Access Certification Campaign

An access certification campaign is a process used to review and validate the access rights and privileges granted to users. The goal of the campaign is to ensure that access rights are appropriate, up-to-date, and aligned with comply policies. During an access certification campaign, notifications and reminders are sent out to certifiers, requesting them to review and verify the access rights assigned to the users. There are options to choose either a default certifier to certify the access request or assign multiple technicians as a certifier using an assigning rule. The certifier can revoke the permissions if any access rights are found to be unnecessary.

The results of the campaign are used to update access rights and permissions, ensuring that the organization's systems and data remain secure and only accessible to authorized individuals. By regularly conducting access certification campaigns, organizations can maintain control over their access management processes, mitigate the risk of unauthorized access or data breaches, and comply with regulatory requirements related to data privacy and security.

Steps to configure Access Certification Campaign in ADManager Plus

1. Navigate to Automation → Access Certification → Access Certification Campaign.
2. The resulting page will show all the existing campaigns and their details. To create a new campaign, click on Create New Campaign on the top-right corner.
3. You will be redirected to a page with the tabs below:
   • Campaign Details: Describe the name and objective of the campaign.
   • Entitlements & Objects: Specify the entitlements and objects to be reviewed.
   • Certifier & Scheduler: Select certifiers and schedule the campaign.
   • Settings: Configure request expiration, campaign ending actions, and more.
   • Summary: View the summary of the campaign settings.

Campaign Details

The following steps will help you in configuring the general campaign details:

1. Describe the name, purpose and other information about the campaign with the following fields:
   • Certification Campaign Name: Name of the access certification campaign.
   • Description: Purpose of the campaign.
   • Priority: Priority with which the certifiers must process the request created by this campaign.
   • Select Domain: Domain in which the campaign must be run.
2. Once all the above details are entered, click Next.

Entitlements & Objects

The following steps will help you select the entitlements and objects to be reviewed in this campaign.

1. In the Entitlement Selection section, toggle the button beside entitlements that need to be reviewed. The entitlements are given below,
   • Active Directory
     • Group Membership: Select the AD group memberships that need to be reviewed.
     • NTFS Permission: Select the folders and corresponding NTFS permissions that need to be reviewed.
   • Microsoft 365
     • Group Membership: Select the Microsoft 365 group memberships that need to be reviewed.
     • Role Assignment: Select the Microsoft 365 roles and their assignment type that need to be reviewed.
     • Application Assignment: Select the Microsoft 365 application access that needs to be reviewed.
2. In the Object Selection section, select if the User or Group under the selected entitlement needs to be reviewed.
3. If you select User, you can choose any one of the filters below.
   • All Users: Reviews all users under the entitlement.
   • Select from Report: Reviews the users from the selected report
   • Select User(s): You can manually choose the users that need to be reviewed.
4. If you select Group, you can choose any one of the filters below.
   • All Groups: Reviews all groups under the entitlement.
   • Select from Report: Reviews the groups from the selected report
   • Select Group(s): You can manually choose the groups that need to be reviewed.
5. After completing all the above steps, click Next.
   • Certification Request Expiration: Specify the time after which the access request expires.
     • Send reminder to certifiers: Select this option to send expiration notification to certifiers.
   • Campaign Execution: You can select a default action to be performed when the certifier has not approved or revoked an access request. You can select to take no action, approve all or revoke all.

Certifier & Scheduler

This section will help you select a certifier for the campaign and schedule the process to run automatically.

1. In the Certifier section, you can select any one of the following options:
   • Default Certifier: You can select any one of the workflow executors as certifiers to review the access request and they will be assigned by default once the task is created.
   • Certifier Assigning Rule: Select the rule based on which a technician should be assigned as a certifier. You can click on the Create New Rule link to create a new certifier assigning rule. Click here to learn how to add a new rule.
2. In the Scheduler section, you can define the time and frequency at which the campaign should run. You can configure it with the following options:
   • Start Date: Specify the date from when the campaign should start.
   • Run at: Specify the frequency at which the campaign must be run.
   • End: Select Never to keep the campaign running indefinitely or specify an End Date.
3. Click Next.

Settings

This section will help you customize the access certification campaign.

1. You can select any one of the below customizations in the Configuration section:
   • Mandate adding comments on all approval operations: The certifier should add comments about the approval operation in the comments textbox.
   • Mandate adding comments on all revoke operations: The certifier should add comments about the revoke operation in the comments textbox.
   • Prevent self-certification: The certifier cannot review their own access permissions.
   • Allow bulk certifications: The certifier can perform bulk approval or revoke operations.
2. In Campaign Settings, you can define the actions to be taken on the certification requests that weren't reviewed when the campaign ends.
   • Certification Request Expiration: Specify the time after which the access request expires.
     • Send reminder to certifiers: Select this option to send expiration notification to certifiers.
   • Campaign Execution: You can select a default action to be performed when the certifier has not approved or revoked an access request. You can select to take no action, approve all or revoke all.

Summary

This page displays the summary of all the campaign settings configured in the prior steps.

1. Review all the configurations under the respective tabs and if any changes are needed, click on the respective tab and make the changes.
2. Once reviewed, click Save to create the campaign.