ConductorOne Docs

Create an access review campaign

As an organization, you need to know who has access to what, each user's level of access, and if the access is appropriate and needed. Access review campaigns are a chance to systematically review and update user access.

Why run an access review campaign?

Access review campaigns help Security and IT teams to securely control what software users can access, all while making sure employees can also successfully complete their work.

From a least privilege and security perspective, ensuring that users only have the access they need, for only as long as they need it, reduces the access footprint of your company for sensitive systems and data. Running regular access review campaigns also helps you to achieve compliance with security standards and audit requirements.

Step 1: Set up the campaign

Only users with the Campaign Administrator or Super Administrator user roles in ConductorOne can create and manage campaigns. See User roles for more information.

  1. In the navigation panel, click Campaigns.

    A list of all campaigns created by your organization is shown. Once your new campaign is created, it will be added to this list.

  2. Click Create.

  3. Fill out the form, providing the following information:

    • Name: The campaign’s name, which will be displayed to reviewers and shown in the campaign list view.

    • Description: The description of what this campaign entails and any directions you want to deliver to reviewers.

    • Campaign owners: The campaign’s owner, who will manage creating the campaign and the access review tasks within the campaign. You can set more than one campaign owner; just be sure anyone you add has the Campaign Administrator or Super Administrator role in ConductorOne.

    • Target completion date: The scheduled end date for the campaign.

    • Review policy: The campaign’s default review policy. You’ll be able to review and change the policy to be used for the review of individual resources later in the campaign creation process.

  4. Click Continue.

Step 2: Choose what to review

Next, build a list of the resources that your campaign will review. Here are some tips to help you:

  • Use the quick filters at the top of the page to zero in on Accounts, Roles, or Groups. Or select from the list of All resources, and filter the list by:

    • App, such as Okta, GitHub, or Datadog.

    • Resource type, such as group, project, team, credential, or repository.

    • Risk level, as set on an entitlement’s Details tab in the Attributes section. See Use custom entitlement attributes for more on setting attributes.

  • Use the checkboxes at the right of the screen to select the resources you want to review in the campaign. The count of selected entitlements updates as you add or remove resources.

  • The Entitlements column shows the individual permissions (called entitlements) on each resource. The number attached to each entitlement is the number of user accounts that are currently granted that entitlement.

    What happens if I add an empty entitlement to the campaign? In short, nothing. If you select a resource for your campaign that does not have any grants on any of its entitlements, no review tasks will be created for the resource, as there is nothing to review. You can add these resources to your campaign without impact, or leave them out: it’s up to you.

  • When you’ve selected all the resources you want to review (don’t worry, you can make further adjustments to your resources list before starting the campaign), click Add [your number of selected resources] to campaign.

Step 3: Fine-tune and validate your campaign

  1. On the Configuration tab, review and make any edits needed to the campaign’s details.

    • If you’d like to use a Slack channel for communication about this campaign, click Add to Slack channel. See Create a campaign Slack channel for more information.
  2. On the Scope tab, make further adjustments to the scope of your campaign:

    • Set campaign parameters: See Scope a campaign for information on using parameters to fine-tune the scope of the campaign.

    • Review resource selections: Click Edit resource selection to return to the previous page and adjust your campaign selections. Alternatively, click the red minus (-) button to remove a resource from the list of selected resources.

    • Adjust entitlements and their policies: Click Edit scope on a resource to make changes to the entitlements in scope or the entitlement policies, if needed. Use the checkboxes to remove entitlements from the campaign, as needed, and click Change policy to update the review policy to be used for an entitlement.

    • Reset policies to their defaults: If you’ve made changes to the policies to be applied to entitlements in the campaign and need to reset your choices to their default values, click the more actions ( … ) menu and select Reset policies. Resetting recreates all campaign selections so that each uses the policy inherited from (in order of precedence) the entitlement’s configuration, the application’s configuration, or the campaign’s configuration. This can be especially useful when working with a duplicated campaign.

    Why aren’t all the entitlements showing the policy I selected for this campaign? Entitlements inherit their policies from (in order of precedence):

    1. The entitlement’s configuration
    2. The application’s configuration
    3. The campaign’s configuration

    So if a policy is set on the entitlement or the application, those selections will overrule the policy you set for the campaign. But any changes you make on the Edit scope screen overrule all inherited configuration.

  3. Click Validate scope to see a preview of the access reviews that will be included in the campaign. Continue to edit and validate until you’re satisfied. Be aware that you won’t be able to make further changes to the resources under review, parameters, or policies once you move on to the next step.
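
The policy precedence and empty-entitlement behavior described in this step can be modeled in a few lines. This is an added example, not ConductorOne code or its API: the `Entitlement` data model, the function names, and the entitlement and policy names in the sample scope are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entitlement:
    app: str
    name: str
    grants: int                     # accounts currently granted this entitlement
    policy: Optional[str] = None    # policy configured on the entitlement itself
    override: Optional[str] = None  # choice made on the Edit scope screen

def effective_policy(ent, app_policies, campaign_policy):
    """Return (policy, source) using the documented order of precedence."""
    if ent.override:                # Edit scope overrules all inherited configuration
        return ent.override, "edit scope"
    if ent.policy:
        return ent.policy, "entitlement"
    if app_policies.get(ent.app):
        return app_policies[ent.app], "application"
    return campaign_policy, "campaign"

def preview(scope, app_policies, campaign_policy):
    """One row per entitlement that has grants; empty entitlements yield nothing."""
    rows = []
    for ent in scope:
        if ent.grants == 0:
            continue
        policy, source = effective_policy(ent, app_policies, campaign_policy)
        rows.append((ent.app, ent.name, ent.grants, policy, source))
    return rows

def reset_policies(scope):
    """Model of Reset policies: clear Edit scope choices so inheritance applies."""
    for ent in scope:
        ent.override = None

# Constructed sample scope; entitlement and policy names are invented.
CAMPAIGN_POLICY = "Manager review"
APP_POLICIES = {"GitHub": "App owner review"}
SCOPE = [
    Entitlement("GitHub", "org-admin", 4, policy="Security team review"),
    Entitlement("GitHub", "repo-write", 120),
    Entitlement("Okta", "super-admin", 3, override="Two-step review"),
    Entitlement("Datadog", "read-only", 0),
    Entitlement("Datadog", "admin", 2),
]

if __name__ == "__main__":
    for row in preview(SCOPE, APP_POLICIES, CAMPAIGN_POLICY):
        print(*row, sep=" | ")
```

Rows whose source is anything other than "campaign" are the entitlements that will not follow the campaign's default review policy.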

Step 4: Prepare the campaign

  1. When you’re ready, click Prepare campaign. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Please be patient: depending on the size of the campaign, preparing it might take several minutes.

    Your campaign is a snapshot of access as it exists the moment you click this button. Any access changes that take place after you prepare the campaign will not be reflected in the campaign.

  2. Review the draft campaign’s details. If necessary, make additional changes on the Configuration tab.

Step 5: Start the campaign

  1. When you’re ready, click Start campaign. Select whether ConductorOne should send out campaign kickoff notifications to the users who are assigned the access reviews in the campaign.

  2. Click Start campaign. Again, depending on the size of the campaign, starting it might take several minutes.

That’s it! Your access review campaign is underway.

What’s next?

Check out Administer an active campaign to learn more about what to expect as your campaign progresses, how to end the campaign, and how to generate campaign reports.