Creating an Access Review Campaign
This guide walks you through creating and launching an access review campaign to certify user access rights.
Prerequisites
Before creating a campaign, ensure you have:
Step 1: Navigate to Access Reviews
- Log in to IdentityCenter
- Navigate to Access Reviews > Campaigns
- Click New Campaign
| Field | Description | Example |
| --- | --- | --- |
| Name | Descriptive campaign name | Q1 2025 User Access Review |
| Description | Purpose and scope | Quarterly review of all user access rights |
| Type | Review type | Manager-Based |
| Priority | Campaign priority | Normal |
Campaign Types
| Type | Description | Best For |
| --- | --- | --- |
| Manager-Based | Managers review their direct reports | Regular periodic reviews |
| Resource Owner | Owners review access to their resources | Application-specific reviews |
| Group-Based | Review membership in specific groups | Privileged group audits |
| Custom | Define your own scope and reviewers | Complex requirements |
Step 3: Define the Scope
What to Review
Select what access rights will be included:
| Scope Option | Description |
| --- | --- |
| All Users | Review all active users |
| Department | Users in specific departments |
| Location | Users in specific locations |
| Group Members | Members of specific groups |
| Custom Query | Advanced filtering |
Example Scope Configurations
All Active Users:
Scope: All Users
Filter: Status = Active
Engineering Department:
Scope: Department
Department: Engineering
Privileged Groups Only:
Scope: Group Members
Groups:
- Domain Admins
- Enterprise Admins
- Server Operators
Custom Query:
Scope: Custom
Query: Department IN ('Finance', 'HR') AND JobTitle LIKE '%Manager%'
Reviewer Assignment Strategy
| Strategy | How It Works |
| --- | --- |
| Manager | Each user's manager reviews their access |
| Resource Owner | The owner of each resource reviews who has access |
| Specific User | A designated person reviews all items |
| Round Robin | Items distributed among a pool of reviewers |
Manager-Based Configuration
Reviewer Strategy: Manager
Fallback Reviewer: IT Security Team
No Manager Action: Assign to Fallback
Handling Missing Managers
| Option | Description |
| --- | --- |
| Assign to Fallback | Use a designated backup reviewer |
| Skip User | Exclude users without managers |
| Escalate | Immediately escalate to campaign owner |
Step 5: Set the Timeline
| Field | Description | Recommendation |
| --- | --- | --- |
| Start Date | When reviewers can begin | Allow prep time |
| Due Date | Deadline for completion | 2-4 weeks from start |
| Grace Period | Extra time before escalation | 2-3 days |
| Hard Close | Campaign forcibly closes | Due date + grace period |
Example Timeline
Campaign: Q1 2025 Access Review
Start Date: January 6, 2025
Due Date: January 24, 2025 (3 weeks)
Grace Period: 3 days
Hard Close: January 27, 2025
Email Notifications
| Notification | When Sent | To |
| --- | --- | --- |
| Campaign Started | At start date | All reviewers |
| Review Assigned | When items assigned | Individual reviewer |
| Reminder | X days before due | Incomplete reviewers |
| Overdue Notice | After due date | Incomplete reviewers + managers |
| Campaign Complete | At close | Campaign owner |
Reminder Schedule
Reminders:
- 7 days before due date
- 3 days before due date
- 1 day before due date
- On due date (final warning)
Notification Template
Subject: Action Required: Access Review Due [Due Date]
Hello [Reviewer Name],
You have [X] access review items pending in the [Campaign Name] campaign.
Please complete your reviews by [Due Date].
[Link to Review Dashboard]
Items remaining:
- [User 1] - [Access Description]
- [User 2] - [Access Description]
...
Thank you,
IdentityCenter
Escalation Rules
| Trigger | Action |
| --- | --- |
| 5 days overdue | Notify reviewer's manager |
| 10 days overdue | Reassign to backup reviewer |
| 15 days overdue | Auto-approve or auto-revoke |
Escalation Actions
| Action | Description |
| --- | --- |
| Notify Manager | Send alert to reviewer's manager |
| Reassign | Move items to backup reviewer |
| Auto-Approve | Automatically approve remaining items |
| Auto-Revoke | Automatically revoke remaining items |
| Lock Campaign | Prevent further changes |
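As an added example (not part of IdentityCenter), this Python sketch turns the example timeline, reminder schedule and escalation rules above into dated events and marks any that land before the start date or after hard close. Counting overdue days from the due date is an assumption; the page does not say whether escalations still run after hard close, so the script only surfaces the overlap.

```python
from datetime import date, timedelta

def campaign_schedule(start, due, grace_days, reminders, escalations):
    """Return (hard_close, events); events are (date, label, note), sorted by date.

    reminders: days before the due date (0 = on the due date).
    escalations: {days_overdue: action}, counted from the due date (assumption).
    """
    hard_close = due + timedelta(days=grace_days)
    events = []
    for d in reminders:
        when = due - timedelta(days=d)
        note = "before start date" if when < start else ""
        events.append((when, f"reminder (due-{d})", note))
    for d, action in escalations.items():
        when = due + timedelta(days=d)
        note = "after hard close" if when > hard_close else ""
        events.append((when, f"{action} (due+{d})", note))
    return hard_close, sorted(events)

# Values taken from the example timeline, reminder schedule and escalation rules.
START, DUE, GRACE = date(2025, 1, 6), date(2025, 1, 24), 3
REMINDERS = [7, 3, 1, 0]
ESCALATIONS = {5: "notify reviewer's manager",
               10: "reassign to backup reviewer",
               15: "auto-approve or auto-revoke"}

if __name__ == "__main__":
    hard_close, events = campaign_schedule(START, DUE, GRACE, REMINDERS, ESCALATIONS)
    print("hard close:", hard_close)
    for when, label, note in events:
        print(when, label, f"<-- {note}" if note else "")
```

With these values all three escalation triggers fall after the January 27 hard close, so confirm how the two settings interact before relying on them.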
Step 8: Review and Launch
Pre-Launch Checklist
Preview the Campaign
Click Preview to see:
- Total review items to be generated
- Reviewer assignments
- Estimated workload per reviewer
Review the numbers:
- Are any reviewers overloaded?
- Are there unassigned items?
- Is the scope correct?
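The preview questions above can be rehearsed offline before launch. The following Python sketch is an added example, not IdentityCenter code: it applies the Manager strategy with each of the three missing-manager options to a constructed user list and reports total items, per-reviewer load, overloaded reviewers and users left unreviewed. The export format, the `max_items` threshold and treating a user listed as their own manager as having no manager are assumptions.

```python
from collections import Counter

# Constructed sample export: (user, manager, entitlements). Not IdentityCenter data.
USERS = [
    ("alice", "dana",  ["Domain Admins", "VPN"]),
    ("bob",   "dana",  ["Finance App", "VPN", "Server Operators"]),
    ("carol", None,    ["Enterprise Admins"]),   # manager attribute not synced
    ("dana",  "dana",  ["VPN"]),                 # listed as own manager
    ("erin",  "frank", ["VPN"]),
]

def assign_reviewers(users, no_manager_action="fallback",
                     fallback="IT Security Team", owner="Campaign Owner"):
    """Manager strategy: one review item per (user, entitlement).

    A missing manager, or a user listed as their own manager (assumption),
    is handled per no_manager_action: "fallback", "skip" or "escalate".
    """
    items, skipped = [], []
    for user, manager, entitlements in users:
        reviewer = manager
        if manager is None or manager == user:
            if no_manager_action == "skip":
                skipped.append(user)
                continue
            reviewer = fallback if no_manager_action == "fallback" else owner
        items.extend((reviewer, user, e) for e in entitlements)
    return items, skipped

def preview(items, skipped, max_items=4):
    """Answer the preview questions: total, workload, overloaded, uncovered users."""
    load = Counter(reviewer for reviewer, _, _ in items)
    overloaded = sorted(r for r, n in load.items() if n > max_items)
    return {"total": len(items), "load": dict(load),
            "overloaded": overloaded, "unreviewed_users": skipped}

if __name__ == "__main__":
    for action in ("fallback", "skip", "escalate"):
        print(action, preview(*assign_reviewers(USERS, action)))
```

With Skip User, `carol` drops out of the campaign even though she holds Enterprise Admins, which is why the skipped list deserves a look before launch.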
Launch the Campaign
- Click Launch Campaign
- Confirm the launch
- Campaign status changes to Active
- Initial notifications are sent
Post-Launch Management
Monitoring Progress
Track campaign progress on the dashboard:
| Metric | Target |
| --- | --- |
| Overall Completion | >50% at halfway point |
| Daily Response Rate | Consistent activity |
| Overdue Items | <10% |
Mid-Campaign Actions
| Action | When to Use |
| --- | --- |
| Send Reminder | Completion is lagging |
| Extend Deadline | Valid business reasons |
| Reassign Items | Reviewer unavailable |
| Add Reviewers | Workload too high |
Example Campaigns
Quarterly All-User Review
Name: Q1 2025 User Access Review
Type: Manager-Based
Scope: All active users
Timeline: 3 weeks
Reviewers: Direct managers
Reminders: 7, 3, 1 day before due
Escalation: Manager notification at 5 days overdue
Monthly Privileged Access Review
Name: January 2025 Admin Review
Type: Group-Based
Scope: Domain Admins, Enterprise Admins
Timeline: 1 week
Reviewers: Security Team
Reminders: 3, 1 day before due
Escalation: Auto-revoke at 3 days overdue
Annual Application Review
Name: 2025 Finance App Access Review
Type: Resource Owner
Scope: Finance Application access
Timeline: 4 weeks
Reviewers: Finance App Owner
Reminders: 14, 7, 3, 1 day before due
Escalation: Escalate to CISO at 7 days overdue
Troubleshooting
No Review Items Generated
- Verify scope filters match existing users
- Check that synced data is current
- Ensure connection is working
Reviewers Not Receiving Notifications
- Verify email configuration
- Check reviewer email addresses
- Review email logs for errors
Wrong Reviewer Assigned
- Verify manager data is synced
- Check fallback reviewer settings
- Use bulk reassignment if needed
Next Steps