User entitlement


You can create user entitlement certification campaign to certify user application accesses.

Steps to guide you with example

  1. Create campaign
  2. View campaign
  3. Edit campaign
  4. Pause and resume campaign
  5. Cancel campaign

1. Create campaign

Navigate to Applications -> Access certification -> Create campaign

  • General setup
    Specify campaign name, optionally add description, select User entitlement campaign type, and priority.

  • Scope
    Select applications to review accesses in this campaign. All users that are entitled to the selected applications will be included. To filter this campaign's scope to a subset of users, use Include only option to select specific users or users of groups, or use Except for option to select all entitled users except for specified users or users of groups. If users or groups are added in Include only section. Then, Except for configuration will be ignored.

    • Scope applications

    • Scope users

  • Reviewer settings
    Select reviewer to certify accesses for users. There are 2 options to select reviewer.

    • User manager: a review notification will be send to the manager of each user in the campaign.

    • Specify reviewer: search an user and add single reviewer for all users in the campaign.


You can choose to log reviewer's decisions to know about each user's entitlement. There will no change in users' entitlements. Otherwise, you can choose when reviewer's decisions should take effect.

  • When the campaign ends: Rejection will trigger revocation of entitlement and deprovision of account according to the lifecycle policy for application once campaign will end.

  • Immediately: Rejection will trigger an immediate revocation of entitlement and deprovision of account according to the lifecycle policy for application.

  • Let the reviewer decide: Reviewer can decide to revoke entitlement immediately or when campaign will end.

  • Campaign supervisor settings
    If you wish to add other users to help you to track the progress of campaign. Then, you can add one or more users as supervisor of the campaign. They can track the progress of the campaign along with you.

  • Schedule
    You can either start campaign immediately or select a start date and time along with a frequency to re-run the campaign. Duration of the campaign should be between 1 to 365 days for reviewer to certify accesses.

    • Schedule immediately

    • Schedule later on

  • Reminder and campaign end
    If you wish to set reminder for reviewers. Then, you can specify the number of days to send daily reminders to reviewer before campaign ends. You can define the action for unreviewed entitlements after the campaign ends.

    • Take no action: There will be no change in the entitlements.

    • Approve all: All entitlements will be approved automatically.

    • Reject all: All entitlements will be rejected automatically.


2. View campaign

You can select a campaign to view its configuration details and progress.

  • Campaign results by reviewer

  • Campaign results by entitlement


3. Edit campaign

You can edit description and priority of the campaign.


4. Pause and resume campaign

You can pause the campaign.


Once campaign is paused. Then, reviewers will no longer see campaign to certify the entitlements.


You can also resume the campaign.


Once campaing is resumed. Then, reviewers will start seeing campaign again to certify the entitlements.


5. Cancel campaign

You can cancel the campaign.


Once campaign is cancelled. It will be no longer available for review.



Aakash Prajapati, IBM Security