Skip to content

Starting a Campaign from Search

Use the flexibility of search to create certification campaigns for the identities and accounts you have loaded into Identity Security Cloud. When you start a campaign from search, you can create a certification campaign for access items, identities, or roles based on your search query results.

You can create a precise search query to limit a campaign to a specific set of identities and access items. The more refined your query is, the more refined your results will be.

Configuring Certification Campaign Contents

You can certify the following items when you create certification campaigns from search:

  • Identities - Review access items for specific identities.
  • Access Items - Review a set of roles, access profiles, or entitlements for the identities that have them.
  • Roles - Review a role’s composition, including its title, description, membership criteria, and the access included in the role.
  • Uncorrelated Accounts - Review access items for uncorrelated accounts, source accounts that are not linked to an authoritative identity.
  • Machine Accounts - Review access items for machine identities. These identities represent a business application or process that machine accounts, like service accounts, bots, or other types of non-human accounts, are grouped within.

Creating an Identity Certification Campaign

With identity certification campaigns, you can define campaigns based on the identities you want to certify.

  1. Select Search from the navigation menu.
  2. From the vertical Search toolbar, select the Certification Campaigns icon.
  3. Select New Campaign to create a new certification campaign.
  4. Select the Identities tile.
  5. Choose how you want to select identities:

    If you choose All Identities Returned by a Query, all identities returned by your query will be added to the certification campaign. Complete the following steps:

    • Run a search query to find the identities you want to include in the certification campaign.
    • Select Certify These Identities to add all identities to your certification campaign.

    If you choose Specific Identities that I Select, you can select the identities you want to include from your query results. Complete the following steps:

    • Run a search query to find the identities you want to include in the certification campaign.

      Note

      When you refine identities, the maximum number of identities that can appear based on your query is 10,000.

    • Select the identities you want to include from the query results.

    • Select + Add To Campaign to add these identities to your certification campaign.
    • (Optional) Review your selections in the Added to campaign tab.
    • Select Certify Selected Identities when you’ve completed your selections.
  6. Choose whether you want to certify all access items or only specific access items for the identities in your campaign.

    If you choose to Certify All Access, all access items associated with the identities in your certification campaign will be included. You can now configure the details of your certification campaign.

    If you choose to Refine Access, you can filter which access items you want to include in the certification campaign. Complete the following steps:

    • Select which access items you want to include in the certification campaign.

      Note

      When you refine access, a maximum number of 10,000 total access items can be displayed.

    • Select + Add to Campaign to save your selections for each access type.

    • (Optional) Review your selections in the Added to campaign tab.
    • Select Continue to configure the details of your certification campaign.

Creating an Access Item Certification Campaign

Access item certification campaigns allow you to define campaigns with a focus on the access you want included.

  1. Select Search from the navigation menu.
  2. From the vertical Search toolbar, select the Certification Campaigns icon.
  3. Select New Campaign to create a new certification campaign.
  4. Select Access Items tile.
  5. Choose how you want to select access items:

    If you choose All Access Items Returned by a Query, all the access items returned by that query will be added to your campaign. Complete the following steps:

    • Run a search query to search for the entitlements, access profiles, or roles you want to include in your certification campaign.
    • Select Certify This Access to add these access items to your certification campaign.

    If you choose Specific Access Items that I Select, you can select the access items you want to include in the campaign. Complete the following steps:

    • Run a search query to search for the entitlements, access profiles, or roles you want to include in your certification campaign.

      Note

      When you refine access, a maximum number of 10,000 total access items can be displayed.

    • Select the access items you want to include from the query results.

      Notes about entitlements and access profiles

      Entitlements

      • Identities that have the entitlement you select as a standalone entitlement will be included in the campaign.
      • If the selected entitlements were granted as part of a role or access profile, that role or access profile must be selected for certification to include those identities in the campaign.
      • If an identity has access to all the standalone entitlements that comprise an access profile, they will be granted that access profile and are no longer considered to have the entitlement as standalone.

