ReddRadar
Agent skill
performing-access-recertification-with-saviynt
Configure and execute access recertification campaigns in Saviynt Enterprise Identity Cloud to validate user entitlements, revoke excessive access, and maintain compliance with SOX, SOC2, and HIPAA.
Install this agent skill to your Project
npx add-skill https://github.com/autohandai/community-skills/tree/main/performing-access-recertification-with-saviynt
SKILL.md
Performing Access Recertification with Saviynt
Overview
Access recertification (also called access certification or access review) is a periodic process where designated reviewers validate that users have appropriate access to systems and data. Saviynt Enterprise Identity Cloud (EIC) automates this process through certification campaigns that present reviewers with current access assignments and collect approve/revoke/conditionally-certify decisions. Campaigns can be triggered on schedule (quarterly, semi-annually), event-driven (department transfer, role change), or on-demand. Saviynt provides intelligence features including risk scoring, usage analytics, and peer-group analysis to help reviewers make informed decisions.
Prerequisites
- Saviynt Enterprise Identity Cloud (EIC) tenant with admin access
- Identity data synchronized from authoritative sources (HR, AD, cloud)
- Entitlement data imported from target applications
- Certifier roles assigned (managers, application owners, data owners)
- Campaign templates defined for each certification type
Core Concepts
Campaign Types
| Type | Scope | Trigger | Certifier |
|---|---|---|---|
| User Manager | All access for users under a manager | Scheduled (quarterly) | Direct manager |
| Entitlement Owner | All users with a specific entitlement | Scheduled (semi-annually) | Entitlement/app owner |
| Application | All access to a specific application | Scheduled | Application owner |
| Role-Based | All users assigned to a specific role | Scheduled | Role owner |
| Event-Based | Users whose attributes changed | Attribute change trigger | New manager |
| Micro-Certification | Single user, single entitlement | On-demand | Manager or owner |
Certification Decisions
| Decision | Effect | Use Case |
|---|---|---|
| Certify (Approve) | Access maintained | Access is still required |
| Revoke | Access removal ticket created | Access no longer needed |
| Conditionally Certify | Access maintained with conditions | Access needed temporarily, review again |
| Delegate | Reassign to another certifier | Certifier lacks knowledge to decide |
| Abstain | No decision recorded | Conflict of interest |
Campaign Lifecycle
CONFIGURATION → PREVIEW → ACTIVE → IN PROGRESS → COMPLETED → REMEDIATION
│ │ │ │ │ │
│ │ │ │ │ └── Revoke tickets
│ │ │ │ │ executed
│ │ │ │ │
│ │ │ │ └── All decisions
│ │ │ │ collected
│ │ │ │
│ │ │ └── Certifiers reviewing
│ │ │ and making decisions
│ │ │
│ │ └── Campaign launched,
│ │ notifications sent
│ │
│ └── Read-only preview for validation
│
└── Campaign parameters defined
Implementation Steps
Step 1: Configure Campaign Template
In Saviynt Admin Console:
- Navigate to Certifications > Campaign > Create New Campaign
- Define campaign parameters:
| Parameter | Value |
|---|---|
| Campaign Name | Q1 2025 Manager Access Review |
| Campaign Type | User Manager |
| Description | Quarterly review of all user access |
| Certifier Type | Manager (dynamic - user's direct manager) |
| Secondary Certifier | Application Owner (fallback if manager unavailable) |
| Due Date | 14 days from launch |
| Reminder Schedule | Day 7, Day 10, Day 13 |
| Escalation | Auto-revoke on Day 15 if no decision |
-
Configure scope filters:
- Include: All active users
- Exclude: Service accounts, break-glass accounts
- Application filter: All connected applications
-
Configure intelligence features:
- Enable risk scoring (high-risk entitlements highlighted)
- Enable usage data (last access date shown)
- Enable peer analysis (compare access to peer group)
- Enable SoD violation flagging
Step 2: Configure Certifier Experience
Customize what certifiers see during the review:
Columns Displayed:
- User name and title
- Application name
- Entitlement/role name
- Risk score (1-10)
- Last access date
- Peer group comparison (% of peers with same access)
- SoD violation flag
Decision Options:
- Certify with justification (free text)
- Revoke with reason (dropdown: no longer needed, SoD conflict, role change)
- Conditionally certify with expiry date
Bulk Actions:
- Certify all low-risk items
- Revoke all items not accessed in 90+ days
- Filter by application, risk level, or SoD status
Step 3: Launch Campaign via API
import requests
SAVIYNT_URL = "https://tenant.saviyntcloud.com"
SAVIYNT_TOKEN = "your-api-token"
def create_certification_campaign(campaign_config):
"""Create and launch a Saviynt certification campaign."""
