Manage identity certification campaigns

This topic describes how to create and manage campaigns to audit users' access to your organization's resources.

What is an identity certification campaign?

An identity certification campaign enables you to define and run a periodic discovery to review the access a group of users has to various resources. For example, you can add a monthly campaign to discover and review users' access to finance applications, as well as to privileged accounts stored in selected Safes.

A campaign consists of one or more cycles. A cycle is a period of time during which certifiers may review user access. If a campaign cycle ends before the certifier has reviewed all items, you can decide whether to continue or revoke users' access for the unreviewed items.

As an administrator, it is important that you understand how certifiers' actions affect each user in the campaign.

Certifier actions

Action

Impact

Certify

Certifying confirms that a user is permitted to access associated resources.

Certifiers can only certify or revoke access to resources that the user was manually given access to by an administrator or as part of an access request.

Revoke

Revoking removes a user's permission to access associated resources. An administrator may configure Identity Compliance to revoke user access when any of the following events take place:

  • The certifier saves a campaign cycle.

  • The certifier signs off on the campaign cycle.

Acknowledge

Certifiers see the Acknowledge option only if a user has access due to role or group membership. Clicking Acknowledge indicates that the certifier reviewed a specific resource for a user, but does not modify user access.

Save

The certifier saves all decisions entered in the current campaign cycle session. After saving, the certifier can return to review access as many times as necessary until the cycle is completed. Saving does not complete the campaign cycle.

Sign off

The certifier signs off to complete the campaign cycle. After signoff, all decisions that have not yet taken effect become operative. Decisions cannot be changed after signoff.

Before you begin

Before you define a campaign, make sure you do the following:

  • Add the users and roles that you want to include in the campaign.

    See Set up CyberArk Identity for more information.

  • Add any users who will be certifiers to a role with the Campaign Management Administrative Right.

  • If you want to discover and review access to Privileged Access Management Safes, integrate CyberArk Identity with Privileged Access Management.

    See CyberArk Identity documentation for details.

    To include PAM - Self-Hosted Safes in your campaign, you must join CyberArk Identity to the same Active Directory (AD) domain as your PAM - Self-Hosted installation. See Add Active Directory as a directory service for details.

    In addition, you must add the service user identity-privilege-integration-user$ as a Safe member with all Safe permissions (a Safe owner) to all of the Safes that Identity Compliance is trying to access. See Add Safe member for details.

Add an identity certification campaign

To add a certification campaign, select CyberArk Identity Compliance from the service picker.

Step 1: Define campaign settings

  1. Go to Identity Certification, then click Add campaign.

  2. In the Settings tab, define the following:

    Campaign settings
    Setting Description

    Name

    Required

    Name of the campaign. For example, HR application access.

    Description

    Optional

    A description of the campaign. For example, certify user access to HR applications.

    Set campaign to active

    Optional

    The campaign must be activated before a campaign cycle can start. You can inactivate a campaign at any time.

    Review your settings carefully before activating the campaign. You can't edit an active campaign after it starts.

    Start date and frequency

    Required

    Enter the date and time for the first campaign cycle to start.

    Identity Compliance runs its cycle scheduler every six hours, four times a day, so the first cycle begins within six hours after the date and time you specify.

    For example, suppose you enter January 3, 2023, at 2:00 p.m. The cycle begins no later than six hours after that date and time.

    To override the start date and start a campaign cycle immediately, see Manually start a campaign cycle.

    Configure recurring campaign cycles

    Optional

    Schedule recurring campaign cycles to regularly review access.

    Set the interval between campaign cycles

    Required if you select Configure recurring campaign cycles.

    This is the interval between the start of campaign cycles, in days. For example, you can set a campaign cycle to start every 90 days.

    End by

    Optional if you select Configure recurring campaign cycles.

    Choose when to end the campaign. Select from one of the following:

    • A calendar date

    • A number of occurrences

    • No end date

    Certification and sign-off

    Certifier

    Optional

    Select a user to certify or revoke user access for resources in the campaign, then sign off on the campaign cycle. The certifier can be each user's manager (default), or another designated certifier for all users.

    Time allowed to complete approval cycle

    Required

    Set the time allowed for certifiers to finish the campaign cycle. Use the Automatically sign off campaign at the end of the cycle option to determine what happens with unfinished decisions.

    Send email reminders

    Optional

    Select the number of email reminders and how often to send them. The first reminder is sent when the campaign cycle starts. The frequency and number of additional reminders must not exceed the time allowed to complete the campaign cycle.

    Require a comment when certifying or revoking access

    Optional

    You can reduce the risk of certification mistakes by requiring comments explaining decisions. Certifiers might need more time to complete the campaign if you use this option.

    Require certifiers to sign off on a campaign cycle with MFA

    Optional

    Use a policy to select the authentication profile to use for certification signoff. The policy setting is in User Security Policies > User Account Settings.

    Make sure you use a policy that applies to any user who could be a certifier.

    To select an authentication profile for certification signoff:

    1. Go to Core Services > Policies, then select an existing policy set or create a new one.

    2. Go to User Security Policies > User Account Settings, then under Access Certification Sign-off, select an authentication profile and click Save.

    When should access revoke take effect

    Optional

    Choose when to revoke a user's access:

    • As soon as the certifier decides: access is revoked when the certifier saves the revocation.

    • At cycle signoff (default): access is revoked when the certifier signs off on the campaign cycle.

    Automatically sign off campaign at end of cycle

    Optional

    Choose whether to continue or revoke a user's access on unfinished items if the campaign cycle ends before the certifier finishes all decisions.
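The certifier actions described earlier (certify, revoke, acknowledge, save, sign off) and the two revocation settings above, modelled as an added Python example so the rules can be checked; this is not CyberArk code and calls no CyberArk API, and the class and field names are assumptions chosen for the model.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class Decision(Enum):
    CERTIFY = "certify"          # confirms access
    REVOKE = "revoke"            # removes access (when it applies depends on the setting)
    ACKNOWLEDGE = "acknowledge"  # review recorded, access unchanged

@dataclass
class Item:  # one (user, resource) pair a certifier must review
    user: str
    resource: str
    via_role_or_group: bool  # inherited access: certifier may only acknowledge it
    access: bool = True
    decision: Optional[Decision] = None

@dataclass
class Cycle:
    revoke_on_save: bool            # True = "As soon as the certifier decides", False = at signoff
    revoke_unfinished_at_end: bool  # auto sign-off choice: revoke (True) or continue (False)
    items: List[Item] = field(default_factory=list)
    signed_off: bool = False

    def decide(self, item: Item, decision: Decision) -> None:
        if self.signed_off:
            raise RuntimeError("decisions cannot be changed after signoff")
        if item.via_role_or_group != (decision is Decision.ACKNOWLEDGE):
            raise ValueError("acknowledge is offered only for role/group access")
        item.decision = decision

    def save(self) -> None:
        # Saving never completes the cycle; revocations apply now only if configured so.
        if self.revoke_on_save:
            self._apply_revokes()

    def sign_off(self) -> None:
        self._apply_revokes()  # decisions not yet in effect become operative
        self.signed_off = True

    def end_of_cycle(self) -> None:
        # Deadline passed without signoff: apply the auto sign-off choice to unreviewed
        # items. Inherited access cannot be revoked, so those items are left untouched.
        for it in self.items:
            if it.decision is None and not it.via_role_or_group:
                it.decision = Decision.REVOKE if self.revoke_unfinished_at_end else Decision.CERTIFY
        self.sign_off()

    def _apply_revokes(self) -> None:
        for it in self.items:
            it.access = it.access and it.decision is not Decision.REVOKE
```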

Step 2: Assign users or roles to the campaign

In the User tab, provide the following information.

User selection
Setting Description

Include users who have access to specified resources because of role or group membership.

Certifiers need to acknowledge the access these users have due to their role or group membership, but they can’t revoke access granted through role or group membership.

You can choose to exclude these users and only review access granted to users outside of a policy.

Organization

Required

Select users in one of the following categories:

  • Users in a specific organization

  • Users in any organization

  • Users in any organization and unassigned users

  • Unassigned users

Users

Required

Choose all users or specific users. If you specify users, you can add either individual users, roles, or groups.

Step 3: Select resources for the campaign

You can select the following resource types for certifiers to review in a campaign.

Resource Types

Resource Type

Description

Applications

Web applications deployed to the user through CyberArk Identity.

Safes

Privilege Cloud or PAM Safes and all of the permissions in each Safe.

Your organization uses Safes to store and organize authorized user accounts. For example, your organization can create a Safe for each department such as Finance or HR, and store the accounts for that department in the relevant Safe.

Roles

A user's role and its associated resources, including applications, Safe permissions (Privilege Cloud only), and groups linked to the role.

To select resources for certifiers to review:
  1. Expand Resources and select the Applications tab, then select one of the following options.

    Application selection
    Option Description

    None

    You can omit applications from the campaign if the purpose is to certify access to different resources (for example, Safes).

    All applications

    Includes all deployed applications in the campaign.

    Specific applications

    Includes only deployed applications that you select in the campaign.

  2. Select the Safes tab, then select one of the following options.

    Safe selection
    Option Description

    None

    You can omit Safes from the campaign if the purpose is to certify access to a different resource.

    All Safes

    Includes all Safes in the campaign.

    Specific Safes

    Includes only Safes that you select in the campaign.

  3. Select the Roles tab, then select one of the following options.

    Role selection
    Option Description

    None

    You can omit roles from the campaign if the purpose is to certify access to a different resource.

    All Roles

    Includes all roles in the campaign.

    Specific Roles

    Includes only roles that you select in the campaign.

  4. Click Save after you finish adding resources to the campaign.

    This completes the procedure for adding an identity certification campaign.

    You can't edit campaign details after the campaign starts, so review the campaign settings carefully before you activate the campaign.

    For administrators, campaigns display on the Identity Certification Campaigns page in the Identity Compliance portal.

    For certifiers, campaigns display on the Identity Certification Campaigns page in the User Portal. Each campaign cycle displays with a suffix on the campaign name indicating which cycle in the campaign it is. If you manually trigger a campaign cycle, the suffix is the start time for the cycle. For example:

Manually start a campaign cycle

You can manually trigger a campaign cycle to start immediately, before it is scheduled.

Before you begin

Make sure the campaign is set to Active.

To manually start a campaign cycle:
  1. Select CyberArk Identity Compliance from the service picker, then select Identity Certification.

  2. Select the campaign you want to run from the list of campaigns.

  3. Click Action > Run campaign cycle.

If email reminders are configured, certifiers receive notification emails prompting them to proceed after the manual trigger runs.

Delete a campaign

You can delete a campaign only before the first campaign cycle is triggered.

To delete a campaign:
  1. Select CyberArk Identity Compliance from the service picker, then select Identity Certification.

  2. Select the campaign you want to delete from the list of campaigns.

  3. Select Action > Delete.