ConductorOne Docs

Create policies

Policies are sets of instructions for how an access review, request, or revocation process should proceed, the reviewers involved, and any follow-up tasks.

View the available policies

ConductorOne provides three default policies to get you started. To view these and any other policies currently saved in your ConductorOne instance:

  1. In the navigation panel, click Policies.
  2. Optional. Use the Type filter to filter policies by type:
    • Review policies are used for access review campaigns.
    • Request policies are used for user access requests.
    • Revoke policies are used when reviewing access that has been recommended for revocation.

Create a new policy

If the existing policies don’t match the workflow you need, create a new policy.

Step 1: Set up the new policy

  1. In the navigation panel, click Policies.
  2. Click Create.
  3. Give your policy a name and an optional description.
  4. Select the relevant policy type from the Policy Type menu.
  5. Click Create.

Step 2: Choose reviewers and set conditions

  1. In the Execution process area of the page, select who should review the access being certified, requested, or revoked, and provide a decision:
    • User: ConductorOne will assign the task to the specific individual or individuals who you select as reviewers.
    • Manager: ConductorOne will identify the user’s manager (via the information pulled from your company’s identity provider) and assign them the task.
    • App Owner: ConductorOne will identify the owner of the application (via the ownership set for the application in ConductorOne) and assign them the task.
    • Group: ConductorOne will assign the task to the members of the selected group. Only one member needs to complete the task, but all members will be notified. If there are more than 128 members in the selected group, the task will not notify the group’s members, but will instead use the fallback reviewer.
    • Account Owner: ConductorOne will assign the task to the individual identified as the owner of the user account in ConductorOne. In almost all cases, selecting this option results in a self-review of the access.
    • Entitlement Owner: ConductorOne will identify the owner of the entitlement (via the ownership set for the entitlement in ConductorOne) and assign them the task.
  2. If you selected Manager, Group, Account Owner, or Entitlement Owner in Step 1, you have the option to provide a fallback reviewer. In the event that ConductorOne cannot identify the specified reviewer on a task (or the task is assigned to a group with more than 128 members), the system will fall back to the secondary reviewer you set here.
    • If you check Permit reviewer to reassign task on the policy, the fallback reviewer can then reassign the task to an appropriate contact.
    • Multiple fallback reviewers can be listed, but only one needs to take action.
  3. Set whether the reviewer (or the fallback reviewer, if applicable) can reassign the task, and whether reassigned tasks require a reason for their reassignment.
  4. Set whether a reviewer can complete a review that they are the subject of. (This option is not available for Account Owner reviews since these reviews are, by nature, generally self-reviews.)
  5. Set whether approvals require the reviewer to enter a reason for the continued access.
  6. Finally, if more than one approval step is needed (for instance, if first an account owner self-review and then a manager approval is required), click Add reviewer step and repeat Steps 1-5.
  7. Click Save.
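
The reviewer and fallback rules from this step, modelled in Python so you can check who a policy step would route a task to before saving it. This is an added example, not ConductorOne's code or API: the `Step` shape, the `resolve` function, and the sample directory are assumptions, and the self-review flag only reports the condition because the page does not say how the product handles it.

```python
from dataclasses import dataclass, field

GROUP_LIMIT = 128  # page: groups with more than 128 members use the fallback reviewer
# Reviewer types the page lists as accepting a fallback reviewer.
FALLBACK_TYPES = {"manager", "group", "account_owner", "entitlement_owner"}

@dataclass
class Step:  # hypothetical shape for one reviewer step, not ConductorOne's schema
    reviewer_type: str
    target: object = None          # user list for "user", group name for "group"
    fallback: list = field(default_factory=list)
    allow_self_review: bool = False

# Constructed stand-in for identity-provider and ownership data.
DIRECTORY = {
    "manager": {"alice": ["bob"]},
    "app_owner": {"github": ["carol"]},
    "entitlement_owner": {"github:admin": ["dave"]},
    "account_owner": {"alice": ["alice"]},
    "group": {"sec": ["erin", "frank"], "all-staff": [f"u{i}" for i in range(129)]},
}

def resolve(step, subject, app, entitlement, directory=DIRECTORY):
    """Return (assignees, used_fallback, self_review_conflict) for one step."""
    kind = step.reviewer_type
    if kind == "user":
        found = list(step.target or [])
    elif kind == "group":
        members = directory["group"].get(step.target, [])
        # Oversized groups are not notified; treat them as unresolved.
        found = list(members) if len(members) <= GROUP_LIMIT else []
    elif kind in directory:
        key = {"app_owner": app, "entitlement_owner": entitlement}.get(kind, subject)
        found = list(directory[kind].get(key, []))
    else:
        raise ValueError(f"unknown reviewer type: {kind}")

    used_fallback = False
    if not found and kind in FALLBACK_TYPES and step.fallback:
        found, used_fallback = list(step.fallback), True

    # Report, but do not act on, a reviewer who is also the subject. The
    # self-review option does not apply to Account Owner steps.
    conflict = (kind != "account_owner" and not step.allow_self_review
                and subject in found)
    return found, used_fallback, conflict

if __name__ == "__main__":
    for s in (Step("manager", fallback=["zed"]), Step("group", "all-staff", ["zed"])):
        print(s.reviewer_type, resolve(s, "alice", "github", "github:admin"))
```

A step that returns an empty assignee list, or that resolves only to the subject, is worth a second look before the policy is used for a campaign.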

Step 3: Add follow-up tasks to review policies

  1. For review policies only. In the Post execution actions section of the page, set whether ConductorOne should automatically create a new task to update a user’s permissions (revoking access automatically or creating a manual deprovisioning task, as appropriate) if their access is denied.

Your policy is now ready for use! You can review or edit the policy’s details any time by clicking on its name on the Policies page.