ConductorOne Docs

Review revocation proposals

Revocation tasks are assigned to you when your expertise is needed to review the proposed removal of a colleague's access to an application or specific resource.

Complete a revocation task

Revocation tasks are generated when someone (such as the user, their manager, or a reviewer during an access review campaign) decides that access is no longer used, needed, or appropriate, and recommends its removal. You are assigned a revocation task so that you can review the proposed revocation before the access is removed. Reviewers are assigned based on the applicable revoke policy.

How are revocation tasks created?

A revocation task can be created in three ways:

  1. When the account owner’s manager, the application owner, or the resource owner clicks Revoke on either an application’s Grants tab or an entitlement’s Grants tab, this creates a revocation task. This type of revocation can happen at any time and isn’t tied to an access review campaign.

  2. When the account’s access to the resource is reviewed and denied during an access review campaign. The revocation task is automatically created when the campaign ends if the review policy used includes a revocation followup step.

  3. When the account’s access to the resource is reviewed and denied during an access review campaign, but the review policy used does not include a revocation followup step, the Campaign Owner can manually create a revocation task.

In all three of these cases, ConductorOne creates a revocation task and assigns it to the appropriate reviewer (you’re likely reading this because that’s you!).

If you approve the proposed revocation, ConductorOne will next create a deprovisioning task, which might be automatic or manual.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a revocation task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log in to ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not direct you to the task list automatically, locate it by clicking on Revocations in the Assignments section of the navigation panel. The badges next to each of these menu items show the number of tasks of each type currently awaiting your attention.

Step 2: Review the task and take action

Each line in the table is a task assigned to you. For each task, complete the appropriate steps:

  1. Review the proposal

    • Look at the account and the resource. Is this access no longer needed for the user’s work, or no longer appropriate to the user’s role in the company?

  2. (Optional) Find more information about the proposal

    If you need more information about the request, click the task number to open the details view, where you’ll find additional information to help you make your decision:

    • Click the arrow next to the account name to open the Account attributes panel. Here you’ll see all attributes associated with the application account.

    • The Comments section shows any notes other members of your organization have made about this task.

    • The Task details section shows the task’s workflow, highlighting the role you play, and the policy being applied to this task. In this section you’ll also find controls to reassign the task, if reassignment is allowed.

  3. Provide your decision

    • If you agree that the access should be revoked, click Confirm.

    • If you don’t think this access should be revoked, click Deny. This means you believe the access is still needed and appropriate.

Step 3: Repeat the process

Repeat these steps to review and take action on each task assigned to you.

To take the same action on multiple tasks at once, select each task by clicking its checkbox, then select the action from the menu at the bottom left. You’ll be prompted to add a comment about your action, which is posted on each impacted task.

Click Completed tasks to see everything you’ve finished so far.

Reassign a revocation task

In some cases, such as when an employee has moved to a new position in the company or when a colleague is out of the office on an extended vacation or leave, the task cannot be completed by its assigned reviewer and must be reassigned.

  1. In the task list, click Reassign. Alternatively, from a task’s details view, click Reassign in the Assigned to area.

  2. Select the new assignee and provide a reason for the reassignment.

The newly assigned reviewer will receive email and Slack (if enabled) notifications about their new revocation task assignment.