Global settings
These tasks all require the Super Administrator role in ConductorOne.
Set attribute values
Create custom risk level and compliance framework tags (called attribute values), and apply these values to entitlements. You can then sort and select entitlements for access reviews and access profiles by compliance framework or risk level.
Step 1: Set your attribute values
Navigate to Admin > Settings > Tags.
In the Attribute values section of the page, click Edit.
In either the Compliance framework or Risk level field, type the name of the value you wish to add and press Enter.
Repeat the process, adding additional attribute values as needed. Click the x next to any value to delete it from the list.
If you delete a value that is currently in use in ConductorOne, that value will not be removed from any entitlements it is assigned to.
When you’re finished, click Save and confirm your action.
Step 2: Add attributes to entitlements
Navigate to Admin > Applications.
On the Managed apps tab, select an application and click Entitlements.
Click the name of an entitlement. On the Details tab, in the Attributes area of the page, click Edit.
Select the correct risk level for the entitlement, or select None.
If applicable, select any compliance frameworks that apply to the entitlement.
Click Save.
Repeat this process on each applicable entitlement.
That’s it! You can now filter entitlements by attribute when creating an access review campaign or access profile.
Send digest emails
Enable email digest notifications to automatically send users a daily or weekly summary of their open tasks.
Navigate to Admin > Settings > Notifications.
Click Edit.
Set the Email digest toggle to Yes, send email digest.
Choose the email digest frequency. You can send email digests every weekday, or weekly on Tuesdays. In either case, emails are sent between 9AM and 10AM Pacific time.
Click Save.
That’s it! Any user who has at least one open task will now receive a digest at the email address associated with their ConductorOne user.
Set trusted domains
If needed, you can set a list of domains trusted by your organization. Any accounts associated with a domain not on the trusted domain list will be marked External in ConductorOne.
Navigate to Admin > Settings > Organization.
In the Domains area of the page, click Edit.
Add a trusted domain (such as
example.com
) and press Enter. Repeat this process as needed.Subdomains are automatically included, so you don’t need to create separate entries for
hr.example.com
,sales.example.com
, anddesign.example.com
.Click Save.
That’s it! Accounts associated with a domain not explicitly marked as trusted will be tagged External when the connectors complete their next sync or when you refresh account data uploaded to ConductorOne in a spreadsheet or CSV file.
Configure session length
By default, ConductorOne sessions are set to 20 hours. Customize your organization’s session length to adhere to your internal security policies and best practices.
Navigate to Admin > Settings > SSO & Sessions.
In the Session configuration area of the page, click Edit.
Select the new maximum session length from the dropdown. Options range from 45 minutes to 20 hours.
Click Save.
That’s it! Your session length has been updated. ConductorOne will require all users in your organization to start new sessions every time the maximum length you selected elapses.
Configure global IP allow lists
To enhance security and ensure that ConductorOne is only accessed over trusted networks, configure the global IP allow list. You can fine-tune the allowed IP ranges by category to adhere to your organization’s best practices for network and API key security.
Navigate to Admin > Settings > SSO & Sessions.
In the Global IP allow list configuration area of the page, click Edit.
Enable the toggles for each allow list you want to configure:
- SSO sessions for all users
- SSO sessions for users with the Super Administrator user role
- API keys for all users
- API keys with Super Administrator-level user permissions
- API keys used for configuring connectors
All allow lists are opt-in: any category that is not enabled will not place any limits on IP addresses.
For each category you’ve enabled, enter the allowed IP ranges (CIDRs). Up to 32 CIDRs are accepted.
As a safeguard against locking yourself out of the system, ConductorOne displays a banner showing whether your current IP address is allowed or denied access.
If you accidentally lock yourself out, contact the ConductorOne support team.
- When you’ve finished adding allowed IP ranges, click Save. Changes may take up to 60 seconds to take effect.
Frequently asked questions about global IP allow lists
What happens if I save an empty allow list? Saving an empty allow list means “no IP addresses are allowed,” which effectively blocks all access. This can be used strategically: for example, you could disable the ability to create API keys with Super Administrator-level user permissions by saving an empty allow list for this category.
Can I block a specific IP range? No, only explicit allow lists are supported. If the IP range is not included in an allow list, is is effectively banned.
If an allow list is configured for both SSO sessions and API keys, which is evaluated first? API keys that have a source IP allow list are evaluated first, followed by other types of access.