.</td></tr><tr><td>Supervisor</td><td>The user's direct supervisor. If no supervisor is assigned, the review is routed to the Sysadmin account.</td></tr><tr><td>Application Admin / Owner</td><td>For Application Certification campaigns. Each application has an assigned Admin/Owner who receives the review tasks. If no Admin/Owner or reviewer's manager is assigned, the review goes to the Sysadmin account. To assign: <strong>Access Control → Resources → Edit → Application Admin/Owner</strong>.</td></tr><tr><td>Entitlement Admin / Owner</td><td>For campaigns involving roles or groups. The review is sent to the Admin/Owner of the entitlement. If none is assigned, the review goes to the Sysadmin account. To assign: <strong>Access Control → Role/Group → Edit → Role/Group Admin/Owner</strong>.</td></tr></tbody></table>

{% hint style="info" %}
Dates configured in the Reviewers section are measured in **calendar days**.
{% endhint %}
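
The Supervisor fallback in the table above means every in-scope user without a supervisor adds a review task to the Sysadmin account. The following pre-launch check is an added example, not OpenIAM code: it assumes a user list exported to CSV with constructed column names (`login`, `user_type`, `supervisor`) and uses `sysadmin` as a placeholder for the Sysadmin account.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names are assumptions, not an OpenIAM format.
SAMPLE_USERS = """login,user_type,supervisor
asmith,Employee,jdoe
bwong,Contractor,
cnguyen,Contractor,jdoe
dpatel,Contractor,
jdoe,Employee,
"""

SYSADMIN = "sysadmin"  # placeholder name for the Sysadmin account


def plan_supervisor_reviews(csv_text, user_type=None):
    """Map each in-scope login to the reviewer a Supervisor-type review would reach.

    user_type mirrors the "User type" selection filter; None means all users.
    """
    plan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if user_type and row["user_type"].strip().lower() != user_type.lower():
            continue
        supervisor = (row.get("supervisor") or "").strip()
        # Rule from the reviewer table: no supervisor assigned -> Sysadmin.
        plan[row["login"].strip()] = supervisor or SYSADMIN
    return plan


def sysadmin_fallbacks(plan):
    """Logins whose review would land on the Sysadmin account."""
    return sorted(login for login, reviewer in plan.items() if reviewer == SYSADMIN)


def reviewer_load(plan):
    """Number of users each reviewer would have to certify."""
    return dict(Counter(plan.values()))


if __name__ == "__main__":
    plan = plan_supervisor_reviews(SAMPLE_USERS, user_type="Contractor")
    print("Routed to Sysadmin:", sysadmin_fallbacks(plan))
    print("Reviewer load:", reviewer_load(plan))
```

Assigning supervisors to the listed users before launch keeps their reviews with someone who knows the access being certified.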

## User selection

In the **User selection** tab, you can narrow the campaign to a specific subset of users. To certify only a specific user type (for example, contractors or service accounts):

{% stepper %}
{% step %}

#### Select the user type filter

In the **Selection type** dropdown, select **User type**.

<figure><img src="/files/5iYfBTP2F36SlprNqKFk" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Choose the user type

In the next dropdown, select the type of users to review.

<figure><img src="/files/D35J6QBjAUUIik1Q65sb" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Preview the users

Click **Preview Users** to see which users match the selection before launching.

<figure><img src="/files/6Dyv6SD6RWraHXbxxZGc" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Save and launch

Click **Save** and launch the campaign. It will run only for the users specified.
{% endstep %}
{% endstepper %}


