Versions Compared

Old Version 2

changes.mady.by.user Matt McIrvin

Saved on

compared with

New Version Current

changes.mady.by.user Sowmya Manian

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

But suppose you want more control over the automatic assignment. You want all permissions for a given person to be reviewed by someone specific (who is not necessarily their manager, or the app owner). Or, you want all reviews that would be done by a specific reviewer to be done instead by somebody else. Instead of clicking through everything manually, you can automate this by setting Designated Reviewers and Review Delegates.

Table of Contents
minLevel1
maxLevel7

Viewing the user attributes

The Designated Reviewer and Review Delegate attributes are visible on the User Profile page. Expanding the user details tab will reveal these values in the right-hand column, if they are set. These are displayed as email addressesuser links:

...

What do these mean?

  • The Designated Reviewer is a user who, in an access review, may be automatically assigned to review all permissions that belong to this user. In this case, Garnik Narahari would review all of Adel Perfilyeva’s permissions, instead of whoever would do it normally (Adel’s manager, or the app owner).

  • The Review Delegate is a user who, in an access review, may automatically substitute for this user as a reviewer. In this case, any permissions that Adel Perfilyeva would otherwise review will instead be reviewed by Jackson Kakkad, the delegate.

...

Currently, these attributes are not editable on the User Profile page. You can set them for your whole organization by uploading a CSV containing the values, expressed as primary email addresses. This is on To upload a CSV file, navigate to the Settings page , under the Discovery & Configuration tab, in a section called > “Discovery & Configuration” tab > “Upload Designated Reviewers and Delegates CSV” section:

...

[…]

...

The “Browse” Browse widget will allow you to specify a file; then the “Upload” Upload button will activate to upload it.

...

The CSV file needs to be in a certain specific format, which you can generally create by exporting a CSV from your favorite spreadsheet software. You can download a sample CSV that demonstrates the correct format by clicking the “Download Download sample file” file link. It’s a short file whose contents look like this:

...

Or, if you open it in a spreadsheet program, it looks something like this:

Email

Designated Reviewer

Review Delegate

adel.perfilyeva@zsec.io

garnik.narahari@zsec.io

jackson.kakkad@zsec.io

jagoda.braunmuhl@zsec.io

khalid.erva@zsec.io

ortrud.murillo@zsec.io

ortrud.murillo@zsec.io

stella.hiroyama@zsec.io

steen.escriba@zsec.io

stepehn.hardjono@zsec.io

There are three comma-separated columns, with the headers “Email”, “Designated Reviewer”, and “Review Delegate”. The values in these columns are the primary email addresses of the respective people.

...

Once the user attributes have been uploaded, you can use these features. In an access review campaign that is in the preview stage, you can activate them the settings from the Campaign Settings edit dialog. By default, they are turned off.

...

These reassignments happen in a certain specific order that determines precedence if the various settings conflict.

  • Currently,

...

  • designated-reviewer processing happens after business-role processing, so it will take precedence over

...

  • automatic assignment that happen because of business roles.

  • Automatic assignment to resource owners takes precedence over designated reviewer assignments.

  • Review-delegate processing happens last of all. So if, for instance, a user’s designated reviewer has a review delegate, the review will go to the designated reviewer’s review delegate.

  • One exception to the above: if the review delegate happens to be the person whose permission is being reviewed, and the campaign has a setting forbidding self-review, that setting will be honored.