Skip to content

Starting a Manager or Source Owner Campaign

Managers use certifications to verify access requirements for their employees. When an administrator creates a certification campaign, it will automatically appear in their Certifications menu along with an email notification.

Source owners verify access only when requested and only review identities on sources they own. A source owner campaign can include one or multiple sources to provide a more focused review of access. Source owner campaigns are also convenient for limited-license applications and cases of restricted access or tightly controlled sources.

Note

Review Starting a Campaign From Search to start a campaign to certify identities, access items, and role compositions.

Before you create a manager or source owner certification campaign, review the following prerequisites and best practices to get the most out of your certification campaigns.

Prerequisites

  • For manager campaigns, validate that all identities have a manager defined in your tenant before creating a manager certification campaign. Select Admin > Global > Reports to download the Identities Without Managers report to view a list of identities without managers. Note that campaigns are generated as a snapshot in time, so managers added after a campaign is generated will not display.

  • Before beginning a source owner campaign, review the source's configuration to verify that the appropriate person is identified as the source owner.

Best Practices

  • The creation of a certification campaign is a critical governance process that should be double- and triple-checked before sending out to reviewers.
  • Always start your campaign within a day of generating it. Otherwise, you should plan on deleting it and recreating the campaign. If a campaign's due date has already passed, you can't start the campaign.
  • Test the emails generated for your certification campaign before you start it. Refer to Testing Email Templates for more information.

Creating a Campaign

To manage and protect your company's data security, you can control what is contained in a certification and who is reviewing the campaign.

  1. Go to Admin > Certifications > Campaigns.

  2. Select Create New to create a new certification campaign.

  3. On the New Certification Campaign page, under Type, select Manager Campaign or Source Owner Campaign.

  4. Enter a name and description for the certification campaign.

  5. In the Deadline field, select a deadline for reviewers to complete their certification reviews. The default deadline is two weeks after the creation date.

  6. (Optional) Select a campaign filter. Campaign filters limit your certifications to include only a subset of your entitlements or users. For more information, refer to Using Campaign Filters.

  7. (Optional) Select Disable Email Notifications under Email Options to disable email notification reminders for reviewers. If not disabled, reviewers will receive the Certification Due Email Template every week until they complete their certification.

  8. Decide how undecided certification items should be handled when an administrator completes the campaign. Undecided certification items may occur if a reviewer doesn’t review a certification before the campaign’s deadline. You can select from the following options:

    • Maintain access to undecided items - This is the default behavior. Any item that has not been approved or revoked is automatically approved.

    • Choose to maintain or revoke access to undecided items - This indicates that the administrator who completes the campaign has the option to choose which bulk action applies. They can choose to either approve all undecided items or they can decide to revoke all undecided items.

    Important

    Maintaining access to undecided items is the recommended option due to the difficulty of reinstating access once it is revoked.

    Review Completing a Campaign for more information about completing campaigns.

  9. Choose when reviewers are required to leave comments on their decisions.

  10. For source owner campaigns, select the sources you want to certify. Select the All Sources checkbox to certify all sources.

    Note

    Source owner campaigns will only generate if the included sources have assigned source owners. You can assign a source owner through the user interface or the Update Source (Partial) endpoint. For IdentityNow sources, you must use the endpoint to assign source owners.

  11. Choose your options and select Preview Campaign. You will be redirected to a list of campaigns.

    Note

    If you create a certification campaign that contains no identities or access items (possibly because of the campaign filter or search query used), no preview is created. The campaign will appear in the Completed tab, but it will be empty.

    Your new campaign will usually display a Preview Ready badge. If the campaign displays an error badge, select the badge to learn more information about the error.

  12. In Table view, select the campaign's row to display its preview. Alternatively in Cards view, select Details to view a preview of the campaign.

    The preview displays a list of reviewers in the campaign and the number of identities each reviewer will certify. You can also reassign the certifications to other reviewers or download campaign reports from this page.

  13. If the campaign content appears correct, select Start Campaign to begin the certification campaign. You can also select Delete to delete the campaign.

If the campaign content appears correct and you want to start the campaign later, you can return to this page at a later time.

Troubleshooting

The following conditions may cause issues with these types of campaigns:

Condition Resolution
An identity doesn’t have a manager relationship defined in Identity Security Cloud. This identity will not be included in a manager certification campaign. The administrator should validate that all identities have a manager defined before running a manager campaign.
A reviewer’s identity no longer exists in Identity Security Cloud. In these cases, an error will appear next to their certification. Please reassign that certification to an existing identity.
Access profiles granted through lifecycle states. These access profiles are not included in manager certification campaigns.
An identity has a set of entitlements that matches an access profile. The identity is automatically granted that access profile. As a result, these entitlements are no longer considered individual units and must be certified only as an access profile.

Preview errors

In some cases, when you generate a certification campaign preview, an error may occur. To start the campaign, you must delete the preview and correct any errors you may have found. The following table describes some known preview errors.

Error Description
Preview disappears after generating. It is possible to generate a campaign preview that has no content. For example, if a campaign inadvertently filters out all entitlements and your campaign has no content, the preview will appear to be generating. When it finishes, the campaign is automatically removed from the list and appears in the Completed tab as an empty campaign.
Error message says the campaign could not be generated. This is an infrequent error caused by a background task in Identity Security Cloud that may take 30 minutes to two hours to process. You must delete the campaign and start again.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.