Skip to content

Starting a Manager or Source Owner Campaign

Managers use certifications to verify access requirements for their employees. When an administrator creates a certification campaign, it will automatically appear in their Certifications menu along with an email notification.

Source owners verify access only when requested and only review identities on sources they own. A source owner campaign can include one or multiple sources to provide a more focused review of access. Source owner campaigns are also convenient for limited-license applications and cases of restricted access or tightly controlled sources.

Note

Review Starting a Campaign From Search to start a campaign to certify identities, access items, and role compositions.

Before you create a manager or source owner certification campaign, review the following prerequisites.

Campaign Type Prerequisites
Manager Campaigns Validate that each identity has a manager defined in your tenant as identities without managers are excluded from manager certification campaigns. To view a list of these identities, select Admin > Global > Reports and download the Identities Without Managers report.

To include identities without managers in certifications, create a campaign using Search and choose Manager when selecting a reviewer.

Note: Campaigns are generated as a snapshot in time, so managers added after a campaign is generated will not display.
Source Owner Campaign Review the source's configuration and verify that the appropriate user is identified as the source owner.

Creating a Campaign

To manage and protect your company's data security, you can control what is contained in a certification and who is reviewing the campaign.

  1. Go to Admin > Certifications > Campaigns.

  2. Select Create New to create a new certification campaign.

  3. On the New Certification Campaign page, under Type, select Manager Campaign or Source Owner Campaign.

  4. Enter a name and description for the certification campaign.

  5. In the Deadline field, select a deadline for reviewers to complete their certification reviews. The default deadline is two weeks after the creation date.

  6. (Optional) Select a campaign filter. Campaign filters limit your certifications to include only a subset of your entitlements or users. For more information, refer to Using Campaign Filters.

  7. (Optional) Select Disable Email Notifications under Email Options to disable email notification reminders for reviewers. If not disabled, reviewers will receive the Certification Due Email Template every week until they complete their certification.

    Note

    SailPoint recommends testing the emails generated for certification campaigns before starting one. Refer to Testing Email Templates for more information.

  8. Decide how undecided certification items should be handled when an administrator completes the campaign. Undecided certification items may occur if a reviewer doesn’t review a certification before the campaign’s deadline. You can select from the following options:

    • Maintain access to undecided items - This is the default behavior. Any item that has not been approved or revoked is automatically approved.

    • Choose to maintain or revoke access to undecided items - This indicates that the administrator who completes the campaign has the option to choose which bulk action applies. They can choose to either approve all undecided items or they can decide to revoke all undecided items.

    Important

    Maintaining access to undecided items is the recommended option due to the difficulty of reinstating access once it is revoked.

    Review Completing a Campaign for more information about completing campaigns.

  9. Choose when reviewers are required to leave comments on their decisions.

  10. For source owner campaigns, select the sources you want to certify. Select the All Sources checkbox to certify all sources.

    Note

    Source owner campaigns will only generate if the included sources have assigned source owners. You can assign a source owner through the user interface or the Update Source (Partial) endpoint. For IdentityNow sources, you must use the endpoint to assign source owners.

  11. Choose your options and select Preview Campaign. You will be redirected to a list of campaigns.

    Note

    If you create a certification campaign that contains no identities or access items (possibly because of the campaign filter or search query used), no preview is created. The campaign will appear in the Completed tab, but it will be empty.

    Your new campaign will usually display a Preview Ready badge. If the campaign displays an error badge, select the badge to learn more information about the error.

  12. In Table view, select the campaign's row to display its preview. Alternatively in Cards view, select Details to view a preview of the campaign.

    The preview displays a list of reviewers in the campaign and the number of identities each reviewer will certify. You can also reassign the certifications to other reviewers or download campaign reports from this page.

    Important

    Always start your campaign within a day of generating its preview. Otherwise, you should plan on deleting it and recreating the campaign.

  13. If the campaign content appears correct, select Start Campaign to begin the certification campaign.

    Important

    The creation of a certification campaign is a critical governance process that should be double- and triple-checked before sending out to reviewers.

    If you want to start the campaign at a later time, you can return its preview. If the campaign's due date has passed, you will not be able to start the campaign.

Troubleshooting

The following conditions may cause issues with these types of campaigns:

Condition Resolution
An identity doesn’t have a manager relationship defined in Identity Security Cloud. This identity will not be included in a manager certification campaign. The administrator should validate that all identities have a manager defined before running a manager campaign.
A reviewer’s identity no longer exists in Identity Security Cloud. In these cases, an error will appear next to their certification. Please reassign that certification to an existing identity.
Access profiles granted through lifecycle states. These access profiles are not included in manager certification campaigns.
An identity has a set of entitlements that matches an access profile. The identity is automatically granted that access profile. As a result, these entitlements are no longer considered individual units and must be certified only as an access profile.

Preview errors

In some cases, when you generate a certification campaign preview, an error may occur. To start the campaign, you must delete the preview and correct any errors you may have found. The following table describes some known preview errors.

Error Description
Preview disappears after generating. It is possible to generate a campaign preview that has no content. For example, if a campaign inadvertently filters out all entitlements and your campaign has no content, the preview will appear to be generating. When it finishes, the campaign is automatically removed from the list and appears in the Completed tab as an empty campaign.
Error message says the campaign could not be generated. This is an infrequent error caused by a background task in Identity Security Cloud that may take 30 minutes to two hours to process. You must delete the campaign and start again.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.