From 5b40d90fb3100e5e760f07387dfec2daa62ea4ea Mon Sep 17 00:00:00 2001
From: "c1-dev-bot[bot]" <2740113+c1-dev-bot[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 20:27:18 +0000
Subject: [PATCH 1/3] Document access conflict scope type for campaigns
Add documentation for the new "By Access Conflicts" campaign review type,
which allows users to scope access review campaigns by conflict monitors
instead of entitlements. Updates include:
- New "Review type" field in campaign and template creation forms
- Tabbed scope configuration (Entitlements vs Access conflicts)
- Access conflict scope options (All monitors vs Specific monitors)
- Cross-reference from access conflicts page to campaign integration
- New FAQ entries about review type and conflict monitor behavior
---
product/admin/access-conflicts.mdx | 8 +-
product/admin/campaigns.mdx | 195 ++++++++++++++++++++---------
2 files changed, 141 insertions(+), 62 deletions(-)
diff --git a/product/admin/access-conflicts.mdx b/product/admin/access-conflicts.mdx
index 60633521..c2e69a07 100644
--- a/product/admin/access-conflicts.mdx
+++ b/product/admin/access-conflicts.mdx
@@ -4,7 +4,7 @@ og:title: Detect access conflicts - ConductorOne docs
og:description: Set up conflict monitors to automatically track and alert on combinations of access that violate separation of duties policies or regulations such as SOX, FDA 21 CFR Part 11, and ISO 27001.
description: Set up conflict monitors to automatically track and alert on combinations of access that violate policies or regulations.
---
-{/* Editor Refresh: 2026-01-07 */}
+{/* Editor Refresh: 2026-03-02 */}
## What's an access conflict?
@@ -120,6 +120,12 @@ To learn more about a conflict and see its log of past actions, click its ***...
+## Review access conflicts in a campaign
+
+You can use your conflict monitors to scope an [access review campaign](/product/admin/campaigns). When you create a campaign with the **Access conflicts** review type, ConductorOne generates review tasks for users who have active violations detected by your conflict monitors. This lets you systematically review and remediate separation of duties violations across your organization.
+
+To set up an access conflict campaign, see [Create an access review campaign](/product/admin/campaigns#step-3-choose-what-to-review).
+
## Generate reports
Generate a report of the conflict monitor's alerts, their current state, and all audit log entries by clicking the **Generate CSV** icon. Your report will be prepared for you and posted in the downloads center at the top of the page when ready.
diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx
index d4397d90..a5991c5e 100644
--- a/product/admin/campaigns.mdx
+++ b/product/admin/campaigns.mdx
@@ -1,11 +1,11 @@
---
title: Create an access review campaign
og:title: Create an access review campaign - ConductorOne docs
-og:description: Create one-time user access review (UAR) campaigns or reusable campaign templates that can be run on a schedule.
-description: Create one-time user access review (UAR) campaigns or reusable campaign templates that can be run on a schedule.
+og:description: Create one-time user access review (UAR) campaigns or reusable campaign templates that can be run on a schedule. Scope campaigns by entitlements or by access conflicts.
+description: Create one-time user access review (UAR) campaigns or reusable campaign templates. Scope campaigns by entitlements or by access conflicts from your conflict monitors.
sidebarTitle: Create a campaign
---
-{/* Editor Refresh: 2026-02-01 */}
+{/* Editor Refresh: 2026-03-02 */}
## Why run an access review campaign?
@@ -72,14 +72,16 @@ Fill out the form, providing the following information:
- **Description**: The description of what this campaign entails and any directions you want to deliver to reviewers.
- - **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign.
+ - **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign.
+
+ - **Review type**: Choose what kind of access the campaign will review. Select **Entitlements** to review apps and entitlements, or select **Access conflicts** to review access violations from your [conflict monitors](/product/admin/access-conflicts). The review type cannot be changed after the campaign is created.
- **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner. Each owner must have the Campaign Administrator or Super Administrator user role in ConductorOne.
- **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.
-Click **Continue**. The campaign is created.
+Click **Continue**. The campaign is created.
@@ -144,7 +146,20 @@ If you want to use a Slack channel for communication about this campaign, click
### Step 3: Choose what to review
-Next, build a list of the resources that your campaign will review.
+Next, build a list of the resources that your campaign will review. When you set up a campaign, you choose a **review type** that determines what kind of access the campaign covers:
+
+- **Entitlements** — Review apps and entitlements of users. This is the default review type.
+
+- **Access conflicts** — Review access violations associated with users, based on your configured [conflict monitors](/product/admin/access-conflicts). Use this option to run a targeted review of users who hold combinations of access that violate separation of duties (SoD) policies.
+
+
+**Reviewing access conflicts?** You must have at least one enabled [conflict monitor](/product/admin/access-conflicts) configured before you can scope a campaign by access conflicts.
+
+
+The review type is set when you first create the campaign. The steps below differ based on the review type you selected.
+
+
+
@@ -152,37 +167,37 @@ On the **Scope** tab of your campaign, find the **Apps and resources** section o
- To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**.
- **OR**
+ **OR**
- To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**.
- **OR**
+ **OR**
- To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**.
- **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
+ **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
-If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
+If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
-**Optional.** Find the **User selection** section of the page and click **Make selections**.
+**Optional.** Find the **User selection** section of the page and click **Make selections**.
- If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+ If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
- - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
+ - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
**OR**
- Click **Select users by criteria** to review users who match the criteria you set, then click **Save**.
- You can mix and match these options:
+ You can mix and match these options:
- User status in ConductorOne
@@ -190,47 +205,47 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r
- [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
- - Exclude users in specific groups from the campaign
+ - Exclude users in specific groups from the campaign
**OR**
- - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid.
+ - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid.
-**Optional.** Find the **Account parameters** section of the page and click **Make selections**.
+**Optional.** Find the **Account parameters** section of the page and click **Make selections**.
