SailPoint Access Certifications — Campaigns, Reviews & Revocations

Access certifications are how SailPoint IGA closes the loop on who still needs what. This lesson walks every campaign type — manager, source owner, role and search — through the reviewer workflow, revocation and remediation, continuous certification, and the design choices that keep your review cycles lean and audit-ready.

📅 2026-06-20 · ⏱ 16 min

⚡ Quick Answer

Master SailPoint access certifications in 2026: manager, source, role and search campaigns, reviewer workflows, revocations, continuous certification and design best practices for IGA compliance.

In this lesson

  1. What it is: why certifications exist and what they prove.
  2. Campaign types: manager, source, role and search campaigns.
  3. Review & revocation: reviewer workflow, decisions and remediation.
  4. Continuous & design: always-on certs and best-practice design.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What is the main purpose of an access certification campaign?

Answered in What it is.

2. Which campaign type asks a manager to review all entitlements held by their direct reports?

Answered in Campaign types.

3. What happens after a reviewer clicks 'Revoke' in SailPoint?

Answered in Review & revocation.

Most engineers think…

Most people treat access certifications as an annual checkbox — a spreadsheet that managers rubber-stamp right before an audit. That mental model creates real risk and always surfaces in interviews.

SailPoint access certifications are a structured, trackable governance workflow: the platform generates campaigns, routes entitlement-level decisions to the right reviewers, records every approve/revoke with a timestamp, and triggers provisioning to actually remove revoked access. Add continuous certification and the review cycle becomes event-driven, not calendar-driven. Understanding those mechanics — not just 'we do annual reviews' — is what separates a confident IGA practitioner from a tick-the-box one.

① Why access certifications exist — and what they actually prove

Every identity accumulates access over time: a new project, a temporary system grant, a role given during onboarding that was never removed. Access certification (also called an access review) is the process that periodically forces a human — the right human — to look at each entitlement and say 'yes, still needed' or 'no, revoke it'.

In SailPoint IGA, certifications are not spreadsheets. They are structured campaigns with defined scope, designated reviewers, deadlines, escalation rules and a full audit trail. The output is not just a report — it is a set of provisioning actions that the platform executes to fulfil revocations. Auditors (SOX, HIPAA, ISO 27001) accept this trail as evidence that access is controlled.

The core value: certifications catch permission creep — the slow accumulation of access that no one deliberately granted but nobody removed either. Without them, over time almost every identity holds more access than it needs.

Figure 1 — The certification lifecycle
Every SailPoint certification campaign moves through the same five stages from creation to closed audit evidence.
Stages: Create (scope, reviewers, deadline) → Active (reviewers get tasks) → Decisions (approve / revoke / reassign) → Remediate (revokes provisioned out) → Complete (audit trail closed).

Quick check · Q1 of 10 · Understand

What problem do SailPoint access certifications primarily solve?

Correct: b. Certifications address permission creep — the accumulation of access no one deliberately granted but nobody removed. Reviewers confirm or revoke each entitlement, and SailPoint actions the revocations through provisioning.
👉 So far: Access certifications catch permission creep — structured campaigns with designated reviewers, decisions per entitlement, and provisioning-backed revocations, all stored as audit evidence.

② The four campaign types — choosing the right scope

SailPoint IGA offers four campaign types, each scoping the review differently. Manager campaigns are the most common: every manager reviews the full set of entitlements held by their direct reports. This maps to the real-world question 'does my team still need this access?' and scales naturally with org structure.

Source owner campaigns flip the lens: instead of asking managers, the owner of a system (e.g. the Salesforce admin) reviews all identities that have access to that source. This is ideal for privileged or regulated systems where the source owner knows best who should be there.

Role and search campaigns

Role campaigns review membership in a role — useful when roles bundle many entitlements and you want to confirm who is legitimately in each role. Search campaigns are the most flexible: an administrator defines a custom filter (identities with a specific entitlement, in a department, on a risk score) and that cohort becomes the review scope. Use search campaigns for surgical, risk-based reviews outside the normal manager or source cycle.

Figure 2 — Four campaign types, one engine
All four campaign types run through the same SailPoint certification engine — only the review scope and reviewer assignment differ.
Diagram: manager, source owner, role and search campaigns all feed the SailPoint IGA cert engine.

Manager campaign

The manager reviews all entitlements held by their direct reports. Most common campaign type — maps to real org structure and satisfies broad hygiene requirements.

Source owner campaign

The owner of a source (system admin) reviews all identities that have access to that source. Best for privileged or regulated systems where the admin knows who belongs.

Role campaign

Reviews membership in a SailPoint role. Useful when roles bundle many entitlements — confirm who is legitimately in each role before the next role-based provisioning cycle.

Search campaign

The most flexible type: an admin defines a filter (entitlement, department, risk score) and that cohort is reviewed. Use for surgical, risk-based reviews outside the standard manager or source cycle.

Match campaign type to the reviewer's knowledge

Manager campaigns work when the manager knows what their reports do day-to-day. Source owner campaigns work when the system admin knows who belongs on their platform. Never use a manager campaign to review a privileged system the manager has never logged into — that is rubber-stamping by design. Match the campaign scope to the person who genuinely knows the answer.

Quick check · Q2 of 10 · Apply

A security team wants to review all identities that hold a specific high-risk entitlement, regardless of department. Which campaign type fits best?

Correct: c. A search campaign lets admins define a custom filter — in this case, all identities holding a specific entitlement — and scope the review exactly to that cohort. Manager campaigns follow org hierarchy; source campaigns follow system ownership.
👉 So far: Four types: manager (review by org hierarchy), source owner (review by system admin), role (review role membership), search (custom filter, surgical scope). Match type to who knows the answer.

③ Reviewer workflow, decisions and revocation

Once a campaign is launched, SailPoint generates individual certification tasks for each reviewer. The reviewer sees a list of identities (or entitlements, depending on campaign type) and for each item makes one of three decisions: Approve (access is correct, keep it), Revoke (access should be removed), or Reassign (send this line to another reviewer for a second opinion or delegation).

SailPoint's AI recommendation layer presents a recommendation alongside each item. Studies of the platform show reviewers revoke access roughly twice as often when AI recommendations highlight risky or unused entitlements, reducing the rubber-stamp problem significantly.

From decision to revocation

When all reviewers sign off, the campaign either completes (all approved) or moves into a remediation phase. In remediation, every revoke decision generates a provisioning task — SailPoint sends the de-provisioning request to the source connector (Active Directory, Salesforce, AWS, etc.) and tracks fulfilment. Administrators can see open remediation items, chase overdue tickets, and confirm closure. The entire chain — reviewer decision, timestamp, provisioning action and confirmation — is stored for audit evidence.

Figure 3 — From revoke decision to access removed
A single reviewer revoke click triggers a chain that ends with the entitlement removed at the source and confirmed in SailPoint.
Steps: Revoke click (reviewer decision) → Remediation (task created in SP) → Connector (de-provision request) → Source (access removed).

'Revoke clicked = access removed' is wrong

A revoke decision moves the campaign into remediation and creates a provisioning task — but the entitlement is not removed until the source connector confirms it. If the connector is misconfigured or the ticket stalls, the identity keeps the access. Always monitor open remediation items and set an SLA on their closure. The audit evidence is complete only when the provisioning task is confirmed, not when the reviewer clicks.

A manager certification run end-to-end

Follow a single entitlement from campaign launch to revocation confirmed at the source.

① Launch: Admin creates a manager campaign scoped to all direct reports in the finance department; SailPoint generates reviewer tasks and sends notification emails.
② Review: The manager opens their certification queue, sees AI recommendations, and clicks Revoke on a legacy ERP admin entitlement no longer needed.
③ Remediate: Campaign closes; SailPoint creates a provisioning task and sends a de-provisioning request to the ERP connector.
④ Confirmed: The connector removes the entitlement, marks the task fulfilled, and the audit trail shows the full chain: decision, timestamp, action, confirmation.

Quick check · Q3 of 10 · Remember

What does SailPoint do after a reviewer marks an access item as 'Revoke' and the campaign closes?

Correct: c. After a revoke decision, SailPoint moves the campaign into remediation and creates provisioning tasks sent to the appropriate source connector. The fulfilment is tracked and confirmed, creating a full audit trail.
👉 So far: Reviewer decisions: Approve / Revoke / Reassign. Revoke triggers a remediation phase — a provisioning task de-provisions the entitlement at the source. Audit trail is complete only when provisioning is confirmed.

④ Continuous certification and design best practices

Continuous certification moves beyond fixed-schedule campaigns. Rather than waiting for the quarterly cycle, SailPoint monitors access-risk signals — a user changing roles, an entitlement being flagged as sensitive, a peer-group anomaly — and triggers a targeted review automatically. The reviewer is asked to recertify just the changed or risky access item, not a full entitlement list. This keeps governance real-time without reviewer fatigue from large annual campaigns.
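The event-driven model described above, as an added sketch that is not SailPoint code or its actual signal logic: each risk signal yields only the review items it touches. The event shapes, the 25 % peer threshold, routing to the identity's manager, and all sample identities are assumptions constructed for illustration.

```python
from collections import Counter

PEER_THRESHOLD = 0.25  # assumption: held by under 25% of peers counts as an anomaly

def sample_state():
    """Constructed identities; names, departments and entitlements are made up."""
    def rec(dept, manager, *ents):
        return {"dept": dept, "manager": manager, "entitlements": {"VPN_BASE", *ents}}
    return {
        "asha": rec("finance", "meera", "ERP_AP_CLERK", "SHARE_FINANCE", "ERP_ADMIN"),
        "ravi": rec("finance", "meera", "ERP_AP_CLERK", "SHARE_FINANCE"),
        "neha": rec("finance", "meera", "ERP_AP_CLERK", "SHARE_FINANCE"),
        "tom": rec("finance", "meera", "ERP_AP_CLERK", "SHARE_FINANCE"),
        "kiran": rec("engineering", "devlead", "GIT_WRITE", "AWS_DEV"),
        "lee": rec("engineering", "devlead", "GIT_WRITE", "AWS_DEV", "ERP_ADMIN"),
    }

def peer_outliers(who, state):
    """Entitlements `who` holds that fewer than PEER_THRESHOLD of dept peers hold."""
    held = state[who]["entitlements"]
    peers = [r["entitlements"] for name, r in state.items()
             if name != who and r["dept"] == state[who]["dept"]]
    if not peers:
        return set(held)  # no baseline to compare against: review everything held
    counts = Counter(e for peer in peers for e in peer)
    return {e for e in held if counts[e] / len(peers) < PEER_THRESHOLD}

def targeted_reviews(event, state):
    """Turn one risk signal into (reviewer, identity, entitlement, reason) items."""
    items = []
    if event["type"] == "role_change":
        who = event["identity"]
        # Apply the move first, then compare against the new peer group.
        state[who]["dept"] = event["new_dept"]
        state[who]["manager"] = event["new_manager"]
        for ent in sorted(peer_outliers(who, state)):
            items.append((state[who]["manager"], who, ent,
                          "carried over from previous role"))
    elif event["type"] == "entitlement_flagged_sensitive":
        ent = event["entitlement"]
        for who in sorted(state):
            if ent in state[who]["entitlements"]:
                items.append((state[who]["manager"], who, ent,
                              "entitlement newly marked sensitive"))
    elif event["type"] == "peer_scan":
        who = event["identity"]
        for ent in sorted(peer_outliers(who, state)):
            items.append((state[who]["manager"], who, ent, "peer-group anomaly"))
    return items

if __name__ == "__main__":
    move = {"type": "role_change", "identity": "ravi",
            "new_dept": "engineering", "new_manager": "devlead"}
    for item in targeted_reviews(move, sample_state()):
        print(item)
```

A mover keeps the entitlement every peer holds (VPN_BASE here) without review, while the two finance entitlements carried into engineering each become a single-item review for the new manager.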

Design best practices

Well-designed certification programmes share a few traits:

Right reviewer, right scope: manager campaigns for broad hygiene, source-owner campaigns for privileged systems, search campaigns for risk spikes.
Reasonable cadence: quarterly for most access, annual for low-risk, event-driven continuous for high-risk.
AI recommendations on: always enable them — the data consistently shows higher revocation rates and fewer rubber stamps.
Deadlines and escalation: set a firm deadline with an escalation to the reviewer's manager; campaigns without escalation stall.
Remediation SLA: a revoke decision means nothing if the provisioning ticket sits open for 90 days — track and close every remediation item.

Figure 4 — Periodic vs continuous certification
Scheduled campaigns cover broad hygiene; continuous certification handles real-time risk without waiting for the next cycle.
Periodic (scheduled): fixed cadence (quarterly/annual); full entitlement list per reviewer; easy to plan and audit; risk: access wrong between cycles.
Continuous (event-driven): triggered by risk signals; targeted single-item review; real-time governance posture; risk: needs tuned signal.

Priya at a Pune fintech runs into this

The quarterly manager certification campaign has a 15 % completion rate three days before the deadline, and the CISO is asking for audit evidence.

Likely cause

Managers are assigned 200+ entitlements each to review, there is no escalation rule set, and no reminder emails are configured — reviewers deprioritised the task.

Diagnosis

Campaign dashboard shows most certifications are still 'In Progress'; reviewer workloads are far too large and the campaign has no escalation path.

Admin ▸ Certifications ▸ Active Campaigns ▸ Campaign Details ▸ Reviewer Progress
Fix

For this cycle: manually escalate overdue certs to reviewer managers. Going forward: split large campaigns into source-scoped or search-scoped subsets, enable AI recommendations to cut decision time, set a deadline with auto-escalation to the reviewer's manager at day 5 of 7, and configure reminder notifications at day 3.

Verify

Next campaign: completion rate above 90 % by day 6; AI recommendations visible on each decision; escalation emails sent automatically on day 5.

Check the audit trail, not the campaign status

A campaign showing 'Complete' does not guarantee all revocations are actioned. Open the remediation report for the campaign and confirm every revoke has a fulfilled provisioning task with a closed date. Auditors look at the remediation evidence, not the completion banner. This is the step most IGA teams skip and the one that gets flagged in audits.
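One way to run the check described here and in the "'Revoke clicked = access removed' is wrong" note, as an added example that is not SailPoint code: reconcile every revoke decision against a fulfilled provisioning task with a closed date. The record fields, the 14-day SLA and the sample rows are assumptions constructed for illustration, not a SailPoint export schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 14  # assumption: the lesson says to set an SLA but gives no number

@dataclass(frozen=True)
class Revoke:            # one reviewer revoke decision (hypothetical export fields)
    identity: str
    entitlement: str
    source: str
    decided_on: date

@dataclass(frozen=True)
class Task:              # one provisioning task (hypothetical export fields)
    identity: str
    entitlement: str
    source: str
    status: str          # "fulfilled", "open" or "failed"
    closed_on: Optional[date] = None

def remediation_gaps(revokes, tasks, today, sla_days=SLA_DAYS):
    """Return revoke decisions that lack a fulfilled, dated provisioning task."""
    by_key = {(t.identity, t.entitlement, t.source): t for t in tasks}
    gaps = []
    for r in revokes:
        task = by_key.get((r.identity, r.entitlement, r.source))
        if task is None:
            reason = "no provisioning task"
        elif task.status != "fulfilled":
            reason = f"task {task.status}"
        elif task.closed_on is None:
            reason = "fulfilled without closed date"
        else:
            continue  # decision, action and confirmation are all present
        age = (today - r.decided_on).days
        gaps.append({"identity": r.identity, "entitlement": r.entitlement,
                     "reason": reason, "age_days": age,
                     "sla_breached": age > sla_days})
    # Oldest unresolved revokes first: those are the ones an auditor will find.
    return sorted(gaps, key=lambda g: g["age_days"], reverse=True)

# Constructed sample data for a campaign whose status reads "Complete".
TODAY = date(2026, 4, 25)
REVOKES = [
    Revoke("asha.k", "ERP_ADMIN", "ERP", date(2026, 4, 1)),
    Revoke("ravi.m", "System Administrator", "Salesforce", date(2026, 4, 2)),
    Revoke("tom.b", "SHARE_FINANCE", "Active Directory", date(2026, 4, 3)),
    Revoke("neha.p", "AWS_POWERUSER", "AWS", date(2026, 4, 20)),
]
TASKS = [
    Task("asha.k", "ERP_ADMIN", "ERP", "fulfilled", date(2026, 4, 5)),
    Task("ravi.m", "System Administrator", "Salesforce", "open"),
    Task("neha.p", "AWS_POWERUSER", "AWS", "failed"),
]

if __name__ == "__main__":
    for gap in remediation_gaps(REVOKES, TASKS, TODAY):
        print(gap)
```

Only one of the four revokes in the sample has a complete evidence chain; the other three still hold access even though every reviewer has signed off.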

Quick check · Q4 of 10 · Analyze

Why does continuous certification reduce reviewer fatigue compared to a large annual campaign?

Correct: c. Continuous certification is event-driven and targeted — a reviewer sees only the changed or risky access item, not hundreds of entitlements on a fixed-schedule list. Fatigue comes from volume and irrelevance; continuous certification solves both by scoping each review to exactly what changed.
👉 So far: Continuous certification is event-driven — risk signals trigger targeted single-item reviews in real time. Best practice: right reviewer, right scope, AI recommendations on, escalation rules set, remediation SLA enforced.

📝 Wrap-up assessment — six more

Q5 · Remember

Which campaign type asks each manager to review the entitlements held by their direct reports?

Correct: d. Manager campaigns scope the review to a manager's direct reports. Source owner campaigns scope to a system; role campaigns to role membership; search campaigns to a custom filter.
Q6 · Understand

Why is a 'Complete' campaign status not sufficient audit evidence on its own?

Correct: b. Campaign completion means reviewers finished their decisions. Revoked entitlements are only actually removed when the provisioning tasks in the remediation phase are confirmed fulfilled by the source connector. Auditors need that remediation evidence, not just the completion status.
Q7 · Apply

A Salesforce admin wants to review every identity that has the 'System Administrator' profile in Salesforce. Which campaign type is most appropriate?

Correct: b. A source owner campaign scopes the review to a specific source (Salesforce) and assigns it to the source owner — in this case the Salesforce admin who knows best who should hold System Administrator access. A search campaign could also work but source owner is the canonical fit here.
Q8 · Analyze

An IGA team notices managers consistently approve everything without reading the items. Which change most directly addresses this?

Correct: b. Enabling AI recommendations is the evidence-backed intervention — studies of SailPoint deployments show reviewers revoke access roughly twice as often when AI suggestions are visible, because they no longer have to research each item themselves. Annual campaigns reduce frequency but do not fix rubber-stamping; bulk-approve makes it worse.
Q9 · Evaluate

A campaign is approaching its deadline and only 40% of reviewers have responded. What is the most effective escalation strategy?

Correct: c. Auto-escalation to the reviewer's manager plus reminders is the standard IGA best practice for stalled campaigns. Auto-approving outstanding items defeats the purpose of certification. Deleting the campaign loses work done. Indefinite extension is not audit-acceptable.
Q10 · Evaluate

What is the primary advantage of continuous certification over a purely scheduled quarterly campaign?

Correct: d. Continuous certification is event-driven — risk signals (role change, peer anomaly, new sensitive entitlement) trigger a targeted single-item review immediately. A quarterly campaign would leave risky access in place for up to three months after a risk signal fires.
🧠 In your own words

Type one line: explain the difference between a campaign completing and the revocation being done. Then compare with the expert version.

Expert version: A campaign completes when all reviewers have signed off their decisions. That is the governance step. The revocation is done only when the remediation phase creates a provisioning task, the source connector de-provisions the entitlement, and the task is confirmed as fulfilled. The audit trail is not complete until that last confirmation is recorded — campaign completion is necessary but not sufficient for a clean audit.

📖 Glossary

Access certification
A structured review campaign in which designated reviewers confirm or revoke identities' entitlements; the output is a provisioning-backed audit trail.
Manager campaign
A certification type where each manager reviews all entitlements held by their direct reports, mapped to org hierarchy.
Source owner campaign
A certification type where the owner of a source (e.g. a system admin) reviews all identities with access to that source.
Remediation phase
The post-review stage of a campaign where revoke decisions are converted into provisioning tasks sent to source connectors to remove access.
Continuous certification
Event-driven certification triggered by risk signals (role change, peer anomaly, new sensitive entitlement) in real time, rather than on a fixed schedule.
Permission creep
The gradual accumulation of access rights over time that goes beyond what a user currently needs, addressed by regular certification campaigns.
Provisioning task
A tracked work item in SailPoint that carries a de-provisioning instruction to a source connector; the task must be confirmed fulfilled to complete the audit trail.
AI recommendation
SailPoint's AI-generated approve or revoke suggestion per entitlement, based on usage data, peer-group analysis and risk signals, shown to reviewers to reduce rubber-stamping.
