Campaigns

Access review campaigns help organizations maintain compliance and security by systematically reviewing who has access to what resources. Campaigns ensure the right people have the right access at the right time, while identifying and removing excessive, orphaned, or unnecessary access.

Overview

A campaign is a time-bounded access review process where designated reviewers evaluate accounts and make decisions to approve, reject, or flag access for further review. Campaigns can be configured with automation rules, policies, and AI recommendations to assist reviewers in making informed decisions.

Typical Campaign Workflow

Admin creates the campaign - Define scope, assign reviewers, set schedule, and configure automation
Campaign launches - Reviewers are notified and begin their reviews
Reviewers make decisions - Approve, reject, or flag accounts for review
Campaign completes - Results are finalized and available for export and audit

Role-Based Responsibilities

Role	Responsibilities
Admin	Create campaigns, configure automation rules and policies, assign reviewers, monitor progress, export results
Reviewer	Review assigned accounts, make approve/reject/flag decisions, add comments
Auditor	View campaign progress and results, access reports for compliance purposes

For Administrators: Creating a Campaign

Administrators create and configure access review campaigns using a step-by-step wizard. The wizard guides you through six steps to define all aspects of your campaign.

Prerequisites

Before creating a campaign:

Ensure data has been synchronized from your Hydden platform (Settings > Data Sync)
Optionally configure Campaign Rules for automation
Optionally configure Access Policies for policy-based decisions

Step 1: Campaign Basics

Start by providing foundational information about your campaign.

Navigate to Campaigns and click + New Campaign (or use a template from the welcome screen).
Enter a Campaign Name that identifies the review period or purpose (e.g., "Q1 2026 Access Review").
Optionally add a Description to explain the campaign's purpose and scope.
Select a Campaign Owner from the list of platform users. The owner is responsible for overseeing the campaign.
Choose a Campaign Type:

Type	Description	Use Case
Application Review	Review access by application	Validate who has access to specific applications
Group Review	Review access by group membership	Audit group memberships and validate purposes
Role-Based Review	Review access by role assignments	Validate role assignments and optimize definitions
Platform Review	Review all accounts on a platform	Comprehensive review across distributed systems
Query-Based Review	Dynamically select accounts using filter conditions	Target accounts by any combination of identity, organization, group, role, or classification attributes

Set the Priority Level (Low, Normal, High, Critical). Higher priority campaigns appear first in reviewer queues.

Step 2: Define Scope

Select the targets (applications, groups, roles, or platforms) to include in this review.

Browse or search the available targets based on your campaign type.
Use Filters to narrow results:
- Account Types: Filter by human, service, or machine accounts
- Minimum Risk Score: Only include targets above a risk threshold
- Include Inactive: Toggle whether to include inactive accounts
Select targets by clicking on them. Use Select All to include all filtered results.
Review the selection summary showing the number of targets and estimated accounts.

Scope Preview

As you make selections, the sidebar preview shows the total number of applications/groups/roles and accounts that will be included in the campaign.

Step 2b: Build Query (Query-Based campaigns only)

For Query-Based Review campaigns, this step replaces the standard scope selector. Use the query builder to define dynamic filter conditions.

How it works: The query builder evaluates your filters at campaign start. It finds all matching accounts and populates the campaign scope automatically.

Inclusion filters use AND logic — all conditions must match. Exclusion filters use OR logic — any matching condition removes the account.

