
Trigger certification from user update rule

User11
New Contributor III

Hello Team, 

I need help regarding the certification launch. We have a requirement from the client: if a user's/employee's title gets changed (basically the JML process), a certification should trigger. Via update rules is what I can think of for now. Could you please guide me through the process?

 

4 REPLIES

savuser17
Regular Contributor

Hi,

You can refer to this Saviynt document; it gives detailed answers for triggering certification based on a change in a user attribute.

https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter15-Campaigns-and-Certificati...

Thanks

rushikeshvartak
All-Star

Saviynt provides the capability to launch a campaign (certification) based on changes to user attributes. For example, when the company, city, department or any other user metadata value of the user is modified or changed, the defined Campaign is launched. The following steps need to be followed to trigger event-based certification.

Perform the following steps, to launch a Campaign from User Update Rule:

  1. Go to Admin > Provisioning Rules > User Update Rules
  2. Configure a user update rule by providing the name, condition which needs to be checked when a user attribute is modified, and choose the action as “Launch Certification” which opens a pop up to enter campaign configuration. Enter the necessary configuration and click on SAVE to create the rule.

    Parameter Description

    Rule Details

    Rule Name

    Specify a relevant rule name for the user update rule which is created to launch a Campaign.

    Detective

    Select the Detective checkbox if you want to trigger the rule when the user is updated using the Import User option.

    Select Type

    If you select the Detective checkbox, by default the type is selected as 'Trigger when the user is updated from Import'.

    If the Detective checkbox is not selected, one of the following rule types can be selected.

    • Triggered when User is updated from UI - Selecting this rule type will trigger the user update rule when the user is updated from the IGA UI.
    • Triggered when User is created from UI - Selecting this rule type will trigger the user update rule when the user is created from the IGA UI.
    • Triggered when User is removed from UI - Selecting this rule type will trigger the user update rule when the user is removed from the IGA UI.

    Rule Description

    Specify detailed description for the user update rule.

    Rule Owner

    Allows you to add a rule owner for the respective user update rule. Click Add Rule Owner to add an owner for the respective user update rule.

    Condition

     

    Advanced Config

    By default, the Advanced Config is disabled (OFF). If you want to specify a query as a condition to be matched for triggering the user update rule, you need to turn the Advanced Config ON. 

    Object 

    Select the attribute as User(s) for which you want to trigger the user update rule.

    Attribute

    Select the user attribute to which you want to map the condition. For example, you can select the attribute as city, department, statuskey, manager, and so on. Based on the criteria, you can trigger the user update rule.

    Sample: For example, you want to launch a campaign when the user's job function is changed. 

    Condition

    Specify the condition to be matched for the selected attribute. Possible condition values are: is update, Equals, greater than, less than, contains, starts with, does not contain, not equals, not null, is Null, is updated, in, and not in.

    Sample: For example, if you want to configure the condition for when the user's job function, manager, or city attribute 'is updated', then select the condition as 'is updated'.

    Value 

    Allows you to specify a specific value to which the object attribute should map.

    Sample: For example, for the City name is Bangalore condition, you can specify the value as 'Bangalore'.

    Next Condition

    Optionally, you can specify more than one condition. For two or more conditions, specify AND in Next Condition if all conditions should be mapped. If any one of the conditions should be mapped, specify OR.

    Add Condition

    Click Add Condition to add multiple conditions to the user update rule.

    Action

    Organization Name

    Used to specify the organization name to which the user belongs.

    Launch Certification

    Select Launch Certification from the drop-down list. Select Manager, to launch the certification for User Manager. 

    Campaign Configuration

    Click Campaign Configuration to create a campaign for the user update rule. The Campaign screen dialog will be displayed. Refer to this step for more details about configuring the Campaign to be launched when the user update rule is triggered after the specified condition is met.

  3. Once you click on Campaign Configuration, the following screen is displayed. Provide the campaign related parameter values in Campaign Configuration.

    Parameter Description

    Campaign Name

    Provide a logical campaign name to easily identify the campaign.