- If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+ If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
- Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**.
- You can mix and match these options:
+ You can mix and match these options:
- - No account owner
+ - No account owner
- Account status
- - Account type
+ - Account type
- Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization)
**OR**
- - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the accounts you want to review. The expression must return a list of accounts to be valid.
+ - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the accounts you want to review. The expression must return a list of accounts to be valid.
-**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.
+**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.
- If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+ If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
- Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**.
- You can mix and match these options:
+ You can mix and match these options:
- New grants added within the time period you select or between two specific dates
- - Temporary (time-limited) or permanent grants
+ - Temporary (time-limited) or permanent grants
- Grants that have not been used in the time period you select (this information is not available for all applications)
@@ -239,7 +254,37 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r
- Grants sourced from access profiles (check the box to exclude these grants from your campaign)
-A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope.
+
+
+
+
+
+
+On the **Scope** tab of your campaign, find the **Access conflicts** section and click **Select monitors**.
+
+
+Choose how to scope the campaign:
+
+ - **All** — All entitlements in every enabled conflict monitor will be added to the scope for review. Choose this option to review all active access conflicts across your organization.
+
+ - **Specific** — Select individual conflict monitors whose violations you want to review. Choose this option to focus the campaign on specific separation of duties policies.
+
+
+
+If you selected **Specific**, use the table to select the conflict monitors you want to include. The table shows each monitor's name and description.
+
+ Click **Save** when you're finished.
+
+
+
+
+You can change your selection between **All** and **Specific** only when no monitors are actively selected. To switch, first clear your current selections.
+
+
+
+
+
+A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope.
Once you're satisfied with your selections, move on to the next step.
@@ -350,14 +395,16 @@ Fill out the form, providing the following information:
- **Description**: The description of what this campaign entails and any directions you want to deliver to reviewers.
- - **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run.
+ - **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run.
+
+ - **Review type**: Choose what kind of access campaigns created from this template will review. Select **Entitlements** to review apps and entitlements, or select **Access conflicts** to review access violations from your [conflict monitors](/product/admin/access-conflicts). The review type cannot be changed after the template is created.
- **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner, just be sure anyone you add has the Campaign Administrator or Super Administrator user role in ConductorOne.
- **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.
-Click **Continue**. The template is created.
+Click **Continue**. The template is created.
@@ -449,91 +496,87 @@ If you want to use a Slack channel for communication about this campaign, click
### Step 3: Choose what to review
-Next, build a list of the resources that campaigns made from this template will review.
+Next, build a list of the resources that campaigns made from this template will review. The review type you chose when creating the template determines the options available on the **Scope** tab. See [Step 3 of Create a new campaign](/product/admin/campaigns#step-3-choose-what-to-review) for details on each review type.
+
+
+
On the **Scope** tab of your template, find the **Apps and resources** section of the page and click **Make selections**.
- To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**.
-
- **OR**
+
+ **OR**
- To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**.
- **OR**
+ **OR**
- To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**.
- **You cannot mix selections from the three tabs in a single campaign.**
-
- If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
-
-
-
-If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
+ **You cannot mix selections from the three tabs in a single campaign.**
-
- 
-
+ If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
+
-If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
+If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
-**Optional.** Find the **User selection** section of the page and click **Make selections**.
+**Optional.** Find the **User selection** section of the page and click **Make selections**.
- If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+ If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
- - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
+ - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
**OR**
- Click **Select users by criteria** to review users who match the criteria you set, then click **Save**.
- You can mix and match these options:
+ You can mix and match these options:
- User status in ConductorOne
- Direct reports of a manager
- - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
+ - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
-**Optional.** Find the **Account parameters** section of the page and click **Make selections**.
+**Optional.** Find the **Account parameters** section of the page and click **Make selections**.
- If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+ If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
- Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**.
- You can mix and match these options:
+ You can mix and match these options:
- - No account owner
+ - No account owner
- Account status
- - Account type
+ - Account type
- Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization)
-**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.
+**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.
- If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+ If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
- Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**.
- You can mix and match these options:
+ You can mix and match these options:
- New grants added within the time period you select or between two specific dates
- - Temporary (time-limited) or permanent grants
+ - Temporary (time-limited) or permanent grants
- Grants that have not been used in the time period you select (this information is not available for all applications)
@@ -542,7 +585,31 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r
- Grants sourced from access profiles (check the box to exclude these grants from your campaign)
-A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope.
+
+
+
+
+
+
+On the **Scope** tab of your template, find the **Access conflicts** section and click **Select monitors**.
+
+
+Choose how to scope campaigns created from this template:
+
+ - **All** — All entitlements in every enabled conflict monitor will be added to the scope for review.
+
+ - **Specific** — Select individual conflict monitors whose violations you want to review.
+
+
+
+If you selected **Specific**, use the table to select the conflict monitors you want to include. Click **Save** when you're finished.
+
+
+
+
+
+
+A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope.
Once you're satisfied with your selections, move on to the next step.
@@ -552,14 +619,20 @@ When a new campaign is created from the template, it is shown on the template's
Edit the campaign as needed, then follow Steps 3 through 5 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary).
-## Frequently asked questions about creating campaigns
+## Frequently asked questions about creating campaigns
In short, nothing. If you select a resource for your campaign that does not have any grants on any of its entitlements, no review tasks will be created for the resource, as there is nothing to review. You can add these resources to your campaign without impact, or leave them out: it's up to you.
-Yes, you can! Go to the running campaign's **Configuration** tab and add or edit the campaign instructions. Reviewers will see the new version of the instructions as soon as you click **Save**.
+Yes, you can! Go to the running campaign's **Configuration** tab and add or edit the campaign instructions. Reviewers will see the new version of the instructions as soon as you click **Save**.
+
+
+No. The review type (entitlements or access conflicts) is set when you create the campaign and cannot be changed afterward. If you need a different review type, create a new campaign.
