Identity Governance
Certification campaigns — your access review engine.
In Saviynt, a certification campaign closes the loop between entitlement provisioning and ongoing governance. It is how organizations prove — continuously — that the right people have the right access for the right reasons.
At a glance: 7 campaign types · 6 lifecycle steps · 3 core reviewer actions · 0 uncertified access tolerated.
Step 1 — Understand the concept
What is a certification campaign in Saviynt?
A certification campaign (access review campaign) is a structured, time-boxed activity in Saviynt IGA where designated reviewers — managers, application owners, role owners, or risk teams — evaluate whether assigned privileges are still appropriate, necessary, and compliant.
Certification campaigns are the operational backbone of access governance. Rather than assuming access granted months ago is still valid, they force a periodic, documented reckoning: for every user–entitlement pair in scope, a reviewer must decide — Approve, Revoke, or Delegate. Where auto-revocation is enabled, no decision means automatic revocation. Every action is time-stamped and audit-ready.
Expert insight
Reduce reviewer fatigue before you widen scope
Scoping too broadly kills participation rates; scoping too narrowly misses governance gaps. Start with highest-risk entitlements, show reviewers rich context (last used, peer comparison, risk score), and keep campaign windows short — 2–3 weeks with clear reminders. Fatigued reviewers rubber-stamp; informed reviewers revoke.
Strategic pillars
Why certification campaigns matter
Six pillars connect periodic reviews to governance, compliance, risk, lifecycle, audit evidence, and SoD.
Pillar 01
Access governance
Ensure users only hold access proportionate to their current role. As jobs evolve, entitlements accumulate — campaigns surface and clean this drift systematically.
Pillar 02
Regulatory compliance
Meet audit requirements for SOX, GDPR, HIPAA, PCI DSS, and ISO 27001. Reviewer decisions create the evidence trail auditors expect — dated, attributable, exportable.
Pillar 03
Risk mitigation
Remove excessive, toxic, or orphaned access before it becomes a breach vector. Campaigns can be risk-weighted — high-risk entitlements quarterly, low-risk annually.
Pillar 04
Lifecycle alignment
Joiner-Mover-Leaver handles events; campaigns handle accumulation between events. Together they close the governance loop.
Pillar 05
Audit readiness
Turn “who had what access and why?” from a scramble into a documented, searchable record — timestamped packages for SOC 2, ISO, or external audit.
Pillar 06
SoD enforcement
Surface separation-of-duties violations during review. Flag toxic combinations so reviewers remediate before conflicts are exploited.
Step 2 — The seven campaign types
Types of certification campaigns in Saviynt
Seven distinct campaign types map to reviewer persona and governance scope. Choosing the right type determines who reviews, what they review, and at what granularity.
User access review by manager
Each manager reviews all access held by direct reports. Ideal for broad workforce certifications with contextual judgment of job fit.
Direct manager
Access review by application owner
The owner reviews who has access to their application and what they can do. Best for critical apps where privilege creep is visible immediately.
Application owner
Access review by role owner
The role owner reviews all users assigned to a specific role — effective for high-privilege or sensitive roles and SoD-aware reviews.
Role owner
Access review by entitlement owner
Data stewards or admins review each user holding a specific entitlement — the most granular type for sensitive data or privileged permissions.
Entitlement owner
User self-review
Users certify their own access. Scalable but limited alone — most frameworks require a second reviewer. Use as a first-pass filter before manager or owner review.
User (self)
Peer group access review
Analytics compares a user’s profile to peers; outliers are flagged for expedited review — strong for privilege creep and insider-risk signals.
Analytics-driven
Event-triggered review
Reviews fire when defined events occur — role change, high-risk grant, policy violation — near-real-time governance instead of only periodic bulk runs.
Event-triggered
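The peer group review above relies on comparing each user's entitlements to those of their peers and routing outliers into an expedited review. The following Python is an added illustration of that scoring logic, not Saviynt's analytics engine or any FuturevisionIA code; the user list, peer grouping by department, the 50% rarity threshold and the entitlement names are all constructed assumptions. It generalises slightly beyond the text by scoring every user rather than one, so the output can seed the scope of a peer-based campaign.

```python
"""Peer-group outlier scoring for access review scoping.

Added illustration, not Saviynt code: given each user's entitlements and
their peer group (department here), measure how unusual each user's access
is relative to peers and rank outliers for an expedited review.
"""
from collections import Counter, defaultdict

# Constructed sample data: user -> (peer group, set of entitlements).
USERS = {
    "alice": ("finance", {"SAP_FI_DISPLAY", "SAP_FI_POST"}),
    "bob":   ("finance", {"SAP_FI_DISPLAY", "SAP_FI_POST"}),
    "carol": ("finance", {"SAP_FI_DISPLAY", "SAP_FI_POST", "SAP_FI_ADMIN"}),
    "dave":  ("finance", {"SAP_FI_DISPLAY"}),
    "erin":  ("eng",     {"GIT_PUSH", "CI_ADMIN"}),
    "frank": ("eng",     {"GIT_PUSH"}),
    "grace": ("eng",     {"GIT_PUSH", "SAP_FI_ADMIN"}),  # finance admin held by an engineer
}


def peer_prevalence(users):
    """For each peer group, the fraction of members holding each entitlement."""
    groups = defaultdict(list)
    for _user, (group, ents) in users.items():
        groups[group].append(ents)
    prevalence = {}
    for group, members in groups.items():
        counts = Counter(e for ents in members for e in ents)
        prevalence[group] = {e: n / len(members) for e, n in counts.items()}
    return prevalence


def outlier_entitlements(users, rare_threshold=0.5):
    """Entitlements a user holds that fewer than rare_threshold of their
    peers hold. Returns user -> {entitlement: peer prevalence}; users with
    no rare entitlements are omitted."""
    prevalence = peer_prevalence(users)
    result = {}
    for user, (group, ents) in users.items():
        rare = {e: prevalence[group][e] for e in ents
                if prevalence[group][e] < rare_threshold}
        if rare:
            result[user] = rare
    return result


def flag_for_review(users, rare_threshold=0.5):
    """Users to route into an expedited peer-group review, highest outlier
    score first. Score = rare entitlements / total entitlements, so a user
    whose access is mostly unusual ranks above one with a single oddity."""
    rare = outlier_entitlements(users, rare_threshold)
    scored = []
    for user, ents in rare.items():
        total = len(users[user][1])
        scored.append((user, len(ents) / total, sorted(ents)))
    return sorted(scored, key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    for user, score, ents in flag_for_review(USERS):
        print(f"{user:6} score={score:.2f} rare={ents}")
```

In practice the "rare" threshold would be tuned per application, and the prevalence figures belong next to the item in the reviewer's dashboard (the "peer comparison" context the page recommends) so the reviewer sees why the item was flagged.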
Step 3 — Campaign lifecycle
From scope definition to audit report
Six structured steps from definition to closure. Configuration choices directly affect participation, completeness, and the quality of compliance evidence.
Define the campaign scope
Choose the campaign type and applications, users, roles, or entitlements to include. Apply exclusions for service accounts or low-risk items. Scoping too broadly kills participation; too narrowly misses gaps. Start with highest-risk entitlements.
Configure review attributes and reviewers
Define access attributes reviewers see (account, entitlement description, last used, risk score). Assign primary and backup reviewers with fallback rules. Configure delegation. Context quality is the biggest driver of decision accuracy.
Duration, reminders, escalation
Set the campaign window (often 2–4 weeks), automated reminders, and escalation if reviewers stall. Optionally enable auto-revocation for undecided items at close — powerful, but must be communicated before launch.
Launch — reviewers notified
Saviynt sends email notifications with a link to the certification dashboard: who holds what, when it was granted, last used date, and risk score — actionable without spreadsheets.
Review — approve, revoke, or delegate
Approve retains access; Revoke triggers deprovisioning via ServiceNow, Jira, or Saviynt workflows; Delegate reassigns when context is insufficient. Every path is logged.
Close and report
At close, Saviynt generates an audit report — every decision, timestamp, and item. Undecided items follow policy (e.g. auto-revoked). Export PDF or CSV for SOX, HIPAA, or ISO evidence. Results refresh the access intelligence layer.
Step 4 — Reviewer decision framework
Three core actions — and what each triggers
Every access item requires an explicit decision. Reviewers are active governance participants; their choices drive provisioning and audit outcomes.
Action 01
Approve — access retained
The reviewer certifies access as appropriate for the current role. The entitlement stays; the approval is date-stamped and attributed.
Action 02
Revoke — deprovisioning triggered
Access is no longer needed. A deprovisioning workflow runs via Saviynt, ServiceNow ticket, or target system API — removal tracked end-to-end.
Action 03
Delegate — reassigned to expert
Insufficient context to decide — delegate to a colleague or data owner. Chains are tracked; depth is usually limited to one hop.
Action 04
Comment and flag for exception
Attach rationale or flag for committee review before close — so high-risk access is not approved without oversight.
Auto-action
No action = auto-revoke
When enabled, undecided items at close are automatically revoked — eliminating implicit approval through inaction.
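Steps 3 and 4 describe what happens to each item at campaign close: approvals are retained, revokes open a deprovisioning workflow, delegations are limited to one hop, high-risk or SoD-flagged items should not be approved without oversight, and undecided items are auto-revoked when that option is enabled. The Python below is an added illustration of that close-out logic written for this page; it is not Saviynt's data model, API or workflow engine, and the item fields, decision names, outcome labels, the toxic-combination rule and the sample items are all constructed assumptions.

```python
"""Campaign close: apply reviewer decisions, auto-revoke undecided items,
hold oversight-requiring approvals, and emit an audit trail.

Added illustration only; item shape, decision and outcome names and the
SoD rule are assumptions, not Saviynt's data model or API.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

APPROVE, REVOKE, DELEGATE = "approve", "revoke", "delegate"
MAX_DELEGATION_HOPS = 1  # page: delegation depth is usually limited to one hop

# Constructed separation-of-duties rule: holding both entitlements is a conflict.
SOD_RULES = [{"AP_CREATE_VENDOR", "AP_PAY_VENDOR"}]


@dataclass
class Item:
    user: str
    entitlement: str
    reviewer: str
    decision: Optional[str] = None  # None = reviewer never acted
    comment: str = ""               # rationale attached by the reviewer
    hops: int = 0                   # how many times this item was already delegated
    risk: str = "low"


def sod_conflicts(items):
    """(user, entitlement) pairs that participate in a toxic combination."""
    held = {}
    for it in items:
        held.setdefault(it.user, set()).add(it.entitlement)
    flagged = set()
    for user, ents in held.items():
        for rule in SOD_RULES:
            if rule <= ents:
                flagged.update((user, e) for e in rule)
    return flagged


def close_campaign(items, auto_revoke=True, now=None):
    """Apply decisions at close. Returns (outcomes, audit_log)."""
    now = now or datetime.now(timezone.utc)
    conflicts = sod_conflicts(items)
    outcomes, audit = [], []
    for it in items:
        key = (it.user, it.entitlement)
        actor = it.reviewer
        if it.decision is None:
            outcome = "auto_revoked" if auto_revoke else "undecided_escalated"
            actor = "system"
        elif it.decision == APPROVE:
            # High-risk or SoD-flagged access needs a rationale; without one,
            # the approval is held for exception (committee) review, not applied.
            needs_oversight = it.risk == "high" or key in conflicts
            outcome = "retained" if (not needs_oversight or it.comment) else "held_for_exception_review"
        elif it.decision == REVOKE:
            outcome = "deprovision_workflow_opened"  # ITSM ticket / target API call
        elif it.decision == DELEGATE:
            outcome = "delegated" if it.hops < MAX_DELEGATION_HOPS else "delegation_depth_exceeded"
        else:
            raise ValueError(f"unknown decision {it.decision!r}")
        outcomes.append((it.user, it.entitlement, outcome))
        audit.append({"ts": now.isoformat(), "actor": actor, "user": it.user,
                      "entitlement": it.entitlement, "decision": it.decision or "none",
                      "outcome": outcome, "sod_flag": key in conflicts, "comment": it.comment})
    return outcomes, audit


def summary(outcomes):
    """Count of items per outcome, the figures a close report would show."""
    counts = {}
    for _, _, outcome in outcomes:
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample items for one campaign.
SAMPLE_ITEMS = [
    Item("alice", "AP_CREATE_VENDOR", "mgr_finance", APPROVE),   # SoD pair approved
    Item("alice", "AP_PAY_VENDOR", "mgr_finance", APPROVE),      # without rationale -> held
    Item("bob", "SAP_FI_ADMIN", "mgr_finance", APPROVE, comment="constructed ticket ref", risk="high"),
    Item("carol", "GIT_PUSH", "mgr_eng", REVOKE),
    Item("dave", "CI_ADMIN", "mgr_eng", DELEGATE),
    Item("erin", "CI_ADMIN", "mgr_eng", DELEGATE, hops=1),       # second hop refused
    Item("frank", "VPN", "mgr_eng"),                             # never decided
]

if __name__ == "__main__":
    outcomes, audit = close_campaign(SAMPLE_ITEMS)
    print(summary(outcomes))
    for record in audit:
        print(record)
```

Two points are worth noting in the logic: undecided items never become approvals (they are either auto-revoked or explicitly escalated, matching the "inaction must never mean implicit approval" rule), and an approval on a flagged item without a comment is recorded as held rather than silently applied, which is the audit-visible form of "flag for exception".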
Step 5 — Choose the right type
Campaign types compared
Reviewer persona, scope, granularity, and audit value differ by type. Combine types across your access landscape where needed.
| Type | Reviewer | Scope | Granularity | Audit value | Best for |
|---|---|---|---|---|---|
| Manager | Direct manager | All access per user | Medium | High | Broad workforce certifications, SOX, quarterly reviews |
| App owner | Application owner | All users of one app | High | High | Critical business apps, ERP, financial systems |
| Role owner | Role / group owner | All users in a role | High | High | Privileged roles, admin groups, sensitive functions |
| Entitlement owner | Data / system owner | All users per entitlement | Very high | High | Sensitive data entitlements, PCI / HIPAA-scoped access |
| Self-certification | The user themselves | Own access only | Low | Low alone | First-pass filter, low-risk apps, cost reduction |
| Peer-based | Analytics + manager | Outlier users only | Targeted | High | Privilege creep detection, anomaly review |
| Continuous | Triggered reviewer | Event-specific item | Surgical | Very high | High-velocity orgs, real-time risk |
Step 6 — Reporting and audit evidence
What Saviynt generates when a campaign closes
Reviewer decisions become structured, auditor-ready evidence — who certified what, when, and why — without multi-day investigations.
Decision coverage (100%): Complete audit trail
Every approve, revoke, and delegate logged with timestamp, reviewer identity, and item reviewed — immutable and exportable as PDF or CSV.
During-campaign metrics (live): Dashboard completion metrics
Track completion by reviewer, department, and application in real time — target reminders before close.
Compliance evidence (SOX): Regulator-ready evidence package
Structured for SOX 404, HIPAA access audits, PCI DSS 7.x, and ISO 27001 A.9 — scope, configuration, decisions, and revocation confirmations.
Risk posture: Revocation impact report
Which access was revoked, which workflows ran, and whether they completed — clear picture of risk reduction per campaign.
Analytics layer (AI): Peer analytics and risk refresh
Results feed access intelligence; repeated revocations flag structurally over-provisioned entitlements upstream.
Operational metrics (SLA): Reviewer performance report
Time-to-decision, escalation frequency, delegation rate, and no-action rate — surface governance bottlenecks outside the tool.
Step 7 — Ecosystem & Saviynt automation
Campaigns in your governance ecosystem
Real value appears when certification connects to ITSM, cloud directories, and GRC — closed-loop revocation and evidence, not PDF theater.
Saviynt integration
ServiceNow
Revoke decisions open change requests or incidents; deprovisioning is tracked with SLAs and confirmation back to Saviynt.
Microsoft Entra ID and Azure
Group memberships, app roles, and policies feed campaign scope; revocations write back to Entra in real time.
AWS IAM and Identity Center
Roles, permission sets, and policies in scope; revocations trigger API removal of assignments — no manual follow-up.
GRC and audit platforms
Evidence exports populate Archer, MetricStream, or ServiceNow GRC controls — auditors get structured packages.
HR systems (Workday, SAP HCM)
Org-chart-driven reviewer routing updates automatically as structures change.
SIEM and SOC
Campaign and revocation events as structured telemetry to Splunk, Sentinel, or Elastic — governance beside security signals.
Step 8 — Best practices
What high-maturity certification programs do differently
Design choices separate campaigns that satisfy auditors from those that actually improve security posture.
Run campaigns on a predictable cadence
High-risk entitlements: quarterly. Standard apps: semi-annual. Low-risk: annual. Document the schedule in policy before launch — ad-hoc runs signal a reactive program.
Risk-prioritize scope relentlessly
Start with entitlements that would cause the most harm if over-assigned — finance admin, cloud root equivalents, PII stores. Low-risk read-only test access can wait.
Enable auto-revocation for undecided items
The strongest control is consequence for inaction. Communicate before launch: inaction must never mean implicit approval.
Show reviewers context — not just checkboxes
“SAP_FI_ADMIN” alone gets rubber-stamped. Add last-used date, peer comparison, and risk score so reviewers can revoke with confidence.
Integrate deprovisioning before first launch
A revoke that only generates a PDF is theater. Connect Saviynt to targets or ITSM so revocation is automatic and tracked.
Keep campaigns short; hold reviewers accountable
Beyond four weeks, completion drops. Use 2–3 week bursts with reminders on days 3, 7, and two days before close.
Pair periodic runs with continuous certification
Periodic reviews are lagging; event-triggered reviews catch high-risk grants immediately. Use bulk campaigns as a safety net, not the only control.
Measure campaign health over time
Track completion, revocation, delegation, and time-to-decision each cycle. Falling revocation rates may mean rubber-stamping; rising delegation may mean missing context.
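The reviewer performance report in Step 6 and the best practices above name concrete, computable things: a cadence by risk tier (quarterly, semi-annual, annual), reminders on days 3 and 7 and two days before close, and per-cycle health metrics (completion, revocation, delegation, no-action and time-to-decision) with trend signals such as a falling revocation rate. The Python below is an added example that computes those from a campaign's audit log; it is not Saviynt's reporting module or FuturevisionIA code, and the record fields, tier names, the 5-percentage-point trend threshold and the sample audit entries are constructed assumptions.

```python
"""Campaign health metrics, risk-tier cadence, and reminder schedule.

Added illustration; audit record fields, tier names and thresholds are
assumptions, not Saviynt's reporting schema.
"""
from datetime import date, datetime, timedelta, timezone
from statistics import median

# Cadence from the page: high-risk quarterly, standard semi-annual, low-risk annual.
CADENCE_DAYS = {"high": 91, "standard": 182, "low": 365}


def next_campaign_date(last_close: date, risk_tier: str) -> date:
    """When the next campaign for this risk tier is due."""
    return last_close + timedelta(days=CADENCE_DAYS[risk_tier])


def reminder_schedule(launch: date, close: date):
    """Reminders on days 3 and 7 after launch and two days before close,
    dropping any that fall outside the campaign window."""
    candidates = [launch + timedelta(days=3), launch + timedelta(days=7),
                  close - timedelta(days=2)]
    return sorted({d for d in candidates if launch < d < close})


def campaign_health(audit, launch: datetime):
    """Per-cycle rates over a closed campaign's audit log.
    A record with decision "none" is an item the reviewer never acted on."""
    total = len(audit)
    decided = [r for r in audit if r["decision"] != "none"]
    days_to_decision = [(r["ts"] - launch).total_seconds() / 86400 for r in decided]

    def rate(n):
        return round(n / total, 3) if total else 0.0

    return {
        "completion_rate": rate(len(decided)),
        "revocation_rate": rate(sum(r["decision"] == "revoke" for r in audit)),
        "delegation_rate": rate(sum(r["decision"] == "delegate" for r in audit)),
        "no_action_rate": rate(total - len(decided)),
        "median_days_to_decision": round(median(days_to_decision), 1) if days_to_decision else None,
    }


def health_warnings(current, previous, drop=0.05):
    """Trend signals from the page: falling revocation may mean rubber-stamping,
    rising delegation may mean reviewers lack context. Threshold is an assumption."""
    warnings = []
    if current["revocation_rate"] < previous["revocation_rate"] - drop:
        warnings.append("revocation rate falling: check for rubber-stamping")
    if current["delegation_rate"] > previous["delegation_rate"] + drop:
        warnings.append("delegation rate rising: reviewers may lack context")
    if current["no_action_rate"] > previous["no_action_rate"] + drop:
        warnings.append("no-action rate rising: tighten reminders and escalation")
    return warnings


# Constructed sample: a three-week campaign and its audit log.
LAUNCH = datetime(2024, 3, 4, tzinfo=timezone.utc)
CLOSE = LAUNCH + timedelta(days=21)
SAMPLE_AUDIT = [
    {"ts": LAUNCH + timedelta(days=2), "decision": "approve"},
    {"ts": LAUNCH + timedelta(days=4), "decision": "revoke"},
    {"ts": LAUNCH + timedelta(days=6), "decision": "approve"},
    {"ts": LAUNCH + timedelta(days=9), "decision": "delegate"},
    {"ts": CLOSE, "decision": "none"},  # auto-revoked by the system at close
]
PREVIOUS_CYCLE = {"revocation_rate": 0.3, "delegation_rate": 0.1, "no_action_rate": 0.2}

if __name__ == "__main__":
    print(reminder_schedule(LAUNCH.date(), CLOSE.date()))
    health = campaign_health(SAMPLE_AUDIT, LAUNCH)
    print(health)
    print(health_warnings(health, PREVIOUS_CYCLE))
    print(next_campaign_date(CLOSE.date(), "high"))
```

The health figures are only meaningful as a trend, which is why `health_warnings` compares against the previous cycle rather than against fixed targets; a single cycle's 20% revocation rate says little until you know last cycle's was 30%.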
Ready to run your first certification campaign?
FuturevisionIA designs, configures, and optimizes Saviynt certification programs — strategy, scope, reviewer training, ServiceNow integration, and audit evidence packaging.