Access Review Campaign Settings

This document provides detailed information about all available Access Review campaign settings in Zilla.

Almost all campaign settings are available for the Supervisory and “Application Owner” campaign except the “Self Review” setting which is specifically used for “Application Owner” Access Review.

Setting

Default value(Y/N)

Impact

Setting

Default value(Y/N)

Impact

Enable Campaign Readiness

No - Applications have been synced recently and the campaign can start immediately

When this option is disabled, then Get Ready tab will not be available.

When this option is Enabled, set it to “Yes - Before the campaign starts, assign tasks to update application data and track data quality”, Get Ready Tab is visible and apps added in the campaign are listed with readiness steps.

Allow Requesting Permission Change

No - Reviewers can only Maintain or Revoke permissions

When this option is disabled, the change permission action on the review items is not available.

When this setting is enabled, the change permission to other permission action is available. Note there is a bug with this feature when a non-admin is trying to change a permission

 

Allow Bulk Resolving of Permissions

Yes - Allow reviewers to resolve multiple permissions at once (Maintain/Revoke)

When this option is disabled, reviewer has to take actions on individual item, bulk actions can not be taken.

When this option is enabled, the Bulk actions can be taken on review items.(e.g.maintain/revoke/change)

Allow Reviewers to Reassign Access Review Items

Yes - Allow reviewers to reassign review items

When this option disabled, set to “No - Do not allow reassignment by reviewers” then the reviewers cannot reassign the review items, the reassign options are not present in the UI (except that Admins and Monitors can reassign the review items even if the setting is disabled).

When this option is set to “Yes - Limit reassignment to reviewers' reporting organization”, reviewers may only reassign the review items to people above them in the organization’s reporting hierarchy, or to campaign creator and campaign monitors. Admins and monitors can still reassign to anyone.

When this option is set to “Yes - Allow reviewers to reassign review items”, the admin, monitors and reviewers can reassign the review items to other users/reviewers.

Allow Incomplete Reviews to be Submitted

No - Each item in the review must be completed (marked as Maintain/Revoke)

When this option is disabled, set to No then each and every review item from the review task should be completed then only the review task submission is allowed .and user can still complete the campaign by saving the task.(The submit task button is enabled only all review items are completed).

When this option is enabled, the review tasks can be submitted even if the reviewer has not completed the review items(by taking actions on the items)Submit button is still enabled.

 

Revoke Unreviewed Permissions

No

This setting will only appear if enabled in your tenant. Please contact Customer Support for assistance.

When this option is disabled, review items that are not yet completed with a resolution action when the campaign is closed will remain unresolved.

When this option is enabled, all review items that are not yet completed with a resolution action when the campaign is closed (whether or not they are in submitted tasks) will be automatically marked as revoked.

Limit Review to Privileged Permissions

No limit

When this option is set to “No limit", then all the permissions(privileged/non privileged) will be part of the campaign.

When the option is set to “Only privileged permissions“ ,then only privileged permissions will be the part of campaign.

When the option is set to “Only non-privileged permissions“ , then only non-privileged permissions will be the part of campaign.

Limit Review to Permissions with Segregation of Duties Violations

No limit

When this option is set to “No limit”, permissions will be in the campaign even if they do not have Segregation of Duties violations.

When this option is set to “Yes - Limit review to permissions with Segregation of Duties violations, the campaign will be limited to permissions that are flagged with a Segregation of Duties policy violation at the time of campaign population.

Limit Review to Orphan Accounts

No limit

When this option is set to “No limit”, permissions will be reviewed from active accounts regardless of whether their associated users are present and active.

When this option is set to “Yes - Limit campaign to accounts with missing or inactive users”, the campaign will be limited to orphan accounts, that is, accounts that are active, but either have no user mapped at all, or a user who is in an inactive or deleted state.

Limit Review to External Users

No - Include accounts with any domain

When this option is disabled, then the accounts with any domain will be part of the campaign(accounts that are mapped to external domain users will also be part of the campaign)

When this option is enabled set to “Yes - Include only accounts that have an external email domain“ then only accounts that have external domain emails(external to the organization domain) will be part of the campaign.

