SupportDeveloper Docs

Creating campaigns

Create a new campaign:

  1. Navigate to the Campaigns page from the navigation sidebar.

  2. Click on the "Create new campaign" button.

  3. You will see a screen as shown in the below image. Configure your campaign according to your requirements on the right sidebar. Remember to enter the necessary components - Campaign name, start date and end date. Refer to the sub-section below to understand the filtering criterias for creating a campaign.

    Additionally, you can setup recurring campaigns and campaign escalations as well while creating a campaign.

  4. Once you have configured your campaign, you can either Save campaign as a draft to publish later OR you can Publish campaign. The description for both the operations are given below:

    • Saving Campaign as a draft BalkanID allows risk managers to create a campaign and save it to be published later. Select “Save as a draft” and your progress will be saved, and you can access the campaign later.

    • Publishing a campaign When a campaign is ready to be kicked off, you can "publish" the campaign. This will create access reviews and assign them to the appropriate reviewers in your organization along with sending the appropriate notifications (new reviews, overdue reviews, etc.)

      A dialog box will appear as shown in the below image, asking you to confirm publishing the campaign. This dialog box will also warn you if any integrations used in the campaign are out-of-sync, indicating that the data you are basing the campaign on might not be up to date.

      If there are no out-of-sync integrations, you will see a plain dialog box.

Note: Reviews for a campaign will only get created once the start date is past. If you have a campaign with a start date in the future, the notifications for the reviews will only be sent out past the start date.

Publish draft campaigns

Once your campaign is set up and ready, the Publish action makes it active and initiates the access review process. This means reviewers will begin receiving notifications and can start working on their assigned reviews. You can easily track the publishing status through a notification that appears (often called a "snackbar").

How to Publish:

  • From the Campaign Dashboard: Click the three dots on the top right to open the action's menu on the campaign card and select "Publish."

  • From the Edit Page: While editing a draft campaign, you'll find a "Publish" option to activate it directly.

Once you hit publish using either of the ways shown above, a dialog box will appear as shown in the below image, asking you to confirm publishing the campaign. This dialog box will also warn you if any integrations used in the campaign are out-of-sync, indicating that the data you are basing the campaign on might not be up to date.

If there are no out-of-sync integrations, you will see a plain dialog box.

Campaign details

The campaign details section required the following details about the campaign.

Field

Description

Example

Name

The title for the campaign. The name is displayed in campaign reporting.

Q4 2021 Audit

Description

A short description to provide context on why this campaign has been created.

Review of critical systems for Q4 2021

Start date

The intended start date of the campaign.

Nov 1 2021

Auto publish

This is used to automatically publish a campaign when the start date is reached. It is used when a campaign is setup to start at a future date.

Yes/No

End date

The target date a risk manager expects the campaign to be completed.

Dec 14 2021

Repetition

Design a periodic schedule for the campaign to recur based on your requirement and convenience. Clicking on custom in the dropdown for this field will open a dialog box where you can enter the frequency of recurrence.

Every 1 month on the first day Monday.

Escalation

Create an alert for the access reviews belonging to this campaign to be escalated if they haven't been completed for a certain duration before the due date.

1 week before due date.

Override Defaults

Choose to override the default integration settings during multi-level reviews. Understand configuring multi-level reviews at the integration level here and overriding defaults over here.

Yes/No

Exclude Reviewers with Insight(s)

Select specific insights that are applied to the identities of reviewers whose evaluations require escalation for an additional level of review from their line manager. To learn more please refer: Reviewer insight escalation for campaigns

Segregation of Duties (SoD) - Insight

Filter criteria

The filter criteria is used to select which identities and entitlements will be reviewed.

Understanding the "Has Access To" fields

The Has Access To fields are particularly useful in filtering based on how different entities are connected. An example of when these fields can be used:

  • To select resources that an identity has access to through a connection, you can simply choose an identity as the entity type and use the Has Access To field to specify the connection that you want to see which the identity has access to.

The Has Access To field allows you to filter based on these Entity to Entity relationships. You can use it to narrow down data based on whether an identity has access to a resource. The one specified above is just an example for using the having field. You could get innovative and try selecting data you desire accurately if these fields are used efficiently.

Explanation of Fields in the Entity Filter

  • Application: Select from the list of applications that have been integrated into your tenant. This helps filter entities based on specific apps. There can be multiple integrations of the same application but with different credentials.

