Performing Access Recertification with Saviynt

Overview

Access recertification (also called access certification or access review) is a periodic process where designated reviewers validate that users have appropriate access to systems and data. Saviynt Enterprise Identity Cloud (EIC) automates this process through certification campaigns that present reviewers with current access assignments and collect approve/revoke/conditionally-certify decisions. Campaigns can be triggered on schedule (quarterly, semi-annually), event-driven (department transfer, role change), or on-demand. Saviynt provides intelligence features including risk scoring, usage analytics, and peer-group analysis to help reviewers make informed decisions.

When to Use

• When conducting security assessments that involve performing access recertification with saviynt
• When following incident response procedures for related security events
• When performing scheduled security testing or auditing activities
• When validating security controls through hands-on testing

Prerequisites

• Saviynt Enterprise Identity Cloud (EIC) tenant with admin access
• Identity data synchronized from authoritative sources (HR, AD, cloud)
• Entitlement data imported from target applications
• Certifier roles assigned (managers, application owners, data owners)
• Campaign templates defined for each certification type

Core Concepts

Campaign Types

Certification Decisions

Campaign Lifecycle

CONFIGURATION → PREVIEW → ACTIVE → IN PROGRESS → COMPLETED → REMEDIATION
       │            │         │          │             │            │
       │            │         │          │             │            └── Revoke tickets
       │            │         │          │             │                executed
       │            │         │          │             │
       │            │         │          │             └── All decisions
       │            │         │          │                 collected
       │            │         │          │
       │            │         │          └── Certifiers reviewing
       │            │         │              and making decisions
       │            │         │
       │            │         └── Campaign launched,
       │            │             notifications sent
       │            │
       │            └── Read-only preview for validation
       │
       └── Campaign parameters defined

Workflow

Step 1: Configure Campaign Template

In Saviynt Admin Console:

1. Navigate to Certifications > Campaign > Create New Campaign
2. Define campaign parameters:

1. Configure scope filters:

   • Include: All active users
   • Exclude: Service accounts, break-glass accounts
   • Application filter: All connected applications

2. Configure intelligence features:

   • Enable risk scoring (high-risk entitlements highlighted)
   • Enable usage data (last access date shown)
   • Enable peer analysis (compare access to peer group)
   • Enable SoD violation flagging

Step 2: Configure Certifier Experience

Customize what certifiers see during the review:

Columns Displayed:

• User name and title
• Application name
• Entitlement/role name
• Risk score (1-10)
• Last access date
• Peer group comparison (% of peers with same access)
• SoD violation flag

Decision Options:

• Certify with justification (free text)
• Revoke with reason (dropdown: no longer needed, SoD conflict, role change)
• Conditionally certify with expiry date

Bulk Actions:

• Certify all low-risk items
• Revoke all items not accessed in 90+ days
• Filter by application, risk level, or SoD status

Step 3: Launch Campaign via API

import requests

SAVIYNT_URL = "https://tenant.saviyntcloud.com"
SAVIYNT_TOKEN = "your-api-token"

def create_certification_campaign(campaign_config):
    """Create and launch a Saviynt certification campaign."""
    headers = {
        "Authorization": f"Bearer {SAVIYNT_TOKEN}",
        "Content-Type": "application/json"
    }

    # Create campaign
    response = requests.post(
        f"{SAVIYNT_URL}/ECM/api/v5/createCampaign",
        headers=headers,
        json={
            "campaignname": campaign_config["name"],
            "campaigntype": campaign_config["type"],
            "description": campaign_config["description"],
            "certifier": campaign_config["certifier_type"],
            "duedate": campaign_config["due_date"],
            "reminderdays": campaign_config["reminder_days"],
            "autorevoke": campaign_config.get("auto_revoke", True),
            "autorevokedays": campaign_config.get("auto_revoke_days", 15),
            "scope": campaign_config.get("scope", {}),
        }
    )
    response.raise_for_status()
    campaign_id = response.json().get("campaignId")

    # Launch campaign
    launch_response = requests.post(
        f"{SAVIYNT_URL}/ECM/api/v5/launchCampaign",
        headers=headers,
        json={"campaignId": campaign_id}
    )
    launch_response.raise_for_status()

    return {
        "campaign_id": campaign_id,
        "status": "launched",
        "certifications_created": launch_response.json().get("certificationCount", 0)
    }

def get_campaign_status(campaign_id):
    """Get current status and progress of a campaign."""
    headers = {"Authorization": f"Bearer {SAVIYNT_TOKEN}"}
    response = requests.get(
        f"{SAVIYNT_URL}/ECM/api/v5/getCampaignDetails",
        headers=headers,
        params={"campaignId": campaign_id}
    )
    response.raise_for_status()
    data = response.json()

    return {
        "campaign_id": campaign_id,
        "status": data.get("status"),
        "total_items": data.get("totalLineItems", 0),
        "certified": data.get("certifiedCount", 0),
        "revoked": data.get("revokedCount", 0),
        "pending": data.get("pendingCount", 0),
        "completion_rate": data.get("completionPercentage", 0),
    }

Step 4: Monitor Campaign Progress

Track certification progress and send escalations:

• Dashboard: Saviynt provides real-time campaign dashboard with completion rates
• Reminders: Automatic email reminders at configured intervals
• Escalation: If certifier does not respond by due date, escalate to manager's manager or auto-revoke
• Delegation: Allow certifiers to delegate specific items to application owners

Step 5: Execute Remediation

After campaign closes:

1. Auto-Remediation: Saviynt automatically creates provisioning tasks to revoke denied access
2. Ticket Integration: Revocation tasks create tickets in ServiceNow/Jira for tracking
3. Grace Period: Configure a grace period (e.g., 5 business days) before access is actually removed
4. Verification: After revocation, verify access is removed from target systems
5. Audit Trail: All decisions, revocations, and remediations logged for compliance evidence

Validation Checklist

• Campaign templates configured for each certification type
• Certifier roles assigned (managers, app owners, data owners)
• Risk scoring and usage analytics enabled
• SoD violation detection configured
• Reminder and escalation schedules defined
• Auto-revoke policy for non-responsive certifiers configured
• Campaign launched and certifiers notified
• Campaign completion rate > 95% before close
• Revocation tasks created for all denied entitlements
• Remediation completed within SLA
• Campaign report generated for compliance audit
• Evidence archived for regulatory retention period

References

• Saviynt Campaigns and Certifications Documentation
• Saviynt Simplifying Certifications with Intelligence
• Saviynt Advanced Access Reviews
• ISACA Access Recertification Best Practices