    Campaign Owner

    Select the campaign owner for the campaign. The Campaign owner can additionally add other certifiers to the respective Campaign.

    Launch Type

    Select whether you want to launch the campaign in active mode or in preview mode. Campaigns in preview mode are read-only and not yet launched. From preview mode, you can activate the campaign.

    Number of days to expire campaign

    Specify the number of days from the campaign active mode after which you want to expire the campaign. For campaigns in preview mode, only when the campaign is active the days to expire campaign are counted from the activation date.

    Campaign Type

    You can select either User Manager or Service Account as the campaign type. Only for these two campaign types, you can launch a campaign.

    Default Configuration

    Specifying ON as the Default Configuration enables applying the Admin > Configure > Attestation configuration parameters specified to the newly defined campaign. You can turn the Default Configuration OFF and specify attestation and campaign configuration specifically for the newly defined campaign. This will override the default configuration set from Admin > Configure > Attestation.

    Application

    You can select all the applications for which you want to apply the Campaign. Alternatively, you can select only a specific target application for which you want to launch the campaign.

    Items to be included

    This option allows you to perform certification for: BASE_ACCOUNT of user, Entitlements, and Roles assigned to user. Only the certification for the selected identity objects can be launched inside the campaign. For example, if you only select Roles, only the Roles attestation can be done. The attestation for BASE_ACCOUNT and Entitlements will not be available if Roles is selected. Additionally, if you specify BASE_ACCOUNT, Roles and Entitlements, you will get 2 Step attestation. The first step is used to perform Employment verification, while the second step is used to perform role and entitlement verification.

  4. (Optional) Scroll down and provide parameter values based on which you want to filter the users, accounts, or entitlements and click Submit.

    Parameter Description

    Users Query

    Allows you to specify a user query based on which you want to filter the users. 

    Accounts Query

    Allows you to specify account names based on which you want to filter the accounts.

    Entitlements Query

    Allows you to specify entitlement attributes (such as risk >1 and sox_critical >0) based on which you want to filter the entitlements.

    Account Entitlements1 Query

    Allows you to specify a combination of accounts and entitlement attributes based on which you want to filter the account entitlements.

    reassign.users

    Certifications inside a campaign can be reassigned to other user(s). Using the reassign.users setting, you can specify a query to filter only the specific user(s) that you want populated when you click on Reassign. For example, you can provide a query to filter the manager and it will only fetch the manager list when you click on Reassign.

    Include Users with type

    Allows you to select employee type, which is Employee or Contractor. The Employee Type field in Users is used to set the employee type.

    Include Access assigned through

    Enables you to include the access type that is assigned to a user. The access types assigned to a user can be:

    • Direct - Direct access is the access assigned to a user account for a particular entitlement using user update rule, technical rule, ARS request, or using Role. 
    • Indirect - There might be certain entitlements, which act as Parent entitlements and have further child entitlements inside it. The access given to a child entitlement automatically, when a user is having access to a parent entitlement is termed as Indirect access. This option allows you to include child entitlements too as part of campaign.
    • Both - Allows you to include direct and indirect access.

    Include Accounts of type

    Allows you to select the account type(s), which you want to include as part of Campaign.

    • Privileged Account
    • System Account
    • Service Account
    • User Account
  5. When the user attribute mentioned in the rule is modified in Saviynt Access Manager and matches the condition, the user certification will be saved to be launched later in Saviynt.
  6. Go to Admin > Job Control Panel > Attestation and schedule LAUNCHCERTIFICATIONFROMRULEJOB to launch the campaign for all the users modified and matching the rule.

https://docs.saviyntcloud.com/bundle/SSM-Admin-v55x/page/Content/Chapter15-Campaigns-and-Certificati...


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.

Hi @rushikeshvartak

I have successfully completed step 3 mentioned in the information provided above. However, I am unsure about how to proceed with the configuration. Can you please guide me through the process?

The next step, #4, is optional configuration.


Regards,
Rushikesh Vartak