Nailing the Security Audit with RRCU

Create an access review campaign

Create one-time user access review (UAR) campaigns or reusable campaign templates that can be run on a schedule.

Why run an access review campaign?

Access review campaigns help Security and IT teams to securely control what software users can access, all while making sure employees can also successfully complete their work.

From a least privilege and security perspective, ensuring that users only have the access they need, for only as long as they need it, reduces the access footprint of your company for sensitive systems and data. Running regular access review campaigns also helps you to achieve compliance with security standards and audit requirements.

View all campaigns

On the Campaigns page, campaigns are sorted by state and type:

  • Running campaigns are currently in progress.

  • Draft campaigns have not yet started.

  • Completed campaigns have ended.

  • Templates are saved campaign outlines used to create one-time or recurring scheduled campaigns.

How do campaign templates work?

If there’s a campaign pattern you use repeatedly, create a reusable campaign template instead of configuring the same campaign from scratch every time.

Once a campaign template is set up, use it to create single campaigns whenever you need them or set a schedule for automated campaign creation. When a schedule is running, ConductorOne automatically creates new instances of the campaign for you and adds them to the Drafts tab. You can review, fine-tune, and start these campaigns when you’re ready.

Need to reuse a campaign just once? Duplicate any existing campaign from the more actions (…) menu on the Running, Drafts, or Completed tabs.

Create a new campaign

Follow this process to create a single campaign. Jump to Create a campaign template to set up a template that can be used to create many similar campaigns.

Only users with the Campaign Administrator or Super Administrator user roles in ConductorOne can create and manage campaigns.

Step 1: Set up the campaign

  1. In the navigation panel, click Campaigns.

  2. Click New campaign.

  3. Fill out the form, providing the following information:

    • Name: The campaign’s name, which will be displayed to reviewers and shown in the campaign list view.

    • Description: The description of what this campaign entails and any directions you want to deliver to reviewers.

    • Campaign type: Select Single instance, then set the Target completion date for the campaign.

    • Owner: The campaign’s owner, who will manage the campaign while it is in progress. You can set more than one campaign owner. Each owner must have the Campaign Administrator or Super Administrator user role in ConductorOne.

    • Review policy: The campaign’s default review policy. If needed, you’ll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.

  4. Click Continue. The campaign is created.

  5. On the Configuration tab, review and update the details you’ve entered so far.

  6. If you want to use a Slack channel for communication about this campaign, click Add Slack channel. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create.

    All campaign owners and users assigned access reviews will be automatically added to this channel when the campaign starts.

Step 2: Choose what to review

Next, build a list of the resources that your campaign will review.

  1. On the Scope tab of your campaign, find the Apps and resources section of the page and click Make selections.

    • To run a UAR on user access to applications, click Review application access and select apps, then click Save.

      OR

    • To run a UAR on user access to specific permissions, click Review specific resources and select resources, then click Save.

    You cannot mix selections from the two tabs in a single campaign. If you want to review both application access and specific non-access resources in a single campaign, select Review specific resources and add the Credential resource type to the campaign.

  2. If you’re building a UAR reviewing specific resources, click Edit scope to remove entitlements from the review or update the policy used to review specific entitlements. Click Apply changes when you’re finished.

  3. Optional. Find the User selection section of the page and click Make selections.

    If you don’t make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

    • Click Select specific users to build a list of users whose access will be reviewed, then click Save.

      OR

    • Click Select users by criteria to review users who match the criteria you set, then click Save.

      You can mix and match these options:

      • User status in ConductorOne

      • Direct reports of a manager

      • User profile attributes. For example, to run an access review campaign on all the AcmeApp users in your company with the job title “Engineer,” create the parameter User AcmeJob is Engineer.

  4. Optional. Find the Account parameters section of the page and click Make selections.

    If you don’t make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

    • Click Select accounts by criteria to review app accounts that match the criteria you set, then click Save.

      You can mix and match these options:

      • No account owner

      • Account status

      • Account type

  5. Optional. Find the Grant parameters section of the page and click Make selections.

    If you don’t make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

    • Click Select grants by criteria to review only the access grants that match the criteria you set, then click Save.

      You can mix and match these options:

      • New grants added within the time period you select

      • Temporary (time-limited) or permanent grants

      • Grants that have not been used in the time period you select (this information is not available for all applications)

A summary of your choices is shown on the Scope tab. Click Validate scope at any time to generate a report showing a preview of the campaign based on the current scope.

Once you’re satisfied with your selections, move on to the next step.

Step 3: Prepare the campaign

  1. When you’re ready, click Prepare campaign. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Please be patient: depending on the size of the campaign, preparing it might take several minutes.

    Your campaign is a snapshot of access as it exists the moment you click this button. Any access changes that take place after you prepare the campaign will not be reflected in the campaign.

  2. Review the draft campaign’s details. If necessary, you can make changes on the Configuration tab, but you cannot alter the campaign’s scope or policy once it has been prepared.
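
Because a prepared campaign is a point-in-time snapshot, access granted after you click Prepare campaign gets no review task. The following is an added example, not ConductorOne code: it compares a grant list captured at prepare time with a current grant list to show what the campaign cannot see. The CSV column names and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. The column names are assumptions for this example,
# not a ConductorOne export format.
SNAPSHOT_CSV = """user,app,entitlement
alice@example.com,AcmeApp,admin
bob@example.com,AcmeApp,member
carol@example.com,Payroll,viewer
"""

CURRENT_CSV = """user,app,entitlement
Alice@Example.com,AcmeApp,admin
bob@example.com,AcmeApp,member
bob@example.com,AcmeApp,admin
dave@example.com,Payroll,editor
"""


def load_grants(text):
    """Parse CSV text into a set of (user, app, entitlement) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    # Lower-case the user so a change in email casing is not reported as drift.
    return {(r["user"].strip().lower(), r["app"].strip(), r["entitlement"].strip())
            for r in rows}


def drift_since_prepare(snapshot_text, current_text):
    """Return grants the prepared campaign cannot see, and tasks that are now stale."""
    snapshot = load_grants(snapshot_text)
    current = load_grants(current_text)
    unreviewed = defaultdict(list)
    for user, app, entitlement in sorted(current - snapshot):
        # Granted after the snapshot: no review task exists for this access.
        unreviewed[app].append((user, entitlement))
    # Removed after the snapshot: the review task refers to access that is gone.
    stale = sorted(snapshot - current)
    return dict(unreviewed), stale


if __name__ == "__main__":
    unreviewed, stale = drift_since_prepare(SNAPSHOT_CSV, CURRENT_CSV)
    for app, grants in unreviewed.items():
        for user, entitlement in grants:
            print(f"not in campaign: {user} has {entitlement} on {app}")
    for user, app, entitlement in stale:
        print(f"already removed: {user} no longer has {entitlement} on {app}")
```

Grants reported as not in the campaign need a follow-up review or a later campaign, since they fall outside this one.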

Step 4: Start the campaign

  1. When you’re ready, click Start campaign. Select whether ConductorOne should email campaign kickoff notifications to the users who are assigned the access reviews in the campaign.

  2. Click Start campaign. Again, depending on the size of the campaign, starting it might take several minutes.

That’s it! Your access review campaign is underway. Check out Manage active campaigns to learn about campaign reminders, reports, and revoking access denied during the campaign.

Duplicate a past campaign

Only users with the Campaign Administrator or Super Administrator user roles in ConductorOne can create and manage campaigns.

Instead of creating a campaign from scratch, you can save time and effort by duplicating a past campaign and tailoring it to your current needs.

  1. In the navigation panel, click Campaigns.

  2. Locate and click on the name of the campaign that you want to duplicate.

  3. From the more actions (…) menu, select Duplicate.

  4. Review the campaign’s details and update the information as necessary.

  5. Follow the instructions above to validate, prepare, and start the duplicate campaign.

That’s it! Your duplicated access review campaign is underway.

Create a campaign template

Only users with the Campaign Administrator or Super Administrator user roles in ConductorOne can create and manage campaign templates.

Step 1: Set up the template

  1. In the navigation panel, click Campaigns.

  2. Click New campaign.

  3. Fill out the form, providing the following information:

    • Name: The campaign’s name, which will be displayed to reviewers and shown in the campaign list view.

    • Description: The description of what this campaign entails and any directions you want to deliver to reviewers.

    • Campaign type: Select Template, then set the Campaign duration, or how long each campaign created from the template will run.

    • Owner: The campaign’s owner, who will manage the campaign while it is in progress. You can set more than one campaign owner; just be sure anyone you add has the Campaign Administrator or Super Administrator user role in ConductorOne.

    • Review policy: The campaign’s default review policy. If needed, you’ll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.

  4. Click Continue. The template is created.

  5. Optional. If you’d like to use a Slack channel for communication about the campaigns created by this template, click Add Slack channel. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create.

    When a new campaign made from this template starts, all campaign owners and users assigned access reviews will be automatically added to this channel.

    When new campaign instances are created from this template, you’ll have a chance to change the Slack channel before starting the campaign.

Step 2: Choose what to review

Next, build a list of the resources that campaigns made from this template will review.

  1. On the Scope tab of your template, find the Apps and resources section of the page and click Make selections.

    • To run a UAR on user access to applications, click Review application access and select apps, then click Save.

      OR

    • To run a UAR on user access to specific permissions, click Review specific resources and select resources, then click Save.

    You cannot mix selections from the two tabs in a single campaign. If you want to review both application access and specific non-access resources in a single campaign, select Review specific resources and add the Credential resource type to the campaign.

  2. If you’re building a UAR reviewing specific resources, click Edit scope to remove entitlements from the review or update the policy used to review specific entitlements. Click Apply changes when you’re finished.

  3. Optional. Find the User selection section of the page and click Make selections.

    If you don’t make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

    • Click Select specific users to build a list of users whose access will be reviewed, then click Save.

      OR

    • Click Select users by criteria to review users who match the criteria you set, then click Save.

      You can mix and match these options:

      • User status in ConductorOne

      • Direct reports of a manager

      • User profile attributes. For example, to run an access review campaign on all the AcmeApp users in your company with the job title “Engineer,” create the parameter User AcmeJob is Engineer.

  4. Optional. Find the Account parameters section of the page and click Make selections.

    If you don’t make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

    • Click Select accounts by criteria to review app accounts that match the criteria you set, then click Save.

      You can mix and match these options:

      • No account owner

      • Account status

      • Account type

  5. Optional. Find the Grant parameters section of the page and click Make selections.

    If you don’t make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

    • Click Select grants by criteria to review only the access grants that match the criteria you set, then click Save.

      You can mix and match these options:

      • New grants added within the time period you select

      • Temporary (time-limited) or permanent grants

      • Grants that have not been used in the time period you select (this information is not available for all applications)

A summary of your choices is shown on the Scope tab. Click Validate scope at any time to generate a report showing a preview of a campaign made from the template based on the current scope.

Once you’re satisfied with your selections, move on to the next step.

Step 3: Schedule upcoming or recurring campaigns

You can set the template to create instances of the campaign on a date in the future or on a recurring schedule. You can also create an on-demand instance of the campaign at any time.

Want to create a campaign from this template right now? On the Campaigns tab, click Create campaign to create an on-demand draft campaign from the template.

  1. Return to the Configuration tab.

  2. Optional. If you’d like to automatically create draft instances of this campaign, either once on a date in the future or regularly on a set schedule, go to the Schedule area of the page and click Edit.

    1. Set the schedule toggle to On.

    2. Choose the date you want a draft instance of this campaign to be created.

    3. Using the Frequency selector, choose a frequency option to automatically create recurring instances of the campaign, beginning on the date you chose and recurring at the frequency you set.

      Choose None if you only want to create a single scheduled instance of the campaign on the date you chose.

    4. Click Save.

New campaign drafts will be created on the schedule you set. The template’s owners will be notified by email that a new draft campaign has been set up.

Step 4: Review and start a campaign created from a template

When a new campaign is created from the template, it is shown on the template’s Campaigns tab and also added to the Drafts tab.

Edit the campaign as needed, then follow Steps 3 and 4 in Create a new campaign to prepare and start the campaign.

Frequently asked questions about creating campaigns

What happens if I add an empty entitlement to the campaign?

In short, nothing. If you select a resource for your campaign that does not have any grants on any of its entitlements, no review tasks will be created for the resource, as there is nothing to review. You can add these resources to your campaign without impact, or leave them out: it’s up to you.