Get the Guide to Modern IGA

ConductorOne Docs

Generate campaign reports

Generating user access review campaign reports for auditors helps to ensure that access to critical data and resources is appropriately granted and revoked.

Generate a report

Access review campaigns have built-in reports that show the progress and prove the outcomes of the campaign. Reports can be generated at any time after a campaign has started.

To generate a report:

  1. In the navigation panel, click Campaigns.

  2. Click the name of the campaign you’re interested in.

  3. Click Reports > Generate report and confirm your action.

  4. The report is compiled for you. Depending on the size of the campaign, this might take several minutes, so please be patient.

  5. When the report is ready, click Download to receive the report in Excel format.

How to read reports

The report is generated as a spreadsheet with two tabs. Read on to learn about the contents of each report tab.

Overview tab

CategoryDescription
Target Completion DateDate the Campaign Owner selected as the end date when preparing the campaign
Actual Completion DateDate the Campaign Owner actually ended the campaign
Total ReviewsThe number of reviews included in the campaign
Marked Out of ScopeThe number of reviews excluded from a campaign (often these are service accounts)
Selection CriteriaProvides the policies, entitlements, entitlement description, and number of reviews included

Access reviews tab

CategoryDescription
Review IDUnique ID assigned to each review [task] included in a Campaign
ApplicationThe Application included in this Campaign [the Application is determined when selecting Entitlements]

Ex: GitHub, AWS
App Identity[Local User Account] C1 maintains an optional mapping from the local account identity in the Application to a ConductorOne user account

This is also viewable under Applications >> find the App >> click Identities

Ex: smith.jane@gmail.com
User NameFull Name associated with an individual found within the associated Application

This is also viewable under Applications >> find the App >> click Identities

Ex: Jane Smith
Identity TypeUser or Service Account
Account OwnerThe account in your HR or IdP system that is associated with the user account in the app.

Ex: Jane Smith
Account Owner EmailEmail associated with the above account owner

Ex: smith.jane@acme.com
Entitlement NameThe name of the Entitlement in the specified Application. A row is created for each Entitlement

Ex: Repo Contributor T5 or AWS App Access
Entitlement ResourceThe subject Resources for an Entitlement

Ex: The Repository name in a GitHub
Entitlement TypeEx: Repository, Advanced Server Access, Application
Entitlement DescriptionDescribes the access rights of that Entitlement

Ex: access to AWS in Okta
In Scope[True or False] When preparing a Campaign, an ADMIN can determine if certain account types should be excluded.

This will confirm if that task was included [True] or excluded [False] from the Campaign
Review Started OnDate an ADMIN clicked "Start Campaign"
Due DateDate an ADMIN choses when creating a Campaign
ReviewersThe individuals required to action the review [task]
Reviewed ByThe individuals that actioned the review [task]. This will also include the name of the new Approver if a task is re-assigned
Review DecisionOptions Include: Approve, Approve with Comment [comment included in Audit Trail], Deny, Skipped

An ADMIN can chose to "Skip" review when ending a Campaign and a user has not yet actioned the review [task]
Audit TrailThe API representation of the audit event [Campaign]. This will contain all the raw data.
Tenant IDA unique internal identifier for the Campaign

Verify report hashes

If you need to verify the checksum of a downloaded report for auditing purposes, here’s what to do:

  1. In the navigation panel, click Campaigns.

  2. Click the name of the campaign you’re interested in.

  3. Click Reports. You’ll see the file hashes for each report you’ve generated.

  4. If necessary, download the report.

  5. On the command line, navigate to the directory where the downloaded report file is stored. Run the commands appropriate to your operating system, subbing in the name of the downloaded report for <FILENAME>.

    Windows

     CertUtil -hashfile <FILENAME> MD5
     CertUtil -hashfile <FILENAME> SHA256
    

    Linux

    md5sum <FILENAME> 
    sha256sum <FILENAME>
    

    MacOS

    md5 <FILENAME> 
    shasum -a 256 <FILENAME>
    
  6. Compare the output of the commands with the file hashes printed on the Reports page. The checksums will match if the downloaded file has not been altered.