headers = {
"Authorization": f"Bearer {SAVIYNT_TOKEN}",
"Content-Type": "application/json"
}
# Create campaign
response = requests.post(
f"{SAVIYNT_URL}/ECM/api/v5/createCampaign",
headers=headers,
json={
"campaignname": campaign_config["name"],
"campaigntype": campaign_config["type"],
"description": campaign_config["description"],
"certifier": campaign_config["certifier_type"],
"duedate": campaign_config["due_date"],
"reminderdays": campaign_config["reminder_days"],
"autorevoke": campaign_config.get("auto_revoke", True),
"autorevokedays": campaign_config.get("auto_revoke_days", 15),
"scope": campaign_config.get("scope", {}),
}
)
response.raise_for_status()
campaign_id = response.json().get("campaignId")
# Launch campaign
launch_response = requests.post(
f"{SAVIYNT_URL}/ECM/api/v5/launchCampaign",
headers=headers,
json={"campaignId": campaign_id}
)
launch_response.raise_for_status()
return {
"campaign_id": campaign_id,
"status": "launched",
"certifications_created": launch_response.json().get("certificationCount", 0)
}
def get_campaign_status(campaign_id):
"""Get current status and progress of a campaign."""
headers = {"Authorization": f"Bearer {SAVIYNT_TOKEN}"}
response = requests.get(
f"{SAVIYNT_URL}/ECM/api/v5/getCampaignDetails",
headers=headers,
params={"campaignId": campaign_id}
)
response.raise_for_status()
data = response.json()
return {
"campaign_id": campaign_id,
"status": data.get("status"),
"total_items": data.get("totalLineItems", 0),
"certified": data.get("certifiedCount", 0),
"revoked": data.get("revokedCount", 0),
"pending": data.get("pendingCount", 0),
"completion_rate": data.get("completionPercentage", 0),
}
Step 4: Monitor Campaign Progress
Track certification progress and send escalations:
- Dashboard: Saviynt provides real-time campaign dashboard with completion rates
- Reminders: Automatic email reminders at configured intervals
- Escalation: If certifier does not respond by due date, escalate to manager's manager or auto-revoke
- Delegation: Allow certifiers to delegate specific items to application owners
Step 5: Execute Remediation
After campaign closes:
- Auto-Remediation: Saviynt automatically creates provisioning tasks to revoke denied access
- Ticket Integration: Revocation tasks create tickets in ServiceNow/Jira for tracking
- Grace Period: Configure a grace period (e.g., 5 business days) before access is actually removed
- Verification: After revocation, verify access is removed from target systems
- Audit Trail: All decisions, revocations, and remediations logged for compliance evidence
Validation Checklist
- Campaign templates configured for each certification type
- Certifier roles assigned (managers, app owners, data owners)
- Risk scoring and usage analytics enabled
- SoD violation detection configured
- Reminder and escalation schedules defined
- Auto-revoke policy for non-responsive certifiers configured
- Campaign launched and certifiers notified
- Campaign completion rate > 95% before close
- Revocation tasks created for all denied entitlements
- Remediation completed within SLA
- Campaign report generated for compliance audit
- Evidence archived for regulatory retention period
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
autohandai/community-skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
autohandai/community-skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
autohandai/community-skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
autohandai/community-skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
autohandai/community-skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
autohandai/community-skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?