Nailing the Security Audit with RRCU

ConductorOne docs

How to complete access change tasks

ConductorOne tasks are assigned to you when your expertise is needed to approve, provision, or revoke access to applications and specific resources for members of your team.

Complete a request task

Request tasks are assigned to you when a colleague asks for new access and your review of the request is needed. Reviewers are assigned based on the request policy governing the requested app or resource.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not direct you to the task list automatically, locate it by clicking on Assignments in the navigation panel and selecting Requests at the top of the page.

Step 2: Review the task and take action

Each line in the table is a task assigned to you. For each task, complete the appropriate steps:

  1. Review the request

    • Look at the account and the resource. Is this access needed for the user’s work and appropriate to the user’s role in the company?
  2. Learn more about the request

    If you need more information about the request, click the task number to open the details view, where you’ll find additional information to help you make your decision.

    If you’re a reviewer for emergency access requests: Go to Enable emergency access requests to learn more about how and when these special requests are created and how they’re designated in the ConductorOne app.

View insights from ConductorOne Access Copilot to help make your decision.

The detail view of a request task showing a list of Insights.
  1. Provide your decision

    • If you agree that the access should be granted, click Approve.

    • If you don’t think this access should be granted, click Deny.

    I see there is more than one review step. If I deny the request does it still go to other reviewers? No, the review will stop at you, and the request will be closed.

Step 3: Repeat the process

Repeat these steps to review and take action on each request task assigned to you.

To take the same action on multiple tasks at once, select each task by clicking its checkbox, then select the action from the menu at the bottom left. You’ll be prompted to add a comment about your action, which is posted on each impacted task.

Click Completed tasks to see everything you’ve finished so far.

Complete a provisioning task

A request to grant new access has already been reviewed and approved. A provisioning task is now assigned to you because manual provisioning of the new access is required and you are a designated provisioner for the app.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a provisioning task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not automatically direct you to the task, locate it by clicking on Assignments in the navigation panel and selecting Requests at the top of the page.

Step 2: Review the task and take action

  1. Go to the Awaiting provisioning tab. Each line in the table is a provisioning task assigned to you.

  2. Complete the provisioning process in the requested app, then click Provisioned. Click the more actions () menu for additional options, such as marking the task as Won’t provision.

  3. If you need additional guidance or context, click the task number to open the task’s details page. Here you’ll find additional information:

    • If the ConductorOne admins at your company have provided any notes or instructions for how to complete the provisioning assignment, these are shown on the details page.

    • The Comments section shows any notes other members of your organization have made about this task. (Comments posted in Slack about this task are also displayed here.)

    • The Task details section shows the task’s workflow, highlighting the role you play and the policy being applied to this task. In this section you’ll also find controls to reassign the task, if reassignment is allowed.

Step 3: Repeat the process

Repeat these steps to complete each provisioning task assigned to you. Click Completed tasks to see everything you’ve finished so far.

Complete a revocation task

Revocation tasks are generated when someone (such as a manager or app owner) decides that some access is no longer used, needed, or appropriate, and recommends its removal.

ConductorOne creates a revocation task and assigns it to the appropriate reviewer (you’re likely reading this because that’s you!). Reviewers are assigned based on the applicable revocation policy.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a revocation task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not direct you to the task list automatically, locate it by clicking on Assignments in the navigation panel and selecting Revocations at the top of the page.

Step 2: Review the task and take action

Each line in the table is a task assigned to you. For each task, complete the appropriate steps:

  1. Review the proposal

    • Look at the account and the resource. Is this access no longer needed for the user’s work, or no longer appropriate to the user’s role in the company?
  2. (Optional) Find more information about the proposal

    If you need more information, click the task number to open the details view, where you’ll find additional information to help you make your decision:

    • Click the arrow next to the account name to open the Account attributes panel. Here you’ll see all attributes associated with the application account.

    • The Comments section shows any notes other members of your organization have made about this task. (Comments posted in Slack about this revocation proposal are also shown here.)

    • The Task details section shows the task’s workflow, highlighting the role you play, and the policy being applied to this task. In this section you’ll also find controls to reassign the task, if reassignment is allowed.

  3. Provide your decision

    • If you agree that the access should be revoked, click Confirm.

    • If you don’t think this access should be revoked, click Deny. This means you believe the access is still needed and appropriate. Clicking Deny will halt the revocation process and close the task.

Step 3: Repeat the process

Repeat these steps to review and take action on each task assigned to you.

To take the same action on multiple tasks at once, select each task by clicking its checkbox, then select the action from the menu at the bottom left. You’ll be prompted to add a comment about your action, which is posted on each impacted task.

Click Completed tasks to see everything you’ve finished so far.

Complete a deprovisioning task

A revocation proposal (see above) has already been reviewed and approved. A deprovisioning task is now assigned to you because manual deprovisioning of the revoked access is required and you are a designated manual deprovisioner for the app.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a deprovisioning task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not automatically direct you to the task, locate it by clicking on Assignments in the navigation panel and selecting Revocations at the top of the page. The badges next to each of these menu items show the number of tasks of each type currently awaiting your attention.

Step 2: Review the task and take action

  1. Go to the Awaiting deprovisioning tab. Each line in the table is a deprovisioning task assigned to you.

  2. Complete the deprovisioning process in the requested app, then click Deprovisioned. Click the more actions () menu for additional options, such as marking the task as Won’t deprovision.

  3. If you need additional guidance or context, click the task number to open the task details page. Here you’ll find additional information to help you:

    • If the ConductorOne admins at your company have provided any notes or instructions for how to complete the deprovisioning assignment, these are shown on the details page.

    • The Comments section shows any notes other members of your organization have made about this task. (Comments posted in Slack about this task are also displayed here.)

    • The Task details section shows the task’s workflow, highlighting the role you play, and the policy being applied to this task. In this section you’ll also find controls to reassign the task, if reassignment is allowed.

Step 3: Repeat the process

Repeat these steps to complete each deprovisioning task assigned to you.

Click Completed tasks to see everything you’ve finished so far.

Reassign a task

If you need to reassign a task:

  1. In the task list, click Reassign. Alternatively, from a task’s details view, click Reassign in the Assigned to area.

  2. Select the new assignee and provide a reason for the reassignment.

The newly assigned reviewer will receive email and Slack (if enabled) notifications about their new task assignment.