Testing Certification Reminders and Escalations

Applicable IdentityIQ Versions: 5.5, 6.0, 6.1, 6.2

Certification reminders and escalations are time-dependent in their execution: a specified amount of time must
pass before they will occur. During development of escalation rules or reminder/escalation notice email
templates, much time could be lost while waiting for the required time to elapse to test them. This document
describes some alternatives that allow for testing of these rules and templates without waiting days for them to
execute.

NOTE: The options described here assume the tests are being conducted in a non-production environment.

Artificially Advance Time


The easiest way to test escalations is to artificially alter time for the application. For pre-6.0 versions of
IdentityIQ, this can be done by adjusting the operating system clock. IdentityIQ 6.0 introduced a new feature in
the Debug pages called Time Machine which can simulate time advancement within the escalation/reminder
time calculation algorithm to assist in this testing.

NOTE: Changing time may have consequences for other actions occurring in the system, so the techniques
outlined in this document may work best in non-shared environments. Time Machine's effect on time is more
limited than system clock alterations; it only affects the time calculations for work item escalations and
reminders, which includes certification work items.

Using Time Machine


The Time Machine feature affects the calculation algorithm for determining when to trigger certification (and
other work item) reminders and escalations by incorporating an advancement of the specified number of days
(or hours or minutes) in that calculation. It is disabled by default. Enable it by navigating to the Debug Pages
and adding this entry to the System Configuration object:

<entry key="timeMachineEnabled" value="true"/>

Testing Certification Reminders and Escalations Page 1 of 8


Figure 1: System Configuration object in Debug Pages

Save the System Configuration object and navigate to URL: [IdentityIQ Base URL]/debug/timeMachine.jsf
(this is a hidden page). Specify the number of days (or hours or minutes) to move forward in time and click
Advance Time. The system reports the time advanced and the new current date/time that will be used in
reminder/escalation determinations.

Figure 2: Advancing Time with Time Machine

Any subsequent advancements of time are applied cumulatively until time is reset. For example, if time is first
advanced by 3 days and then by 1 day, the current date/time used for these determinations will be 4 days in the
future from the actual current date/time.

To revert to the real current time, click Reset.

Figure 3: Reset to Current Date

The time advancement is saved in the JVM so it applies to any escalation/reminder calculations that occur in the
UI instance until time is reset or the application server is stopped and restarted. It is not applied at the
operating system level, so the system clock remains unchanged; it also does not update the JVM clock directly,
so other actions such as scheduling certifications or running tasks will still be time-stamped with the real
current time. If more than one instance of IdentityIQ is running (e.g. a request server and a task server), only
actions taken by the same application server will use the time advancement, so the same server where Time
Machine is used must also run the Check Expired Work Items task. Time advancements applied in the UI do not
apply to actions taken in the iiq console, since that runs in a separate JVM. The console has its own
timeMachine function that allows advancement by a specified number of days.

NOTE: Certification reminders and escalations are scheduled by days, so in general, only the Time Machine's
Days increment is useful for this testing, except in cases where a substantial amount of time has already passed
and the next notification event should happen in a matter of minutes or hours.

System Clock Alteration


For pre-6.0 installations, or for 6.0 installations needing a broader application of the time change for their
testing, changing the system clock can be done manually or through a script. The script below works in a
Windows environment to set the date and time to the timestr and datestr values recorded in it.

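// Set the Windows system date, then the time, to the values below.
String timestr = "15:00";
String datestr = "09-23-2011";
Runtime rt = Runtime.getRuntime();
Process proc;
proc = rt.exec("cmd /C date " + datestr);
proc.waitFor(); // wait for the date change to finish before setting the time
proc = rt.exec("cmd /C time " + timestr);
proc.waitFor();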

Testing Cert Reminders/Escalations with Time Movement


These are the steps required to test reminders/escalations through time movement.
1. Generate a certification with the appropriate reminder schedule and template or escalation rule and
template specified.
2. Advance time by the number of days required to trigger a reminder or escalation.
3. Run the Check Expired Work Items task to execute pending reminders and escalations. By default, this
task is configured to run once daily at midnight, so advancing the system clock by a day or more at a
time will automatically launch that task immediately. Time Machine adjustments do not trigger the
scheduled task, so in that case, this task must be run manually.
The Perform Maintenance task also affects certifications and may need to run to test other certification-
related activities, such as moving from one phase to another. It is not, however, necessary for testing
only reminders and escalations. This task runs by default every 5 minutes, though that schedule can be
altered or the task can be run manually as needed.
4. Examine the emails sent or look at the workItem(s) to see their changes in ownership through
escalation.
5. Repeat steps 2 - 4 until all reminders/escalations have run.

This example illustrates this process.

1. Create a certification with an active period duration of 1 week, a reminder set for 4 days before
expiration and an escalation configured to occur 1 day after one reminder is sent. (For this example,
escalation to a new owner is configured to occur only once.)
NOTE: The method for configuring additional escalations in versions 6.0+ is different from 5.5 and earlier
versions. Pre-6.0, only a single escalation configuration could be specified per certification; it could be
run more than once during the certification's lifecycle and its escalation rule had to determine the
appropriate new owner for each escalation level. Beginning with 6.0, each reminder series and each
escalation can be independently specified, providing additional flexibility in the notification options;
multiple separate escalation configurations can be added to each certification configuration as needed.
This means that different timings, email templates, and escalation rules can now be applied to each
escalation, and each escalation rule only needs to return a single new escalation owner. See the
Lifecycle of a Certification white paper for further information.

Figure 4: Reminder/Escalation in IdentityIQ 5.5

Figure 5: Reminder/Escalation in IdentityIQ 6.0

2. Move time forward 3 days and watch the reminder occur; verify that the email was sent.
3. Move time forward 1 more day and see the escalation occur.
NOTE: In 5.5 and earlier versions, the reminder specification applies to the escalation recipient as well,
so they will also receive daily reminders after escalation. In 6.0, that reminder series must be explicitly
configured to occur after the escalation if it is desired.

Modify the WorkItem's WakeUpDate


The other method for testing reminders or escalations in a compressed time period applies only to version 5.5
and earlier; this method is no longer supported in versions 6.0+. This method alters the timing in the workItem
itself, rather than changing time.

The delay duration before sending a reminder or escalating the workItem is controlled by the wakeUpDate
attribute on the workItem. That attribute can be altered on the workItem to trigger the reminder or escalation.

These are the steps to test reminders and escalations through modification of the workItem.
1. Generate a certification with the appropriate reminder schedule, reminder email template, escalation
rule, and escalation email template specified. This creates one or more workItems which each reference
a certification access review. (Subsequent steps assume the test is being conducted with a single access
review and therefore a single workItem.)
2. Open the workItem in the IdentityIQ Debug pages and change its wakeUpDate to -1 to indicate that
wake-up time has passed, meaning it is time for the first reminder or escalation to occur.
<WorkItem certification="4028df013e320270013e3db3e48605f8" created="1366834800906"
expiration="1367439599750" handler="sailpoint.api.Certificationer"
id="4028df013e320270013e3db3e90a0624" level="Normal"
modified="1366834861921" name="0000000102" type="Certification"
wakeUpDate="-1">
<Description>Manager Access Review for Catherine Simmons</Description>

</WorkItem>

To skip reminders and go straight to escalation, change the escalationMaxReminders value on the
WorkItem's NotificationConfig to 0.
<NotificationConfig escalationEnabled="true" escalationMaxReminders="0"
initialReminderMillisBeforeEnd="345600000" reminderFrequency="86400000"
remindersEnabled="true">

</NotificationConfig>

3. Run the Check Expired Work Items task; escalation and reminder actions only take place during a scan
for expired work items. Examine the emails that are generated or examine the workItem's current
ownership to see that the escalation has been performed as expected.
4. Repeat steps 2 - 3 until all reminders/escalations have run.
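
Added example (not part of the original SailPoint document): a Python helper that reads the WorkItem and NotificationConfig attributes shown above and works out how many days of time advancement are needed before each reminder or escalation falls due, reproducing the 3-day and 1-day steps of the earlier time-movement walkthrough. The function name, the nesting of NotificationConfig inside WorkItem, and the timing model are assumptions inferred from the text.

```python
import math
import xml.etree.ElementTree as ET

DAY_MS = 86_400_000
# Constructed sample built from the attribute values shown on this page.
# Assumptions: NotificationConfig nests inside WorkItem, and
# escalationMaxReminders is 1 to match the one-reminder-then-escalate example.
SAMPLE_WORKITEM = """
<WorkItem created="1366834800906" expiration="1367439599750" type="Certification">
  <NotificationConfig escalationEnabled="true" escalationMaxReminders="1"
      initialReminderMillisBeforeEnd="345600000" reminderFrequency="86400000"
      remindersEnabled="true"/>
</WorkItem>
"""

def notification_plan(workitem_xml, now_ms):
    """Return [(event, due_ms, cumulative_days_to_advance)] in firing order.

    Assumed model, inferred from the text rather than SailPoint's code: the
    first wake-up is initialReminderMillisBeforeEnd before expiration, later
    ones follow every reminderFrequency, and a wake-up escalates once
    escalationMaxReminders reminders have been sent.
    """
    item = ET.fromstring(workitem_xml)
    cfg = item.find("NotificationConfig")
    expires = int(item.get("expiration"))
    due = expires - int(cfg.get("initialReminderMillisBeforeEnd"))
    step = int(cfg.get("reminderFrequency"))
    if step <= 0:
        raise ValueError("reminderFrequency must be positive")
    reminders = cfg.get("remindersEnabled") == "true"
    escalate = cfg.get("escalationEnabled") == "true"
    limit = int(cfg.get("escalationMaxReminders", "0"))
    plan, sent = [], 0
    while due < expires:
        kind = "escalation" if escalate and sent >= limit else "reminder"
        if kind == "reminder" and not reminders:
            break
        # Notifications are scheduled by days, so round up to whole days.
        plan.append((kind, due, max(0, math.ceil((due - now_ms) / DAY_MS))))
        if kind == "escalation":
            break  # single escalation, as in the walkthrough
        sent += 1
        due += step
    return plan

if __name__ == "__main__":
    for event in notification_plan(SAMPLE_WORKITEM, now_ms=1366834800906):
        print(event)  # now_ms is the sample's created timestamp
```

The day counts are measured from now_ms, so they are cumulative: advance by the difference between consecutive entries, then run the Check Expired Work Items task after each advancement.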

Test Reminder or Escalation Email Alone


If the purpose of the test is simply to verify an email template, it is possible to test either reminder emails or
escalation emails (but not both simultaneously) in minutes without needing to move the system clock or alter
the workItems at all. To test either of these options alone:
1. Specify a certification with an active period duration of 1 day.
2. Request a reminder or an escalation 1 day before expiration.
3. Run the Check Expired Work Items task. The reminder or escalation occurs immediately.
The fastest both options can be tested in sequence without moving the system clock or altering the workItem
artificially is 24 hours. Likewise, testing multiple escalations without using either of the artificial acceleration
means requires a minimum of 24 hours between escalations.

Altering TaskSchedule Frequency


In some cases, it may also be helpful to alter the execution frequency of a scheduled task. For these testing
options, for example, the Check Expired Work Items task could be scheduled to run once a minute instead of
once a day so it would not have to be run manually as part of these procedures. The timing of a scheduled task is
controlled by the CronExpressions value in its TaskSchedule XML, which can be seen through the IdentityIQ
Debug pages. The taskSchedule for the expired work items task is called Check expired work items daily. The
cron string to execute once every minute is: 0 0/1 * * * ?

Figure 6: Cron string for every-minute execution

NOTE: The new frequency does not take effect until the next time the task runs according to the previous
schedule, so either wait for the task to run again or advance the system clock to force it to run to reset the task
execution frequency. To verify that the timing change has been set correctly, click the Scheduled Tasks tab on
the Monitor -> Tasks window and examine the next execution time for the Check expired work items daily task.

Document Revision History

Revision Date    Written/Edited By    Comments
Feb. 13, 2012    Jennifer Mitchell    Compiled options into one document from other sources
April 2013       Jennifer Mitchell    Reworked for clarity and compatibility with IdentityIQ 6.0
August 2013      Aaron Saenz          Reviewed for compatibility with IdentityIQ 6.1
Feb 2014         Jennifer Mitchell    Confirmed compatibility with IdentityIQ 6.2

Copyright 2014 SailPoint Technologies, Inc., All Rights Reserved.

SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or
direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Restricted Rights Legend. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to another
language without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change
without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in
Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the
Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

Regulatory/Export Compliance. The export and reexport of this software is controlled for export purposes by the U.S. Government. By
accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they
relate to software and related documentation. Licensee will not export or reexport outside the United States software or documentation,
whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing.
A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international
terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S.
Government's Entities List; a party prohibited from participation in export or reexport transactions by a U.S. Government General Order;
a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S.
jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or
regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate
to software and related documentation.

Trademark Notices. Copyright 2014 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo, SailPoint IdentityIQ,
and SailPoint Identity Analyzer are trademarks of SailPoint Technologies, Inc. and may not be used without the prior express written
permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons
indicated.
