Fine-tuning review assignments with Designated Reviewers and Review Delegates


While previewing or running an access review, it’s possible to manually reassign review items to someone other than the automatically designated reviewer.

But suppose you want more control over the automatic assignment. You want all permissions for a given person to be reviewed by someone specific (who is not necessarily their manager, or the app owner). Or, you want all reviews that would be done by a specific reviewer to be done instead by somebody else. Instead of clicking through everything manually, you can automate this by setting Designated Reviewers and Review Delegates.

Viewing the user attributes

The Designated Reviewer and Review Delegate attributes are visible on the User Profile page. Expanding the user details tab will reveal these values in the right-hand column, if they are set. These are displayed as user links:


What do these mean?

  • The Designated Reviewer is a user who, in an access review, may be automatically assigned to review all permissions that belong to this user. In this case, Garnik Narahari would review all of Adel Perfilyeva’s permissions, instead of whoever would do it normally (Adel’s manager, or the app owner).

  • The Review Delegate is a user who, in an access review, may automatically substitute for this user as a reviewer. In this case, any permissions that Adel Perfilyeva would otherwise review will instead be reviewed by Jackson Kakkad, the delegate.

Either of these automatic behaviors may be activated or deactivated for any individual access review campaign (see below).

Uploading the user attributes via CSV

Currently, these attributes are not editable on the User Profile page. You can set them for your whole organization by uploading a CSV containing the values, expressed as primary email addresses. To upload a CSV file, navigate to the Settings page > “Discovery & Configuration” tab > “Upload Designated Reviewers and Delegates CSV” section:

[…]

The Browse widget will allow you to specify a file; then the Upload button will activate to upload it.

On successful upload, ALL pre-existing Designated Reviewer and Review Delegate user attributes will be removed and replaced by the new ones in your CSV file. This will allow you to correct any mistakes by uploading a revised CSV.

CSV format

The CSV file needs to be in a specific format, which you can generally create by exporting a CSV from your favorite spreadsheet software. You can download a sample CSV that demonstrates the correct format by clicking the Download sample file link. It’s a short file whose contents look like this:

Email,Designated Reviewer,Review Delegate
adel.perfilyeva@zsec.io,garnik.narahari@zsec.io,jackson.kakkad@zsec.io
jagoda.braunmuhl@zsec.io,khalid.erva@zsec.io,ortrud.murillo@zsec.io
ortrud.murillo@zsec.io,stella.hiroyama@zsec.io,
steen.escriba@zsec.io,,stepehn.hardjono@zsec.io

Or, if you open it in a spreadsheet program, it looks something like this:

There are three comma-separated columns, with the headers “Email”, “Designated Reviewer”, and “Review Delegate”. The values in these columns are the primary email addresses of the respective people.

The user in the “Email” column is the user whose values are being set. “Designated Reviewer” is the designated reviewer for that user (if any), and “Review Delegate” is the delegate for that user (if any).

If you leave the Designated Reviewer or Review Delegate column blank for a row, that attribute is simply left unset for that user.

Errors

All email addresses in the CSV MUST correspond to the primary email address of a user. If any email address is not found, the upload will fail with an error message. Expand details to see the first email address not found. If this happens, no user attributes will be changed; all Designated Reviewer and Review Delegate settings will remain as they were.
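As an added illustration (not the product's own code), here is a parser that applies the rules above to the sample file: the header must match, every address in every column must be a known primary email, the first unknown address is reported, and nothing is changed unless the whole file passes. The directory of known users and the UploadError name are assumptions for the example.

```python
import csv
import io

HEADERS = ["Email", "Designated Reviewer", "Review Delegate"]

class UploadError(ValueError):
    """The CSV was rejected; no user attribute has been changed."""

def parse_reviewer_csv(text, known_primary_emails):
    """Parse the upload into {email: {"designated_reviewer": ..., "review_delegate": ...}}.
    A blank column yields None. Any address, in any column, that is not a known
    primary email rejects the whole file, reporting the first one not found."""
    known = set(known_primary_emails)
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != HEADERS:
        raise UploadError("expected header: " + ",".join(HEADERS))
    result = {}
    for row in reader:
        cells = [c.strip() for c in row] + [""] * 3   # tolerate dropped trailing commas
        email, reviewer, delegate = cells[:3]
        if not email:
            continue                                   # skip empty lines
        for addr in (email, reviewer, delegate):
            if addr and addr not in known:
                raise UploadError(f"email address not found: {addr}")
        result[email] = {"designated_reviewer": reviewer or None,
                         "review_delegate": delegate or None}
    return result

def apply_upload(attributes, text, known_primary_emails):
    """Replace ALL existing attributes with the CSV contents, or leave them untouched on error."""
    new = parse_reviewer_csv(text, known_primary_emails)  # raises before anything changes
    attributes.clear()
    attributes.update(new)
    return attributes

# Sample file contents from the page, plus a constructed directory of primary emails.
SAMPLE_CSV = """Email,Designated Reviewer,Review Delegate
adel.perfilyeva@zsec.io,garnik.narahari@zsec.io,jackson.kakkad@zsec.io
jagoda.braunmuhl@zsec.io,khalid.erva@zsec.io,ortrud.murillo@zsec.io
ortrud.murillo@zsec.io,stella.hiroyama@zsec.io,
steen.escriba@zsec.io,,stepehn.hardjono@zsec.io
"""
KNOWN_USERS = {"adel.perfilyeva@zsec.io", "garnik.narahari@zsec.io", "jackson.kakkad@zsec.io",
               "jagoda.braunmuhl@zsec.io", "khalid.erva@zsec.io", "ortrud.murillo@zsec.io",
               "stella.hiroyama@zsec.io", "steen.escriba@zsec.io", "stepehn.hardjono@zsec.io"}
```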


Campaign settings

Once the user attributes have been uploaded, you can use these features. In an access review campaign that is in the preview stage, you can activate the settings from the Campaign Settings edit dialog. By default, they are turned off.

Changing these settings will automatically regenerate the campaign’s review tasks (or you can manually regenerate them with the Regenerate Campaign button, as always). In this case, by clicking through to individual users' review items, we can see that as Adel Perfilyeva’s designated reviewer, Garnik Narahari has been assigned their permissions to review, and there’s a comment indicating that this happened:

A similar thing happens with review delegates. If I designate Jackson Kakkad in my uploaded CSV as Georgi Facello’s review delegate, then in a supervisory review, Jackson will be assigned as the reviewer for all of Georgi Facello’s reports, with a comment in the review item noting this:

Order of operations

These reassignments happen in a specific order that determines precedence if the various settings conflict.

  • Currently, designated-reviewer processing happens after business-role processing, so it takes precedence over automatic assignments that happen because of business roles.

  • Automatic assignment to resource owners takes precedence over designated reviewer assignments.

  • Review-delegate processing happens last of all. So if, for instance, a user’s designated reviewer has a review delegate, the review will go to the designated reviewer’s review delegate.

  • One exception to the above: if the review delegate happens to be the person whose permission is being reviewed, and the campaign has a setting forbidding self-review, that setting will be honored.
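The precedence rules above, written out as a small assignment function (an added example, not the product's implementation). It assumes a directory keyed by primary email, that resource-owner and business-role assignments arrive as inputs, that delegation is a single hop, and that when the self-review exception fires the review stays with the reviewer it would otherwise have replaced; Adel's attributes match the sample CSV and Georgi's delegate matches the walkthrough above, while the manager link and Garnik's delegate are constructed.

```python
from collections import namedtuple

# A permission under review; resource_owner / business_role_reviewer are hypothetical inputs.
Permission = namedtuple("Permission", "holder app_owner resource_owner business_role_reviewer",
                        defaults=(None, None))
# Campaign settings: designated-reviewer and delegate processing are off by default.
Settings = namedtuple("Settings", "designated delegates forbid_self_review",
                      defaults=(False, False, True))

def assign_reviewer(perm, users, settings, supervisory=False):
    """Return (reviewer_email, audit_trail); users maps email -> attribute dict."""
    holder = users[perm.holder]
    # Baseline: the holder's manager in a supervisory review, else the app owner.
    reviewer = (holder.get("manager") if supervisory else None) or perm.app_owner
    trail = [f"default reviewer {reviewer}"]
    # Business-role assignment runs first ...
    if perm.business_role_reviewer:
        reviewer = perm.business_role_reviewer
        trail.append("business role")
    # ... so a designated reviewer, processed afterwards, overrides it.
    if settings.designated and holder.get("designated_reviewer"):
        reviewer = holder["designated_reviewer"]
        trail.append("designated reviewer")
    # Resource-owner assignment outranks the designated reviewer.
    if perm.resource_owner:
        reviewer = perm.resource_owner
        trail.append("resource owner")
    # Delegation runs last and substitutes for whoever is assigned by now (single hop assumed).
    delegate = users.get(reviewer, {}).get("review_delegate")
    if settings.delegates and delegate:
        if settings.forbid_self_review and delegate == perm.holder:
            trail.append("delegate skipped: self-review forbidden")   # assumption: reviewer unchanged
        else:
            trail.append(f"review delegate for {reviewer}")
            reviewer = delegate
    return reviewer, trail

# Constructed directory: Adel's entries match the sample CSV, Georgi's delegate matches the
# walkthrough above; the manager link and Garnik's delegate are made up for this example.
USERS = {
    "adel.perfilyeva@zsec.io": {"manager": "georgi.facello@zsec.io",
                                "designated_reviewer": "garnik.narahari@zsec.io",
                                "review_delegate": "jackson.kakkad@zsec.io"},
    "georgi.facello@zsec.io": {"review_delegate": "jackson.kakkad@zsec.io"},
    "garnik.narahari@zsec.io": {"review_delegate": "adel.perfilyeva@zsec.io"},
    "jackson.kakkad@zsec.io": {}, "app.owner@zsec.io": {},
}
ADEL_PERM = Permission("adel.perfilyeva@zsec.io", "app.owner@zsec.io")
```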