Revoke Accounts of Inactive Users

No - Do not automatically mark inactive user accounts as revoked

When this option is disabled set to “No", then the accounts mapped to inactive users, permissions of those accounts will not be automatically marked as revoked.

When this option is enabled set to “Yes - Mark all inactive user accounts as revoked", then the accounts mapped to inactive users, permissions of those accounts will be automatically marked as revoked.

Allow Self Review

Yes - Allow self review

When this option is set to “Yes - Allow self review “then the reviewer can review his/her own permissions.

When this option is set to “No - Reassign self reviews to the application Technical Owner “then the reviewer 's own permissions are assigned to the application technical owner if present ,otherwise assigned to the campaign monitor if present, otherwise unassigned.

When this option is set to “No - Reassign self reviews to the Monitor “then the reviewer 's own permissions are assigned to the campaign monitor if present, otherwise assigned to the Application technical owner if present, otherwise unassigned.

Require Comments

No

When this option is set to “No “then the addition of comments on the actions taken on the review items is not mandatory

When this option is set to “Yes - Require comments on Maintain actions “then the addition of comments on the maintain action taken on the review items is mandatory

When this option is set to “Yes - Require comments on Revoke actions “then the addition of comments, on the revoke action taken on the review items is mandatory

When this setting is set to “Yes - Require comments on all actions “then the addition of comments, on the maintain/revoke action taken on the review items is mandatory

Require Comments on Flagged Items / Violations

Yes - Require comments on Maintain actions for flagged items / violations

When this option is disabled and set to “No” then the addition of comments is not mandatory while maintaining the sod violated/flagged review items.

when this option is set to “Yes - Require comments on Maintain actions for flagged items / violations“ then the addition of comments is mandatory while maintaining the sod violated/flagged review items.

Limit Review to Unreviewed Permissions

No - Include all previously reviewed permissions

When this option is disabled then all review items/permissions will be part of the campaign. whether those are part of previous campaigns or not.

When this option is enabled set to “Yes - Limit to permissions not reviewed within the last X days", then only review items/permissions, those are not reviewed within last X days, will be part of the campaign. for example, permissions that are not reviewed within last 90 days.

Limit Review to Privileged Accounts

No limit

When this option is set to “No limit”, review items will be included regardless of whether the account is privileged.

When this option is set to “Only privileged accounts”, the campaign will include only accounts that are privileged (that is, contain a privileged permission).

When this option is set to “Only non-privileged accounts”, the campaign will include only accounts that are non privileged (do not contain a privileged permission).

Limit Review by Account Types

No - Review permissions of all account types

When this option is disabled then review items of all types of accounts will be part of the campaign. for example, User, Guest, Bot,Service

When this setting is set to “Yes - Limit review to account types:“ then review items of given account types only, will be part of the campaign. we can provide comma-separated account type values.

Generate Review Based on Pre-defined Business Roles

No

When this option is set to No then irrespective of business roles all permissions from the selected apps will be the part of campaign.

When this option is set to “Yes - Only review permissions that are exceptions to pre-defined business roles” the permissions matching to the pre-defined business roles are excluded from the review and the permissions not matching to business roles will be part of the review.

When this option is set to “Yes - Permissions matching pre-defined business roles are assigned to the application business owner” then the matching pre-defined roles will be assigned to the business owner and pre-marked as maintained.

 

Assign Review to Designated Reviewer

No

When this option is set to No then review items will not be assigned to Designated reviewer. Review items will be assigned to supervisor if the campaign is Supervisory campaign and application owner if the campaign is an application owner campaign.(if supervisor and app owners are not present then review items will be unassigned.)

When this option is set to “Yes - Items will be assigned to the user's designated reviewer “then the items will be assigned to the designated reviewer.