+
+
+If you scope a campaign by **All** conflict monitors, the campaign includes all violations from every enabled monitor at the time the campaign is prepared. Monitors enabled after the campaign is prepared are not included. To include new monitors, create a new campaign.
From 20ba6a9ec37e7c5dbbb5a6e736659dfc985c367f Mon Sep 17 00:00:00 2001
From: Russell Haering
Date: Thu, 5 Mar 2026 15:36:26 -0800
Subject: [PATCH 2/3] Address review feedback: restructure campaign creation
flow
- Swap Steps 2 and 3 so scope comes before configuration (matches in-app workflow)
- Remove Review type field from Step 1 (not in the setup form UI)
- Replace Entitlements/Access conflicts tabs with flat list of 4 scope types
- Move user/account/grant filtering outside the Steps component
- Simplify template Step 3 to reference single campaign flow instead of duplicating
- Add guidance on when to duplicate a campaign vs create a template
- Update cross-references and FAQ wording
---
product/admin/access-conflicts.mdx | 4 +-
product/admin/campaigns.mdx | 442 +++++++++--------------------
2 files changed, 136 insertions(+), 310 deletions(-)
diff --git a/product/admin/access-conflicts.mdx b/product/admin/access-conflicts.mdx
index c2e69a07..41a6a899 100644
--- a/product/admin/access-conflicts.mdx
+++ b/product/admin/access-conflicts.mdx
@@ -122,9 +122,9 @@ To learn more about a conflict and see its log of past actions, click its ***...
## Review access conflicts in a campaign
-You can use your conflict monitors to scope an [access review campaign](/product/admin/campaigns). When you create a campaign with the **Access conflicts** review type, ConductorOne generates review tasks for users who have active violations detected by your conflict monitors. This lets you systematically review and remediate separation of duties violations across your organization.
+You can use your conflict monitors to scope an [access review campaign](/product/admin/campaigns). When you create a campaign and select the **Review access conflicts** scope type, ConductorOne generates review tasks for users who have active violations detected by your conflict monitors. This lets you systematically review and remediate separation of duties violations across your organization.
-To set up an access conflict campaign, see [Create an access review campaign](/product/admin/campaigns#step-3-choose-what-to-review).
+To set up an access conflict campaign, see [Create an access review campaign](/product/admin/campaigns#step-2-choose-what-to-review).
## Generate reports
diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx
index a5991c5e..9bbf8d8e 100644
--- a/product/admin/campaigns.mdx
+++ b/product/admin/campaigns.mdx
@@ -13,7 +13,7 @@ Access review campaigns help Security and IT teams to securely control what soft
From a least privilege and security perspective, ensuring that users only have the access they need, for only as long as they need it, reduces the access footprint of your company for sensitive systems and data. Running regular access review campaigns also helps you to achieve compliance with security standards and audit requirements.
-## View all campaigns
+## View all campaigns
On the **Campaigns** page, campaigns are sorted by state and type:
@@ -29,9 +29,9 @@ On the **Campaigns** page, campaigns are sorted by state and type:
* **Templates** are saved campaign outlines used to create one-time or recurring scheduled campaigns.
-## How do campaign templates work?
+## How do campaign templates work?
-If there's a campaign pattern you use repeatedly, create a reusable campaign template instead of configuring the same campaign from scratch every time.
+If there's a campaign pattern you use repeatedly, create a reusable campaign template instead of configuring the same campaign from scratch every time.
@@ -45,24 +45,24 @@ Once a campaign template is set up, use it to create single campaigns whenever y
Duplicate any existing campaign from the **...** (more actions) menu on the **Running**, **Drafts**, or **Completed** tabs.
-## Create a new campaign
+## Create a new campaign
{/* header name used in links, change with caution */}
-Follow this process to create a single campaign. Jump to [Create a campaign template](/product/admin/campaigns#create-a-campaign-template) to set up a template that can be used to create many similar campaigns.
+Follow this process to create a single campaign. Jump to [Create a campaign template](/product/admin/campaigns#create-a-campaign-template) to set up a template that can be used to create many similar campaigns.
-Only users with the **Campaign Administrator** or **Super Administrator** [user roles](/product/admin/user-roles) in ConductorOne can create and manage campaigns. Campaign admins can only manage the campaigns that they also own.
+Only users with the **Campaign Administrator** or **Super Administrator** [user roles](/product/admin/user-roles) in ConductorOne can create and manage campaigns. Campaign admins can only manage the campaigns that they also own.
### Step 1: Set up the campaign
-Navigate to **Governance** > **Campaigns**.
+Navigate to **Governance** > **Campaigns**.
-Click **New campaign**.
+Click **New campaign**.
@@ -74,8 +74,6 @@ Fill out the form, providing the following information:
- **Campaign type**: Select **Single instance**, then set the **Target completion date** for the campaign.
- - **Review type**: Choose what kind of access the campaign will review. Select **Entitlements** to review apps and entitlements, or select **Access conflicts** to review access violations from your [conflict monitors](/product/admin/access-conflicts). The review type cannot be changed after the campaign is created.
-
- **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner. Each owner must have the Campaign Administrator or Super Administrator user role in ConductorOne.
- **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.
@@ -85,137 +83,53 @@ Click **Continue**. The campaign is created.
-### Step 2: Configure how the campaign will run
-
-
-On the new campaign's **Configuration** tab, review and update the details you've entered so far.
-
-
-If you want to provide any instructions to reviewers about how to complete access reviews in this campaign, click **Edit** and enter the instructions in the **Review instructions** field.
-
- The instructions you enter will be displayed to all reviewers at the top of the page where they complete their access reviews. You can format your instructions using Markdown to add emphasis, links, and structure.
-
-
-If you want all reviewers to receive their campaign tasks in the same format, select a **Default access review view**:
-
- - **By application:** review access to one application at a time
-
- - **By user:** review one user’s access at a time
-
- - **Unstructured:** all the assigned reviews together in one list
+### Step 2: Choose what to review
- If a default view is selected, each reviewer's access reviews will open in that view, but individual reviewers can switch to a different view if desired.
