User access review

The user access certification means configuring and executing periodic user access checks. These checks should be an integral part of a larger strategy to improve security and ensure that users have only the required level of access. These reviews are also important for supporting regulatory requirements such as SOC-2 audits.

To implement user access certification, you will need to address the following.

TopicDescription
Collect evidence of accessCollecting evidence of the access users have by using the connector and data synchronization tools to import data from the application, which OpenIAM needs to conduct certification.
Configure the certificationThe certification configuration process requires defining the scope of the review and the reviewer workflow. Use the rows below to configure the certification based on its type.
  • User based certification option deals with all the access that users have. During the configuration, you will be able to determine which users should be included in the certification.
  • Application + entitlements option deals with a specific set of entitlements in an application or a group of applications. These are sometimes referred to as Micro-certifications.
Execute the certificationThis step allows starting the certification process and the reviewer will be notified of the ability to start the user access certification.
Allow bulk approval (optional)An optional, risky reviewer convenience that lets reviewers certify or revoke all of a user's or entitlement's access in one action instead of reviewing each item individually. Off by default and not recommended — see Allow bulk approval.
Reports for AuditorsAfter the certification has been completed, the campaign manager will need to obtain reports from OpenIAM to attach those into audit documentation. This process can be found in sections, dedicated to reporting.
Monitor and manage a running campaignUse the Campaign dashboard to track review progress, manage campaign managers, and perform lifecycle actions (delete, expire, extend).
Note: Every run of a User Access Certification creates a new review campaign. Every campaign generates a new set of data, being unique for the configurations chosen for a particular campaign. Hence, in the User Access Certification dashboard tab there might exist several campaigns with different data.

The certification-manager microservice

As of v2026.6.1, certification runs in a dedicated microservice, certification-manager, with its own JVM, its own resource budget, and its own database (certification) — certification configurations, campaigns and access review items no longer live in the openiam database or share heap with openiam-esb. The service owns the certification data tier and the campaign compute (campaign initialization and scope filtering, report generation, review completion and revocation handling, review-complete notification data). The Activiti review workflow itself stays in the workflow service; its certification steps delegate the compute to certification-manager over RabbitMQ.

What this means for you

Starting with v2026.6.1, access certification runs as its own dedicated part of OpenIAM. You don't need to change how you create or run campaigns — everything works exactly as before. The difference is in how smoothly it runs behind the scenes:

  • Faster, smoother campaigns. Launching a large certification — covering thousands of users and their access — has its own dedicated resources, so it starts and completes more quickly, even for big reviews.
  • No impact on the rest of OpenIAM. Running a heavy campaign or generating large reports no longer slows down everyday activities like signing in, requesting access, or other administrative work. Certification now runs in its own space.
  • More reliable. If something goes wrong during a certification, it stays contained to certification — the rest of OpenIAM keeps working normally.
  • Built to grow with you. As your organization and the size of your reviews grow, the certification service can be given more capacity on its own, without affecting anything else.

In short: the same certification experience you already know, now faster and more dependable — especially for large, organization-wide reviews.

Operational notes when deploying certification-manager:

  • Create a certification database/schema on your existing database server before the first start; the service applies its own migrations.
  • Configure the connection (and the matching Vault secrets) in datasource.properties:
jdbc.certification.url=<jdbc URL for the new certification DB>
vault.secret.certification.jdbc.username=<username>
vault.secret.certification.jdbc.password=<password>
certification.databaseSchema.name=<schema name, e.g. certification>
  • To copy existing certification data from the legacy openiam database, start the service once with org.openiam.certification.migrate-from-openiam=true, verify the row counts, then switch the flag back to false.
  • Deploy the certification-manager Helm chart (or Docker service) alongside openiam-esb, the same way batch-task-manager is deployed.

Terminology used throughout this guide: a certification is the configuration of a review (scope, reviewers, schedule); a campaign is one run of that certification. Earlier releases called these "access certification" and used the UAR (User Access Review) abbreviation; both refer to the same feature.

Selecting access in SelfService

Note: To avoid the case of “Access Rights were not selected against the roles or groups assigned to the users” while creating access certification, make sure to select access rights user when assigning a user to a role. Access certification works if access rights are selected to the role or group for the users, which are certified. You can do that in SelfService when creating a request, as shown above.
Note: When creating a User access review (UAR) in SelfService portal, there is a Compare with button. Users can sometimes be confused with this button, hence there is an option to hide it. This can be done by means of overriding the UI properties, as specified in this document. The property you will need to override is openiam.ui.webconsole.user.compare.with.button.show (set it to
false
to hide the button), which is in the selfservice.ui.properties file at /openiam-selfservice/src/main/resources.