From 313bdb9a2cfb729000822e97cff9534df10b9284 Mon Sep 17 00:00:00 2001
From: "c1-dev-bot[bot]" <2740113+c1-dev-bot[bot]@users.noreply.github.com>
Date: Thu, 5 Mar 2026 23:34:48 +0000
Subject: [PATCH 1/4] docs: add dynamic campaign scoping by entitlement tags

Document the ability to filter campaign scope by risk level and compliance
framework entitlement tags, including:
- Tag filter options in the resource selection flow for both single campaigns and templates
- Filter logic (OR within tag type, AND across tag types)
- Dynamic scope re-evaluation behavior for campaign templates
- Limitations (built-in tags only, no mixing with manual selection)
- FAQ entries for common tag scoping questions
- Cross-references to entitlement attribute setup documentation
- Remove duplicate step in template flow
---
 product/admin/campaigns.mdx | 96 ++++++++++++++++++++++++-------------
 1 file changed, 63 insertions(+), 33 deletions(-)

diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx
index d4397d9..b052d68 100644
--- a/product/admin/campaigns.mdx
+++ b/product/admin/campaigns.mdx
@@ -152,37 +152,43 @@ On the **Scope** tab of your campaign, find the **Apps and resources** section o - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**. - **OR** + When selecting specific resources, you can use the filter bar to narrow results by **Application**, **Resource type**, **Risk level**, and **Compliance framework**. Select one or more values for any filter to find matching entitlements. Filters use **OR** logic within a single filter type and **AND** logic across filter types. For example, selecting risk levels "High" and "Critical" along with compliance framework "SOX" returns entitlements that are (High OR Critical) AND (SOX). + + **OR** - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**. - **OR** + **OR** - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. - **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + + + + **Don't see risk level or compliance framework values in the filter dropdowns?** You must first create attribute values in **Settings** > **Tags** and assign them to entitlements. 
See [Setting entitlement attributes](/product/admin/managing-entitlements#setting-entitlement-attributes) for details. -If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. +If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) -**Optional.** Find the **User selection** section of the page and click **Make selections**. +**Optional.** Find the **User selection** section of the page and click **Make selections**. - If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. + - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. **OR** - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**. - You can mix and match these options: + You can mix and match these options: - User status in ConductorOne 
@@ -190,11 +196,11 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. - - Exclude users in specific groups from the campaign + - Exclude users in specific groups from the campaign **OR** - - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid. + - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid. 
@@ -456,53 +462,52 @@ Next, build a list of the resources that campaigns made from this template will On the **Scope** tab of your template, find the **Apps and resources** section of the page and click **Make selections**. - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**. - - **OR** + + When selecting specific resources, you can use the filter bar to narrow results by **Application**, **Resource type**, **Risk level**, and **Compliance framework**. Select one or more values for any filter to find matching entitlements. Filters use **OR** logic within a single filter type and **AND** logic across filter types. For example, selecting risk levels "High" and "Critical" along with compliance framework "SOX" returns entitlements that are (High OR Critical) AND (SOX). + + **OR** - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**. - **OR** + **OR** - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. - **You cannot mix selections from the three tabs in a single campaign.** - - If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + **You cannot mix selections from the three tabs in a single campaign.** + + If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. 
- - -If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. - - ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) - + + **Don't see risk level or compliance framework values in the filter dropdowns?** You must first create attribute values in **Settings** > **Tags** and assign them to entitlements. See [Setting entitlement attributes](/product/admin/managing-entitlements#setting-entitlement-attributes) for details. + -If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. +If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) -**Optional.** Find the **User selection** section of the page and click **Make selections**. +**Optional.** Find the **User selection** section of the page and click **Make selections**. - If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. 
+ - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. **OR** - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**. - You can mix and match these options: + You can mix and match these options: - User status in ConductorOne - Direct reports of a manager - - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. + - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. **Optional.** Find the **Account parameters** section of the page and click **Make selections**. 
@@ -542,15 +547,31 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r - Grants sourced from access profiles (check the box to exclude these grants from your campaign) -A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. +A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. + +Once you're satisfied with your selections, move on to the next step. -Once you're satisfied with your selections, move on to the next step. +#### Dynamic scope re-evaluation for tag-filtered templates + +When you use risk level or compliance framework filters to select entitlements for a campaign template, ConductorOne saves the **filter criteria** rather than a fixed list of entitlements. Each time a campaign is created from the template and prepared, the system re-evaluates the tag criteria against the current state of your entitlements. This means: + +- Entitlements that have been tagged since the template was last configured are **automatically included** in the next campaign. +- Entitlements that have had tags removed are **automatically excluded**. +- You do not need to manually update the template scope when entitlement tags change. + + +Use **Validate scope** before preparing a campaign to review which entitlements currently match the template's tag criteria and confirm the scope is as expected. + + + +Tag-based scope filtering applies only to [entitlement attribute values](/product/admin/managing-entitlements#setting-entitlement-attributes) (risk level and compliance framework). Custom tags are not supported for campaign scoping. 
+ ### Step 4: Review and start a campaign created from a template -When a new campaign is created from the template, it is shown on the template's **Campaigns** tab and also added to the **Drafts** tab. +When a new campaign is created from the template, it is shown on the template's **Campaigns** tab and also added to the **Drafts** tab. -Edit the campaign as needed, then follow Steps 3 through 5 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary). +Edit the campaign as needed, then follow Steps 3 through 5 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary). ## Frequently asked questions about creating campaigns 
@@ -559,7 +580,16 @@ Edit the campaign as needed, then follow Steps 3 through 5 in [Create a new camp In short, nothing. If you select a resource for your campaign that does not have any grants on any of its entitlements, no review tasks will be created for the resource, as there is nothing to review. You can add these resources to your campaign without impact, or leave them out: it's up to you. -Yes, you can! Go to the running campaign's **Configuration** tab and add or edit the campaign instructions. Reviewers will see the new version of the instructions as soon as you click **Save**. +Yes, you can! Go to the running campaign's **Configuration** tab and add or edit the campaign instructions. Reviewers will see the new version of the instructions as soon as you click **Save**. + + +If your campaign template scope is filtered by risk level or compliance framework, newly tagged entitlements are automatically included the next time a campaign is created from the template and prepared. ConductorOne saves the tag criteria, not a static list, so the scope is re-evaluated against current entitlement tags at each campaign preparation. + + +Tag-based filtering is used to narrow the list of entitlements shown when selecting specific resources. You select entitlements from the filtered results, and for campaign templates, the filter criteria are saved for dynamic re-evaluation. You cannot mix manually selected individual entitlements with a purely tag-driven dynamic scope in the same campaign. + + +You can filter entitlements by **risk level** and **compliance framework** — these are the built-in entitlement attribute types in ConductorOne. To use these filters, first create attribute values in **Settings** > **Tags** and assign them to your entitlements. See [Setting entitlement attributes](/product/admin/managing-entitlements#setting-entitlement-attributes) for setup instructions. From f24654a89e46021760b7ce57dc6493cd39d1670e Mon Sep 17 00:00:00 2001 
From: Mindy Moreland Date: Tue, 10 Mar 2026 13:22:29 -0700 Subject: [PATCH 2/4] docs: apply style guide fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove "please" from prepare campaign step - Fix missing closing tag (broken accordion nesting) - Fix step reference: "Steps 3 through 5" → "Steps 5 through 7" to match renumbered single-campaign steps Co-Authored-By: Claude Sonnet 4.6 --- product/admin/campaigns.mdx | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx index b0a2519..fcb7105 100644 --- a/product/admin/campaigns.mdx +++ b/product/admin/campaigns.mdx @@ -365,7 +365,7 @@ No. This information is presented for your awareness and to help you ensure that -When you're ready, click **Prepare campaign**. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Please be patient: depending on the size of the campaign, preparing it might take several minutes. +When you're ready, click **Prepare campaign**. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Depending on the size of the campaign, preparing it might take several minutes. **Your campaign is a snapshot of access data as it exists the moment you click this button.** Any access changes or updates to data sources that take place after you prepare the campaign will not be reflected in the campaign. 
@@ -669,7 +669,7 @@ Tag-based scope filtering applies only to [entitlement attribute values](/produc When a new campaign is created from the template, it is shown on the template's **Campaigns** tab and also added to the **Drafts** tab. -Edit the campaign as needed, then follow Steps 3 through 5 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary). +Edit the campaign as needed, then follow Steps 5 through 7 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary). ## Frequently asked questions about creating campaigns @@ -688,6 +688,7 @@ Tag-based filtering is used to narrow the list of entitlements shown when select You can filter entitlements by **risk level** and **compliance framework** — these are the built-in entitlement attribute types in ConductorOne. To use these filters, first create attribute values in **Settings** > **Tags** and assign them to your entitlements. See [Setting entitlement attributes](/product/admin/managing-entitlements#setting-entitlement-attributes) for setup instructions. + No. The scope type you choose when creating a campaign cannot be changed afterward. If you need a different scope type, create a new campaign. From 56ca7f86319a6d93c267335623c9cfe2c3469cb9 Mon Sep 17 00:00:00 2001 
From: Mindy Moreland Date: Tue, 10 Mar 2026 13:28:36 -0700 Subject: [PATCH 3/4] docs: remove redundancy and fix structure from merge conflict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove the old-style "Step 2: Choose what to review" prose block from the single campaign flow that was left over after the merge conflict; the new Step 3 (formerly Step 4) contains the same content in the proper structure with tag-filter documentation added - Renumber single campaign steps to be sequential: Steps 2–7 → Steps 2–6 - Remove the thin template "Step 2: Choose what to review" stub that cross-referenced the now-removed single campaign section; the full scope content is covered in the template's own Step 3 - Renumber template steps to be sequential: Steps 2–4 remain Steps 2–4 (Configure moves from Step 3 to Step 2; Choose what to review from Step 3 to Step 3; Review and start remains Step 4) - Update the cross-reference in template Step 4 from "Steps 5 through 7" to "Steps 4 through 6" to match the corrected single campaign numbering Co-Authored-By: Claude Sonnet 4.6 --- product/admin/campaigns.mdx | 116 +++--------------------------------- 1 file changed, 9 insertions(+), 107 deletions(-) diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx index fcb7105..50b1118 100644 --- a/product/admin/campaigns.mdx +++ b/product/admin/campaigns.mdx 
@@ -83,95 +83,7 @@ Click **Continue**. The campaign is created. -### Step 2: Choose what to review - -Next, define the scope of resources that your campaign will review. - - - -On the **Scope** tab of your campaign, click the **Apps and resources** section to make initial scoping selections. Available scope types: - - - **Review specific resources** — Use this option to review access to specific permissions. If you use this option, you can edit the scope to remove entitlements from the review or update the policy used to review specific entitlements. - - - **Review application access** — Use this option to review access to specific applications. - - - **Review resource types** — Use this option to review all resources of a given type within a specific application (such as all groups within Slack). - - - **Review access conflicts** — Review access violations associated with users, based on your configured [conflict monitors](/product/admin/access-conflicts). Use this option to run a targeted review of users who hold combinations of access that violate separation of duties (SoD) policies. - - - **Reviewing access conflicts?** You must have at least one enabled [conflict monitor](/product/admin/access-conflicts) configured before you can scope a campaign by access conflicts. - - - - **You can only use one scope type per campaign.** If you want to review both application access and specific resources in a single campaign, select **Review specific resources** and add the relevant entitlements. - - - - -To further refine the scope of your campaign, you can filter by user, account, and/or grant criteria. If you do not make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. - -**Optional. User selection:** Find the **User selection** section of the page and click **Make selections**. 
If you want to narrow the focus of the UAR: - - - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. - - **OR** - - - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**. - - You can mix and match these options: - - - User status in ConductorOne - - - Direct reports of a manager - - - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. - - - Exclude users in specific groups from the campaign - - **OR** - - - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid. - -**Optional. Account parameters:** Find the **Account parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR: - - - Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**. - - You can mix and match these options: - - - No account owner - - - Account status - - - Account type - - - Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization) - - **OR** - - - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the accounts you want to review. The expression must return a list of accounts to be valid. - -**Optional. Grant parameters:** Find the **Grant parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR: - - - Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**. 
- - You can mix and match these options: - - - New grants added within the time period you select or between two specific dates - - - Temporary (time-limited) or permanent grants - - - Grants that have not been used in the time period you select (this information is not available for all applications) - - - Direct grants (permissions assigned directly to users) or inherited grants (permissions assigned to a group or role, which are "inherited" by users assigned to that group or role) - - - Grants sourced from access profiles (check the box to exclude these grants from your campaign) - -A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope. - -Once you're satisfied with your selections, move on to the next step. - -### Step 3: Configure how the campaign will run +### Step 2: Configure how the campaign will run On the new campaign's **Configuration** tab, review and update the details you've entered so far. @@ -230,9 +142,9 @@ If you want to use a Slack channel for communication about this campaign, click -### Step 4: Choose what to review +### Step 3: Choose what to review -Next, build a list of the resources that your campaign will review. +Next, build a list of the resources that your campaign will review. @@ -337,7 +249,7 @@ A summary of your choices is shown on the **Scope** tab. Click **Validate scope* Once you're satisfied with your selections, move on to the next step. -### Step 5: Check data accuracy +### Step 4: Check data accuracy If any of your selections are sourced from connectors or file uploads that have not been updated recently, you'll see an indicator and a **Your campaign might have data accuracy issues** banner on the **Accuracy** tab. 
@@ -361,7 +273,7 @@ Click **Sync now** (for connectors) or **Replace file** (for file sources) to up No. This information is presented for your awareness and to help you ensure that your campaign's data is up to date. Resolving data accuracy warnings before proceeding is strongly recommended, but not required. -### Step 6: Prepare the campaign +### Step 5: Prepare the campaign @@ -376,7 +288,7 @@ Review the draft campaign's details. If necessary, you can make changes on the * -### Step 7: Start the campaign +### Step 6: Start the campaign If you've set up the campaign to automatically start, it will launch on the scheduled date. If not (or if you need to start the campaign sooner than the scheduled start date), follow these steps to start the campaign when you're ready: @@ -455,17 +367,7 @@ Click **Continue**. The template is created. -### Step 2: Choose what to review - -The scope options for templates are the same as for single campaigns. On the **Scope** tab of your template, configure the apps, resources, and filtering criteria for campaigns created from this template. - -See [Step 2: Choose what to review](/product/admin/campaigns#step-2-choose-what-to-review) above for details on each scope type and filtering option. - -A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. - -Once you're satisfied with your selections, move on to the next step. - -### Step 3: Configure how campaigns created from this template will run +### Step 2: Configure how campaigns created from this template will run You can set the template to create instances of the campaign on a date in the future or on a recurring schedule. You can also create an on-demand instance of the campaign at any time. 
@@ -553,7 +455,7 @@ If you want to use a Slack channel for communication about this campaign, click ### Step 3: Choose what to review -Next, build a list of the resources that campaigns made from this template will review. +Next, build a list of the resources that campaigns made from this template will review. @@ -669,7 +571,7 @@ Tag-based scope filtering applies only to [entitlement attribute values](/produc When a new campaign is created from the template, it is shown on the template's **Campaigns** tab and also added to the **Drafts** tab. -Edit the campaign as needed, then follow Steps 5 through 7 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary). +Edit the campaign as needed, then follow Steps 4 through 6 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary). ## Frequently asked questions about creating campaigns From 0c47eb1d9f2c7ca41dc1f8bc02802a4cffc89656 Mon Sep 17 00:00:00 2001 From: Mindy Moreland Date: Tue, 10 Mar 2026 15:22:02 -0700 Subject: [PATCH 4/4] last edits --- product/admin/campaigns.mdx | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx index 50b1118..f536b1f 100644 --- a/product/admin/campaigns.mdx +++ b/product/admin/campaigns.mdx 
@@ -74,6 +74,12 @@ Fill out the form, providing the following information: - **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign. + - **Review type:** Select the type of access review campaign you want to run: + + - **Entitlements**: Review user access to specific entitlements or applications. This is the most common type of campaign. + + - **Access conflicts**: Review user access that has triggered a violation in one of your enabled conflict monitors. This is a great option for quickly remediating high-risk access issues identified by your conflict monitors. + - **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner. Each owner must have the Campaign Administrator or Super Administrator user role in ConductorOne. - **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process. 
@@ -162,8 +168,12 @@ On the **Scope** tab of your campaign, find the **Apps and resources** section o - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. + **OR** + + - To run a UAR on all entitlements that match a certain risk level or compliance framework, click **By criteria** and select the relevant risk levels and compliance frameworks, then click **Save**. The campaign will include all entitlements that match the criteria you select when you prepare the campaign. + - **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + **You cannot mix selections from the four tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. 
@@ -358,6 +368,12 @@ Fill out the form, providing the following information: - **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run. + - **Review type:** Select the type of access review template you want to create: + + - **Entitlements**: Review user access to specific entitlements or applications. This is the most common type of campaign. + + - **Access conflicts**: Review user access that has triggered a violation in one of your enabled conflict monitors. This is a great option for quickly remediating high-risk access issues identified by your conflict monitors. + - **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner, just be sure anyone you add has the Campaign Administrator or Super Administrator user role in ConductorOne. - **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process. 
@@ -473,10 +489,12 @@ On the **Scope** tab of your template, find the **Apps and resources** section o - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. - - **You cannot mix selections from the three tabs in a single campaign.** + **OR** + + - To run a UAR on all entitlements that match a certain risk level or compliance framework, click **By criteria** and select the relevant risk levels and compliance frameworks, then click **Save**. The campaign will include all entitlements that match the criteria you select when you prepare the campaign. - If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + + **You cannot mix selections from the four tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
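
Review bot: PATCH 1/4 carries many remove/add pairs whose visible text is identical, for example "- **OR**" / "+ **OR**", the "If you're building a UAR reviewing specific resources" paragraph and the "**Optional.** Find the **User selection** section" line in hunks @@ -152,37 and @@ -456,53, and PATCH 3/4 does the same to "Next, build a list of the resources that your campaign will review." These look like whitespace-only changes, and they account for a large share of the 63 insertions and 33 deletions, which makes the real documentation changes hard to pick out. Suggest dropping them from this series or moving them to a separate whitespace-only commit.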
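
Review bot: The step renumbering in PATCH 3/4 changes heading anchors without any check for inbound links. The line removed in hunk @@ -455,17 links to "/product/admin/campaigns#step-2-choose-what-to-review", which shows that anchors are derived from the step headings; after this patch the single-campaign headings for the former Steps 3 through 7 all get new numbers (hunks @@ -83,95 onward), so any link elsewhere in the docs to the old step anchors will stop resolving. Suggest searching the docs tree for "campaigns#step-" and updating or redirecting the matches as part of this commit.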
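
Review bot: The new **Access conflicts** review type in PATCH 4/4 (hunks @@ -74,6 and @@ -358,6) drops the prerequisite that the old text stated. The block removed in PATCH 3/4 said "You must have at least one enabled [conflict monitor](/product/admin/access-conflicts) configured before you can scope a campaign by access conflicts" and explained the separation of duties use case; the new bullets mention "enabled conflict monitors" but carry neither the link nor the requirement. Suggest adding both to the **Access conflicts** bullet in each form so an admin knows what has to be configured first. Minor style point in the same hunks: "**Review type:**" puts the colon inside the bold, while the neighbouring "**Campaign type**:" and "**Owner**:" put it outside.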
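
Review bot: The **By criteria** bullet added in PATCH 4/4 (hunk @@ -162,8 and the matching template hunk @@ -473,10) ends with an ambiguous clause: "all entitlements that match the criteria you select when you prepare the campaign" can be read as selecting at prepare time rather than matching at prepare time. Suggest "all entitlements that match the selected criteria at the time the campaign is prepared". The series also leaves the PATCH 1/4 text describing a different path to the same behaviour: the "Dynamic scope re-evaluation for tag-filtered templates" section and the FAQ answer ("You select entitlements from the filtered results, and for campaign templates, the filter criteria are saved for dynamic re-evaluation") attribute dynamic scope to the filter bar under **Review specific resources**, and neither mentions **By criteria**. Because an entitlement whose tag is removed is automatically excluded from the next campaign, the docs should state plainly which selection path produces a re-evaluated scope and which produces a fixed list, and the re-evaluation section should reference the **By criteria** tab by name.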