-
-
-By default, all campaign tasks will be created using the review policy you chose. If instead you want campaign tasks to use the review policies set on the entitlements or apps in the campaign, click **Edit** and click to turn on **Use preferred review policies**.
+Next, define the scope of resources that your campaign will review.
- If this option is enabled, ConductorOne will apply policies using this order of precedence: entitlement, application, campaign.
-
-
-By default, campaigns are started and ended manually. If you want to automatically start or end the campaign, find the **Schedule** section of the page and click **Edit**.
-
- - To automatically start the campaign on a specific date and time, click to turn on **Automatically start campaign**, then set the scheduled start date.
-
- - If the campaign is set to automatically start, choose whether to proceed with auto-start if there are unresolved campaign data accuracy issues. Campaign owners will be notified of any data accuracy issues when they are discovered.
-
- - To automatically end the campaign on a specific date, click to turn on **Automatically end campaign**, then set the date.
-
- - If the campaign is set to automatically end, choose whether incomplete reviews will be revoked or skipped when the campaign ends.
-
+
-In the **Notifications and reporting** section, you can configure what notifications the campaign will automatically generate:
+On the **Scope** tab of your campaign, click the **Apps and resources** section to make initial scoping selections. Available scope types:
- * Notify all reviewers with assigned review tasks when the campaign begins
-
- * Notify all campaign owners and reviewers when the campaign ends
+ - **Review specific resources** — Use this option to review access to specific permissions. If you use this option, you can edit the scope to remove entitlements from the review or update the policy used to review specific entitlements.
- * When the campaign is complete, enerate a campaign report and notify all campaign owners when it's ready for download
+ - **Review application access** — Use this option to review access to specific applications.
- If you do not pre-configure these options here, you'll have another chance to send out notifications and generate a report when ending the campaign.
-
-
-If you want to use a Slack channel for communication about this campaign, click **Add Slack channel**. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create.
+ - **Review resource types** — Use this option to review all resources of a given type within a specific application (such as all groups within Slack).
- All campaign owners and users assigned access reviews will be automatically added to this channel when the campaign starts.
+ - **Review access conflicts** — Review access violations associated with users, based on your configured [conflict monitors](/product/admin/access-conflicts). Use this option to run a targeted review of users who hold combinations of access that violate separation of duties (SoD) policies.
- **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you confiugre it here, or the notifications won't be delivered.
+ **Reviewing access conflicts?** You must have at least one enabled [conflict monitor](/product/admin/access-conflicts) configured before you can scope a campaign by access conflicts.
-### Step 3: Choose what to review
-
-Next, build a list of the resources that your campaign will review. When you set up a campaign, you choose a **review type** that determines what kind of access the campaign covers:
-
-- **Entitlements** — Review apps and entitlements of users. This is the default review type.
-
-- **Access conflicts** — Review access violations associated with users, based on your configured [conflict monitors](/product/admin/access-conflicts). Use this option to run a targeted review of users who hold combinations of access that violate separation of duties (SoD) policies.
-
-
-**Reviewing access conflicts?** You must have at least one enabled [conflict monitor](/product/admin/access-conflicts) configured before you can scope a campaign by access conflicts.
-
-
-The review type is set when you first create the campaign. The steps below differ based on the review type you selected.
-
-
-
+To further refine the scope of your campaign, you can filter by user, account, and/or grant criteria. If you do not make any selections here, all users with access to the apps or resources you selected above will be added to the campaign.
-
-
-On the **Scope** tab of your campaign, find the **Apps and resources** section of the page and click **Make selections**.
+**User selection:** Find the **User selection** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
- - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**.
-
- **OR**
-
- - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**.
+ - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
**OR**
- - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**.
-
-
- **You cannot mix selections from the three tabs in a single campaign.** If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
-
-
-
-If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
-
-
- 
-
-
-
-**Optional.** Find the **User selection** section of the page and click **Make selections**.
-
- If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
-
- - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
-
- **OR**
-
- - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**.
-
- You can mix and match these options:
+ - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**.
- - User status in ConductorOne
+ You can mix and match these options:
- - Direct reports of a manager
+ - User status in ConductorOne
- - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
+ - Direct reports of a manager
- - Exclude users in specific groups from the campaign
+ - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
- **OR**
+ - Exclude users in specific groups from the campaign
- - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid.
+ **OR**
-
-
-**Optional.** Find the **Account parameters** section of the page and click **Make selections**.
+ - Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid.
- If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+**Account parameters:** Find the **Account parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
- Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**.
@@ -233,11 +147,7 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r
- Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the accounts you want to review. The expression must return a list of accounts to be valid.
-
-
-**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.
-
- If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
+**Grant parameters:** Find the **Grant parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
- Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**.
@@ -252,64 +162,92 @@ If you're building a UAR reviewing specific resources, click **Edit scope** to r
- Direct grants (permissions assigned directly to users) or inherited grants (permissions assigned to a group or role, which are "inherited" by users assigned to that group or role)
- Grants sourced from access profiles (check the box to exclude these grants from your campaign)
-
-
-
-
+A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope.
+
+Once you're satisfied with your selections, move on to the next step.
+### Step 3: Configure how the campaign will run
-On the **Scope** tab of your campaign, find the **Access conflicts** section and click **Select monitors**.
+On the new campaign's **Configuration** tab, review and update the details you've entered so far.
-Choose how to scope the campaign:
+If you want to provide any instructions to reviewers about how to complete access reviews in this campaign, click **Edit** and enter the instructions in the **Review instructions** field.
- - **All** — All entitlements in every enabled conflict monitor will be added to the scope for review. Choose this option to review all active access conflicts across your organization.
+ The instructions you enter will be displayed to all reviewers at the top of the page where they complete their access reviews. You can format your instructions using Markdown to add emphasis, links, and structure.