  • Application Integration: Choose an application integration that has been set up in your tenant. This allows you to filter based on the specific integration you want to focus on.

  • Entity Name: Select the specific name of the entity you want to filter. For example, you can filter by the name of a resource/identity/connection.

  • Entity Type: Choose the type of entity you want to filter. You can filter by identity, resource or connection.

  • Source Type: This field refers to the terminology used in the applications that provide the data (e.g., in GitHub as the source system, a "organization-role" and a "team" are mapped as connection entities in our model. Here the terms "organization-role" and "team" are referred to as source types).

  • Entity Status: This field filters based on the activity of the entity within the application. For example, it allows you to filter reviews based on an identity being inactive within the application or if the identity was suspended.

  • Entity Insights: This filter shows entities tied to specific insights set up in your tenant. You can filter based on the insights you’ve created for analysis.

  • Has Access To - Name: This field is used to look for entities which have access to a particular entity with the name mentioned under this field. For instance, you can filter by the name of a resource/connection which another entity has access to.

  • Has Access To - Type: This field specifies the type of the related entity in a "Has Access To" relationship. For example, if you're filtering to find entities that have access to a particular resource, you would select 'resource' here. Similarly, if you want to find entities that are accessed through a specific connection, you would select 'connection'.

  • Has Access To - Source Type: This field allows you to filter based on the source-specific terminology of the related entity in a "Has Access To" relationship. For instance, if you're looking for identities that have access through a connection whose original source type was "team" (from GitHub), you'd use this field.

  • Has Access To - Status: This filter allows you to specify the activity status of the related entity in a "Has Access To" relationship. For example, you could filter for identities that have access to resources that are currently 'inactive'.

  • Has Access To - Insights: This filter allows you to narrow down results based on insights tied to the related entity in a "Has Access To" relationship. For instance, you could find connections that have access to resources flagged with a specific "SoD" insight.

  • User: Filter entities based on the user selected. This is useful if you want to see data mapped to a specific user.

  • Job Title: Filter based on the job title of users. For example, you can filter for all data associated with users who have the job title "Engineer."

  • Department: Use this filter to select entities tied to a department users belongs to. You can filter data based on the department.

  • Manager: Filter by a manager. This helps you select data tied to users managed by the person you select.

  • Employment Type: Filter entities based on the employment type (e.g., full-time, part-time) of users.

Include versus Exclude

The filter criteria has two tabs: Include and Exclude.

  • Include filters add (or include) particular entitlements that match the filter conditions. For example, setting the Application: Jira include filter condition will add all identities and entitlements for the Jira application to the campaign to be reviewed.

  • Exclude filters remove (or exclude) entitlements that match the conditions from the campaign. For example, setting the Department: Operations exclude filter condition will remove all identities and entitlements for those employees whose department is operations from the list to be reviewed.

Examples: Using Include and Exclude Together

Here are a couple of simple scenarios to illustrate how "Include" and "Exclude" filters work together:

Scenario 1: Reviewing Non-Intern Engineers

Imagine you want to review access for all engineers in your organization, but you specifically want to exclude any engineers who are interns.

Here's how you would set up your filters:

  • Include Tab:

    • Add a filter: Job Title is Engineer

    • (This brings in all identities and entitlements associated with anyone whose job title is Engineer.)

  • Exclude Tab:

    • Add a filter: Employment Type is Intern

    • (From the set of engineers you just included, this then removes any that have an 'Intern' employment type.)

Your review campaign will now focus only on non-intern engineers, demonstrating how "Include" casts a broad net, and "Exclude" precisely refines the selection.

Scenario 2: Jira Access Excluding Operations Department

Consider a case where you want to review all identities that have access to your Jira application, but you need to exclude any identities belonging to employees in the Operations department.

Here's how you would set up your filters:

  • Include Tab:

    • Add a filter: Application is Jira

    • (This brings in all identities and entitlements related to the Jira application.)

  • Exclude Tab:

    • Add a filter: Department is Operations

    • (From the Jira-related identities you just included, this then removes any whose associated employee works in the Operations department.)

The combined query ensures that your review campaign will now focus only on identities with Jira access, except for those employees in the Operations department.

PreviousConfiguring access reviews and campaignsNextConfiguring integration specific multi-level review settings

Last updated

Was this helpful?