
ConductorOne docs

Global settings

Configure global settings such as attribute values, the length of ConductorOne sessions, and digest notifications.

These tasks all require the Super Administrator role in ConductorOne.

Set attribute values

Create custom risk level and compliance framework tags (called attribute values), and apply these values to entitlements. You can then sort and select entitlements for access reviews and access profiles by compliance framework or risk level.

Step 1: Set your attribute values

  1. In the navigation panel, open Admin and click Settings.

  2. On the Attribute values tab, click Edit.

  3. In either the Compliance framework or Risk level field, type the name of the value you wish to add and press Enter.

  4. Repeat the process, adding additional attribute values as needed. Click the x next to any value to delete it from the list.

    If you delete a value that is currently in use in ConductorOne, that value will not be removed from any entitlements it is assigned to.

  5. When you’re finished, click Save and confirm your action.

Step 2: Add attributes to entitlements

  1. In the navigation panel, click Applications.

  2. On the Managed apps tab, select an application and click Entitlements.

  3. Select an entitlement. On the Details tab, in the Attributes area of the page, click Edit.

  4. Select the correct risk level for the entitlement, or select None.

  5. If applicable, select any compliance frameworks that apply to the entitlement.

  6. Click Save.

  7. Repeat this process on each applicable entitlement.

That’s it! You can now filter entitlements by attribute when creating an access review campaign or access profile.

Send digest emails

Enable email digest notifications to automatically send users a daily or weekly summary of their open tasks.

  1. In the ConductorOne navigation panel, open Admin and click Settings.

  2. In the Notifications area of the page, click Edit.

  3. Set the Email digest toggle to Yes, send email digest.

  4. Choose the email digest frequency. You can send email digests every weekday, or weekly on Tuesdays. In either case, emails are sent between 9AM and 10AM Pacific time.

  5. Click Save.

That’s it! Any user who has at least one open task will now receive a digest at the email address associated with their ConductorOne user.

Configure session length

By default, ConductorOne sessions are set to 20 hours. Customize your organization’s session length to adhere to your internal security policies and best practices.

  1. In the navigation panel, open Admin and click Settings > SSO & Sessions.

  2. In the Session configuration area of the page, click Edit.

  3. Select the new maximum session length from the dropdown. Options range from 45 minutes to 20 hours.

  4. Click Save.

That’s it! Your session length has been updated. ConductorOne will require all users in your organization to start new sessions every time the maximum length you selected elapses.

Configure global IP allow lists

To enhance security and ensure that ConductorOne is only accessed over trusted networks, configure the global IP allow list. You can fine-tune the allowed IP ranges by category to adhere to your organization’s best practices for network and API key security.

  1. In the navigation panel, open Admin and click Settings > SSO & Sessions.

  2. In the Global IP allow list configuration area of the page, click Edit.

  3. Enable the toggles for each allow list you want to configure:

    • SSO sessions for all users
    • SSO sessions for users with the Super Administrator user role
    • API keys for all users
    • API keys with Super Administrator-level user permissions
    • API keys used for configuring connectors

    All allow lists are opt-in: any category that is not enabled will not place any limits on IP addresses.

  4. For each category you’ve enabled, enter the allowed IP ranges (CIDRs). Up to 32 CIDRs are accepted.

    As a safeguard against locking yourself out of the system, ConductorOne displays a banner showing whether your current IP address is allowed or denied access.

    If you accidentally lock yourself out, contact the ConductorOne support team.

  5. When you’ve finished adding allowed IP ranges, click Save. Changes may take up to 60 seconds to take effect.

Frequently asked questions about global IP allow lists

What happens if I save an empty allow list? Saving an empty allow list means “no IP addresses are allowed,” which effectively blocks all access. This can be used strategically: for example, you could disable the ability to create API keys with Super Administrator-level user permissions by saving an empty allow list for this category.

Can I block a specific IP range? No, only explicit allow lists are supported. If the IP range is not included in an allow list, it is effectively banned.

If an allow list is configured for both SSO sessions and API keys, which is evaluated first? API keys that have a source IP allow list are evaluated first, followed by other types of access.
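The allow-list semantics described above (opt-in categories, an empty list denying everything, the 32-CIDR limit) can be checked against a planned configuration before saving it. The following is an added example, not ConductorOne code or its API: the category keys, the dictionary shape, and the sample addresses are constructed for illustration, and rejecting CIDRs with host bits set is a choice made by this script.

```python
import ipaddress

MAX_CIDRS = 32  # per-category limit stated in the steps above

def validate_allow_list(cidrs):
    """Parse a category's CIDRs; raise ValueError if the list is too long or malformed."""
    if len(cidrs) > MAX_CIDRS:
        raise ValueError(f"{len(cidrs)} CIDRs given, at most {MAX_CIDRS} are accepted")
    # strict=True (this script's choice) flags likely typos such as 10.0.0.5/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def is_allowed(ip, category):
    """category is a hypothetical local shape: {'enabled': bool, 'cidrs': [str, ...]}."""
    if not category["enabled"]:
        return True  # opt-in: a category that is not enabled places no limit
    nets = validate_allow_list(category["cidrs"])
    addr = ipaddress.ip_address(ip)
    # An enabled but empty list matches nothing, so every address is denied.
    return any(addr.version == n.version and addr in n for n in nets)

def lockout_report(ip, plan):
    """Return the categories in the planned configuration that would deny this IP."""
    return sorted(name for name, cat in plan.items() if not is_allowed(ip, cat))

# Constructed plan using documentation-reserved address ranges.
PLAN = {
    "sso_all_users":        {"enabled": True,  "cidrs": ["203.0.113.0/24", "2001:db8::/32"]},
    "sso_super_admin":      {"enabled": True,  "cidrs": ["203.0.113.16/28"]},
    "api_keys_all_users":   {"enabled": False, "cidrs": []},
    "api_keys_super_admin": {"enabled": True,  "cidrs": []},  # empty: blocks all access
    "api_keys_connectors":  {"enabled": True,  "cidrs": ["198.51.100.0/24"]},
}

if __name__ == "__main__":
    for ip in ("203.0.113.20", "203.0.113.40"):
        print(ip, "would be denied by:", lockout_report(ip, PLAN))
```

Run it with the administrator's current egress IP before clicking Save; any SSO category in the report is one that would lock that address out.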

Delegate a user’s tasks

Set a delegate for a user who should not or cannot be assigned ConductorOne tasks. Tasks will be automatically reassigned to the delegated user unless the task’s policy doesn’t allow delegation.

When should I set a delegate?

In some cases, you might not want to assign ConductorOne tasks or send the corresponding notifications to certain users. For example, if a policy assigns access review or access request tasks to an executive, you might want to automatically redirect those tasks to a lower-level employee. If an employee is on extended leave, you might want to delegate their tasks to a colleague or manager until they return. In cases like these, you can set a delegate for the user.

Set a delegate for a user

  1. In the navigation panel, open Admin and click Users.

  2. Locate and click the name of the user you want to set up a delegate for.

  3. In the Delegation area of the page, click Edit.

  4. Locate and select the user to whom you want to delegate tasks. Only one delegate per user is allowed.

  5. Click Save.

New tasks will now be automatically reassigned to the user’s delegate, except when prevented by policy rules. Each task’s audit log will contain an entry showing the delegation reassignment. All email and Slack notifications for the task will also be sent to the delegate, and not to the original user.

Delegation in policy rules

Policies allow delegation by default, but this setting can be changed. If a user with a delegate is assigned a task that was created using a policy that does not allow delegation, then the user, not their delegate, will be assigned the task and will receive notifications about it.

To review or update a policy’s delegation rules:

  1. In the navigation panel, open Admin and click Policies.

  2. Click the name of the policy you want to review.

  3. In the Details area of the page, find the Delegation entry, which shows whether delegation is allowed by this policy.

  4. To change the delegation rules, click Edit on the Details area and check or uncheck the Automatically reassign tasks to delegates option, then click Save.