+
+
+If you want all reviewers to receive their campaign tasks in the same format, select a **Default access review view**:
+
+ - **By application:** review access to one application at a time
+
+ - **By user:** review one user's access at a time
- - **Specific** — Select individual conflict monitors whose violations you want to review. Choose this option to focus the campaign on specific separation of duties policies.
+ - **Unstructured:** all the assigned reviews together in one list
+ If a default view is selected, each reviewer's access reviews will open in that view, but individual reviewers can switch to a different view if desired.
-If you selected **Specific**, use the table to select the conflict monitors you want to include. The table shows each monitor's name and description.
+By default, all campaign tasks will be created using the review policy you chose. If instead you want campaign tasks to use the review policies set on the entitlements or apps in the campaign, click **Edit** and click to turn on **Use preferred review policies**.
- Click **Save** when you're finished.
+ If this option is enabled, ConductorOne will apply policies using this order of precedence: entitlement, application, campaign.
-
+
+By default, campaigns are started and ended manually. If you want to automatically start or end the campaign, find the **Schedule** section of the page and click **Edit**.
-
-You can change your selection between **All** and **Specific** only when no monitors are actively selected. To switch, first clear your current selections.
-
+ - To automatically start the campaign on a specific date and time, click to turn on **Automatically start campaign**, then set the scheduled start date.
-
-
+ - If the campaign is set to automatically start, choose whether to proceed with auto-start if there are unresolved campaign data accuracy issues. Campaign owners will be notified of any data accuracy issues when they are discovered.
-A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of the campaign based on the current scope.
+ - To automatically end the campaign on a specific date, click to turn on **Automatically end campaign**, then set the date.
-Once you're satisfied with your selections, move on to the next step.
+ - If the campaign is set to automatically end, choose whether incomplete reviews will be revoked or skipped when the campaign ends.
+
+
+In the **Notifications and reporting** section, you can configure what notifications the campaign will automatically generate:
+
+ * Notify all reviewers with assigned review tasks when the campaign begins
+
+ * Notify all campaign owners and reviewers when the campaign ends
+
+ * When the campaign is complete, enerate a campaign report and notify all campaign owners when it's ready for download
+
+ If you do not pre-configure these options here, you'll have another chance to send out notifications and generate a report when ending the campaign.
+
+
+If you want to use a Slack channel for communication about this campaign, click **Add Slack channel**. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create.
+
+ All campaign owners and users assigned access reviews will be automatically added to this channel when the campaign starts.
+
+
+ **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you confiugre it here, or the notifications won't be delivered.
+
+
+
### Step 4: Check data accuracy
-If any of your selections are sourced from connectors or file uploads that have not been updated recently, you'll see an indicator and a **Your campaign might have data accuracy issues** banner on the **Accuracy** tab.
+If any of your selections are sourced from connectors or file uploads that have not been updated recently, you'll see an indicator and a **Your campaign might have data accuracy issues** banner on the **Accuracy** tab.
-All data sources for your campaign are shown in the **Data sources** table. ConductorOne flags data sources when:
+All data sources for your campaign are shown in the **Data sources** table. ConductorOne flags data sources when:
* A connector hasn't synced for more than two days
* A file source hasn't been updated in more than seven days
* A connector errored during the most recent sync
-Click the eye icon next to a **Last sync** timestamp to view details about the most recent connector sync or file upload.
+Click the eye icon next to a **Last sync** timestamp to view details about the most recent connector sync or file upload.
+
+Click **Sync now** (for connectors) or **Replace file** (for file sources) to update the data source and ensure your campaign is using up-to-date information.
-Click **Sync now** (for connectors) or **Replace file** (for file sources) to update the data source and ensure your campaign is using up-to-date information.
-
**Do I have to resolve all data accuracy issues before I can prepare the campaign?**
-No. This information is presented for your awareness and to help you ensure that your campaign's data is up to date. Resolving data accuracy warnings before proceeding is strongly recommended, but not required.
+No. This information is presented for your awareness and to help you ensure that your campaign's data is up to date. Resolving data accuracy warnings before proceeding is strongly recommended, but not required.
### Step 5: Prepare the campaign
@@ -319,7 +257,7 @@ No. This information is presented for your awareness and to help you ensure that
When you're ready, click **Prepare campaign**. Preparing a campaign generates the individual access review tasks, but does not launch the campaign. Please be patient: depending on the size of the campaign, preparing it might take several minutes.
- **Your campaign is a snapshot of access data as it exists the moment you click this button.** Any access changes or updates to data sources that take place after you prepare the campaign will not be reflected in the campaign.
+ **Your campaign is a snapshot of access data as it exists the moment you click this button.** Any access changes or updates to data sources that take place after you prepare the campaign will not be reflected in the campaign.
@@ -340,52 +278,52 @@ Click **Start campaign**. Again, depending on the size of the campaign, starting
-**That's it!** Your access review campaign is underway. Check out [Manage active campaigns](/product/admin/manage-campaigns) to learn about campaign reminders, reports, and revoking access denied during the campaign.
+**That's it!** Your access review campaign is underway. Check out [Manage active campaigns](/product/admin/manage-campaigns) to learn about campaign reminders, reports, and revoking access denied during the campaign.
## Duplicate a past campaign
{/* header name used in links, change with caution */}
-Only users with the **Campaign Administrator** or **Super Administrator** [user roles](/product/admin/user-roles) in ConductorOne can create and manage campaigns.
+Only users with the **Campaign Administrator** or **Super Administrator** [user roles](/product/admin/user-roles) in ConductorOne can create and manage campaigns.
-Instead of creating a campaign from scratch, you can save time and effort by duplicating a past campaign and tailoring it to your current needs.
+Instead of creating a campaign from scratch, you can save time and effort by duplicating a past campaign and tailoring it to your current needs. Duplicating a campaign is a quick way to reuse a past campaign's settings for a one-off review. If you need to run similar campaigns on a regular schedule, [create a campaign template](/product/admin/campaigns#create-a-campaign-template) instead.
