From a6d1e9c17d94c1150fa002bb565758d8eff853e6 Mon Sep 17 00:00:00 2001 From: "c1-dev-bot[bot]" <2740113+c1-dev-bot[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 20:24:55 +0000 Subject: [PATCH] Document access conflict scope type for campaigns Add documentation for the new "By Access Conflicts" review type that allows campaigns to be scoped by conflict monitors instead of entitlements. - Update campaigns.mdx with Review type field and tabbed scope instructions - Add campaign cross-reference to access-conflicts.mdx - Add release notes entry for the feature --- product/admin/access-conflicts.mdx | 10 +- product/admin/campaigns.mdx | 155 +++++++++++++++++++++-------- product/release-notes.mdx | 14 ++- 3 files changed, 135 insertions(+), 44 deletions(-) diff --git a/product/admin/access-conflicts.mdx b/product/admin/access-conflicts.mdx index 60633521..4bfed7dc 100644 --- a/product/admin/access-conflicts.mdx +++ b/product/admin/access-conflicts.mdx @@ -4,7 +4,7 @@ og:title: Detect access conflicts - ConductorOne docs og:description: Set up conflict monitors to automatically track and alert on combinations of access that violate separation of duties policies or regulations such as SOX, FDA 21 CFR Part 11, and ISO 27001. description: Set up conflict monitors to automatically track and alert on combinations of access that violate policies or regulations. --- -{/* Editor Refresh: 2026-01-07 */} +{/* Editor Refresh: 2026-03-02 */} ## What's an access conflict? @@ -130,6 +130,14 @@ Generate a report of the conflict monitor's alerts, their current state, and all If you use the search and filter tools to limit what's shown on the page, clicking **Generate CSV** will create a report of only the filtered list of alerts. +## Review access conflicts in a campaign + +You can use conflict monitors as the scope for an [access review campaign](/product/admin/campaigns), allowing reviewers to evaluate and act on access violations as part of a structured review process. + +When creating a campaign, select **Access conflicts** as the **Review type**, then choose which conflict monitors to include. The campaign will create review tasks for the active access violations detected by the selected monitors. + +To learn more, see [Create an access review campaign](/product/admin/campaigns#step-3-choose-what-to-review). + ## Frequently asked questions about access conflicts diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx index d4397d90..606f612e 100644 --- a/product/admin/campaigns.mdx +++ b/product/admin/campaigns.mdx @@ -5,7 +5,7 @@ og:description: Create one-time user access review (UAR) campaigns or reusable c description: Create one-time user access review (UAR) campaigns or reusable campaign templates that can be run on a schedule. sidebarTitle: Create a campaign --- -{/* Editor Refresh: 2026-02-01 */} +{/* Editor Refresh: 2026-03-02 */} ## Why run an access review campaign? @@ -72,14 +72,20 @@ Fill out the form, providing the following information: - **Description**: The description of what this campaign entails and any directions you want to deliver to reviewers. - - **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign. + - **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign. + + - **Review type**: Choose what the campaign will review: + + - **Entitlements**: Review apps and entitlements of users. This is the default option. + + - **Access conflicts**: Review access violations associated with users. Select this to scope the campaign by [conflict monitors](/product/admin/access-conflicts) instead of by entitlements. - **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner. Each owner must have the Campaign Administrator or Super Administrator user role in ConductorOne. - **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process. -Click **Continue**. The campaign is created. +Click **Continue**. The campaign is created. @@ -144,7 +150,12 @@ If you want to use a Slack channel for communication about this campaign, click ### Step 3: Choose what to review -Next, build a list of the resources that your campaign will review. +Next, build a list of the resources that your campaign will review. The options on the **Scope** tab depend on the **Review type** you selected in Step 1. + + + + +If you chose **Entitlements** as the review type, follow these steps to select the apps and resources to review. @@ -152,20 +163,20 @@ On the **Scope** tab of your campaign, find the **Apps and resources** section o - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**. - **OR** + **OR** - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**. - **OR** + **OR** - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. - **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. -If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. +If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) @@ -239,10 +250,38 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r - Grants sourced from access profiles (check the box to exclude these grants from your campaign) -A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope. +A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope. Once you're satisfied with your selections, move on to the next step. + + + +If you chose **Access conflicts** as the review type, follow these steps to select the [conflict monitors](/product/admin/access-conflicts) whose access violations will be included in the campaign. + + + +On the **Scope** tab of your campaign, find the **Access conflicts** section of the page and click **Select monitors**. + + +Choose how to scope the campaign: + + - **All**: Include all entitlements in every conflict monitor. All active access violations across all of your conflict monitors will be added to the campaign scope. + + - **Specific**: Select individual conflict monitors to include in the campaign. Only access violations from the selected monitors will be reviewed. + + + +If you chose **Specific**, select one or more conflict monitors from the list, then click **Save**. + + +A summary of your selections is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope. + +Once you're satisfied with your selections, move on to the next step. + + + + ### Step 4: Check data accuracy If any of your selections are sourced from connectors or file uploads that have not been updated recently, you'll see an indicator and a **Your campaign might have data accuracy issues** banner on the **Accuracy** tab. @@ -350,14 +389,20 @@ Fill out the form, providing the following information: - **Description**: The description of what this campaign entails and any directions you want to deliver to