Starting a Campaign from Search
Use the flexibility of search to dynamically and accurately create certification campaigns for the users you have loaded into IdentityNow. Start your certification campaign from either the access items, identities, or roles your query returns.
Best Practice Recommendations
To ensure that the wizard includes meaningful results for your certification campaign, you should:
- Be familiar with all entitlements assigned to the identities returned by your search query. After launching your campaign, you can certify either the access of the identities returned or the access items returned.
- Be familiar with how those entitlements are used in access profiles and roles. Entitlements can be granted to identities on a standalone basis (that is, individually), or as part of a granted access profile or role.
- Create a very precise search query to limit the certification to a specific set of people. The more refined your query is, the more refined your results will be. How you refine the access items determines which identities are included in the certification campaign. You can refine by the following access items:
- Entitlements - Identities that were granted the individual entitlement you select as a standalone entitlement will be included in this campaign. If the selected entitlements were granted as part of an access profile or role, that access profile or role must be selected to include those identities in the campaign.
- Access Profiles - All identities that were granted the selected access profile will be included in the campaign.
- Roles - All identities that were granted the selected role will be included in the campaign.
- Be aware that each night, IdentityNow evaluates the access items that identities have access to and makes updates. If an identity has access to all of the individual entitlements that comprise an access profile, the identity is automatically granted that access profile and no longer has the individual entitlements.
- Be aware that protected users are allowed in search indexing. However, SPadmin and Cloudadmin are specifically excluded from search so they are never included in a campaign.
Configuring Certification Campaign Details
Before you can preview, start, or schedule a campaign, you'll need to enter your. campaign information.
1. In the vertical Search toolbar, select the Certification Campaigns icon.
2. Select the New Campaign button to start the certification campaign wizard.
3. Select what you want to certify in your campaign: Identities, Access Items, or Roles.
4. On the next page, select one of the two options to further refine your selection:
All Identities/Access Items/Roles Returned by a Query - Build a search query and certify all of the results returned by that query.
Specific Identities/Access Items/Roles that I Select - From your query results, individually add each one to your certification.
5. If you chose to certify all of your results, simply run your query and select Next. If you chose to add them individually, after you run your query, select the specific access you want to include in the campaign, and then select Next.
6. For Identity and Access item-based campaigns, you have the option to further refine the contents of your campaign at this point. If you choose to refine, use the checkboxes to select the specific access items or identities you want to include in the campaign, and then select Next. If you choose to include all, no additional action is needed and you can move on to the next step.
7. Enter a name and description for your campaign. Be specific. Use the toggle to choose whether reviewers will receive notification emails about this campaigns's progress.
8. Select who will review and remediate access, and choose what happens to undecided access when the campaign ends.
The undecided access selection determines what your options will be when you complete any open decisions at the end of the campaign. We strongly recommend that you choose to maintain access to undecided items due to the difficulty of reinstating access after it is revoked.
9. Select whether you want to generate a preview of the campaign now, schedule generation at another date and time, or save it for later. Select a due date for the campaign.
If you choose to schedule a campaign, select a time zone, an end date, and whether you want the campaign preview to run on a specific date or on a recurring cadence of weekly, monthly, or annually.
A campaign cannot be scheduled to start on the same day.
10. Select Continue.
11. Review the campaign details on the Summary page. The creation of a certification campaign is a critical governance process that should be double and triple-checked before it is sent to reviewers.
12. Select the blue button at the top of the page to Save, Schedule, or Generate your campaign (depending on what you chose in step 9).
You will see a green success banner and your campaign is now listed on the Certification Campaigns screen, either under Saved/Scheduled Campaigns or Previewed/Active campaigns.
- The larger the campaign, the longer it will take to generate.
- If your query returned more than 3,000 identities and/or access items and you wish to refine the access, you must edit your query so it returns 3,000 or fewer identities or access items. If you do not choose to further refine the access, there is no limitation on the number of identities to include in the campaign.
- Privileged entitlements are marked with a gold badge.
- Anything that you enter in the Filter Access Items field will persist across the Access Profiles and Roles pages and could cause some access items to not show up on those pages.
Previewing and Starting a Certification Campaign
After configuring your campaign details, you will leave the search interface to double check the contents and reviewers of your campaign,and then start it.
1. In the Search vertical toolbar, select the Certification Campaigns icon.
2. Select one of your saved campaigns under Saved/Scheduled.
3. On the Campaign Summary page, select Generate Preview.
4. Once your preview is generated, you still need to manually start it. Go to Admin > Certifications > Campaigns and find your campaign in the list. Select the campaign to preview it. The creation of a certification campaign is a critical governance process that should be double and triple-checked before it is sent to reviewers.
5. Select Start at the top of the page. Return to Search. Your campaign is now listed under Previewed/Active.
Scheduling a Saved Certification Campaign
If you have already configured and saved a campaign but would like to set up a schedule for it, you do so from the Certification Campaigns screen.
1. In the vertical Search toolbar, select the Certification Campaigns icon.
2. Select one of your saved campaigns under Saved/Scheduled Campaigns.
3. On the Preview page, select Schedule Campaign to start the scheduling process.
4. Select your time zone, and schedule your preview using the calendar.
To schedule quarterly campaigns, select Annually and check multiple boxes for each month you want to schedule.
5. Select Next. You will see a summary of your scheduled campaign information. Select Schedule. On the main search page, you will see a success message indicating your choice. Your campaign is now listed in the Scheduled Campaigns menu.
An email will be sent to the campaign owner one week before the scheduled campaign generation date to remind them to manually start the campaign.
Managing a Certification Campaign in Search
After you've started or scheduled a campaign, follow these tips to monitor, maintain, and manage the campaign:
- In the Search vertical toolbar, select the Certification Campaigns icon to access your certification campaigns.
Previewed/Active Campaigns - These campaigns have been both previewed and started from the Admin menu. Campaigns that only have a preview generated will not show up here until they are started.
Saved/Scheduled Campaigns - These campaigns have already been either configured and saved, or scheduled to run on a specific date or cadence.
You can select a campaign to see summary campaign information. From the summary, you have the following options based on what stage the campaign is in:
- For Scheduled campaigns, select Generate Preview to move the campaign into a preview state.
- For Saved campaigns, select Schedule to configure a schedule for the campaign or Generate Preview.
- For Previewed/Active campaigns, select View to open the certification campaign preview page.
You can also manage the campaign from the main menu by selecting Certifications > Campaigns, where you have several options to view and manage your various campaigns.
As a certification campaign deadline approaches, there are several things you can do to ensure that all decisions are made and that any undecided access items are resolved in a timely manner. See the Completing a Certification Campaign section for more information.