Idea Details

Trigger based certification campaigns in CA Identity Governance

Last activity 06-03-2019 08:34 PM
Matthew_Miller's profile image
07-09-2015 04:40 PM

I am requesting an enhancement request for the added functionality of "trigger based certification campaigns" to the CA Identity Suite.


The workflow would be an event occurs within an enterprise that would require a recertification on a single entity. This workflow should be triggered by Policy Xpress based on the defined conditions.


Example Use Cases:


  • User Termination. A user termination is initiated within the CA Identity Suite. This should trigger a certification campaign on that user and their associated entitlements. Any residual entitlements can subsequently be rejected and removed by the system as part of a user based certification campaign. This ensures all access tied to that user is removed.
  • User Transfer. A user transitions to a new position within the company. Changes to a user's attribute or set of attributes should trigger a user based certification campaign to validate old access is removed and new access is appropriate to the new position.
  • Role Changes. When a Provisioning Role or Account Template is modified, a role based certification campaign is triggered. All associated entitlements / objects are recertified by the application owner and / or role owner to validate the change was made in accordance to the role model. A secondary approval could be included for the RBAC / INFOSEC / Internal Audit team to validate the changes.


03-05-2018 12:10 PM

Hi Hila,

Glad to know that this may be coming our way. Matt and I are trying to get this as OOTB feature. I do believe, this will also improve our positioning in Gartner matrix. I would like to invite comments from Dave C. on it as well. Alan_Baugher, panba01 and Enrique_L._Torres what do you guys think about including this?


02-28-2018 10:26 AM

This is indeed a great idea which we would like to implement, it would first require us to make some modifications in our architecture before it can be developed. Moving it to wish-list until we're at a time we can implement this.

07-15-2016 09:11 AM



This is a wonderful idea and helps expand smart provisioning functionality to any managed IDM objects and not just users/accounts that IDM manages. Also, when you expand IDM to manage PAM , this same module could then be used for privileged access review as well.


I hope this gets accepted and implemented quickly.