-Navigate to **Governance** > **Campaigns**.
+Navigate to **Governance** > **Campaigns**.
-Locate and click on the name of the campaign that you want to duplicate.
+Locate and click on the name of the campaign that you want to duplicate.
-From the more actions (…) menu, select **Duplicate**.
+From the more actions (…) menu, select **Duplicate**.
Review the campaign's details and update the information as necessary.
-Follow the instructions above to validate, prepare, and start the duplicate campaign.
+Follow the instructions above to validate, prepare, and start the duplicate campaign.
**That's it!** Your duplicated access review campaign is underway.
-## Create a campaign template
+## Create a campaign template
-Only users with the **Campaign Administrator** or **Super Administrator** [user roles](/product/admin/user-roles) in ConductorOne can create and manage campaign templates.
+Only users with the **Campaign Administrator** or **Super Administrator** [user roles](/product/admin/user-roles) in ConductorOne can create and manage campaign templates.
### Step 1: Set up the template
-Navigate to **Governance** > **Campaigns**.
+Navigate to **Governance** > **Campaigns**.
-Click **New campaign**.
+Click **New campaign**.
@@ -397,8 +335,6 @@ Fill out the form, providing the following information:
- **Campaign type**: Select **Template**, then set the **Campaign duration**, or how long each campaign created from the template will run.
- - **Review type**: Choose what kind of access campaigns created from this template will review. Select **Entitlements** to review apps and entitlements, or select **Access conflicts** to review access violations from your [conflict monitors](/product/admin/access-conflicts). The review type cannot be changed after the template is created.
-
- **Owner**: The campaign's owner, who will manage the campaign while it is in progress. You can set more than one campaign owner, just be sure anyone you add has the Campaign Administrator or Super Administrator user role in ConductorOne.
- **Review policy**: The campaign's default [review policy](/product/admin/policies). If needed, you'll be able to adjust the policy to be used for the review of individual entitlements later in the campaign creation process.
@@ -408,14 +344,24 @@ Click **Continue**. The template is created.
-### Step 2: Configure how campaigns created from this template will run
+### Step 2: Choose what to review
+
+The scope options for templates are the same as for single campaigns. On the **Scope** tab of your template, configure the apps, resources, and filtering criteria for campaigns created from this template.
+
+See [Step 2: Choose what to review](/product/admin/campaigns#step-2-choose-what-to-review) above for details on each scope type and filtering option.
+
+A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope.
+
+Once you're satisfied with your selections, move on to the next step.
+
+### Step 3: Configure how campaigns created from this template will run
-You can set the template to create instances of the campaign on a date in the future or on a recurring schedule. You can also create an on-demand instance of the campaign at any time.
+You can set the template to create instances of the campaign on a date in the future or on a recurring schedule. You can also create an on-demand instance of the campaign at any time.
-**Want to create a campaign from this template right now?**
+**Want to create a campaign from this template right now?**
-On the **Campaigns** tab, click **Create campaign** to create an on-demand draft campaign from the template.
+On the **Campaigns** tab, click **Create campaign** to create an on-demand draft campaign from the template.
@@ -423,50 +369,50 @@ On the **Campaigns** tab, click **Create campaign** to create an on-demand draft
On the new template's **Configuration** tab, review and update the details you've entered so far.
-If you want to provide any instructions to reviewers about how to complete access reviews in campaigns created from this template, click **Edit** and enter the instructions in the **Review instructions** field.
+If you want to provide any instructions to reviewers about how to complete access reviews in campaigns created from this template, click **Edit** and enter the instructions in the **Review instructions** field.
- The instructions you enter will be displayed to all reviewers at the top of the page where they complete their access reviews. You can format your instructions using Markdown to add emphasis, links, and structure.
+ The instructions you enter will be displayed to all reviewers at the top of the page where they complete their access reviews. You can format your instructions using Markdown to add emphasis, links, and structure.
-If you want all reviewers to receive their campaign tasks in the same format, select a **Default access review view**:
+If you want all reviewers to receive their campaign tasks in the same format, select a **Default access review view**:
- **By application:** review access to one application at a time
- - **By user:** review one user’s access at a time
+ - **By user:** review one user's access at a time
- - **Unstructured:** all the assigned reviews together in one list
+ - **Unstructured:** all the assigned reviews together in one list
- If a default view is selected, each reviewer's access reviews will open in that view, but individual reviewers can switch to a different view if desired.
+ If a default view is selected, each reviewer's access reviews will open in that view, but individual reviewers can switch to a different view if desired.
-By default, all campaign tasks will be created using the review policy you chose. If instead you want campaign tasks to use the review policies set on the entitlements or apps in the campaign, click **Edit** and click to turn on **Use preferred review policies**.
+By default, all campaign tasks will be created using the review policy you chose. If instead you want campaign tasks to use the review policies set on the entitlements or apps in the campaign, click **Edit** and click to turn on **Use preferred review policies**.
- If this option is enabled, ConductorOne will apply policies using this order of precedence: entitlement, application, campaign.
+ If this option is enabled, ConductorOne will apply policies using this order of precedence: entitlement, application, campaign.
-**Optional.** If you'd like to automatically create draft instances of this campaign, either once on a date in the future or regularly on a set schedule, go to the **Schedule** area of the page and click **Edit**.
+**Optional.** If you'd like to automatically create draft instances of this campaign, either once on a date in the future or regularly on a set schedule, go to the **Schedule** area of the page and click **Edit**.
- Click to turn on **Schedule**.
+ Click to turn on **Schedule**.
- Choose the date you want a draft instance of this campaign to be created.
+ Choose the date you want a draft instance of this campaign to be created.
- Using the **Frequency** selector, choose a frequency option to automatically create recurring instances of the campaign, beginning on the date you chose and recurring at the frequency you set.
