Create review policies

A review policy is a set of instructions that defines how an access review proceeds: its structure, the reviewers involved, and any follow-up tasks.

View available review policies

ConductorOne provides a default review policy to get you started. To view this and all other review policies currently saved in your ConductorOne instance:

  1. In the navigation panel, click Policies.
  2. Use the Type filter and select Review to view all available review policies.

Create a new review policy

If the existing policies don’t match the workflow you need to perform during an access review campaign, create a new review policy.

Part 1: Set up the new policy

  1. In the navigation panel, click Policies.
  2. Click Create.
  3. Give your policy a name and an optional description.
  4. Select Review from the Policy Type menu.
  5. Click Create.

Part 2: Choose reviewers and set conditions

  1. In the Execution process area of the page, select the user type who should review current access and provide decisions:
    • User: ConductorOne will require the user who is the subject of the review to first validate that they still need this access.
    • Manager: ConductorOne will identify the user’s manager (via the information pulled from your company’s identity provider) and ask the manager to validate that the access is still needed and appropriate.
    • App Owner: ConductorOne will identify the owner of the application (via the ownership set for the application in ConductorOne) and ask that individual to validate that the access is still needed and appropriate.
    • Account Owner: ConductorOne will assign the review task to the individual identified as the owner of the user account in ConductorOne and ask that individual to validate that the access is still needed and appropriate.
    • Entitlement Owner: ConductorOne will identify the owner of the entitlement (via the ownership set for the entitlement in ConductorOne) and ask that individual to validate that the access is still needed and appropriate.
  2. If you selected Manager, Account Owner or Entitlement Owner in Step 1, you have the option to provide a fallback reviewer. In the event that ConductorOne cannot identify the specified reviewer on a task, the system will fall back to the secondary reviewer you set here.
    • Often, the Campaign Owner sets themselves or another administrator as the fallback reviewer.
    • If the Campaign Owner checks Permit reviewer to reassign task on the policy, the fallback reviewer can then reassign the task to an appropriate contact.
    • Multiple fallback reviewers can be listed, but only one needs to take action.
  3. Set whether the reviewer (or the fallback reviewer, if applicable) can reassign the task, and whether reassigned tasks require a reason for their reassignment.
  4. Set whether a reviewer can complete a review that they are the subject of. (This option is not available for Account Owner reviews.)
  5. Set whether approvals require the reviewer to enter a reason for the continued access.
  6. Finally, if more than one approval step is needed (for instance, if first a user self-review and then a manager approval is required), click Add reviewer step and repeat Steps 1-5.
  7. Click Save.

Part 3: Add follow-up tasks

  1. In the Post execution actions section of the page, set whether ConductorOne should automatically create a new task to update a user’s permissions (revoking access automatically or creating a manual deprovisioning task, as appropriate) if their access is denied.

Your policy is now ready for use! You can review or edit the policy’s details any time by clicking on its name on the Policies page.
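
The settings chosen in Parts 2 and 3 determine how strong the review is as a control, so it helps to check them before a campaign starts. The following is an added example, not ConductorOne code: it audits a policy written down as a Python dictionary whose field names and sample values are constructed for this illustration and are not ConductorOne's API or export format.

```python
# Hypothetical policy layout: every field name here is constructed for this
# example; it is not ConductorOne's API or export format.
FALLBACK_TYPES = {"Manager", "Account Owner", "Entitlement Owner"}  # types Part 2, Step 2 lists
SELF_REVIEW_TYPES = {"Manager", "App Owner", "Entitlement Owner"}   # assumption: setting is meaningful here

def audit_review_policy(policy):
    """Return a list of findings for one review policy (empty list = none)."""
    findings = []
    steps = policy.get("steps", [])
    if not steps:
        findings.append("policy has no reviewer step")
    for i, step in enumerate(steps, start=1):
        kind = step["reviewer"]
        if kind in FALLBACK_TYPES and not step.get("fallback_reviewers"):
            findings.append(f"step {i}: {kind} step has no fallback reviewer set")
        if step.get("allow_reassign") and not step.get("reassign_reason_required"):
            findings.append(f"step {i}: tasks can be reassigned without a recorded reason")
        if kind in SELF_REVIEW_TYPES and step.get("allow_self_review"):
            findings.append(f"step {i}: reviewer may complete a review of their own access")
        if not step.get("approval_reason_required"):
            findings.append(f"step {i}: approvals do not require a reason for continued access")
    if steps and all(s["reviewer"] == "User" for s in steps):
        findings.append("every step is a User self-review; no second party validates the access")
    if not policy.get("create_revoke_task_on_deny"):
        findings.append("denied access does not create a revoke or deprovisioning task")
    return findings

# Constructed sample policies (not taken from a real ConductorOne instance).
SAMPLE_WEAK = {
    "name": "quarterly-weak",
    "steps": [{"reviewer": "Manager", "fallback_reviewers": [], "allow_reassign": True,
               "reassign_reason_required": False, "allow_self_review": True,
               "approval_reason_required": False}],
    "create_revoke_task_on_deny": False,
}
SAMPLE_STRICT = {
    "name": "quarterly-strict",
    "steps": [{"reviewer": "User", "approval_reason_required": True},
              {"reviewer": "Manager", "fallback_reviewers": ["admin@example.com"],
               "allow_reassign": True, "reassign_reason_required": True,
               "allow_self_review": False, "approval_reason_required": True}],
    "create_revoke_task_on_deny": True,
}

if __name__ == "__main__":
    for p in (SAMPLE_WEAK, SAMPLE_STRICT):
        print(p["name"], audit_review_policy(p) or "no findings")
```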