Okay! I am trying to be pretty descriptive here. Suppose you have created a certification in Sailpoint's Identity IQ. The Certification Owner has revoked a user and saved the certification. Then the certification header would be something like this.
An email is sent to the administrator to revoke the entitlement/account. Administrator, being a good employee has done the revocation right away.A scheduled Account Aggregation, in the next few hours, get kicked off and brings in the new data regarding the revocation.
An Identity refresh scheduled for the same night, updates the entitlements for the users.
Problem:You still do not notice the update in the Certification header. It still shows a list of items, which were completed, as due.
Solution:In every Certification configuration there is a parameter named nextRevocationsScantimeThis has a default setting which is inherited from a SystemConfiguration setting. remediationScanInterval set to 86400000 milliseconds
nextRevocationsScantime attribute is created along with remediationsKickedOff="2"The above attribute is created, once you revoke someone and save the cert.
Later when you remove the entitlements in database and do an account aggregation and identity refresh; it shall not directly reflect in your cert. Once the nextRevocationsScantime is complete and PERFORM MAINTENANCE TASK runs then it scans and completes the process.
Later in the cert you will not see nextRevocationsScantime. Rather you would see this. remediationsCompleted="1" remediationsKickedOff="1"Hope this helps to few consultants.