...

This document provides instructions on how to define and create an Access Review. This can be done by admin users.

...

Creating the access review

  • To create a new campaign, click Create Campaign on the Access Reviews page that lists all the current and completed Access Review Campaigns.

...

  • Select the Campaign Type → Enter a campaign name in Name of Access Review Campaign → Enter a description in the Description text area → Select a due date in Campaign Due Date. These fields can be edited at a later date. → Click the Create Campaign button.

...

  • A new campaign will be created.

...

  • The user will land on the About Campaign tab of the campaign.

...

Selecting users, applications and permissions

A Campaign monitor can filter the list of users to be included in the access review. By default all directory users are included. A warning icon flags users without a defined manager.

...

...

You can filter users by Department, User Status (active/inactive/deleted), Tags, or Last Transfer Date. This last option allows you to select users who moved positions in the previous week (Sunday to Saturday), the calendar month preceding the current month, or the 3-month period preceding the current month.

...

Select the applications to be reviewed. You can filter the list to specific departments or regulations. A warning icon indicates applications that do not have any data or have out of date data. Use the Get Ready feature to collaborate with your company to update your data for your campaign.

...

You can limit the review to specific permissions, or you can exclude certain permissions from the review. Enter the permissions you want to include or exclude in the appropriate field; if you want to include/exclude multiple permissions you can specify a list separated by commas. The text is case-insensitive but needs to match the whole name of the permission. You can use an asterisk * as a wildcard: for example, “admin*” will match “Administrator”; “*reader*” will match any phrase with “reader” or “Reader” in it. “default” matches Zilla’s default permission for users with no explicitly set permissions.
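The matching rules described above, sketched as an added example (not Zilla's code) that lets you check which permission names a filter string would select before launching a campaign. The function names, the trimming of spaces around commas, and the use of None to stand for a user with no explicitly set permission are assumptions.

```python
import re

# Constructed sample of permission names; None models a user with no
# explicitly set permission (assumption made for this example).
SAMPLE = ["Administrator", "admin", "Site Admin", "Reader",
          "Data reader (EU)", "Editor", None]

def parse_patterns(field):
    """Split a comma-separated filter field into non-empty patterns.
    Trimming whitespace around each entry is an assumption."""
    return [p.strip() for p in field.split(",") if p.strip()]

def _to_regex(pattern):
    # Everything is literal except '*', which matches any run of characters.
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)

def matches(field, permission):
    """True if the permission matches any pattern in the filter field."""
    for pattern in parse_patterns(field):
        if permission is None:
            # Only the literal keyword "default" selects the default permission.
            if pattern.lower() == "default":
                return True
            continue
        # fullmatch enforces "needs to match the whole name".
        if _to_regex(pattern).fullmatch(permission):
            return True
    return False

def preview(field, permissions):
    """Return the permissions, in order, that the filter field would select."""
    return [p for p in permissions if matches(field, p)]

if __name__ == "__main__":
    for f in ("admin", "admin*", "*reader*", "admin*, editor", "default"):
        print(f"{f!r:18} -> {preview(f, SAMPLE)}")
```

Note that "admin*" does not select "Site Admin": the pattern has to cover the whole name, so a leading asterisk is needed to catch names where the keyword appears later.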

...

Limiting permission types in the review

...

Customizing campaign settings

Campaign settings are spread across three tabs: “What to Review”, “Who Reviews”, and “Campaign Options”.

What to Review tab

...

Who Reviews tab

...

Campaign Options tab

...

  • To customize your campaign for your specific requirements, click Edit in the Campaign Settings section.

...

...

...

  • Edit in “What to Review” tab

...

  • Edit in “Who Reviews” tab

  • Edit in “Campaign Options” tab

Note:

In the “Campaign Options” tab, if you select “Yes - Reviewers get an additional option to request a Change to the existing permission” for “Allow Requesting Permission Change”, any review marked as Change will be tracked on the Report tab as a Revoke.

...

  • Generate Review Based on Pre-defined Business Roles: Automatically filtering access reviews using business roles

  • Designated Reviewers and Delegates: Fine-tuning review assignments with Designated Reviewers and Review Delegates

  • Assign Review to Resource Owner: Some permissions are resource permissions, having to do with access to or control of a particular application resource, such as a database. In some cases, these resources have a resource owner already defined. If “Assign Review to Resource Owner” is set to Yes, these review items will be automatically assigned to the resource owner. This setting takes precedence over Designated Reviewers, but not over delegation; that is, if the resource owner has a delegate, the delegate will be the reviewer.

  • Assign Review to Permission Owner: Some permissions (permissions, roles, groups, etc.) may have a permission owner already defined. (This can be set by editing the Available Permissions pane of the application’s Profile tab, as described in https://zilla.atlassian.net/wiki/spaces/ZILLASUP/pages/edit-v2/2352775169?draftShareId=ddaf37c2-6f29-4d65-9ab1-a8a213d1d509 ). If “Assign Review to Permission Owner” is set to Yes, these review items will be automatically assigned to the permission owner (or permission owners: see “Allow Shared Owner Reviews” below). This setting takes precedence over assignment to Designated Reviewers and Resource Owners, but not over delegation; that is, if the permission owner has a delegate, the delegate will be the reviewer.

  • Move Review Items Assigned to Inactive/Deleted Users to Unassigned: If set to Yes, review items that would have been automatically assigned to an inactive or deleted user (for instance, if the application owner is inactive/deleted in a shared owner review) will instead become unassigned. If No, inactive or deleted users can still be assigned review items.

  • Assign Review when Supervisor is Unknown: This setting exists for supervisory reviews only. If the item would be Unassigned because there is no known supervisor (or because the previous setting was enabled and the user was inactive/deleted), the item will go to the application business owner, much as in an application owner review.

  • Allow Shared Owner Reviews: By default, a permission in an access review can only have a single reviewer at a time. If this setting is enabled, a permission may have multiple reviewers. Currently, we support this for an application owner access review with a list of Additional Owners set, and also for the case of “Assign Review to Permission Owner” with multiple permission owners set. When a permission has multiple reviewers, any one of these reviewers may update the item to recommend an action, or add comments. Any reviewer may also reassign the item, which transfers only that reviewer’s assignment to the new reviewer. A task can be marked complete if all of its items have been reviewed by somebody (not necessarily the owner of the task).
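The assignment precedence described in the settings above, modeled as an added example (not Zilla's code) so the effect of each toggle on a single review item can be traced. All names are hypothetical; the model assumes one permission owner per item, that a designated reviewer replaces the supervisor, that the inactive/deleted check applies to the final assignee after delegation, and that the application business owner fallback is used only in a supervisory review.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Settings:
    assign_to_resource_owner: bool = False
    assign_to_permission_owner: bool = False
    move_inactive_to_unassigned: bool = False
    assign_when_supervisor_unknown: bool = False  # supervisory reviews only

@dataclass
class Item:
    supervisor: Optional[str] = None
    designated_reviewer: Optional[str] = None
    resource_owner: Optional[str] = None
    permission_owner: Optional[str] = None
    app_business_owner: Optional[str] = None

def resolve_reviewer(item, s, delegates=None, inactive=frozenset()):
    """Return the reviewer for one item, or None if it ends up unassigned."""
    delegates = delegates or {}
    # Highest precedence first: permission owner, resource owner,
    # designated reviewer, then the supervisor.
    candidates = [
        item.permission_owner if s.assign_to_permission_owner else None,
        item.resource_owner if s.assign_to_resource_owner else None,
        item.designated_reviewer,
        item.supervisor,
    ]
    reviewer = next((c for c in candidates if c), None)
    # Delegation takes precedence over every owner-based assignment.
    reviewer = delegates.get(reviewer, reviewer)
    # Items that would land on an inactive/deleted user become unassigned.
    if s.move_inactive_to_unassigned and reviewer in inactive:
        reviewer = None
    # Fallback for items that would otherwise stay unassigned.
    if reviewer is None and s.assign_when_supervisor_unknown:
        reviewer = item.app_business_owner
    return reviewer

if __name__ == "__main__":
    item = Item("sam", "dana", "rita", "pat", "ana")  # constructed sample
    both = Settings(assign_to_resource_owner=True, assign_to_permission_owner=True)
    print(resolve_reviewer(item, Settings()))            # designated reviewer
    print(resolve_reviewer(item, both, {"pat": "deb"}))  # owner's delegate
```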

...

You can customize the message sent out to reviewers when the campaign is launched. The campaign can be programmed to automatically send out email notifications to reviewers whose reviews are overdue, or to escalate them to the reviewer’s manager. To enable and control these features, click the Edit link for Email Notifications.

...

...

The custom message at the top will be incorporated into notifications sent to reviewers when the campaign launches, letting them know they have a review to do. The campaign can also send automated reminders some number of days after the campaign starts or some number of days before it is due to end. (Note that in the second case, if the campaign’s end date is less than this number of days in the future, the reminders will go out immediately!)

...

Finally, it is possible to specify that all campaign monitors will receive copies of all campaign notifications. You can also limit these notifications to the case where a review item becomes (or is created as) unassigned to a reviewer.

Navigate to the Preview Campaign tab to preview the campaign before it is run.

...