Entity Types

Entity	What it filters on
Account	Account fields: name, email, domain, status, type, classification, MFA status, department, etc.
Owner	Owner attributes: name, title, department, risk score, etc.
Group	Group name, platform, type — resolves to member accounts
Role	Role name, platform, data source — resolves to accounts assigned to the role
Classification	Classification label — resolves to accounts with that classification

Available Operators

Operator	Description
`equals` / `does not equal`	Exact match
`contains` / `does not contain`	Substring match (case-insensitive)
`starts with` / `ends with`	Prefix or suffix match
`at least` / `at most`	Numeric comparison
`is empty` / `is not empty`	Null check

Build and Test a Query

Click + Add Condition under Include accounts where... to add an inclusion filter.
Select the Entity, Field, and Operator for the condition.
Enter a value (or leave blank for is empty/is not empty).
Add more inclusion conditions as needed. All must match (AND).
Optionally click + Add Exclusion to add accounts to exclude (OR logic).
Click Test Query to preview results.
- The result shows how many accounts match the current query.
- A sample table shows up to 5 matching accounts with name, email, status, and department.

Result: When you launch the campaign, the query runs again and produces the final account scope.

Preview before launch

Always test your query before advancing. A query with no inclusion filters returns no accounts.

Step 3: Assign Reviewers

Define who will review the accounts in this campaign.

Choose a Reviewer Assignment Method:

Method	Description
Manager Review (Recommended)	Each user's direct manager reviews their access
Application Owner	App owners review all access to their applications
Custom Reviewers	Manually assign specific reviewers from the platform users list
Hybrid Approach	Combine multiple reviewer strategies

If using Custom or Hybrid, search and select reviewers from the available platform users list.
Configure Reviewer Settings:
- Allow Delegation: Reviewers can delegate reviews to others
- Require Comments: Comments required for rejections
- Allow Bulk Actions: Reviewers can approve/reject multiple items at once
Optionally configure an Escalation Path to notify specific users if reviews are not completed in time:
- Add escalation levels (e.g., Level 1: Manager after 7 days, Level 2: Director after 14 days)
- Select the escalation contact and the number of days after which to escalate

Step 4: Set Schedule

Define when the campaign runs and how reviewers are reminded.

Select a Start Date for the campaign.
Set the Duration using quick presets (14, 30, 45, 60, or 90 days) or enter a custom number.
Choose the Timezone for all deadlines and reminders.
Configure Reminder Schedule:
- Initial Notification: Send when campaign starts
- Weekly Digest: Summary of pending reviews each week
- Final Warning: Urgent reminder before deadline (configure how many days before end)

Step 5: Automation & Rules

Configure automation to assist reviewers with decisions.

Select Automation Rules to automatically approve or reject access based on defined conditions:
- Browse available rules and select those applicable to this campaign
- Rules show their decision type (approve, reject, flag for review)
- Selected rules will be evaluated during the campaign
Note
Create rules under Settings | Campaign Rules.
Select Access Policies to apply policy-based controls:
- Browse available policies and select those to enforce
- Policies with "Auto-Approve" will automatically approve matching access
Note
Create Policies under Policies.
Configure AI Recommendations:
- Enable AI Recommendations: AI analyzes each account's risk factors, owner context, and entitlements to suggest actions
- Auto-flag Anomalies: Automatically flag accounts with unusual access patterns
- Risk-based Prioritization: Sort accounts by AI-assessed risk level, showing highest risk first

Processing Time

When AI recommendations are enabled, each account is analyzed during campaign activation. This may add processing time when launching large campaigns.

Step 6: Review & Launch

Review your campaign configuration before launching.

Review the summary showing all configured settings:
- Campaign basics (name, type, owner, priority)
- Scope (targets and estimated accounts)
- Reviewers and settings
- Schedule and reminders
- Automation rules and policies
Click Edit on any section to make changes.
Optionally check Save as Template to reuse this configuration for future campaigns.
Click Launch Campaign to start the campaign.

Using Templates

Save time by using campaign templates:

Load Template: Click Load Template in the wizard header to load a previously saved template
Save as Template: Click Save as Template to save the current configuration for reuse
Templates store all configuration including scope, reviewers, rules, and policies

For Reviewers: Reviewing Accounts

Reviewers are responsible for evaluating accounts and making access decisions. When a campaign starts, reviewers receive notifications and can access their assigned reviews.

