User access review
The user access certification means configuring and executing periodic user access checks. These checks should be an integral part of a larger strategy to improve security and ensure that users have only the required level of access. These reviews are also important for supporting regulatory requirements such as SOC-2 audits.
To implement user access certification, you will need to address the following.
| Topic | Description |
|---|---|
| Collect evidence of access | Collecting evidence of the access users have by using the connector and data synchronization tools to import data from the application, which OpenIAM needs to conduct certification. |
| Configure the certification | The certification configuration process requires defining the scope of the review and the reviewer workflow. Use the rows below to configure the certification based on its type.
|
| Execute the certification | This step allows starting the certification process and the reviewer will be notified of the ability to start the user access certification. |
| Allow bulk approval (optional) | An optional, risky reviewer convenience that lets reviewers certify or revoke all of a user's or entitlement's access in one action instead of reviewing each item individually. Off by default and not recommended — see Allow bulk approval. |
| Reports for Auditors | After the certification has been completed, the campaign manager will need to obtain reports from OpenIAM to attach those into audit documentation. This process can be found in sections, dedicated to reporting. |
| Monitor and manage a running campaign | Use the Campaign dashboard to track review progress, manage campaign managers, and perform lifecycle actions (delete, expire, extend). |
The certification-manager microservice
As of v2026.6.1, certification runs in a dedicated microservice,
certification-manager, with its own JVM, its own resource budget, and its own database (certification) — certification configurations, campaigns and access review items no longer live in theopeniamdatabase or share heap withopeniam-esb. The service owns the certification data tier and the campaign compute (campaign initialization and scope filtering, report generation, review completion and revocation handling, review-complete notification data). The Activiti review workflow itself stays in theworkflowservice; its certification steps delegate the compute tocertification-managerover RabbitMQ.
What this means for you
Starting with v2026.6.1, access certification runs as its own dedicated part of OpenIAM. You don't need to change how you create or run campaigns — everything works exactly as before. The difference is in how smoothly it runs behind the scenes:
- Faster, smoother campaigns. Launching a large certification — covering thousands of users and their access — has its own dedicated resources, so it starts and completes more quickly, even for big reviews.
- No impact on the rest of OpenIAM. Running a heavy campaign or generating large reports no longer slows down everyday activities like signing in, requesting access, or other administrative work. Certification now runs in its own space.
- More reliable. If something goes wrong during a certification, it stays contained to certification — the rest of OpenIAM keeps working normally.
- Built to grow with you. As your organization and the size of your reviews grow, the certification service can be given more capacity on its own, without affecting anything else.
In short: the same certification experience you already know, now faster and more dependable — especially for large, organization-wide reviews.
Operational notes when deploying certification-manager:
- Create a
certificationdatabase/schema on your existing database server before the first start; the service applies its own migrations. - Configure the connection (and the matching Vault secrets) in
datasource.properties:
jdbc.certification.url=<jdbc URL for the new certification DB>vault.secret.certification.jdbc.username=<username>vault.secret.certification.jdbc.password=<password>certification.databaseSchema.name=<schema name, e.g. certification>
- To copy existing certification data from the legacy
openiamdatabase, start the service once withorg.openiam.certification.migrate-from-openiam=true, verify the row counts, then switch the flag back tofalse. - Deploy the
certification-managerHelm chart (or Docker service) alongsideopeniam-esb, the same waybatch-task-manageris deployed.
Terminology used throughout this guide: a certification is the configuration of a review (scope, reviewers, schedule); a campaign is one run of that certification. Earlier releases called these "access certification" and used the UAR (User Access Review) abbreviation; both refer to the same feature.
to hide the button), which is in the selfservice.ui.properties file at /openiam-selfservice/src/main/resources.false