      Access Profiles

      • Identities that have the access profile you select as a standalone access profile will be included in the campaign.
      • If the selected access profiles were granted as part of a role, that role must be selected to include those identities in the campaign.
    • Select + Add To Campaign to save your selections for each access type.

    • (Optional) Review your selections in the Added to campaign tab.
    • Select Certify This Access when you’ve completed your selections.
  6. Choose whether you want to certify all identities or only specific identities in your campaign:

    If you choose Certify All Identities, all identities associated with the access items in your certification campaign will be included. You can now configure the details of your certification campaign.

    If you choose Refine Identities, you can filter which identities you want to include in the certification campaign. Complete the following steps:

    • Select which identities you want to include in the certification campaign.

      Note

      When you refine identities, the maximum number of identities that can appear based on your query is 10,000.

    • Select + Add To Campaign to save your selections.

    • (Optional) Review your selections in the Added to campaign tab.
    • Select Continue to configure the details of your certification campaign.

Creating a Role Composition Certification Campaign

Role certifications are typically assigned to role owners, who certify the composition of that role. Revoked decisions in these campaigns will generate manual tasks for the users responsible for remediation.

  1. Select Search from the navigation menu.
  2. From the vertical Search toolbar, select the Certification Campaigns icon.
  3. Select New Campaign to create a new certification campaign.
  4. Select the Role Composition tile.
  5. Choose how you want to select roles:

    If you choose All Roles Returned by a Query, all roles returned by your query will be added to the certification campaign. Complete the following steps:

    • Run a search query to return a list of roles.
    • Select Certify These Roles to add these roles to your certification campaign.

    If you choose Specific Roles that I Select, you can search for roles you want to certify and add each one individually to your certification. Complete the following steps:

    • Run a search query to return a list of roles.
    • Select which roles you want to include in the certification campaign
    • Select + Add To Campaign to add these roles to your certification campaign.
    • Select Certify Selected Roles when you’ve completed your selections.

You can now configure the details of your certification campaign.

Creating Uncorrelated Accounts Certification Campaigns

Uncorrelated accounts certification campaigns allow you to certify source accounts that are not linked to an authoritative identity.

  1. Select Search from the navigation menu.
  2. From the vertical Search toolbar, select the Certification Campaigns icon.
  3. Select New Campaign to create a new certification campaign.
  4. Select the Uncorrelated Accounts tile.
  5. Choose accounts to certify by selecting sources from the list. If a selected source has uncorrelated accounts, they will appear in the accounts list below.
  6. Select Certify These Accounts.

You can now configure the details of your certification campaign.

Creating a Machine Accounts Certification Campaign

Machine account certification campaigns allow users to review a machine identity's access.

  1. Select Search from the navigation menu.
  2. From the vertical Search toolbar, select the Certification Campaigns icon.
  3. Select New Campaign to create a new certification campaign.
  4. Select the Machine Accounts tile.
  5. Choose machine accounts to certify by selecting sources from the list. If a selected source has machine accounts, they will appear in the accounts list below.

    Important

    Machine account certification campaigns must contain less than 100,000 accounts. Campaigns with more than 100,000 accounts should be split into smaller, separate campaigns.

  6. Select Certify These Accounts.

You can now configure the details of your certification campaign.

Configuring Certification Campaign Details

Before you can preview, start, or schedule a campaign, you'll need to enter your campaign information.

  1. Enter a meaningful name and description for your campaign to differentiate it from other certification campaigns.
  2. Choose whether reviewers will receive notification emails about this campaign’s progress.

    If your organization has the Recommendations feature, you can select the Include Recommendations toggle to add recommendations to your identity and access items certification campaigns.

    For uncorrelated and machine accounts certification campaigns, you can select a campaign filter from the Campaign Filters dropdown list.

  3. Select who will review and remediate access. You can select from the following reviewers, depending on the certification type:

    • Manager - The managers of the identities in the campaign review access.

      Note

      When an identity does not have a defined manager, the certification is reassigned to the creator of the campaign.

