---
title: Automated & Scheduled Reviews
category: Access Reviews
tags: access-review, automated, scheduled, policy-triggered, recurring
priority: Normal
---
Automated & Scheduled Reviews
While manual campaign creation works for ad-hoc reviews, most organizations need recurring, automated access reviews to meet compliance requirements. IdentityCenter supports scheduled campaigns, policy-triggered reviews, and event-triggered reviews to keep your access certification continuous and consistent.
Scheduled Reviews
Scheduled reviews are recurring campaigns that launch automatically at defined intervals using the Schedule Manager.
Setting Up a Recurring Campaign
- Navigate to Access Reviews > Campaigns
- Click New Campaign
- Configure the campaign as described in Creating an Access Review Campaign
- In the Schedule section, enable Recurring
- Select the recurrence pattern
Recurrence Patterns
| Pattern | Use Case | Example |
|---|---|---|
| Monthly | Privileged access reviews | Domain Admins reviewed on the 1st of every month |
| Quarterly | Standard access reviews | All user access reviewed January, April, July, October |
| Semi-Annually | Broad access sweeps | Full organization review in January and July |
| Annually | Low-risk or compliance-mandated reviews | Annual certification for all non-privileged access |
| Custom | Non-standard intervals | Every 6 weeks for a specific application |
Recommended Frequencies by Access Type
| Access Type | Recommended Frequency | Rationale |
|---|---|---|
| Domain Admins / Enterprise Admins | Monthly | Highest risk; any compromise could affect the entire environment |
| Application Admins | Quarterly | Elevated privileges that need regular validation |
| Sensitive Data Access | Quarterly | Regulatory requirements (HIPAA, PCI-DSS, SOX) |
| Standard Group Memberships | Semi-Annually | Moderate risk; balance between security and reviewer burden |
| Distribution Lists | Annually | Low risk; primarily an email hygiene concern |
The CampaignCompletionJob
The CampaignCompletionJob is a Quartz.NET scheduled job that manages the automatic campaign lifecycle:
| Responsibility | Description |
|---|---|
| Launch | Creates and activates a new campaign instance at the scheduled time |
| Monitor | Tracks progress and triggers reminders |
| Close | Closes the campaign at the hard deadline and applies default actions to pending items |
| Archive | Marks completed campaigns for archival and generates final reports |
The job runs on the configured schedule and requires no manual intervention once set up.
Policy-Triggered Reviews
Policy-triggered reviews are created automatically when a compliance policy detects a violation that warrants human review rather than automated remediation.
How Policy-Triggered Reviews Work
- A compliance policy evaluates objects on its configured schedule
- When a violation is detected with the action Flag for Review, the violating user's access is added to an upcoming or newly created review campaign
- The appropriate reviewer (typically the user's manager) is notified
- The reviewer evaluates the flagged access in the context of the policy violation
Example: Separation of Duties Violation

```text
Policy:    Finance SoD
Condition: User is in both AP-Requesters AND AP-Approvers
Action:    Flag for Review
Result:    The user's membership in both groups is added to an access review
           for their manager to decide which membership to revoke.
```
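The Finance SoD example above, worked through as code. This is an added illustration, not IdentityCenter's policy engine: the directory snapshot, the group and user names, the reporting lines and the `governance-team` fallback reviewer are all constructed for the example. It goes one step beyond the page's text by resolving nested group membership, so a user who holds AP-Approvers only through a nested group is still flagged, and it records the membership chain so the reviewer can see why the access exists.

```python
"""Separation-of-duties evaluation that produces Flag-for-Review items.

Added example, not IdentityCenter code. The directory snapshot, the
Finance SoD rule and the reviewer fallback are constructed here so the
check runs offline; every group and user name is made up.
"""
from dataclasses import dataclass

# Constructed directory snapshot: group -> direct members (users or groups).
GROUPS = {
    "AP-Requesters": {"alice", "bob"},
    "AP-Approvers": {"carol", "AP-Senior-Approvers"},
    "AP-Senior-Approvers": {"alice"},  # nested: alice approves through this group
    "Domain Admins": {"dave"},
}
# Constructed reporting lines; dave deliberately has no manager on record.
MANAGERS = {"alice": "erin", "bob": "erin", "carol": "frank"}


def effective_groups(user: str, groups: dict[str, set[str]]) -> dict[str, tuple[str, ...]]:
    """Return {group: chain} for every group the user is in, directly or via nesting.

    chain lists the groups walked from the user's direct membership down to
    `group`, so a reviewer can see *why* the user holds the access. The
    `group not in chains` guard also stops group cycles from looping forever.
    """
    chains: dict[str, tuple[str, ...]] = {}
    frontier = [(user, ())]
    while frontier:
        member, chain = frontier.pop()
        for group, members in groups.items():
            if member in members and group not in chains:
                chains[group] = chain + (group,)
                frontier.append((group, chains[group]))
    return chains


@dataclass(frozen=True)
class SoDRule:
    name: str
    group_a: str
    group_b: str
    action: str = "Flag for Review"


@dataclass
class ReviewItem:
    user: str
    policy: str
    reviewer: str
    chains: dict  # conflicting group -> membership chain that grants it


def pick_reviewer(user: str, strategy: str, managers: dict[str, str], fallback: str) -> str:
    """Reviewer strategy. Assumption for this example: a user with no manager
    on record goes to `fallback` rather than producing an unassigned item."""
    if strategy == "Manager":
        return managers.get(user, fallback)
    if strategy == "Specific User":
        return fallback
    raise ValueError(f"unsupported reviewer strategy: {strategy}")


def evaluate_sod(rule: SoDRule, users, groups=GROUPS, managers=MANAGERS,
                 strategy: str = "Manager", fallback_reviewer: str = "governance-team"):
    """Evaluate one SoD policy over `users` and return Flag-for-Review items.

    Only users holding BOTH conflicting groups are flagged; nested membership
    counts, because the right is real regardless of how it was granted.
    """
    items = []
    for user in sorted(users):
        held = effective_groups(user, groups)
        if rule.group_a in held and rule.group_b in held:
            items.append(ReviewItem(
                user=user,
                policy=rule.name,
                reviewer=pick_reviewer(user, strategy, managers, fallback_reviewer),
                chains={rule.group_a: held[rule.group_a], rule.group_b: held[rule.group_b]},
            ))
    return items


FINANCE_SOD = SoDRule("Finance SoD", "AP-Requesters", "AP-Approvers")

if __name__ == "__main__":
    for item in evaluate_sod(FINANCE_SOD, ["alice", "bob", "carol", "dave"]):
        print(f"{item.policy}: {item.user} -> review by {item.reviewer}")
        for group, chain in item.chains.items():
            print(f"  {group} via {' -> '.join(chain)}")
```

Running it flags only alice: bob requests but never approves, carol approves but never requests, and alice's approval right comes through AP-Senior-Approvers, which a check on direct membership alone would miss.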
Configuring Policy-Triggered Reviews
- Navigate to Governance > Policies
- Edit the policy (or create a new one)
- Under Actions, select Flag for Review
- Configure the review target:
  - Next Scheduled Campaign -- adds the item to the next recurring campaign
  - New On-Demand Campaign -- creates a standalone mini-campaign immediately
- Select the reviewer strategy (Manager, Resource Owner, or Specific User)
Event-Triggered Reviews
Event-triggered reviews are initiated by specific identity lifecycle events rather than on a fixed schedule.
Supported Trigger Events
| Event | What It Triggers | Rationale |
|---|---|---|
| New Privileged Group Membership | Review of the new membership | Privileged access should always be explicitly approved |
| Manager Change | Review of all of the employee's existing access | New manager should certify the access the employee brings into the new reporting line |
| Role / Title Change | Review of current access | Job function change may make existing access inappropriate |
| Department Transfer | Review of department-specific access | Access tied to the old department may no longer be needed |
| Return from Leave | Review of access that was active during absence | Verify no unauthorized access was granted while the user was away |
| Account Re-enable | Review of all access | A previously disabled account should have its access validated |
Configuring Event Triggers
- Navigate to Workflows > Triggers
- Create a new workflow trigger
- Select the event type (e.g., "Group Membership Added")
- Add a condition to scope the trigger (e.g., "Group is a privileged group")
- Set the action to Create Access Review
- Configure the reviewer and deadline
For detailed workflow trigger configuration, see Workflow Triggers.
Example: Manager Change Review

```text
Trigger:       Manager Change Detected
Trigger scope: All active user accounts
Action:        Create Access Review
Reviewer:      New Manager
Review scope:  All group memberships of the affected user
Deadline:      14 days
Reminders:     7 days, 3 days, 1 day before the deadline
Escalation:    Escalate to the new manager's manager at 7 days overdue
```
Auto-Generation of Review Scope
For recurring campaigns, you can define dynamic scope rules that automatically determine which users and access rights to include each time the campaign runs.
Scope Rule Examples
| Rule | Description |
|---|---|
| All active users | Every enabled user account in the directory |
| Users in specific OUs | Only users in designated organizational units |
| Members of specific groups | Only review membership in selected groups |
| Users with risk score above threshold | Focus on high-risk users |
| Users who have not been reviewed in X months | Catch users missed in previous campaigns |
| New hires in the last 90 days | Ensure new employee access has been properly provisioned |
Dynamic Scope vs. Static Scope
| Scope Type | Behavior | Best For |
|---|---|---|
| Dynamic | Recalculated each time the campaign launches based on current directory data | Recurring campaigns that should always reflect the latest state |
| Static | Fixed set of users and access defined at campaign creation time | One-time campaigns targeting a specific known population |
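The scope rules from the table above, implemented as composable predicates over a directory snapshot. This is an added example rather than IdentityCenter's scope engine: the users, OUs, risk scores and dates are constructed, and the rule names (`risk_above`, `not_reviewed_within`, `hired_within`, and so on) are this example's own. Each rule takes the campaign launch date as an argument, which is what makes the scope dynamic: the same rule evaluated on two launch dates yields two different populations, whereas a static scope is whatever was resolved at campaign creation.

```python
"""Dynamic scope rules for a recurring campaign.

Added example, not IdentityCenter code. The directory snapshot and rule
names are constructed; the point is that one rule yields a different
population on each launch date, while a static scope does not.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    dn: str
    enabled: bool
    groups: frozenset
    risk_score: int
    hire_date: date
    last_reviewed: Optional[date]  # None = never certified

    @property
    def name(self) -> str:
        return self.dn.split(",", 1)[0].removeprefix("CN=")


FINANCE_OU = "OU=Finance,DC=corp,DC=example"
ENG_OU = "OU=Engineering,DC=corp,DC=example"

# Constructed snapshot; in a real run this is read from the directory at launch.
DIRECTORY = [
    User(f"CN=alice,{FINANCE_OU}", True, frozenset({"AP-Requesters"}), 20, date(2020, 1, 15), date(2024, 10, 15)),
    User(f"CN=bob,{FINANCE_OU}", True, frozenset({"AP-Approvers"}), 85, date(2019, 5, 1), date(2024, 12, 1)),
    User(f"CN=carol,{ENG_OU}", True, frozenset(), 10, date(2024, 11, 20), date(2024, 12, 15)),
    User(f"CN=dave,{ENG_OU}", True, frozenset({"Domain Admins"}), 30, date(2018, 3, 1), date(2024, 9, 1)),
    User(f"CN=erin,{ENG_OU}", False, frozenset({"Domain Admins"}), 95, date(2017, 6, 1), None),
    User(f"CN=frank,{ENG_OU}", True, frozenset(), 40, date(2021, 8, 9), None),
]

# A scope rule is a predicate over (user, launch date); the date is what makes it dynamic.
Rule = Callable[[User, date], bool]


def active(u: User, asof: date) -> bool:
    return u.enabled


def in_ou(ou_dn: str) -> Rule:
    # DN suffix match: the user sits in that OU or in one nested beneath it.
    return lambda u, asof: u.dn.endswith("," + ou_dn)


def member_of(group: str) -> Rule:
    return lambda u, asof: group in u.groups


def risk_above(threshold: int) -> Rule:
    return lambda u, asof: u.risk_score > threshold


def not_reviewed_within(days: int) -> Rule:
    # Never-reviewed users always qualify; that is the gap this rule exists to close.
    return lambda u, asof: u.last_reviewed is None or (asof - u.last_reviewed).days > days


def hired_within(days: int) -> Rule:
    return lambda u, asof: 0 <= (asof - u.hire_date).days <= days


def any_of(*rules: Rule) -> Rule:
    return lambda u, asof: any(r(u, asof) for r in rules)


def all_of(*rules: Rule) -> Rule:
    return lambda u, asof: all(r(u, asof) for r in rules)


def resolve_scope(directory, rule: Rule, asof: date) -> list[str]:
    """Recompute the campaign population from the directory as it stands on `asof`."""
    return sorted(u.name for u in directory if rule(u, asof))


# Quarterly campaign: active users who are risky, stale (6 months ~ 180 days), or new.
QUARTERLY_SCOPE = all_of(active, any_of(risk_above(70), not_reviewed_within(180), hired_within(90)))

if __name__ == "__main__":
    static_scope = resolve_scope(DIRECTORY, QUARTERLY_SCOPE, date(2025, 1, 1))  # frozen at creation
    for launch in (date(2025, 1, 1), date(2025, 4, 1)):
        dynamic = resolve_scope(DIRECTORY, QUARTERLY_SCOPE, launch)
        print(f"{launch}: dynamic={dynamic} static={static_scope}")
```

On the January launch the dynamic scope is bob (risk), carol (new hire) and frank (never reviewed). By April, carol has passed her 90-day window and dave's last certification has gone stale, so the population becomes bob, dave and frank, while a static scope resolved in January would still point at carol and miss dave. Disabled accounts such as erin are excluded by the `active` rule regardless of risk score.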
Automated Reminder Schedules
The ReviewReminderJob runs on a configurable schedule and sends periodic reminders to reviewers with pending items.
Default Reminder Schedule
| Timing | Message Tone |
|---|---|
| Campaign launch | "You have been assigned X items to review" |
| 7 days before deadline | "Friendly reminder: X items remain" |
| 3 days before deadline | "Action needed: X items due in 3 days" |
| 1 day before deadline | "Urgent: X items due tomorrow" |
| On deadline day | "Final notice: X items due today" |
| 1 day overdue | "Overdue: X items require immediate attention" |
Customizing Reminders
You can customize the reminder schedule per campaign:
- Adjust the timing intervals
- Change which reminders are sent
- Modify the email template
- Add SMS or Teams notifications (if configured)
Auto-Escalation
If a reviewer does not respond within the SLA period, IdentityCenter can automatically escalate.
Escalation Chain
Reviewer --> Reviewer's Manager --> Campaign Owner --> Default Action
| Step | Trigger | Action |
|---|---|---|
| 1 | Reviewer is X days overdue | Send escalation notice to reviewer's manager |
| 2 | Manager does not act within Y days | Reassign items to campaign owner or backup reviewer |
| 3 | Campaign hard close reached | Apply default action (auto-approve, auto-deny, or leave open) |
Configuring Auto-Escalation
- Open the campaign (or campaign template for recurring campaigns)
- Navigate to Escalation Settings
- Define the escalation timeline and actions
- Designate backup reviewers for each escalation level
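The three-step escalation chain above, as an added example that is not IdentityCenter's own escalation logic. The day offsets, the campaign owner name, the "skip to the campaign owner when the reviewer has no manager" rule and the refusal to auto-approve privileged items at hard close are assumptions made for this example; the page lists auto-approve as a permitted default action and describes no such safeguard. The `validate` function shows a check worth running on any escalation configuration: if the deadline plus the step 1 and step 2 offsets lands on or after the hard close, step 2 can never fire and the default action is the only thing that ever resolves the item.

```python
"""Escalation chain for overdue review items, with a configuration sanity check.

Added example, not IdentityCenter code. Offsets, names and the privileged
safeguard are assumptions; only the three-step chain itself comes from the page.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_ACTIONS = {"auto-approve", "auto-deny", "leave-open"}


@dataclass(frozen=True)
class EscalationConfig:
    deadline: date
    hard_close: date
    notify_manager_after: int   # step 1: X days past the deadline
    reassign_after: int         # step 2: Y further days without manager action
    default_action: str         # step 3: applied to whatever is still pending at hard close
    campaign_owner: str


def validate(cfg: EscalationConfig) -> list[str]:
    """Return findings that make part of the chain unreachable or unsafe."""
    findings = []
    if cfg.default_action not in DEFAULT_ACTIONS:
        findings.append(f"error: unknown default action {cfg.default_action!r}")
    if cfg.hard_close <= cfg.deadline:
        findings.append("error: hard close must fall after the deadline")
    reassign_day = cfg.deadline + timedelta(days=cfg.notify_manager_after + cfg.reassign_after)
    if reassign_day >= cfg.hard_close:
        findings.append("error: reassignment (step 2) would never fire before the hard close")
    if cfg.default_action == "auto-approve":
        findings.append("warning: auto-approve at hard close certifies access nobody reviewed")
    return findings


@dataclass(frozen=True)
class PendingItem:
    item_id: str
    reviewer: str
    reviewer_manager: Optional[str]
    privileged: bool


def escalation_state(cfg: EscalationConfig, item: PendingItem, today: date) -> dict:
    """Decide which step of the chain applies to a still-pending item on `today`."""
    days_overdue = (today - cfg.deadline).days
    if today >= cfg.hard_close:
        action = cfg.default_action
        # Assumed safeguard: never silently certify privileged access.
        if item.privileged and action == "auto-approve":
            action = "leave-open"
        return {"step": 3, "assignee": None, "action": action}
    if days_overdue >= cfg.notify_manager_after + cfg.reassign_after:
        return {"step": 2, "assignee": cfg.campaign_owner, "action": "reassign"}
    if days_overdue >= cfg.notify_manager_after:
        # Assumption: with no manager on record, go straight to the owner rather than stall.
        if item.reviewer_manager is None:
            return {"step": 2, "assignee": cfg.campaign_owner, "action": "reassign"}
        return {"step": 1, "assignee": item.reviewer, "action": f"notify {item.reviewer_manager}"}
    return {"step": 0, "assignee": item.reviewer, "action": "remind" if days_overdue >= 0 else "wait"}


# Constructed campaign: 14-day review window, escalate at 7 days overdue, reassign 7 days later.
CONFIG = EscalationConfig(
    deadline=date(2025, 3, 15), hard_close=date(2025, 4, 5),
    notify_manager_after=7, reassign_after=7,
    default_action="auto-deny", campaign_owner="iam-governance",
)

if __name__ == "__main__":
    print("findings:", validate(CONFIG) or "none")
    item = PendingItem("ITEM-1", reviewer="erin", reviewer_manager="frank", privileged=True)
    for day in (date(2025, 3, 10), date(2025, 3, 16), date(2025, 3, 22), date(2025, 3, 29), date(2025, 4, 5)):
        print(day, escalation_state(CONFIG, item, day))
```

Walking one privileged item through the constructed campaign: before the deadline it waits with the reviewer, on the day after the deadline it is merely reminded, at 7 days overdue the reviewer's manager is notified, at 14 days it is reassigned to the campaign owner, and at hard close the default action applies. Swapping the default to auto-approve changes the hard-close result for non-privileged items only; a privileged item is left open for a human, which is the safer failure mode.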
Best Practices
Match review frequency to risk. Monthly for Domain Admins and Enterprise Admins, quarterly for application admins and sensitive data access, semi-annually or annually for standard access, as in the frequency table above. This balances security with reviewer fatigue.
Use event-triggered reviews for high-risk changes. Do not wait for the next scheduled campaign when someone is added to Domain Admins.
Combine policy-triggered and scheduled reviews. Policies catch specific violations immediately; scheduled campaigns provide comprehensive periodic coverage.
Set realistic deadlines. Two to four weeks is typical for a standard campaign. One week is appropriate for targeted reviews of small populations.
Always configure escalation, and choose the hard-close default action deliberately. Without escalation, overdue items stall indefinitely and your compliance posture degrades. An auto-approve default certifies access that nobody examined, so reserve it for low-risk scope and prefer auto-deny or leave open for privileged access, where an unreviewed item should not quietly become a certified one.
Review and tune reminder schedules. Too many reminders cause alert fatigue. Too few lead to forgotten reviews. Monitor your completion-before-deadline rate and adjust accordingly.
Test with a pilot group first. Before launching an organization-wide recurring campaign, run a pilot with a single department to validate scope, reviewer assignment, and timing.
Next Steps
- Access Reviews Overview -- Understand the access review framework
- Creating an Access Review Campaign -- Manual campaign creation
- The Review Process -- How reviewers conduct reviews
- Campaign Tracking & Reports -- Monitor campaigns and generate reports
- Lifecycle Management -- Automate identity lifecycle actions
- Workflow Triggers -- Configure event-based automation
- Scheduling -- Quartz.NET job scheduling in IdentityCenter