Access Review Campaigns
A campaign is a group of access reviews created for audit, compliance, or risk remediation purposes. Risk Managers can create access review campaigns to publish, track, and report on a group of access reviews. A campaign can be in one of the following states:
Draft - The campaign has not been published yet.
Overdue - The campaign has passed its due date.
In Progress - The campaign has started and has some time before reaching the due date.
Completed - All the access reviews within the campaign have been approved/denied.
Aborted - The campaign has been prematurely stopped.
Note: For guidance on enabling provisioning and de-provisioning options, please refer to this article: . (Only an Administrator can set Fulfillment Options.)
Note: Only users with the “Risk Manager” role are able to create campaigns.
Navigate to the Campaigns page from the navigation sidebar.
Click on the "Create new campaign" button.
You will see a screen as shown in the image below. Configure your campaign according to your requirements in the right sidebar. Remember to enter the required fields: campaign name, start date and end date.
Once you have configured your campaign, you can either save the campaign as a draft to publish later or publish the campaign. Both operations are described below:
Saving a campaign as a draft - BalkanID allows risk managers to create a campaign and save it to be published later. Select “Save as a draft” and your progress will be saved, and you can access the campaign later.
Publishing a campaign - When a campaign is ready to be kicked off, you can "publish" the campaign. This will create access reviews and assign them to the appropriate reviewers in your organization, along with sending the appropriate notifications (new reviews, overdue reviews, etc.).
The campaign details section requires the following details about the campaign.

| Field | Description | Example |
| --- | --- | --- |
| Name | The title for the campaign. The name is displayed in campaign reporting. | Q4 2021 Audit |
| Description | A short description to provide context on why this campaign has been created. | Review of critical systems for Q4 2021 |
| Start date | The intended start date of the campaign. | Nov 1 2021 |
| End date | The target date a risk manager expects the campaign to be completed. | Dec 14 2021 |
| Repetition | You can design a periodic schedule for the campaign to recur based on your requirement and convenience. Clicking on custom in the dropdown for this field will open a dialog box where you can enter the frequency of recurrence. | Every 1 month on the first day Monday. |
| Escalation | You can create an alert for the access reviews belonging to this campaign to be escalated if they haven't been completed for a certain duration before the due date. | 1 week before due date. |
| Exclude Reviewers with Insight(s) | | Segregation of Duties (SoD) - Insight |
The filter criteria are used to select which identities and entitlements will be reviewed.

| Filter | Description | Example |
| --- | --- | --- |
| Display name | Name of the employee mapped to the identity | Evan Harper |
| Job Title | Job title of the employee mapped to the identity | Director of Product |
| Department | Department of the employee mapped to the identity | Product Management |
| Manager | Direct manager of the employee mapped to the identity | Marty Padilla |
| Employment type | Employment type of the employee mapped to the identity | Salaried, full-time |
| Username | Typically a unique identifier, such as an email address, for the identity in question | evan.harper |
| Applications | Applications which the identity has access to | Amazon Web Services |
| Connection | Roles / Groups / Policies | Administrator Group |
| Resources | A resource is an entity you can work with | AWS S3 bucket or EC2 instance |
| Permissions | A type of access that is granted to a user or group for an object or object property | Read access to an AWS S3 bucket |
| Insights | A rule that was in place to detect and alert on SoD and Privileged access violations. | SoD Role to detect engineering access to prod environments |
| Identity Status | The status of the identity. | Inactive/Suspended |
The filter criteria have two tabs: Include and Exclude.
Include filters add (or include) particular entitlements that match the filter conditions. For example, setting the Application: Jira include filter condition will add all identities and entitlements for the Jira application to the campaign to be reviewed.
Exclude filters remove (or exclude) entitlements that match the conditions from the campaign. For example, setting the Department: Operations exclude filter condition will remove all identities and entitlements for those employees whose department is Operations from the list to be reviewed.
The include and exclude filter conditions form a combined query. Therefore, combining the two filters above, we would INCLUDE all identities that have access to the Jira application, EXCEPT identities mapped to employees who work in the Operations department.
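The combined include/exclude query described above, modelled as an added Python example (not BalkanID's own code). The record fields, the sample entitlements, the rule that matching any one condition is enough, and the `privileged_dropped` check are assumptions made for illustration; the check lists privileged entitlements that an exclude condition removes from review.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:
    display_name: str
    department: str
    application: str
    connection: str  # role / group / policy granting the access

# Constructed sample data, not taken from a real tenant.
SAMPLE = [
    Entitlement("Evan Harper", "Product Management", "Jira", "Administrator Group"),
    Entitlement("Marty Padilla", "Operations", "Jira", "Administrator Group"),
    Entitlement("Marty Padilla", "Operations", "Amazon Web Services", "Administrator Group"),
    Entitlement("Dana Cole", "Engineering", "Jira", "Developers"),
    Entitlement("Dana Cole", "Engineering", "Amazon Web Services", "Read Only"),
]

def first_match(ent, conditions):
    """Return the first (field, value) condition the entitlement matches, else None."""
    for field, value in conditions:
        if getattr(ent, field).casefold() == value.casefold():
            return (field, value)
    return None

def scope_campaign(entitlements, include, exclude):
    """Apply include then exclude; return (in_scope, dropped_with_reason)."""
    in_scope, dropped = [], []
    for ent in entitlements:
        if first_match(ent, include) is None:
            continue  # never selected by an include condition
        hit = first_match(ent, exclude)
        if hit is None:
            in_scope.append(ent)
        else:
            dropped.append((ent, hit))  # keep the reason for the audit trail
    return in_scope, dropped

def privileged_dropped(dropped):
    """Hypothetical check: admin-style access that an exclude filter took out of review."""
    return [(e, why) for e, why in dropped if "admin" in e.connection.casefold()]

if __name__ == "__main__":
    in_scope, dropped = scope_campaign(
        SAMPLE, [("application", "Jira")], [("department", "Operations")])
    for e in in_scope:
        print("review :", e.display_name, e.application, e.connection)
    for e, why in privileged_dropped(dropped):
        print("skipped:", e.display_name, e.application, e.connection, "because", why)
```
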
You can re-assign reviewers for access reviews within a campaign. Follow the steps below to re-assign reviewers:
1. Click on the campaign whose reviewers you would like to re-assign. It will take you to the campaign main page as shown in the image below.
3. Click on Reassign reviewers.
4. You will see a dialog box as shown below. In Current Reviewer, choose the reviewer whose reviews you would like to reassign to another employee. Then select the employee you would like to reassign those reviews to.
5. Click on Confirm.
You can delete a campaign when it is no longer necessary. Follow the steps below to delete a campaign:
1. Click on the campaign you would like to delete. It will take you to the campaign main page as shown in the below image.
3. Click on Delete.
When a campaign needs to be closed out prematurely (for example, because the remaining reviews can no longer be completed after a management change), it can be "aborted". Only "overdue" and "in-progress" campaigns can be aborted.
Follow the steps below to abort a campaign:
1. Click on the campaign you would like to abort. It will take you to the campaign main page as shown in the image below.
3. Click on Abort.
You can select specific insights that are applied to the identities of reviewers whose evaluations require escalation for an additional level of review from their line manager. To learn more please refer:
In each of the three procedures above (re-assign, delete, abort), step 2 is: Click on "" to open a dropdown with actions.