+ Using the **Frequency** selector, choose a frequency option to automatically create recurring instances of the campaign, beginning on the date you chose and recurring at the frequency you set.
Choose **None** if you only want to create a single scheduled instance of the campaign on the date you chose.
- New campaign drafts will be created on the scheduled dates, at around 8:30 AM Pacific time. The template's owners will be notified by email that a new draft campaign has been set up.
+ New campaign drafts will be created on the scheduled dates, at around 8:30 AM Pacific time. The template's owners will be notified by email that a new draft campaign has been set up.
-By default, campaigns created from this template are started and ended manually. If you want to automatically start or end campaigns created from this template, configure these settings:
+By default, campaigns created from this template are started and ended manually. If you want to automatically start or end campaigns created from this template, configure these settings:
- - To automatically start each campaign, click to turn on **Automatically start campaign**. Campaigns will auto-start two days after they are created from this template.
+ - To automatically start each campaign, click to turn on **Automatically start campaign**. Campaigns will auto-start two days after they are created from this template.
- If the campaign is set to automatically start, choose whether to proceed with auto-start if there are unresolved campaign data accuracy issues. Campaign owners will be notified of any data accuracy issues when they are discovered.
- - To automatically end each campaign on the scheduled end date calculated from the campaign duration you set, click to turn on **Automatically end campaign**.
+ - To automatically end each campaign on the scheduled end date calculated from the campaign duration you set, click to turn on **Automatically end campaign**.
- If the campaign is set to automatically end, choose whether incomplete reviews will be revoked or skipped when the campaign ends.
@@ -474,150 +420,31 @@ By default, campaigns created from this template are started and ended manually.
In the **Notifications and reporting** section, configure whether to automatically send out notifications about the campaigns generated from this template:
* Notify all reviewers with assigned review tasks when a campaign begins
-
- * Notify all campaign owners and reviewers when a campaign ends
+
+ * Notify all campaign owners and reviewers when a campaign ends
* When a campaign is complete, generate a campaign report and notify all campaign owners when it's ready for download
- If you do not pre-configure these options here, you'll have another chance to send out notifications and generate a report when ending the campaign.
+ If you do not pre-configure these options here, you'll have another chance to send out notifications and generate a report when ending the campaign.
-If you want to use a Slack channel for communication about this campaign, click **Add Slack channel**. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create.
+If you want to use a Slack channel for communication about this campaign, click **Add Slack channel**. Enter a Slack channel name, either an existing channel in your workspace or the name for a new channel you want to create.
- When a new campaign made from this template starts, all campaign owners and users assigned access reviews will be automatically added to this channel.
+ When a new campaign made from this template starts, all campaign owners and users assigned access reviews will be automatically added to this channel.
When new campaign instances are created from this template, you'll have a chance to change the Slack channel before starting the campaign.
- **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you confiugre it here, or the notifications won't be delivered.
+ **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you confiugre it here, or the notifications won't be delivered.
-### Step 3: Choose what to review
-
-Next, build a list of the resources that campaigns made from this template will review. The review type you chose when creating the template determines the options available on the **Scope** tab. See [Step 3 of Create a new campaign](/product/admin/campaigns#step-3-choose-what-to-review) for details on each review type.
-
-
-
-
-
-
-On the **Scope** tab of your template, find the **Apps and resources** section of the page and click **Make selections**.
-
- - To run a UAR on user access to specific permissions, click **Review specific resources** and select resources, then click **Save**.
-
- **OR**
-
- - To run a UAR on user access to applications, click **Review application access** and select apps, then click **Save**.
-
- **OR**
-
- - To run a UAR on all of the resources of a given resource type within a specific app (such as all the groups within Google Workspace), click **Review resources by type** and select the resource types for each applicable application, then click **Save**.
-
-
- **You cannot mix selections from the three tabs in a single campaign.**
-
- If you want to review both application access and non-access resources in a single campaign, select **Review specific resources** or **Review resources by type** and add the **Credential** resource type to the campaign.
-
-
-
-If you're building a UAR reviewing specific resources, click **Edit scope** to remove entitlements from the review or update the policy used to review specific entitlements. Click **Apply changes** when you're finished.
-
-
- 
-
-
-
-**Optional.** Find the **User selection** section of the page and click **Make selections**.
-
- If you don't make any selections here, all users with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
-
- - Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
-
- **OR**
-
- - Click **Select users by criteria** to review users who match the criteria you set, then click **Save**.
-
- You can mix and match these options:
-
- - User status in ConductorOne
-
- - Direct reports of a manager
-
- - [User profile attributes](/product/admin/attributes). For example, to run an access review campaign on all the AcmeApp users in your company with the job title "Engineer", create the parameter **User AcmeJob is Engineer**.
-
-
-**Optional.** Find the **Account parameters** section of the page and click **Make selections**.
-
- If you don't make any selections here, all accounts with access to the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
-
- - Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**.
-
- You can mix and match these options:
-
- - No account owner
-
- - Account status
-
- - Account type
-
- - Account domain (specifically, whether the email address associated with the account has been [marked trusted](/product/admin/global-settings#set-trusted-domains) by a C1 admin at your organization)
-
-
-
-**Optional.** Find the **Grant parameters** section of the page and click **Make selections**.
-
- If you don't make any selections here, all access grants of the apps or resources you selected above will be added to the campaign. If you want to narrow the focus of the UAR:
-
- - Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**.
-
- You can mix and match these options:
-
- - New grants added within the time period you select or between two specific dates
-
- - Temporary (time-limited) or permanent grants
-
- - Grants that have not been used in the time period you select (this information is not available for all applications)
-
- - Direct grants (permissions assigned directly to users) or inherited grants (permissions assigned to a group or role, which are "inherited" by users assigned to that group or role)
-
- - Grants sourced from access profiles (check the box to exclude these grants from your campaign)
-
-
-
-
-
-
-
-
-On the **Scope** tab of your template, find the **Access conflicts** section and click **Select monitors**.
