ConductorOne Docs

How to run a privileged access review

Follow our step-by-step guide to running a privileged access review with ConductorOne.

Why run a privileged access review?

Privileged access reviews are essential for maintaining a secure IT environment. They help to ensure that privileged users only have the access they need, when they need it. By regularly reviewing privileged access, your organization can reduce the risk of insider threats, data breaches, and compliance violations.

📋 Before you begin

A ConductorOne user with either the Super Admin or Campaign Admin user role must complete this process, as only users with these roles are able to create new access review campaigns. Go to Assign user roles to learn more.

Before you begin, make sure you’ve completed these setup tasks:

  1. Sign up for ConductorOne using your SSO provider, connect your user directory, and map key user attributes.

  2. Integrate each of the applications your colleagues will be able to request access to.

Step 0: Determine what to review

To ensure a successful review, you first need to determine what you will be reviewing. This includes identifying the following:

  • Privileged roles and resources: What are the most sensitive roles and resources in your organization? These are the roles and resources that should be prioritized in your review.

  • Users and groups: Who has privileged access to the roles and resources you identified? Make a list of all users and groups with privileged access.

  • Business justification: Why does each user and group need the privileged access they have? You should be able to justify each user's and group's access.

Once you have identified the privileged users, roles, and resources to review, you can begin to set up your privileged access review campaign. By carefully considering what to review, you can ensure that your privileged access review is effective in identifying and mitigating risks.

Step 1: Create review policies

If this is your first time running a privileged access review with ConductorOne, you might need to create policies specific to reviewing privileged access. Policies are sets of instructions for how an access review process should proceed, the reviewers involved, and any follow-up tasks.

Follow the instructions in Create policies to set up any new policies needed for your privileged access review.

Tips and reminders:

  • Make sure to choose the Review policy type when prompted.

  • To automatically kick off a revocation flow for any access denied during the campaign, add a post-execution step to the review policy you create. See Add followup tasks to review policies to learn more.

Step 2: Apply policies

Once you’ve set up the policies you’ll use in the access review, apply them to the applications and entitlements you plan to review. ConductorOne applies review policies using this order of precedence:

  1. The entitlement’s configuration
  2. The application’s configuration
  3. The campaign’s configuration

In other words, if an entitlement policy is set, it overrules both the application policy and the campaign policy. Keep this in mind when deciding where to apply your review policy.

When applying policies to be used in your privileged access review campaign, you have a few options:

  • Apply the policy to the application. If all entitlements for a certain application should be reviewed using a single policy, you can apply that policy to the application as a whole. Follow the instructions in Set application-level policies to apply your chosen review policy to the application as a whole.

  • Apply the policy to specific entitlements. If you only need to apply the privileged access review policy to certain sensitive entitlements, follow the instructions in Configure entitlement review settings to apply your chosen review policy to the specific entitlements in scope for the review.

  • Apply the policy to the privileged access review campaign. If you do not set specific review policies on either the applications or specific entitlements, ConductorOne will use the review policy you select when setting up the access review campaign. We’ll cover setting the campaign’s policy in Step 3.
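The precedence rule above (entitlement, then application, then campaign) decides which policy actually governs each review, so it is worth checking, before the campaign starts, that every privileged entitlement in scope resolves to the privileged review policy rather than falling through to a broader application or campaign policy. The resolver and sample scope below are an added illustration, not ConductorOne code; the application, entitlement and policy names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy names; not ConductorOne identifiers.
PRIVILEGED_POLICY = "Privileged access review"
STANDARD_POLICY = "Standard access review"

@dataclass
class Entitlement:
    name: str
    privileged: bool              # flagged as sensitive in Step 0
    policy: Optional[str] = None  # entitlement-level review policy, if set

@dataclass
class Application:
    name: str
    entitlements: list[Entitlement]
    policy: Optional[str] = None  # application-level review policy, if set

def effective_policy(ent: Entitlement, app: Application, campaign_policy: str):
    """Resolve which policy governs this entitlement's review using the
    documented precedence: entitlement, then application, then campaign.
    Returns (policy name, level the policy came from)."""
    if ent.policy is not None:
        return ent.policy, "entitlement"
    if app.policy is not None:
        return app.policy, "application"
    return campaign_policy, "campaign"

def misrouted_privileged(apps, campaign_policy: str, wanted: str) -> list[str]:
    """List 'app/entitlement' names of privileged entitlements that would NOT be
    reviewed under the expected privileged policy once precedence is applied."""
    out = []
    for app in apps:
        for ent in app.entitlements:
            policy, _ = effective_policy(ent, app, campaign_policy)
            if ent.privileged and policy != wanted:
                out.append(f"{app.name}/{ent.name}")
    return out

# Constructed scope: one app with an entitlement override, one app whose
# standard application-level policy silently captures a privileged role.
SAMPLE_APPS = [
    Application("AWS", [
        Entitlement("AdministratorAccess", True, policy=PRIVILEGED_POLICY),
        Entitlement("ReadOnlyAccess", False),
    ]),
    Application("GitHub", [Entitlement("Org owner", True)], policy=STANDARD_POLICY),
]
# misrouted_privileged(SAMPLE_APPS, PRIVILEGED_POLICY, PRIVILEGED_POLICY) -> ['GitHub/Org owner']
```

The GitHub owner role is flagged because the application-level standard policy outranks the campaign's privileged policy; fixing it means setting the privileged policy on that entitlement or on the GitHub application itself.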

Step 3: Create the campaign

Now it’s time to set up the campaign itself. Follow the instructions in Create an access review campaign or check out our video tutorial:

Tips and reminders:

  • If your organization previously created a privileged access review campaign that’s similar to the one you plan to run, follow the instructions in Duplicate a past campaign to use the existing campaign as a template.

  • When prompted to select a review policy for the campaign, choose the privileged access review policy you created in Step 1.

  • If your organization uses Slack, ConductorOne can create a custom Slack channel dedicated to sharing updates and information about the campaign. Go to Create a campaign Slack channel to learn more.

Step 4: Start the campaign

When you start the campaign, review tasks will be automatically generated and assigned to the appropriate reviewers. If you check Yes, send out notifications when starting the campaign, reviewers will be notified by email (and Slack, if enabled) that a new campaign is underway and they have reviews to complete.

Reviewers will receive an email that looks like this:

The campaign kickoff email sent by ConductorOne, showing the campaign name, owner, due date, basic instructions, and that the recipient's input is needed.

Tips and reminders:

  • Do your reviewers need a little more guidance on how to complete their reviews? Direct them to the Complete access reviews instructions.

Step 5: Manage the campaign

Once the campaign is running, use the dashboard to see the campaign’s progress and outstanding tasks.

On the campaign’s Tasks tab, you can open individual access reviews, view details, and take action:

  • See the status of the access review (completed or open)
  • See the outcome of the access review (approved, denied)
  • Reassign the review
  • Restart the review
  • Send the assigned reviewer a reminder notification
  • Add comments
  • View the audit log
  • View related tasks

Step 6: Remind users to complete their assignments

If some of the reviewers assigned tasks in your privileged access review campaign need a nudge to finish their work, you have several options:

  • To remind a single reviewer to finish a single open task: On the Access reviews tab of the campaign page, click the more actions (…) menu on the task and select Send reminder. The user will be sent a personalized email that looks like this:

    The campaign task reminder email, addressed to a single user and referencing a single task.

    If the ConductorOne Slack app is enabled for your organization, the reviewer will also receive a Slack notification.

  • To remind all reviewers who still have open tasks to finish their work: On the Access reviews tab of the campaign page, click Send reminders. All reviewers who still have open tasks in the campaign will be sent a personalized email that looks like this:

    The open campaign tasks reminder email, addressed to a single user and referencing the number of open tasks.

    If the ConductorOne Slack app is enabled for your organization, the reviewers will also each receive a Slack notification.

Step 7: End the campaign

When you’re ready, you must actively end the campaign. Campaigns do not end automatically, even if their target completion date has passed. Ending a campaign finalizes all open access reviews and archives the campaign as completed.

Click End campaign at the top of the campaign page to finish and close an active campaign.

Depending on your organization’s policies and procedures, once the campaign ends you can choose to kick off a revocation cycle for access that reviewers recommended removing from user accounts during the campaign. Go to Revoke access that was denied during the campaign to learn more.

Tips and reminders:

  • If any reviews are outstanding, ending a campaign cancels those requests.

  • When ending the campaign, you’ll be asked if remaining open reviews should be Skipped or Revoked.

Once a campaign is ended, the configuration and access reviews for the campaign cannot be changed. However, you can still view and generate reports for the campaign.

Step 8: Generate audit reports

Finally, create reports that you can present to auditors and other stakeholders in your organization showing the scope and outcome of your privileged access review campaign.

Go to Generate campaign reports to get started.

Success!

That’s it! By following these steps, you’ve completed a successful privileged access review using ConductorOne and helped to ensure that privileged users only have the access they need, when they need it.

It’s important to note that a privileged access review is not a one-time event. It should be conducted on a regular basis to ensure that privileged access is always under control. The frequency of your reviews will depend on your organization’s risk profile, internal policies, and the types of systems and applications you’re running.

Thanks for joining us in this how-to guide!