Create User Access Review Campaigns

As an Administrator or Campaign Administrator, you can create one-time or periodic access review campaigns from the Oracle Access Governance Console. In this article we will look at how you can create on-demand user access reviews. You can define selection criteria based on users (who has access?), applications (what are they accessing?), permissions (which permissions?), and roles (which roles?). You can also define the approval workflow to select the number of review levels, review duration, and reviewer details.

Note:

Customers with existing campaigns created prior to the July 2023 release (legacy campaigns) should be aware of the following points regarding compatibility:
  • All legacy campaigns that were in Draft or Scheduled state will be amended to System Aborted state.
  • Users will not be able to clone legacy campaigns. You will only be able to clone new campaigns created with the July 2023 release and future releases.

To create a user access review campaign using Oracle Access Governance Console:

Navigate to Campaigns

  1. Log in to the Oracle Access Governance Console with a user assigned either the Administrator or Campaign Administrator application role.
  2. You can select one of the following options to navigate to the screen:
    1. On the Oracle Access Governance Console home page, select the Access Reviews tab, and click the Select button on the Define a new campaign tile. Click the Select button on one of the Review access to systems managed by Access Governance, Review access to Oracle Cloud Infrastructure, or Review access to systems managed by Oracle Identity Governance tiles.
    2. Click the Navigation menu icon, select Access Reviews, and then Campaigns, and then click the Create a campaign button. Click the Select button on one of the Review access to systems managed by Access Governance, Review access to Oracle Cloud Infrastructure, or Review access to systems managed by Oracle Identity Governance tiles.

    You will be navigated to the Create a new access review campaign workflow screen, from which you can define and configure your user access review campaign.

Selection Criteria

By default, all identity data ingested from the orchestrated system is available to the access review campaign. This may be a large amount of data, so selection criteria allow you to narrow the criteria available for the campaign.

Criteria for user access reviews can be filtered based on:
  • Who has access: Selecting review criteria to filter users based on standard (Organization, Job, Location), or custom attributes.
  • What they are accessing: Selecting review criteria to filter users based on resources they have access to.
  • Which permissions: Selecting review criteria to filter users based on individual permissions, such as create, update, terminate, or approve, or access bundles.

    Note:

    Access bundles are identified with the access bundle icon. If you click the icon, the Access bundle details pop-up displays, showing you what permissions are included in the access bundle.
  • Which roles: Selecting review criteria to filter users based on application roles.
Additionally, depending on the orchestrated system integrated with Oracle Access Governance, you can also add the following filter in combination with those listed above:
  • Which cloud providers

Note:

  • The selection criteria vary based on the ingested data from the orchestrated system and a few tiles listed above may not be available for selection. For example, if no roles are available in the orchestrated system schema definition, then you won't see the Which roles tile.
  • If you select any of the identity parameters above, policy criteria selection (which policies?) is no longer applicable and is disabled.

These criteria can be chosen and edited in any order before moving on to the next step. If you do not need to update each dimension, you can select any number from those above, and leave the remaining unchanged. If you do not need to narrow the criteria for your enterprise, then you can choose to move to the next step without adding any selection criteria. All criteria can be searched by name.

Note:

The following combinations are not supported and are mutually exclusive; that is, you can select only one of the two while creating a campaign:
  • Which permissions and Which roles

For example, you can create a campaign by selecting Who has access?, What are they accessing?, and Which roles?, but you cannot create a campaign with the combination of Who has access?, Which roles?, and Which permissions?.

  1. Select the Who has access? tile to set criteria based on users.
    1. After selecting the tile, select criteria from the following standard parameters:
      1. Organization
      2. Job Code
      3. Location
    2. To add one or more additional parameters, from the Additional selection attributes drop-down list, select one or more custom attributes and then click Add. For example, you may want to add users specific to a certain Cost Center or Project Code in your access reviews.

    Note:

    • Based on the number of selected custom attributes, you will see additional tabs to make your selection.
    • You can only select up to five (5) additional custom attributes.
    • Contact your Oracle Access Governance Administrator if you don't see the option for selecting custom attributes. You first need to enable it from the Administration settings within Oracle Access Governance Console. See View and Configure Custom Identity Attributes.

