Skip to content

Document access conflict scope type for campaigns #111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
c1-dev-bot wants to merge 1 commit into from
Closed

Document access conflict scope type for campaigns #111

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion product/admin/access-conflicts.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ og:title: Detect access conflicts - ConductorOne docs
og:description: Set up conflict monitors to automatically track and alert on combinations of access that violate separation of duties policies or regulations such as SOX, FDA 21 CFR Part 11, and ISO 27001.
description: Set up conflict monitors to automatically track and alert on combinations of access that violate policies or regulations.
---
{/* Editor Refresh: 2026-01-07 */}
{/* Editor Refresh: 2026-03-02 */}

## What's an access conflict?

Expand Down Expand Up @@ -130,6 +130,14 @@ Generate a report of the conflict monitor's alerts, their current state, and all

If you use the search and filter tools to limit what's shown on the page, clicking **Generate CSV** will create a report of only the filtered list of alerts.

## Review access conflicts in a campaign

You can use conflict monitors as the scope for an [access review campaign](/product/admin/campaigns), allowing reviewers to evaluate and act on access violations as part of a structured review process.

When creating a campaign, select **Access conflicts** as the **Review type**, then choose which conflict monitors to include. The campaign will create review tasks for the active access violations detected by the selected monitors.

To learn more, see [Create an access review campaign](/product/admin/campaigns#step-3-choose-what-to-review).

## Frequently asked questions about access conflicts

<AccordionGroup>
Expand Down
155 changes: 113 additions & 42 deletions product/admin/campaigns.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ og:description: Create one-time user access review (UAR) campaigns or reusable c
description: Create one-time user access review (UAR) campaigns or reusable campaign templates that can be run on a schedule.
sidebarTitle: Create a campaign
---
{/* Editor Refresh: 2026-02-01 */}
{/* Editor Refresh: 2026-03-02 */}

## Why run an access review campaign?

Expand Down Expand Up @@ -72,14 +72,20 @@ Fill out the form, providing the following information:

- **Description**: The description of what this campaign entails and any directions you want to deliver to reviewers.

- **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign.
- **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign.

- **Review type**: Choose what the campaign will review:

- **Entitlements**: Review apps and entitlements of users. This is the default option.

- **Access conflicts**: Review access violations associated with users. Select this to scope the campaign by [conflict monitors](/product/admin/access-conflicts) instead of by entitlements.

- **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner. Each owner must have the Campaign Administrator or Super Administrator user role in ConductorOne.

- **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.
</Step>
<Step>
Click **Continue**. The campaign is created.
Click **Continue**. The campaign is created.
</Step>
</Steps>

Expand Down Expand Up @@ -144,28 +150,33 @@ If you want to use a Slack channel for communication about this campaign, click

### Step 3: Choose what to review

Next, build a list of the resources that your campaign will review.
Next, build a list of the resources that your campaign will review. The options on the **Scope** tab depend on the **Review type** you selected in Step 1.

<Tabs>
<Tab title="By entitlements">

If you chose **Entitlements** as the review type, follow these steps to select the apps and resources to review.

<Steps>
<Step>
On the **Scope** tab of your campaign, find the **Apps and resources** section of the page and click **Make selections**.

- To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**.

**OR**
**OR**

- To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**.

**OR**
**OR**

- To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**.

<Tip>
**You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
**You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
</Tip>
</Step>
<Step>
If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.

<Frame>
![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png)
Expand Down Expand Up @@ -239,10 +250,38 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r
- Grants sourced from access profiles (check the box to exclude these grants from your campaign)
</Step>
</Steps>
A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope.
A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope.

Once you're satisfied with your selections, move on to the next step.

</Tab>
<Tab title="By access conflicts">

If you chose **Access conflicts** as the review type, follow these steps to select the [conflict monitors](/product/admin/access-conflicts) whose access violations will be included in the campaign.

<Steps>
<Step>
On the **Scope** tab of your campaign, find the **Access conflicts** section of the page and click **Select monitors**.
</Step>
<Step>
Choose how to scope the campaign:

- **All**: Include all entitlements in every conflict monitor. All active access violations across all of your conflict monitors will be added to the campaign scope.

- **Specific**: Select individual conflict monitors to include in the campaign. Only access violations from the selected monitors will be reviewed.

</Step>
<Step>
If you chose **Specific**, select one or more conflict monitors from the list, then click **Save**.
</Step>
</Steps>
A summary of your selections is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope.

Once you're satisfied with your selections, move on to the next step.

</Tab>
</Tabs>

### Step 4: Check data accuracy

If any of your selections are sourced from connectors or file uploads that have not been updated recently, you'll see an indicator and a **Your campaign might have data accuracy issues** banner on the **Accuracy** tab.
Expand Down Expand Up @@ -350,14 +389,20 @@ Fill out the form, providing the following information:

- **Description**: The description of what this campaign entails and any directions you want to deliver to reviewers.

- **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run.
- **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run.

