Certify user access

This topic describes how to certify or revoke user access to resources during an identity certification campaign.

What is an identity certification campaign?

An identity certification campaign enables your organization to define and run a periodic review of the access a group of users have to various resources. For example, your organization can create a monthly campaign to review users' access to finance applications, as well as to selected Safes or roles.

A campaign consists of one or more cycles. A cycle is a period of time during which you may review user access. If a campaign ends before you have reviewed all items, your administrator has configured the campaign to either continue or revoke users' access for the unreviewed items.

What does a certifier do?

You are the certifier because you are the users' manager, or your organization specifically selected you to certify access. Your task as a certifier is to certify, revoke, or acknowledge access to resources for each user included in the campaign. You might have to do this on-demand, or at intervals configured by your organization.

Certifier actions

As a certifier, it is important to understand how your actions affect each user in the campaign.

Certifier actions




Certifying confirms that a user is permitted to access associated resources.

Certifiers can only certify or revoke access to resources that the user was manually given access to by an administrator or as part of an access request.


Revoking removes a user's permission to access associated resources. An administrator may configure Identity Compliance to revoke user access when any of the following events take place:

  • The certifier saves a campaign cycle.

  • The certifier signs off on the campaign cycle.


Certifiers see the Acknowledge option only if a user has access due to role or group membership. Clicking Acknowledge indicates that the certifier reviewed a specific resource for a user, but does not modify user access.


The certifier saves all decisions entered in the current campaign cycle session. After saving, the certifier can return to review access as many times as necessary until the cycle is completed. Saving does not complete the campaign cycle.

Sign off

The certifier signs off to complete the campaign cycle. After signoff, all decisions that have not yet taken effect become operative. Decisions cannot be changed after signoff.

If you do not finish the campaign cycle in the time allowed, then users' access to resources where you did not yet make a decision either continues or is automatically revoked, depending on how your organization configured the campaign.

Resources for review

You can review the following types of resources associated with each user.

Resource Types

Resource Type



Web applications deployed to the user through CyberArk Identity.


Privilege Cloud or PAM Safes and all of the permissions in each Safe.

Your organization uses Safes to store and organize authorized user accounts. For example, your organization can create a Safe for each department such as Finance or HR, and store the accounts for that department in the relevant Safe.


A user's role and its associated resources, including applications, Safe permissions (Privilege Cloud only), and groups linked to the role.

Certify user access in an identity certification campaign

This procedure describes how to certify or revoke access for users in a campaign.

To certify or revoke user access to resources:
  1. Sign in to the Identity User Portal, then go to Identity Certification and open a campaign to review.

  2. Select a user to review on the left. On the right, select the tab for the resource type you are reviewing (Applications, Safes, Users, or Groups). Review each resource and click Certify or Revoke as needed.

    You can also perform the following additional actions.

    Certification actions



    Bulk certify, revoke, or acknowledge access for all resources in the list.

    Click Bulk Actions > Certify or acknowlege all or Revoke or acknowledge all.

    You can perform a bulk action on one user or multiple users. First select user A, select the resources to act on, then select user B and select resources for that user. Click Save when you're done. Decisions will be taken on all users and resources you selected.

    You can undo a bulk action before you save the campaign by clicking Undo bulk action. This action reverses decisions for all resources in the list. After you save the campaign, you cannot reverse any revocations that were triggered immediately. You can reverse other decisions until campaign sign-off. After sign-off, no decisions can be reversed.

    Add a comment for each decision.

    Add a comment containing information about the decision. For example, you can provide a reason why you revoked access. For bulk actions, one comment applies to all resources. Your organization might require a comment.

    To add a comment, click the comment button to the right of the decision buttons.

    View the certification history for a resource.

    View the history for a resource, add a comment, and submit your decision directly from the history report. To view history, click the history button to the left of the decision buttons.

  3. Repeat the process for all resources for every user included in the campaign.

    Click Save to save your progress and return to the campaign later.

  4. After you complete all decisions in the campaign, click Sign off to sign off on the campaign cycle.

    You might have to complete MFA challenges to verify your identity for audit purposes before you sign off.

    After sign-off, all decisions take effect and the cycle is complete. You can't change decisions after you sign off.