[Demo] ConductorOne's Policy Engine

ConductorOne docs

Global settings

Configure global settings such as attribute values, the length of ConductorOne sessions, and digest notifications.

These tasks all require the Super Administrator role in ConductorOne.

Set attribute values

Create custom risk level and compliance framework tags (called attribute values), and apply these values to entitlements. You can then sort and select entitlements for access reviews and access profiles by compliance framework or risk level.

Step 1: Set your attribute values

  1. Navigate to Admin > Settings > Tags.

  2. In the Attribute values section of the page, click Edit.

  3. In either the Compliance framework or Risk level field, type the name of the value you wish to add and press Enter.

  4. Repeat the process, adding additional attribute values as needed. Click the x next to any value to delete it from the list.

    If you delete a value that is currently in use in ConductorOne, that value will not be removed from any entitlements it is assigned to.

  5. When you’re finished, click Save and confirm your action.

Step 2: Add attributes to entitlements

  1. Navigate to Admin > Applications.

  2. On the Managed apps tab, select an application and click Entitlements.

  3. Select an entitlement. On the Details tab, in the Attributes area of the page, click Edit.

  4. Select the correct risk level for the entitlement, or select None.

  5. If applicable, select any compliance frameworks that apply to the entitlement.

  6. Click Save.

  7. Repeat this process on each applicable entitlement.

That’s it! You can now filter entitlements by attribute when creating an access review campaign or access profile.

Send digest emails

Enable email digest notifications to automatically send users a daily or weekly summary of their open tasks.

  1. Navigate to Admin > Settings > Notifications.

  2. Click Edit.

  3. Set the Email digest toggle to Yes, send email digest.

  4. Choose the email digest frequency. You can send email digests every weekday, or weekly on Tuesdays. In either case, emails are sent between 9AM and 10AM Pacific time.

  5. Click Save.

That’s it! Any user who has at least one open task will now receive a digest at the email address associated with their ConductorOne user.

Configure session length

By default, ConductorOne sessions are set to 20 hours. Customize your organization’s session length to adhere to your internal security policies and best practices.

  1. Navigate to Admin > Settings > SSO & Sessions.

  2. In the Session configuration area of the page, click Edit.

  3. Select the new maximum session length from the dropdown. Options range from 45 minutes to 20 hours.

  4. Click Save.

That’s it! Your session length has been updated. ConductorOne will require all users in your organization to start new sessions every time the maximum length you selected elapses.

Configure global IP allow lists

To enhance security and ensure that ConductorOne is only accessed over trusted networks, configure the global IP allow list. You can fine-tune the allowed IP ranges by category to adhere to your organization’s best practices for network and API key security.

  1. Navigate to Admin > Settings > SSO & Sessions.

  2. In the Global IP allow list configuration area of the page, click Edit.

  3. Enable the toggles for each allow list you want to configure:

    • SSO sessions for all users
    • SSO sessions for users with the Super Administrator user role
    • API keys for all users
    • API keys with Super Administrator-level user permissions
    • API keys used for configuring connectors

    All allow lists are opt-in: any category that is not enabled will not place any limits on IP addresses.

  4. For each category you’ve enabled, enter the allowed IP ranges (CIDRs). Up to 32 CIDRs are accepted.

    As a safeguard against locking yourself out of the system, ConductorOne displays a banner showing whether your current IP address is allowed or denied access.

    If you accidentally lock yourself out, contact the ConductorOne support team.

  1. When you’ve finished adding allowed IP ranges, click Save. Changes may take up to 60 seconds to take effect.

Frequently asked questions about global IP allow lists

What happens if I save an empty allow list? Saving an empty allow list means “no IP addresses are allowed,” which effectively blocks all access. This can be used strategically: for example, you could disable the ability to create API keys with Super Administrator-level user permissions by saving an empty allow list for this category.

Can I block a specific IP range? No, only explicit allow lists are supported. If the IP range is not included in an allow list, is is effectively banned.

If an allow list is configured for both SSO sessions and API keys, which is evaluated first? API keys that have a source IP allow list are evaluated first, followed by other types of access.