- **Review type**: Choose what the campaign will review:

- **Entitlements**: Review apps and entitlements of users. This is the default option.

- **Access conflicts**: Review access violations associated with users. Select this to scope the campaign by [conflict monitors](/product/admin/access-conflicts) instead of by entitlements.

- **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner, just be sure anyone you add has the Campaign Administrator or Super Administrator user role in ConductorOne.

- **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.
</Step>
<Step>
Click **Continue**. The template is created.
Click **Continue**. The template is created.
</Step>
</Steps>

Expand Down Expand Up @@ -449,91 +494,89 @@ If you want to use a Slack channel for communication about this campaign, click

### Step 3: Choose what to review

Next, build a list of the resources that campaigns made from this template will review.
Next, build a list of the resources that campaigns made from this template will review. The options on the **Scope** tab depend on the **Review type** you selected in Step 1.

<Tabs>
<Tab title="By entitlements">

If you chose **Entitlements** as the review type, follow these steps to select the apps and resources to review.

<Steps>
<Step>
On the **Scope** tab of your template, find the **Apps and resources** section of the page and click **Make selections**.

- To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**.
**OR**

**OR**

- To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**.

**OR**
**OR**

- To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**.

<Tip>
**You cannot mix selections from the three tabs in a single campaign.**

If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
</Tip>
</Step>
<Step>
If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
**You cannot mix selections from the three tabs in a single campaign.**

<Frame>
![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png)
</Frame>
If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
</Tip>
</Step>
<Step>
If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.

<Frame>
![A screenshot of the Scope tab of a campaign in ConductorOne, showing the Edit scope button and the Apply changes button.](/images/product/assets/campaigns-v2-3.png)
</Frame>
</Step>
<Step>
**Optional.** Find the **User selection** section of the page and click **Make selections**.
**Optional.** Find the **User selection** section of the page and click **Make selections**.

If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

- Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
- Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.

**OR**

- Click **Select users by criteria** to review users who match the criteria you set, then click **Save**.

You can mix and match these options:
You can mix and match these options:

- User status in ConductorOne

- Direct reports of a manager

- [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
- [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
</Step>
<Step>
**Optional.** Find the **Account parameters** section of the page and click **Make selections**.
**Optional.** Find the **Account parameters** section of the page and click **Make selections**.

If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

- Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**.

You can mix and match these options:
You can mix and match these options:

- No account owner
- No account owner

- Account status

- Account type
- Account type

- Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization)

</Step>
<Step>
**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.
**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.

If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:

- Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**.

You can mix and match these options:
You can mix and match these options:

- New grants added within the time period you select or between two specific dates

- Temporary (time-limited) or permanent grants
- Temporary (time-limited) or permanent grants

- Grants that have not been used in the time period you select (this information is not available for all applications)

Expand All @@ -542,9 +585,37 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r
- Grants sourced from access profiles (check the box to exclude these grants from your campaign)
</Step>
</Steps>
A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope.
A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope.

Once you're satisfied with your selections, move on to the next step.

</Tab>
<Tab title="By access conflicts">

If you chose **Access conflicts** as the review type, follow these steps to select the [conflict monitors](/product/admin/access-conflicts) whose access violations will be included in campaigns created from this template.

<Steps>
<Step>
On the **Scope** tab of your template, find the **Access conflicts** section of the page and click **Select monitors**.
</Step>
<Step>
Choose how to scope the campaign:

- **All**: Include all entitlements in every conflict monitor. All active access violations across all of your conflict monitors will be added to the campaign scope.

- **Specific**: Select individual conflict monitors to include in the campaign. Only access violations from the selected monitors will be reviewed.

</Step>
<Step>
If you chose **Specific**, select one or more conflict monitors from the list, then click **Save**.
</Step>
</Steps>
A summary of your selections is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope.

Once you're satisfied with your selections, move on to the next step.

Once you're satisfied with your selections, move on to the next step.
</Tab>
</Tabs>

### Step 4: Review and start a campaign created from a template

Expand Down
14 changes: 13 additions & 1 deletion product/release-notes.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,19 @@ description: Here are the latest new features, enhancements, and resolved issues
rss: true
sidebarTitle: Release notes
---
{/* Editor Refresh: 2026-03-01 */}
{/* Editor Refresh: 2026-03-02 */}

<Update label="March 6, 2026">

### Scope campaigns by access conflicts

Access review campaigns can now be scoped by [access conflicts](/product/admin/access-conflicts) in addition to entitlements. When creating a campaign or campaign template, select **Access conflicts** as the **Review type** to build a campaign around the access violations detected by your conflict monitors. You can include all conflict monitors or choose specific ones.

This lets you run targeted access reviews focused on separation of duties (SoD) violations, so reviewers can evaluate and remediate conflicting access as part of a structured campaign workflow.

To learn more, see [Create an access review campaign](/product/admin/campaigns).

</Update>

<Update label="February 27, 2026">

Expand Down