-
-
-Choose how to scope campaigns created from this template:
-
- - **All** — All entitlements in every enabled conflict monitor will be added to the scope for review.
-
- - **Specific** — Select individual conflict monitors whose violations you want to review.
-
-
-
-If you selected **Specific**, use the table to select the conflict monitors you want to include. Click **Save** when you're finished.
-
-
-
-
-
-
-A summary of your choices is shown on the **Scope** tab. Click **Validate scope** at any time to generate a report showing a preview of a campaign made from the template based on the current scope.
-
-Once you're satisfied with your selections, move on to the next step.
-
### Step 4: Review and start a campaign created from a template
-When a new campaign is created from the template, it is shown on the template's **Campaigns** tab and also added to the **Drafts** tab.
+When a new campaign is created from the template, it is shown on the template's **Campaigns** tab and also added to the **Drafts** tab.
-Edit the campaign as needed, then follow Steps 3 through 5 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary).
+Edit the campaign as needed, then follow Steps 4 through 6 in [Create a new campaign](/product/admin/campaigns#create-a-new-campaign) to review current data accuracy, prepare the campaign, and start the campaign (if necessary).
## Frequently asked questions about creating campaigns
@@ -628,8 +455,8 @@ In short, nothing. If you select a resource for your campaign that does not have
Yes, you can! Go to the running campaign's **Configuration** tab and add or edit the campaign instructions. Reviewers will see the new version of the instructions as soon as you click **Save**.
-
-No. The review type (entitlements or access conflicts) is set when you create the campaign and cannot be changed afterward. If you need a different review type, create a new campaign.
+
+No. The scope type you choose when creating a campaign cannot be changed afterward. If you need a different scope type, create a new campaign.
If you scope a campaign by **All** conflict monitors, the campaign includes all violations from every enabled monitor at the time the campaign is prepared. Monitors enabled after the campaign is prepared are not included. To include new monitors, create a new campaign.
@@ -637,4 +464,3 @@ If you scope a campaign by **All** conflict monitors, the campaign includes all
-
From c7e1dd98f72bc4c3ad61e69cf2d02ae60c99fcd4 Mon Sep 17 00:00:00 2001
From: Mindy Moreland
Date: Fri, 6 Mar 2026 15:26:05 -0800
Subject: [PATCH 3/3] fix: restore cannot-mix tip, mark filtering as optional,
fix typos
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add tip that only one scope type can be used per campaign (updated
from original three-option tip to reflect four scope types)
- Mark User selection, Account parameters, and Grant parameters as
Optional per docs style guide
- Fix "enerate" → "generate" typo in notifications step
- Fix "confiugre" → "configure" typo in Slack channel tip (both
single campaign and template sections)
Co-Authored-By: Claude Sonnet 4.6
---
product/admin/campaigns.mdx | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/product/admin/campaigns.mdx b/product/admin/campaigns.mdx
index 9bbf8d8e..5e0211b0 100644
--- a/product/admin/campaigns.mdx
+++ b/product/admin/campaigns.mdx
@@ -102,12 +102,16 @@ On the **Scope** tab of your campaign, click the **Apps and resources** section
**Reviewing access conflicts?** You must have at least one enabled [conflict monitor](/product/admin/access-conflicts) configured before you can scope a campaign by access conflicts.
+
+
+ **You can only use one scope type per campaign.** If you want to review both application access and specific resources in a single campaign, select **Review specific resources** and add the relevant entitlements.
+
To further refine the scope of your campaign, you can filter by user, account, and/or grant criteria. If you do not make any selections here, all users with access to the apps or resources you selected above will be added to the campaign.
-**User selection:** Find the **User selection** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
+**Optional. User selection:** Find the **User selection** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
- Click **Select specific users** to build a list of users whose access will be reviewed, then click **Save**.
@@ -129,7 +133,7 @@ To further refine the scope of your campaign, you can filter by user, account, a
- Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the users you want to review. The expression must return a list of users to be valid.
-**Account parameters:** Find the **Account parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
+**Optional. Account parameters:** Find the **Account parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
- Click **Select accounts by criteria** to review app accounts that match the criteria you set, then click **Save**.
@@ -147,7 +151,7 @@ To further refine the scope of your campaign, you can filter by user, account, a
- Click **CEL expression** to enter a [CEL expression](/product/admin/expressions) that describes the accounts you want to review. The expression must return a list of accounts to be valid.
-**Grant parameters:** Find the **Grant parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
+**Optional. Grant parameters:** Find the **Grant parameters** section of the page and click **Make selections**. If you want to narrow the focus of the UAR:
- Click **Select grants by criteria** to review only the access grants that match the criteria you set, then click **Save**.
@@ -211,7 +215,7 @@ In the **Notifications and reporting** section, you can configure what notificat
* Notify all campaign owners and reviewers when the campaign ends
- * When the campaign is complete, enerate a campaign report and notify all campaign owners when it's ready for download
+ * When the campaign is complete, generate a campaign report and notify all campaign owners when it's ready for download
If you do not pre-configure these options here, you'll have another chance to send out notifications and generate a report when ending the campaign.
@@ -221,7 +225,7 @@ If you want to use a Slack channel for communication about this campaign, click
All campaign owners and users assigned access reviews will be automatically added to this channel when the campaign starts.
- **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you confiugre it here, or the notifications won't be delivered.
+ **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you configure it here, or the notifications won't be delivered.
@@ -435,7 +439,7 @@ If you want to use a Slack channel for communication about this campaign, click
When new campaign instances are created from this template, you'll have a chance to change the Slack channel before starting the campaign.
- **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you confiugre it here, or the notifications won't be delivered.
+ **Sending campaign notifications to a private Slack channel?** Make sure the [ConductorOne Slack app](/product/admin/slack-application) is added to the channel before you configure it here, or the notifications won't be delivered.