    • Individual - A specific identity reviews access. Select an individual from the dropdown list.

    • Role Owner - The role owner reviews access. Role certifications are typically assigned to role owners, who certify the composition of that role.
    • Source Owner - The source owner reviews access. Uncorrelated account certifications are typically assigned to source owners.
    • Governance Group - A governance group reviews access. Select a governance group from the dropdown list. Any member of the governance group can perform the review.
    • Account Owner - The account owner reviews access. If an account owner has not been configured, the certification review will be assigned to the source owner.
  4. Choose what happens to undecided access when the campaign ends.

    Caution

    SailPoint strongly recommends that you choose to maintain access to undecided items due to the difficulty of reinstating access after it is revoked.

  5. Choose when reviewers are required to leave comments on their decisions.

    Best Practice

    SailPoint recommends requiring comments when a decision is revoked in role composition certification campaigns. These comments are sent to the role owner as a task and dictate what changes they should make to the associated role.

  6. For role composition campaigns, select an org or role admin to be the remediation owner. This user is responsible for manually updating the role when reviewers revoke items in role composition certifications. The revoked items in this campaign will become tasks in the remediation owner's Task Manager.

  7. Choose whether to save this campaign for later, generate a preview now, or schedule the preview to generate at a later time.

    If you choose to schedule a campaign preview, select a time zone, an end date, and whether you want the preview to generate on a specific date or a recurring cadence of weekly, monthly, or annually.

    Notes

    • When you schedule a campaign preview, you’re scheduling the generation of the preview. An admin must still manually start the campaign.
    • A campaign cannot be scheduled to start the same day it was created. If you need to start a campaign that same day, select Generate Now in the Campaign Generation section.
    • An email will be sent to the campaign owner one week before the scheduled campaign preview generation to remind them to manually start the campaign.
  8. Select the duration of the campaign. You can also choose to set the duration of the campaign when you start the campaign.

  9. Select Review Campaign to review a summary of the campaign.

    Important

    The creation of a certification campaign is a critical governance process that should be carefully reviewed before it is sent to reviewers.

  10. After you’ve reviewed the campaign details, select the blue button at the top of the page to save your campaign to return to later, schedule the campaign, or generate the campaign preview.

    If you chose to generate your campaign preview, select View to display your campaign preview where you can start your campaign.

    Note

    The campaign preview may take a while to generate, depending on the size of the campaign.

    If you chose to save your campaign or schedule your campaign preview, you can find your campaign within the Saved/Scheduled tab on the Certification Campaigns page.

Scheduling a Saved Certification Campaign

If you want to schedule a campaign that you’ve saved, you can do so from the Certification Campaigns page.

  1. Select Search from the navigation menu.
  2. In the vertical Search toolbar, select the Certification Campaigns icon.
  3. Select one of your saved campaigns under Saved/Scheduled Campaigns.
  4. On the Preview page, select Schedule Campaign to start the scheduling process.

    Note

    If you need to make any changes to the campaign, select Options > Edit.

  5. Select your time zone and schedule your campaign preview using the calendar.

    Note

    To schedule quarterly campaigns, select Recurring > Annually and select multiple checkboxes for each month you want to schedule.

  6. Select Next to view a summary of your scheduled campaign information.

  7. Review the summary and then select Schedule to schedule the campaign preview.

You can view your campaign in the Saved/Scheduled tab.

An email will be sent to the campaign owner one week before the scheduled campaign preview generation to remind them to manually start the campaign.

Note

If you generate a scheduled campaign preview early, a preview will still generate at the time and date you originally selected.

Starting a Certification Campaign

After your campaign preview has been generated, you can start your campaign.

  1. Select Search from the navigation menu.
  2. From the Search vertical toolbar, select the Certification Campaigns icon.
  3. Select a campaign from the Previewed/Active tab.
  4. Select View to preview the certification campaign.
  5. Select Start at the top of the page to start the certification campaign.

You can also view the campaign by selecting Admin > Certifications > Campaigns from the navigation menu.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.