Skip to content

Starting a Campaign from Search

Use the flexibility of search to create certification campaigns for the users you have loaded into IdentityNow. When you start a campaign from search, you can create a certification campaign for access items, identities, or role composition based on your search query results.

To limit a campaign to a specific set of people, you can create a precise search query. The more refined your query is, the more refined your results will be. How you refine the access items determines which identities are included in the campaign. You can refine your search by the following access items:

  • Entitlements — Identities that were granted the individual entitlement you select will be included in the campaign. If the selected entitlements were granted as part of an access profile or role, that access profile or role must be selected to include those identities in the campaign.

  • Access Profiles — All identities that were granted the selected access profile will be included in the campaign.

  • Roles — All identities that were granted the selected role will be included in the campaign.

Before you create a certification campaign from search, review the following best practices.

Best Practices
  • Be familiar with all entitlements assigned to the identities returned by your search query. After launching your campaign, you can certify either the access of the identities returned or the access items returned.

  • Be familiar with how those entitlements are used in access profiles and roles. Entitlements can be granted to identities on a standalone basis (that is, individually), or as part of a granted access profile or role.

  • Be aware that each night, IdentityNow evaluates the access items that identities have access to and makes updates. If an identity has access to all of the individual entitlements that comprise an access profile, the identity is automatically granted that access profile and no longer has the individual entitlements.

  • Be aware that protected users are allowed in search indexing. However, SPadmin and Cloudadmin are specifically excluded from search, so they are never included in a campaign.

Configuring Certification Campaign Details

Before you can preview, start, or schedule a campaign, you'll need to enter your campaign information.

  1. Select Search from the navigation menu.
  2. From the vertical Search toolbar, select the Certification Campaigns icon.

  3. Select New Campaign to create a new certification campaign.

  4. Select what you want to certify in your campaign: Identities, Access Items, or Role Composition Certification.

    Note

    Role composition certification is available only when a certification campaign is initiated through search. Role certifications are typically assigned to role owners, who certify the composition of that role. Composition includes everything that makes up the role, such as membership criteria - (and if the membership criteria is an identity list, those identities are included), role title and description, and access available through the role. Certifying who has a role and what access that role grants is typically done through an identity or access certification task that is assigned to a manager.

  5. On the next page, select one of the two options to further refine your selection:

    • All Identities/Access Items/Roles Returned by a Query - Build a search query and certify all of the results returned by that query.

    • Specific Identities/Access Items/Roles that I Select - From your query results, individually add each one to your certification.

  6. If you chose to certify all of your results, run your query and select Next.

    If you chose to add them individually, run your query and then select the specific access you want to include in the campaign. Select Next when you’ve completed your selections.

  7. For Identity and Access item-based campaigns, you have the option to further refine the contents of your campaign. Select the checkboxes to add the access items or identities you want in the campaign and then select Next.

    Note

    If your query returned more than 3,000 access items and you wish to refine the access, you must edit your query, so it returns 3,000 or fewer access items. When you refine identities, the maximum number of identities that can appear based on your query is 10,000.

    If you choose to include all, no additional action is needed, and you can move on to the next step. If you do not choose to further refine the access, there is no limitation on the number of identities or access items you can include in a campaign.

  8. Enter a meaningful name and description for your campaign to help differentiate it from other certification campaigns.

  9. Use the toggle to choose whether reviewers will receive notification emails about this campaigns's progress.

    Note

    If your organization has the Recommendations service, you can add recommendations to your campaign by selecting the Include Recommendations in your campaign toggle.

  10. Select who will review and remediate access. You can select from the following reviewers:

    • Manager — The managers of the identities in the campaign review access.

    • Individual — A specific identity reviews access. Select an individual from the dropdown menu.

    • Governance Group — A governance group reviews access. Select a specific governance group from the dropdown menu. Any member in the governance group can perform the review.

  11. Choose what happens to undecided access when the campaign ends.

    Caution

    We strongly recommend that you choose to maintain access to undecided items due to the difficulty of reinstating access after it is revoked.

  12. Select when you want to generate a preview of the campaign. Select a due date for the campaign.

    If you choose to schedule a campaign, select a time zone, an end date, and whether you want the campaign preview to run on a specific date or on a recurring cadence of weekly, monthly, or annually.

    Note

    A campaign cannot be scheduled to start on the same day.

  13. Select Continue to review a summary of the campaign.

    Important

    The creation of a certification campaign is a critical governance process that should be carefully reviewed before it is sent to reviewers.

  14. After you’ve reviewed the campaign details, select the blue button at the top of the page to Save, Schedule, or Generate your campaign.

Your campaign is now listed within the Saved/Scheduled or Previewed/Active tabs on the Certification Campaigns page.

Notes

  • The larger the campaign, the longer it will take to generate.
  • Privileged entitlements are marked with a gold badge.
  • Anything that you enter in the Filter Access Items field will persist across the Access Profiles and Roles pages and could cause some access items to not show up on those pages.

Previewing and Starting a Certification Campaign

After you’ve configured your campaign, you’ll review the contents and reviewers of the campaign before starting it.

  1. Select Search from the navigation menu.
  2. From the Search vertical toolbar, select the Certification Campaigns icon.
  3. Select one of your saved campaigns in the Saved/Scheduled tab.
  4. Review the campaign’s details. Select Options > Edit to make any needed changes.

    Important

    The creation of a certification campaign is a critical governance process that should be carefully reviewed before it is sent to reviewers.

  5. Select Generate Preview to generate a preview of the campaign.

  6. Select View to preview the certification campaign.
  7. Select Start at the top of the page to start the certification campaign.

You can view or make changes to the campaign by selecting Certifications > Campaigns from the navigation menu.

Scheduling a Saved Certification Campaign

If you want to schedule a campaign that you’ve already configured and saved, you can do so from the Certification Campaigns page.

  1. Select Search from the navigation menu.
  2. In the vertical Search toolbar, select the Certification Campaigns icon.
  3. Select one of your saved campaigns under Saved/Scheduled Campaigns.
  4. On the Preview page, select Schedule Campaign to start the scheduling process.
  5. Select your time zone and schedule your preview using the calendar.

    Note

    To schedule quarterly campaigns, select Recurring > Annually and select multiple checkboxes for each month you want to schedule.

  6. Select Next to view a summary of your scheduled campaign information.

  7. Review the summary and then select Schedule to schedule the campaign.

Your campaign is now listed in the Saved/Scheduled tab.

An email will be sent to the campaign owner one week before the scheduled campaign generation date to remind them to manually start the campaign.