Assign Review to Delegate

No

When this option is set to No then review tasks will not be assigned to reviewer’s delegate. Review items will be assigned to supervisor if the campaign is Supervisory campaign and application owner if the campaign is an application owner campaign.(if supervisor and app owners are not present then review items will be unassigned.)

When this option is set to “Yes - Items will be assigned to the reviewer's delegate” the review task will be assigned to the reviewer’s delegate user.

Assign Review to Resource Owner

No

When this option is set to No then review items will not be assigned to Resource owners. Review items will be assigned to the supervisor if the campaign is Supervisory campaign and application owner if the campaign is application owner campaign.(if supervisor and app owners are not present then review items will be unassigned.)

When this option is set to “Yes - Reviews of resource permissions will be assigned to the resource owner “the resource permissions will be assigned to resource owner if available. Otherwise remained unassigned.

Assign Review to Permission Owner

No

When this option is set to No then review items will not be assigned to Permission owner. Review items will be assigned to supervisor if the campaign is Supervisory campaign and application owner if the campaign is an application owner campaign.(if supervisor and app owners are not present then review items will be unassigned.)

When this option is set to “Yes - Reviews of permissions with owners will be assigned to the permission owner” the review items(permissions having owners) will be assigned to permissions owner if available. Otherwise remained unassigned.

Move Review Items Assigned to Inactive/Deleted Users to Unassigned

Yes - Move to Unassigned - to be reassigned by the campaign monitor

When this option is set to “Yes - Move to Unassigned - to be reassigned by the campaign monitor”, review items that would be assigned to inactive/deleted users will instead become unassigned.

When this option is set to “No”, these items will remain assigned to the inactive/deleted users.

Assign Review When Supervisor is Unknown

Automatically assign review to the application business owner

This option only exists for supervisory reviews.

When this option is set to “Automatically assign review to the application business owner”, review items with no reviewer will be assigned to the application business owner.

When this option is set to “Leave as Unassigned - to be reassigned by the campaign monitor”, these review items will remain Unassigned.

Allow Shared Owner Reviews

No - Reviews of permissions are assigned to a single reviewer

When this option is set to No then review items will be assigned to the single reviewer.

When this setting is set to “Yes - Reviews of permissions can be assigned and shared among multiple reviewers” then in case of

  • Application owner campaign :

the review tasks are shared among the application’s Business owner and the Additional owners assigned to the app and permissions owners if assigned to the permissions of the app involved in the campaign

  • for the Supervisory campaign :

The review tasks will be assigned to the reviewers and the permissions owners assigned to the permissions of the apps involved in the campaign.

 

Settings precedence :

Move Review Items Assigned to Inactive/Deleted Users to Unassigned

This setting has highest precedence, but currently only applies at campaign population time.

Assign Review when Supervisor is Unknown

This setting exists only for supervisory reviews, and if it is set to assign to app business owner, it will have higher precedence than the settings below.

(If both this and “Move Review Items Assigned to Inactive/Deleted Users to Unassigned” are set, items assigned to inactive/deleted users will go to the app business owner--unless the app business owner is inactive/deleted, in which case the item will be unassigned.)

Assign Review to Delegate

This setting has lower precedence than “Move Review Items Assigned to Inactive/Deleted Users to Unassigned”

Assign Review to Permission Owner

This setting has lower precedence than the “Assign Review to Delegate“

Assign Review to Resource Owner

This setting has lower precedence than the “Assign Review to Permission Owner“

Assign Review to Designated Reviewer

This setting has lower precedence than the “Assign Review to Resource Owner”

If we have the review setting enabled, permission owner setting enabled

The Permission Owner setting takes higher precedence

If we have the self-review setting enabled, permission owner setting enabled and resource owner setting enabled

The Permission Owner setting takes higher precedence.

The Resource owner takes precedence over the self review setting.

if we have the self-review setting enabled, delegate review setting enabled.

The delegate review setting takes higher precedence.

if we have the self-review setting enabled, delegate review setting enabled and designated reviewer setting enabled

Self-review prohibition takes precedence over designated reviewer.