    Make your selections and when finished, click on Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

  2. Select the What are they accessing? tile to define criteria based on the resources users have access to.

    This allows you to narrow criteria based on the resources and applications users have access to.

    Make your selections and when finished, click on Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

  3. Select the Which permissions? tile to specify criteria based on permissions such as create, update, terminate, approve, and so on. Actual values for permissions will depend on the orchestrated system identity data.

    Make your selections and when finished, click on Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

  4. Select the Which roles? tile to specify criteria based on roles. Actual values for roles will depend on the orchestrated system identity data.

    Make your selections and when finished, click Apply my selections or Cancel as appropriate. You are returned to the Create a new access review campaign step.

    If you want to restrict the values further, click the Menu Actions menu icon, and select Refine further. In the Cloud provider pop-up, you can further refine your criteria by specifying one or more compartments, and/or one or more domains from the cloud provider you have selected in the main step.

    As you make selections of the various criteria, you can see the effect that your selections make and an estimate of the number of review items that your access review campaign will generate. This information is displayed in the section on the right-hand side of the page.

    Note:

    If you need to make changes to your selections before moving on to workflows, select the Modify button on the relevant tile and amend as described in the steps above.

    When you are happy with your selection criteria, click the I'm good, go to workflows button to proceed to the Assign workflow dimension to select the guided workflow.

  5. Select the Which cloud providers? tile to specify criteria based on a specific cloud provider. Actual values for this parameter will depend on the orchestrated system integrated with Oracle Access Governance.

Assign Workflow

The Assign Workflow step is where the approval workflow for your access review is selected.

  1. Select which approval workflow you want to assign to this access review campaign. A list of the available workflows shows all approval workflows defined in your system. For details on how to create and manage approval workflows, see Create Approval Workflow and Manage Approval Workflow.
    Once you have selected your workflow, the View approval workflow link is displayed. Click on this to see a diagram of the selected workflow.
  2. Select the scope of justification required for access review decisions from the following values:
    • Required for all review decisions
    • Required only for revoke decisions
    • Optional for all review decisions
  3. When you are happy with your workflow selection, select Save draft to save your campaign for work later on or select Next to proceed to the Add details page.

Add Details

With the Add Details step, you can define the frequency (one-time or periodic) at which to run an access review campaign, give a meaningful name to your campaign, add a supporting description, and assign values to additional attributes, such as who owns it and when the campaign should start or end.

To add details:
  1. Add values for the following parameters for your campaign:
    • How often do you want this to run?: Select One time to run a single occurrence of this campaign, or select a recurring pattern like Quarterly, Monthly, Half-Yearly, or Yearly to run this access review campaign periodically.
    • What do you want to call this campaign?: Add a name for your campaign.
    • How do you want to describe this campaign?: Add a description for your campaign.
    • Who owns this campaign?: Add the name of the campaign owner.
    • How would you like to schedule your campaign?: You can view this field only if you have selected to run your campaign one time. Select either Run now or Schedule Later. By default, the campaign is set to begin at the top of the next hour, the following day of campaign creation.
    • When do you want to Begin?: If you have set a recurring pattern, then select the start date of when you want to begin the campaign series. By default, the campaign is set to begin at the top of the next hour, the following day of campaign creation. If you want to change this, select the Select Date Time icon and add a new date/time.
    • When do you want to End?: If you have set a recurring pattern, then select the end date of when you want to end the campaign series.
  2. Once you have set your preferences, select Next to go to the Review and submit step.
  3. Optional: You may select one of the additional actions:
    • Save Draft: To save your changes and later come back and edit the workflow or details.
    • Cancel: To cancel the current process.
    • Back: To go back to the previous step.

Review and Submit

The Review and submit step displays the information you have added in the previous steps.

To review and submit your campaign:
  1. Select Save draft to save your campaign for work later on or select Create to create the campaign.

    Note:

    Oracle Access Governance supports permissions, accounts, and roles that are assigned through a request or direct provisioning mechanism. Some access assignments cannot have the Accept or Revoke operations performed on them and are not included in the access review campaign. These include:
    • permission or account assigned to a user by a role
    • role assigned to a user by a membership rule