Create Access Review Campaign

As a user with the Administrator or Campaign Administrator application role, you can create access review campaigns from the Oracle Access Governance Console. You can define selection criteria for access reviews based on users (who has access), applications (what are they accessing), permissions (which permissions), and roles (which roles). You can also define the workflow for the review in terms of the number of review levels, duration, and who performs the review.

To create an access review campaign using Oracle Access Governance Console:

Login

  1. Log in to the Oracle Access Governance Console with a user assigned either the Administrator or Campaign Administrator application role.
  2. Click the Select button on the Let's create some work and define a new campaign tile.

    You will be navigated to the Create a new access review campaign workflow screen, from which you can define and configure your access review campaign.

Selection Criteria

By default, all identity data ingested from the connected system is available to the access review campaign. This may be a large amount of data, so selection criteria allow you to narrow the criteria available for the campaign.

Criteria can be filtered based on:
  • Who has access
  • What they are accessing
  • What permissions do they have
  • Which roles do they hold

These four dimensions can be chosen and edited in any order before moving on to the next step. If you do not need to update each dimension, you can select any number from the four and leave the remaining unchanged. If you do not need to narrow the criteria for your enterprise, then you can choose to move to the next step without adding any selection criteria.

Note

All criteria can be searched by name.

Note

The following combinations are not supported and are mutually exclusive:
  • What permissions and Which roles

  1. Select the Who has access? tile to set criteria based on users.
    • On selecting this tile, you can select criteria for the following parameters:
      • Organization
      • Job code
      • Location

      Make your selections and when finished, click on Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

  2. Select the What are they accessing? tile to define criteria based on the resources users have access to.

    This allows you to narrow criteria based on the resources and applications users have access to.

    Make your selections and when finished, click on Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

  3. Select the Which permissions? tile to specify criteria based on permissions such as create, update, delete, approve, and so on. Actual values for permissions will depend on the connected system identity data.

    Make your selections and when finished, click on Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

  4. Select the Which roles? tile to specify criteria based on roles. Actual values for roles will depend on the connected system identity data.

    Make your selections and when finished, click on Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

    Note

    As you make selections of the various criteria, you can see the effect that your selections make and an estimate of the number of review items that your access review campaign will generate. This information is displayed in the section on the right-hand side of the page.

    Note

    If you need to make changes to your selections before moving on to workflows, select the Modify button on the relevant tile and amend as described in the steps above.

    When you are happy with your selection criteria, click on the I'm good, go to workflows button to proceed to the Assign workflow guided workflow.

Assign Workflow

The Assign Workflow step is where the approval workflow for your access reviews is defined. Oracle Access Governance will provide a suggested optimal workflow based on your selection criteria.

If you wish to define your workflow, click the I'll choose my own workflow button.
  1. Select how many levels of approval you want for your reviews. Choose from the following values:
    • One-level approval workflow
    • Two-level approval workflow
    • Three-level approval workflow
  2. For each review level, select how you want the review level to be handled. Choose from the following values:

    Parameter: Who is the first|second|third reviewer?
    Value:
      • Owner
      • User manager
      • User
      • Custom reviewer

      Note

      You can only assign a reviewer type to a single review level. If you assign User to Level 1, you cannot then assign User to Level 2 or 3, and so on.

    Parameter: How many days do they have to review?
    Value: Number of days for each review

    Parameter: Who gets the notification?
    Value:
      • Only reviewer
      • Reviewer and manager

    Parameter: Who do you want to send reminders to?
    Value:
      • Only reviewer
      • Reviewer and manager

    Parameter: How many days between reminders
    Value: Number of days for the gap between reminders

  3. Select where review decisions require a justification. Choose from the following values:
    • Required for all review decisions
    • Required only for revoke decisions
    • Optional for all review decisions
  4. Select the completion rule for the review. This gives a default action for all un-reviewed tasks at the end of each approval workflow level. Choose from the following values:
    • Approve all un-reviewed tasks
    • Revoke all un-reviewed tasks
  5. Select Save to save your workflow definition or Cancel to discard your changes.
  6. When you are happy with your workflow definitions, select Save draft to save your campaign for work later on or select Next to proceed to the Add details page.

Add Details

With the Add Details step, you can define the frequency (one-time or periodic) of running the access review campaigns, give a meaningful name to your campaign, add a supporting description, and assign values to additional attributes, such as who owns it and when the campaign should start or end.

To add details:
  1. Add values for the following parameters for your campaign:
    • How often do you want this to run?: Select One time to run a single occurrence of this campaign, or select a recurring pattern like Quarterly, Monthly, Half-Yearly, or Yearly to run this access review campaign periodically.
    • What do you want to call this campaign?: Add a name for your campaign.
    • How do you want to describe this campaign?: Add a description for your campaign.
    • Who owns this campaign?: Add the name of the campaign owner.
    • How would you like to schedule your campaign?: You can view this field only if you have selected to run your campaign one time. Select either Run now or Schedule Later. By default, the campaign is set to begin at the top of the next hour, the following day of campaign creation.
    • When do you want to Begin?: If you have set a recurring pattern, then select the start date of when you want to begin the campaign series. By default, the campaign is set to begin at the top of the next hour, the following day of campaign creation. If you want to change this, select the Select Date Time icon and add a new date/time.
    • When do you want to End?: If you have set a recurring pattern, then select the end date of when you want to end the campaign series.
  2. Once you have set your preferences, select Next to go to the Review and submit step.
  3. Optional: You may select one of the additional actions:
    • Save Draft: To save your changes and later come back and edit the workflow or details.
    • Cancel: To cancel the current process.
    • Back: To go back to the previous step.

Review and Submit

The Review and submit step displays the information you have added in the previous steps.

To review and submit your campaign:
  1. Select Save draft to save your campaign for work later on or select Create to create the campaign.
    Note

    Oracle Access Governance supports permissions, accounts, and roles that are assigned through a request or direct provisioning mechanism. Some access assignments cannot have the Accept or Revoke operations performed on them and are not included in the access review campaign. These include:
    • permission or account assigned to a user by a role
    • role assigned to a user by a membership rule
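
The exclusions in the note above mean that some access never becomes a review item. As an added example (not Oracle code and not an Oracle Access Governance API), this Python script splits a constructed list of access assignments into those a campaign would include and those the note excludes, and lists users who would get no review item at all. The record fields (user, kind, target, granted_via) and their values are hypothetical.

```python
from collections import defaultdict

# Grant mechanisms the page names as supported for review.
REVIEWABLE_VIA = {"request", "direct"}

# The two exclusions listed in the note: (kinds, mechanism, reason).
EXCLUSIONS = [
    ({"permission", "account"}, "role", "assigned to the user by a role"),
    ({"role"}, "membership_rule", "assigned to the user by a membership rule"),
]

# Constructed sample records; field names and values are hypothetical.
SAMPLE = [
    {"user": "alice", "kind": "permission", "target": "ERP:approve", "granted_via": "request"},
    {"user": "alice", "kind": "permission", "target": "ERP:update", "granted_via": "role"},
    {"user": "bob", "kind": "role", "target": "Finance Analyst", "granted_via": "membership_rule"},
    {"user": "bob", "kind": "account", "target": "ERP", "granted_via": "role"},
    {"user": "carol", "kind": "role", "target": "DBA", "granted_via": "direct"},
    {"user": "carol", "kind": "account", "target": "HR", "granted_via": "sync"},
]

def classify(a):
    """Return (status, reason); status is included, excluded or unclassified."""
    for kinds, mechanism, reason in EXCLUSIONS:
        if a["kind"] in kinds and a["granted_via"] == mechanism:
            return "excluded", reason
    if a["granted_via"] in REVIEWABLE_VIA:
        return "included", "request or direct provisioning"
    # The note says "These include", so the list may not be exhaustive.
    return "unclassified", "grant mechanism not covered by the note"

def coverage_report(assignments):
    """Group every assignment per user under its campaign status."""
    report = defaultdict(lambda: {"included": [], "excluded": [], "unclassified": []})
    for a in assignments:
        status, reason = classify(a)
        report[a["user"]][status].append((a["kind"], a["target"], reason))
    return dict(report)

def users_without_review_items(report):
    """Users whose access would produce no review item at all."""
    return sorted(u for u, r in report.items() if not r["included"])

if __name__ == "__main__":
    report = coverage_report(SAMPLE)
    for user, groups in sorted(report.items()):
        print(user, {k: len(v) for k, v in groups.items()})
    print("no review items:", users_without_review_items(report))
```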