diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx index 5e0211b..f536b1f 100644 --- a/product/admin/campaigns.mdx +++ b/product/admin/campaigns.mdx @@ -74,6 +74,12 @@ Fill out the form, providing the following information: - **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign. + - **Review type:** Select the type of access review campaign you want to run: + + - **Entitlements**: Review user access to specific entitlements or applications. This is the most common type of campaign. + + - **Access conflicts**: Review user access that has triggered a violation in one of your enabled conflict monitors. This is a great option for quickly remediating high-risk access issues identified by your conflict monitors. + - **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner. Each owner must have the Campaign Administrator or Super Administrator user role in ConductorOne. - **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process. 
@@ -83,152 +89,175 @@ Click **Continue**. The campaign is created. -### Step 2: Choose what to review - -Next, define the scope of resources that your campaign will review. - +### Step 2: Configure how the campaign will run -On the **Scope** tab of your campaign, click the **Apps and resources** section to make initial scoping selections. Available scope types: +On the new campaign's **Configuration** tab, review and update the details you've entered so far. + + +If you want to provide any instructions to reviewers about how to complete access reviews in this campaign, click **Edit** and enter the instructions in the **Review instructions** field. - - **Review specific resources** — Use this option to review access to specific permissions. If you use this option, you can edit the scope to remove entitlements from the review or update the policy used to review specific entitlements. + The instructions you enter will be displayed to all reviewers at the top of the page where they complete their access reviews. You can format your instructions using Markdown to add emphasis, links, and structure. + + +If you want all reviewers to receive their campaign tasks in the same format, select a **Default access review view**: - - **Review application access** — Use this option to review access to specific applications. + - **By application:** review access to one application at a time - - **Review resource types** — Use this option to review all resources of a given type within a specific application (such as all groups within Slack). + - **By user:** review one user's access at a time - - **Review access conflicts** — Review access violations associated with users, based on your configured [conflict monitors](/product/admin/access-conflicts). Use this option to run a targeted review of users who hold combinations of access that violate separation of duties (SoD) policies. 
+ - **Unstructured:** all the assigned reviews together in one list - - **Reviewing access conflicts?** You must have at least one enabled [conflict monitor](/product/admin/access-conflicts) configured before you can scope a campaign by access conflicts. - + If a default view is selected, each reviewer's access reviews will open in that view, but individual reviewers can switch to a different view if desired. + + +By default, all campaign tasks will be created using the review policy you chose. If instead you want campaign tasks to use the review policies set on the entitlements or apps in the campaign, click **Edit** and click to turn on **Use preferred review policies**. - - **You can only use one scope type per campaign.** If you want to review both application access and specific resources in a single campaign, select **Review specific resources** and add the relevant entitlements. - + If this option is enabled, ConductorOne will apply policies using this order of precedence: entitlement, application, campaign. - + +By default, campaigns are started and ended manually. If you want to automatically start or end the campaign, find the **Schedule** section of the page and click **Edit**. -To further refine the scope of your campaign, you can filter by user, account, and/or grant criteria. If you do not make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. + - To automatically start the campaign on a specific date and time, click to turn on **Automatically start campaign**, then set the scheduled start date. -**Optional. User selection:** Find the **User selection** section of the page and click **Make selections**. If you want to narrow the focus of the UAR: + - If the campaign is set to automatically start, choose whether to proceed with auto-start if there are unresolved campaign data accuracy issues. Campaign owners will be notified of any data accuracy issues when they are discovered. 
- - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. + - To automatically end the campaign on a specific date, click to turn on **Automatically end campaign**, then set the date. - **OR** + - If the campaign is set to automatically end, choose whether incomplete reviews will be revoked or skipped when the campaign ends. + + +In the **Notifications and reporting** section, you can configure what notifications the campaign will automatically generate: - - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**. + * Notify all reviewers with assigned review tasks when the campaign begins - You can mix and match these options: + * Notify all campaign owners and reviewers when the campaign ends - - User status in ConductorOne + * When the campaign is complete, generate a campaign report and notify all campaign owners when it's ready for download - - Direct reports of a manager + If you do not pre-configure these options here, you'll have another chance to send out notifications and generate a report when ending the campaign. + + +If you want to use a Slack channel for communication about this campaign, click **Add Slack channel**. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create. - - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. + All campaign owners and users assigned access reviews will be automatically added to this channel when the campaign starts. 
- - Exclude users in specific groups from the campaign + + **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you configure it here, or the notifications won't be delivered. + + + - **OR** +### Step 3: Choose what to review - - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid. +Next, build a list of the resources that your campaign will review. -**Optional. Account parameters:** Find the **Account parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR: + + +On the **Scope** tab of your campaign, find the **Apps and resources** section of the page and click **Make selections**. - - Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**. + - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**. - You can mix and match these options: + When selecting specific resources, you can use the filter bar to narrow results by **Application**, **Resource type**, **Risk level**, and **Compliance framework**. Select one or more values for any filter to find matching entitlements. Filters use **OR** logic within a single filter type and **AND** logic across filter types. For example, selecting risk levels "High" and "Critical" along with compliance framework "SOX" returns entitlements that are (High OR Critical) AND (SOX). - - No account owner + **OR** - - Account status + - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**. 
- - Account type + **OR** - - Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization) + - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. - **OR** + **OR** - - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the accounts you want to review. The expression must return a list of accounts to be valid. + - To run a UAR on all entitlements that match a certain risk level or compliance framework, click **By criteria** and select the relevant risk levels and compliance frameworks, then click **Save**. The campaign will include all entitlements that match the criteria you select when you prepare the campaign. -**Optional. Grant parameters:** Find the **Grant parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR: + + **You cannot mix selections from the four tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + - - Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**. + + **Don't see risk level or compliance framework values in the filter dropdowns?** You must first create attribute values in **Settings** > **Tags** and assign them to entitlements. See [Setting entitlement attributes](/product/admin/managing-entitlements#setting-entitlement-attributes) for details. 
+ + + +If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. - You can mix and match these options: + + ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) + + + +**Optional.** Find the **User selection** section of the page and click **Make selections**. - - New grants added within the time period you select or between two specific dates + If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - - Temporary (time-limited) or permanent grants + - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. - - Grants that have not been used in the time period you select (this information is not available for all applications) + **OR** - - Direct grants (permissions assigned directly to users) or inherited grants (permissions assigned to a group or role, which are "inherited" by users assigned to that group or role) + - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**. - - Grants sourced from access profiles (check the box to exclude these grants from your campaign) + You can mix and match these options: -A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope. + - User status in ConductorOne -Once you're satisfied with your selections, move on to the next step. + - Direct reports of a manager -### Step 3: Configure how the campaign will run - - -On the new campaign's **Configuration** tab, review and update the details you've entered so far. 
- - -If you want to provide any instructions to reviewers about how to complete access reviews in this campaign, click **Edit** and enter the instructions in the **Review instructions** field. + - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. + + - Exclude users in specific groups from the campaign + + **OR** + + - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid. - The instructions you enter will be displayed to all reviewers at the top of the page where they complete their access reviews. You can format your instructions using Markdown to add emphasis, links, and structure. -If you want all reviewers to receive their campaign tasks in the same format, select a **Default access review view**: +**Optional.** Find the **Account parameters** section of the page and click **Make selections**. - - **By application:** review access to one application at a time + If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - - **By user:** review one user's access at a time + - Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**. - - **Unstructured:** all the assigned reviews together in one list + You can mix and match these options: - If a default view is selected, each reviewer's access reviews will open in that view, but individual reviewers can switch to a different view if desired. - - -By default, all campaign tasks will be created using the review policy you chose. 
If instead you want campaign tasks to use the review policies set on the entitlements or apps in the campaign, click **Edit** and click to turn on **Use preferred review policies**. + - No account owner - If this option is enabled, ConductorOne will apply policies using this order of precedence: entitlement, application, campaign. - - -By default, campaigns are started and ended manually. If you want to automatically start or end the campaign, find the **Schedule** section of the page and click **Edit**. + - Account status - - To automatically start the campaign on a specific date and time, click to turn on **Automatically start campaign**, then set the scheduled start date. + - Account type - - If the campaign is set to automatically start, choose whether to proceed with auto-start if there are unresolved campaign data accuracy issues. Campaign owners will be notified of any data accuracy issues when they are discovered. + - Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization) - - To automatically end the campaign on a specific date, click to turn on **Automatically end campaign**, then set the date. + **OR** + + - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the accounts you want to review. The expression must return a list of accounts to be valid. - - If the campaign is set to automatically end, choose whether incomplete reviews will be revoked or skipped when the campaign ends. -In the **Notifications and reporting** section, you can configure what notifications the campaign will automatically generate: +**Optional.** Find the **Grant parameters** section of the page and click **Make selections**. 
- * Notify all reviewers with assigned review tasks when the campaign begins + If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - * Notify all campaign owners and reviewers when the campaign ends + - Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**. - * When the campaign is complete, generate a campaign report and notify all campaign owners when it's ready for download + You can mix and match these options: - If you do not pre-configure these options here, you'll have another chance to send out notifications and generate a report when ending the campaign. - - -If you want to use a Slack channel for communication about this campaign, click **Add Slack channel**. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create. + - New grants added within the time period you select or between two specific dates - All campaign owners and users assigned access reviews will be automatically added to this channel when the campaign starts. + - Temporary (time-limited) or permanent grants - - **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you configure it here, or the notifications won't be delivered. - + - Grants that have not been used in the time period you select (this information is not available for all applications) + + - Direct grants (permissions assigned directly to users) or inherited grants (permissions assigned to a group or role, which are "inherited" by users assigned to that group or role) + + - Grants sourced from access profiles (check the box to exclude these grants from your campaign) +A summary of your choices is shown on the **Scope** tab. 
Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope. + +Once you're satisfied with your selections, move on to the next step. ### Step 4: Check data accuracy @@ -258,7 +287,7 @@ No. This information is presented for your awareness and to help you ensure that -When you're ready, click **Prepare campaign**. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Please be patient: depending on the size of the campaign, preparing it might take several minutes. +When you're ready, click **Prepare campaign**. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Depending on the size of the campaign, preparing it might take several minutes. **Your campaign is a snapshot of access data as it exists the moment you click this button.** Any access changes or updates to data sources that take place after you prepare the campaign will not be reflected in the campaign. 
@@ -339,6 +368,12 @@ Fill out the form, providing the following information: - **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run. + - **Review type:** Select the type of access review template you want to create: + + - **Entitlements**: Review user access to specific entitlements or applications. This is the most common type of campaign. + + - **Access conflicts**: Review user access that has triggered a violation in one of your enabled conflict monitors. This is a great option for quickly remediating high-risk access issues identified by your conflict monitors. + - **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner, just be sure anyone you add has the Campaign Administrator or Super Administrator user role in ConductorOne. - **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process. 
@@ -348,17 +383,7 @@ Click **Continue**. The template is created. -### Step 2: Choose what to review - -The scope options for templates are the same as for single campaigns. On the **Scope** tab of your template, configure the apps, resources, and filtering criteria for campaigns created from this template. - -See [Step 2: Choose what to review](/product/admin/campaigns#step-2-choose-what-to-review) above for details on each scope type and filtering option. - -A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. - -Once you're satisfied with your selections, move on to the next step. - -### Step 3: Configure how campaigns created from this template will run +### Step 2: Configure how campaigns created from this template will run You can set the template to create instances of the campaign on a date in the future or on a recurring schedule. You can also create an on-demand instance of the campaign at any time. 
@@ -444,6 +469,122 @@ If you want to use a Slack channel for communication about this campaign, click +### Step 3: Choose what to review + +Next, build a list of the resources that campaigns made from this template will review. + + + +On the **Scope** tab of your template, find the **Apps and resources** section of the page and click **Make selections**. + + - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**. + + When selecting specific resources, you can use the filter bar to narrow results by **Application**, **Resource type**, **Risk level**, and **Compliance framework**. Select one or more values for any filter to find matching entitlements. Filters use **OR** logic within a single filter type and **AND** logic across filter types. For example, selecting risk levels "High" and "Critical" along with compliance framework "SOX" returns entitlements that are (High OR Critical) AND (SOX). + + **OR** + + - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**. + + **OR** + + - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. + + **OR** + + - To run a UAR on all entitlements that match a certain risk level or compliance framework, click **By criteria** and select the relevant risk levels and compliance frameworks, then click **Save**. The campaign will include all entitlements that match the criteria you select when you prepare the campaign. 
+ + + **You cannot mix selections from the four tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + + + + **Don't see risk level or compliance framework values in the filter dropdowns?** You must first create attribute values in **Settings** > **Tags** and assign them to entitlements. See [Setting entitlement attributes](/product/admin/managing-entitlements#setting-entitlement-attributes) for details. + + + +If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. + + + ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) + + + +**Optional.** Find the **User selection** section of the page and click **Make selections**. + + If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + + - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. + + **OR** + + - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**. + + You can mix and match these options: + + - User status in ConductorOne + + - Direct reports of a manager + + - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. + + +**Optional.** Find the **Account parameters** section of the page and click **Make selections**. 
+ + If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + + - Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**. + + You can mix and match these options: + + - No account owner + + - Account status + + - Account type + + - Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization) + + + +**Optional.** Find the **Grant parameters** section of the page and click **Make selections**. + + If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + + - Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**. + + You can mix and match these options: + + - New grants added within the time period you select or between two specific dates + + - Temporary (time-limited) or permanent grants + + - Grants that have not been used in the time period you select (this information is not available for all applications) + + - Direct grants (permissions assigned directly to users) or inherited grants (permissions assigned to a group or role, which are "inherited" by users assigned to that group or role) + + - Grants sourced from access profiles (check the box to exclude these grants from your campaign) + + +A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. + +Once you're satisfied with your selections, move on to the next step. 
+ +#### Dynamic scope re-evaluation for tag-filtered templates + +When you use risk level or compliance framework filters to select entitlements for a campaign template, ConductorOne saves the **filter criteria** rather than a fixed list of entitlements. Each time a campaign is created from the template and prepared, the system re-evaluates the tag criteria against the current state of your entitlements. This means: + +- Entitlements that have been tagged since the template was last configured are **automatically included** in the next campaign. +- Entitlements that have had tags removed are **automatically excluded**. +- You do not need to manually update the template scope when entitlement tags change. + + +Use **Validate scope** before preparing a campaign to review which entitlements currently match the template's tag criteria and confirm the scope is as expected. + + + +Tag-based scope filtering applies only to [entitlement attribute values](/product/admin/managing-entitlements#setting-entitlement-attributes) (risk level and compliance framework). Custom tags are not supported for campaign scoping. + + ### Step 4: Review and start a campaign created from a template When a new campaign is created from the template, it is shown on the template's **Campaigns** tab and also added to the **Drafts** tab. 
@@ -459,6 +600,15 @@ In short, nothing. If you select a resource for your campaign that does not have Yes, you can! Go to the running campaign's **Configuration** tab and add or edit the campaign instructions. Reviewers will see the new version of the instructions as soon as you click **Save**. + +If your campaign template scope is filtered by risk level or compliance framework, newly tagged entitlements are automatically included the next time a campaign is created from the template and prepared. ConductorOne saves the tag criteria, not a static list, so the scope is re-evaluated against current entitlement tags at each campaign preparation. + + +Tag-based filtering is used to narrow the list of entitlements shown when selecting specific resources. You select entitlements from the filtered results, and for campaign templates, the filter criteria are saved for dynamic re-evaluation. You cannot mix manually selected individual entitlements with a purely tag-driven dynamic scope in the same campaign. + + +You can filter entitlements by **risk level** and **compliance framework** — these are the built-in entitlement attribute types in ConductorOne. To use these filters, first create attribute values in **Settings** > **Tags** and assign them to your entitlements. See [Setting entitlement attributes](/product/admin/managing-entitlements#setting-entitlement-attributes) for setup instructions. + No. The scope type you choose when creating a campaign cannot be changed afterward. If you need a different scope type, create a new campaign.
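Review bot: In the `@@ -74,6 +74,12 @@` hunk, the new **Access conflicts** review type loses the prerequisite that the old scope text carried: the removed admonition "You must have at least one enabled conflict monitor configured before you can scope a campaign by access conflicts" and its link to `/product/admin/access-conflicts` have no replacement, so a reader who selects this type without a monitor has no warning. Add a sentence under the bullet (for example "Requires at least one enabled [conflict monitor](/product/admin/access-conflicts).") and, since the Step 3 scope section now describes only the four entitlement tabs, state there how scope is determined when the review type is Access conflicts.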
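Review bot: In the `@@ -83,152 +89,175 @@` hunk, the sentence "If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type" introduces two undefined terms: "non-access resources" is not used anywhere else on the page, and the mapping from "application access" to the **Credential** resource type is not explained. Name the resource kinds plainly (the old text said "application access and specific resources") and add a clause saying that an app's access is represented by its Credential resource type, so the instruction is actionable. Also note that swapping the Step 2 / Step 3 headings changes their generated anchors: `#step-2-choose-what-to-review` and `#step-3-configure-how-the-campaign-will-run` no longer exist, so grep the docs repo for inbound links to both and add redirects if the site supports them.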
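Review bot: In the `@@ -339,6 +368,12 @@` hunk, the **Review type** bullets are a verbatim copy of the ones added to the single-campaign form, including the same gap (no mention that an enabled conflict monitor must exist before **Access conflicts** can be used). Consider pulling the two copies into a shared MDX snippet so they cannot drift, and fix the prerequisite once there.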
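Review bot: In the `@@ -348,17 +383,7 @@` hunk, removing "See [Step 2: Choose what to review](/product/admin/campaigns#step-2-choose-what-to-review) above" and replacing it later with a full copy of the scope instructions means the file now has two headings with identical text, `### Step 3: Choose what to review`, in the single-campaign and template sections. Depending on the site's slugger the second will get an auto-suffixed anchor, which is fragile for deep links and breaks silently if the sections are reordered again. Either keep a cross-link from the template section to the single-campaign scope step (as before) and document only the template-specific differences, or give the template heading distinct text such as "Step 3: Choose what campaigns from this template will review".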
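Review bot: In the `@@ -444,6 +469,122 @@` hunk, the template's **User selection** list omits two options present in the single-campaign Step 3 added in the same change: the "Exclude users in specific groups from the campaign" bullet and the "**OR** Click **CEL expression**" alternative; **Account parameters** likewise omits the CEL expression option. If templates support these, copy them over; if they do not, say so explicitly, because a reader comparing the two sections will read the omission as a missing capability. Two further points in the **Dynamic scope re-evaluation** subsection: the bullet "Entitlements that have had tags removed are **automatically excluded**" should carry a caveat that a tag change silently narrows a recurring review's coverage without any edit to the template, so campaign owners should treat the **Validate scope** report as a control step before each preparation and treat entitlement tag changes as something to audit; and the opening sentence "When you use risk level or compliance framework filters to select entitlements" reads as covering both the **By criteria** tab and the filter bar under **Review specific resources**, so state which of the two produces a saved-criteria scope. Minor: the screenshot alt text says "the Scope tab of a campaign" but this copy sits in the template section.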
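Review bot: In the `@@ -459,6 +600,15 @@` hunk, the second new answer contradicts the Step 3 text: "Tag-based filtering is used to narrow the list of entitlements shown when selecting specific resources. You select entitlements from the filtered results, and for campaign templates, the filter criteria are saved for dynamic re-evaluation" implies that a hand-picked selection made from filtered results becomes dynamic, while Step 3 presents **By criteria** as the dynamic tab and the same answer then says "You cannot mix manually selected individual entitlements with a purely tag-driven dynamic scope". Rewrite the answer to name the tab that yields a saved-criteria scope and to say plainly that a filtered-then-selected list under **Review specific resources** is stored as a fixed list. The first new answer also restates the **Dynamic scope re-evaluation** subsection nearly verbatim; a one-line answer linking to that subsection would avoid the two drifting apart.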