reviewers. - - **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run. + - **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run. + + - **Review type**: Choose what the campaign will review: + + - **Entitlements**: Review apps and entitlements of users. This is the default option. + + - **Access conflicts**: Review access violations associated with users. Select this to scope the campaign by [conflict monitors](/product/admin/access-conflicts) instead of by entitlements. - **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner, just be sure anyone you add has the Campaign Administrator or Super Administrator user role in ConductorOne. - **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process. -Click **Continue**. The template is created. +Click **Continue**. The template is created. @@ -449,91 +494,89 @@ If you want to use a Slack channel for communication about this campaign, click ### Step 3: Choose what to review -Next, build a list of the resources that campaigns made from this template will review. +Next, build a list of the resources that campaigns made from this template will review. The options on the **Scope** tab depend on the **Review type** you selected in Step 1. + + + + +If you chose **Entitlements** as the review type, follow these steps to select the apps and resources to review. On the **Scope** tab of your template, find the **Apps and resources** section of the page and click **Make selections**. - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**. - - **OR** + + **OR** - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**. - **OR** + **OR** - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**. - **You cannot mix selections from the three tabs in a single campaign.** - - If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. - - - -If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. + **You cannot mix selections from the three tabs in a single campaign.** - - ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) - + If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign. + -If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. +If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished. ![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png) -**Optional.** Find the **User selection** section of the page and click **Make selections**. +**Optional.** Find the **User selection** section of the page and click **Make selections**. - If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. + - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**. **OR** - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**. - You can mix and match these options: + You can mix and match these options: - User status in ConductorOne - Direct reports of a manager - - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. + - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**. -**Optional.** Find the **Account parameters** section of the page and click **Make selections**. +**Optional.** Find the **Account parameters** section of the page and click **Make selections**. - If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**. - You can mix and match these options: + You can mix and match these options: - - No account owner + - No account owner - Account status - - Account type + - Account type - Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization) -**Optional.** Find the **Grant parameters** section of the page and click **Make selections**. +**Optional.** Find the **Grant parameters** section of the page and click **Make selections**. - If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: + If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR: - Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**. - You can mix and match these options: + You can mix and match these options: - New grants added within the time period you select or between two specific dates - - Temporary (time-limited) or permanent grants + - Temporary (time-limited) or permanent grants - Grants that have not been used in the time period you select (this information is not available for all applications) @@ -542,9 +585,37 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r - Grants sourced from access profiles (check the box to exclude these grants from your campaign) -A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. +A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. + +Once you're satisfied with your selections, move on to the next step. + + + + +If you chose **Access conflicts** as the review type, follow these steps to select the [conflict monitors](/product/admin/access-conflicts) whose access violations will be included in campaigns created from this template. + + + +On the **Scope** tab of your template, find the **Access conflicts** section of the page and click **Select monitors**. + + +Choose how to scope the campaign: + + - **All**: Include all entitlements in every conflict monitor. All active access violations across all of your conflict monitors will be added to the campaign scope. + + - **Specific**: Select individual conflict monitors to include in the campaign. Only access violations from the selected monitors will be reviewed. + + + +If you chose **Specific**, select one or more conflict monitors from the list, then click **Save**. + + +A summary of your selections is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope. + +Once you're satisfied with your selections, move on to the next step. -Once you're satisfied with your selections, move on to the next step. + + ### Step 4: Review and start a campaign created from a template diff --git a/product/release-notes.mdx b/product/release-notes.mdx index 74dac6f8..d8eef844 100644 --- a/product/release-notes.mdx +++ b/product/release-notes.mdx @@ -6,7 +6,19 @@ description: Here are the latest new features, enhancements, and resolved issues rss: true sidebarTitle: Release notes --- -{/* Editor Refresh: 2026-03-01 */} +{/* Editor Refresh: 2026-03-02 */} + + + +### Scope campaigns by access conflicts + +Access review campaigns can now be scoped by [access conflicts](/product/admin/access-conflicts) in addition to entitlements. When creating a campaign or campaign template, select **Access conflicts** as the **Review type** to build a campaign around the access violations detected by your conflict monitors. You can include all conflict monitors or choose specific ones. + +This lets you run targeted access reviews focused on separation of duties (SoD) violations, so reviewers can evaluate and remediate conflicting access as part of a structured campaign workflow. + +To learn more, see [Create an access review campaign](/product/admin/campaigns). + +