Starting a Campaign
Managers use certifications to verify access requirements for their employees. When an administrator creates a certification campaign, it will automatically appear in their Certifications menu along with an email notification.
Source owners verify access only when requested and only review identities on sources they own. A source owner campaign can include one or multiple sources to provide a more focused review of access. Source owner campaigns are also convenient for limited-license applications and cases of restricted access or tightly controlled sources.
Before you get started creating manager or source owner certification campaigns, there are a few prerequisites and best practices to help you get the most out of your certification campaigns.
For manager campaigns, validate that all identities have a manager defined in IdentityNow before creating a manager certification campaign. Download the Identities Without Managers report to obtain a list of identities without managers. Note that campaigns are generated as a snapshot in time, so managers added after a campaign is generated will not apply.
For source owner campaigns, select a source for all sources you want to certify. Before beginning your certification campaign, review the source configuration to verify that the appropriate person is identified as the source owner.
Best Practice Recommendations
- The creation of a certification campaign is a critical governance process that should be double and triple checked before sending out to reviewers.
- Always start your campaign within a day of generating it. Otherwise, you should plan on deleting it and generating a new version. If a campaign's due date has already passed, you can't start the campaign.
- Test the emails generated for your certification campaign before you start it. See Testing Email Templates for more information.
- If you enable notifications for a certification, see Reminding Reviewers to Complete a Certification for more information about how and when emails are sent.
- If you are using campaign filters and you want to generate a report on filtered items, you might need to enable the Campaign Exclusion Report before you start your campaign. For instructions, see API to Enable or Disable Campaign Exclusion Reports for New Campaigns.
Creating a Campaign
To manage and protect your company's data security, you can control both what is contained in the certification and who is reviewing the campaign.
1. In the Admin interface, go to Certifications > Campaigns.
2. In the Certification Campaigns list, select New.
3. On the New Certification Campaign page, under Type, select Manager Campaign or Source Owner Campaign.
4. In the Certification Campaign page, type a name and description for the campaign.
5. In the Deadline field, select a deadline for reviewers to complete their certification reviews. The default deadline is two weeks after the creation date.
- Select a value in Campaign Filter for your certifications. This limits the scope of your certifications using the selected filter.
- Select the radio button for Disable Email Notifications under Email Options to keep your reviewers from receiving any emails reminding them to complete this campaign.
6. Decide how the person who completes the campaign will deal with any undecided certification items, which may occur due to unclear access items or situations when a reviewer could not meet the deadline. You have the following options:
Maintain access to undecided items - This is the default behavior. Any item that has not been approved or revoked is automatically approved.
Choose to maintain or revoke access to undecided items - This indicates that the person who completes the campaign has the option to choose which bulk action applies. They can choose to either approve all undecided items or they can decide to revoke all undecided items.
Maintaining access to undecided items is the recommended option due to the difficulty of reinstating access once it is revoked.
More details about campaign completion options are provided in the Completing a Campaign section below.
7. After you've made the necessary selections on this menu, select Preview Campaign. You will be redirected to a list of campaigns.
8. Select the name of your campaign to preview its details. The campaign status badge will usually say Preview or Preview Ready.
If you create a certification that has no entitlements in it, no preview is created. The campaign will appear in the Completed tab but it will be empty.
You can see a list of reviewers in the campaign and the number of identities each reviewer will certify. You can also reassign identities from this list.
9. When the campaign content appears correct, select Start to begin the certification campaign.
You can also select Delete to cancel the campaign.
If the campaign content appears correct and you want to start the campaign later, you can return to this page at a later time.
The following conditions might cause issues with these types of campaigns:
Uncorrelated accounts and identity exceptions are not included in any certification campaigns.
If an identity doesn't have a manager relationship defined in IdentityNow, the identity will not be part of the manager certification campaign. The admin should validate that all identities have a manager defined before running a manager campaign.
If a reviewer's identity no longer exists in IdentityNow, you'll see an error next to their certification. Please reassign that certification to an existing identity.
If access profiles that were granted to users through a role are included in manager certification campaigns for review only, you will receive an error because roles and their contents can be acknowledged.
Access profiles that were granted to users through a lifecycle state are not included in manager certification campaigns.
If an identity has a set of entitlements that exactly match an access profile, IdentityNow automatically grants them that access profile. As a result, these entitlements are no longer considered individual units and must be certified only as an access profile.
In some cases, when you generate a certification campaign preview, IdentityNow encounters an error. To start the campaign, you must delete the preview and correct any errors you have found. Here are some known preview issues you might encounter:
It is possible to generate a campaign preview that has no content. For example, if a campaign inadvertently filters out all entitlements and your campaign has no content, the preview will appear to be generatingWhen it finishes, the campaign is automatically removed from the list and appears in the Completed tab as an empty campaign.
When you select a campaign in the preview list, if you see an error message indicating that the campaign could not be generated, you'll need to delete the campaign and start again. This is an infrequent error caused by a background task in IdentityNow that might take 30 minutes to two hours to process.
From the list of campaigns, you can see an error status badge and an info icon. When you select the campaign, the banner at the top of the page is red. When you select the info icon, a dialog box displays more information about the error.