See how Ramp uses ConductorOne
ConductorOne

ConductorOne Docs

Create an access review campaign

As an organization, you need to know who has access to what, the level of access, and if the access is correct. Access review campaigns are a chance to systematically review and update user access.

Periodic use of access review campaigns help Security and IT teams to securely control and monitor what users can access while making sure employees can also successfully manage their operations. Access review campaigns also help you to achieve compliance with security standards and audit requirements.

Step 1: Create a new campaign

Only users with the Campaign Administrator or Super Administrator user roles in ConductorOne can create and manage campaigns. See User roles for more information. The campaign’s creator can elect to include other Campaign Administrators as Campaign Owners, who will also have control and management rights on the campaign.

  1. Before you begin, review the information in Get ready to run access review campaigns.
  2. In the navigation panel, click Campaigns. A list of all campaigns created by your organization is shown. Once your new campaign is created, it will be added to this list.
  3. Click Create.
  4. Fill out the form, providing the following information:
    • Name: This name will be displayed to users and shown in the campaign list view.
    • Description: The description of what this Campaign will entail and any directions you want to deliver to end users.
    • Owners: Campaign Owners are allowed to manage the settings of a campaign and any access reviews within a campaign. Note that a Campaign Owner must also be assigned the Campaign Administrator user role to receive these permissions.
    • Review Policy: The default review policy used for entitlements selected for the campaign. If needed, you can change the policy applied to the review of individual entitlements later in the campaign creation process.
    • Target Completion Date: The scheduled end date for the campaign.
    • Reminder Notifications: If enabled, users assigned review tasks for the campaign will be notified on a periodic basis about the campaign’s status and the tasks that require their input. See Send campaign notifications for information about what notifications are sent and when.
  5. Click Create Campaign and Select Entitlements.

Step 2: Select entitlements

  1. Next, build a list of the entitlements that your campaign will review. You can select from the list of all available entitlements, or use the panel on the left side of the screen to filter the list by:
    • Resource Type, such as groups, roles, credentials, or repositories.
    • Application, such as Okta, GitHub, or Datadog.
    • Entitlement Risk Level and Compliance Framework, as set on an entitlement’s Details tab in the Attributes section.
  2. Your list of selected entitlements is shown on the right side of the screen. When you’ve selected all the needed entitlements (don’t worry, you can make further adjustments to the entitlements list before starting the campaign), click Add entitlements to campaign.

Step 3: Fine-tune and validate your campaign

  1. On the Configuration tab, review and make any edits needed to the campaign’s details.

    • If you’d like to create a dedicated Slack channel for communication about this campaign, click Create Slack Channel. See Create a campaign Slack channel for more information.
  2. On the Scope tab, make further adjustments to the scope of your campaign by using the following controls:

    • Entitlements in scope: Click Add entitlements to adjust the list of entitlements selected for this campaign.

    • Refresh policies: Entitlements inherit their policies from (in order of precedence):

      1. The entitlement’s configuration
      2. The application’s configuration
      3. The campaign’s configuration

      If the policies listed for your entitlements on this page don’t look correct, you can leave the campaign builder (your campaign will remain in draft mode) and update the policies on the entitlement or the application level, as needed. Then return to the draft campaign and click Refresh policies to recreate all your campaign selections so that they use the updated policies and assignments.

    • Set campaign parameters: See Adjust campaign scope for information on using parameters to fine-tune the scope of the campaign.

  3. Click Validate Scope to see a preview of the access reviews that will be included in the campaign. Continue to edit and validate until you’re satisfied. Be aware that you won’t be able to make further changes to the entitlements under review once you move on to the next step.

Step 4: Prepare and start the campaign

  1. When you’re ready, click Prepare Campaign. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Please be patient: depending on the size of the campaign, preparing it might take several minutes.
  2. Review the draft campaign’s details. If necessary, make additional changes on the Configuration tab.
  3. When you’re ready, click Start Campaign. Select whether ConductorOne should send out campaign kickoff notifications to the users who are assigned the access reviews in the campaign.
  4. Click Start Campaign. Again, depending on the size of the campaign, starting it might take several minutes.

That’s it! You access review campaign is underway.