Accessing Your Reviews

Navigate to Campaigns from the left sidebar.
Find campaigns where you are assigned as a reviewer.
Click View on the campaign to open the review interface.

The Review Interface

The review interface provides a streamlined workflow for reviewing accounts:

Area	Description
KPI Cards (Top)	Clickable status cards showing Pending, Approved, Rejected, and total progress. Click a card to filter the list
Account List (Left)	Scrollable list of accounts with search, filters, and column controls
Review Panel (Right)	Detailed information about the selected account with action buttons
Batch Action Bar	Appears when multiple accounts are selected for bulk operations

Account List Features

Search: Find accounts by name or email
Status Filter: Show All, Pending, Approved, Rejected, or Flagged accounts
Risk Filter: Filter by Critical, High, Medium, or Low risk
Sort Options: Sort by Risk (high to low), Name, or Application
AI Indicators: Visual indicators showing AI recommendations (checkmark for approve, X for revoke, ? for review)

Review Panel Tabs

When you select an account, the Review Panel displays detailed information across four tabs:

Tab	Information
Risk Factors	Risk score (0-100), risk level (critical/high/medium/low), triggered risk factors with severity weights, passing checks, and policy check results (pass/fail/warn) with messages
Account Details	Department, status, data source, application information, account type, MFA status, last login, and privilege level
Owner Context	Owner profile (name, email, title, department, manager), owner status, risk score, privileged accounts count, total accounts count, policy violations count, and role analyses showing access patterns
Owner Changes	Audit trail of changes to the owner and their accounts with timestamps and responsible parties

Enhanced Owner Context

The Owner Context tab now includes role analysis showing what applications and groups are commonly accessed by users with the same role, helping you understand whether the account's access is typical for the role.

Entitlements Section

The Entitlements section shows the account's current group memberships and application role assignments.

Item	Description
Groups	All groups the account belongs to. High-privilege groups are flagged with a warning indicator.
Application Roles	All application roles assigned to the account, grouped by data source.

Use this section to verify whether the account's group and role access is appropriate for the user's job function.

Previous Decisions Section

The Previous Decisions section shows how this account was reviewed in past campaigns.

Field	Description
Campaign Name	Name of the campaign where the decision was made
Decision	Approved, Rejected, Revoked, or Flagged
Date	When the decision was recorded
Reviewer	Who made the decision
Comment	Notes the reviewer added (if any)

Use this section to understand review history and identify accounts that have been flagged or rejected before.

You can customize which sections appear in your detail panel. See Preferences.

Making Decisions

For each pending account, you have four decision options:

Action	When to Use	Keyboard Shortcut
Approve	Access is appropriate and should continue	`A`
Reject	Access should be revoked and removed	`R`
Revoke	Similar to reject, explicitly removes access entitlements	`V`
Flag for Review	Needs further investigation or escalation	`F`

Shortcut	Action
`J` or `↓`	Move to next item
`K` or `↑`	Move to previous item
`[` or `]`	Previous / next page
`Space`	Toggle batch selection on current item
`Ctrl+A`	Select all pending items
`Esc`	Clear batch selection

Batch Action Shortcuts

Shortcut	Action
`Ctrl+Shift+A`	Approve all selected items
`Ctrl+Shift+R`	Reject all selected items

Other Shortcuts

Shortcut	Action
`S`	Skip to next account without deciding
`Z`	Undo last decision
`?`	Show keyboard shortcuts help

AI Recommendations

If AI recommendations are enabled for the campaign, each account shows:

Suggested Action: Approve, revoke, or review
Confidence Score: How confident the AI is in its recommendation (0-100)
Reason: One-sentence explanation of why the AI made this recommendation
Primary Factors: Key factors that influenced the recommendation
Risk Indicators: Security or compliance concerns identified
Data Gaps: Missing information that limited the analysis

Using AI Recommendations

AI recommendations are generated during campaign launch and stored for consistent review. Recommendations are based on risk factors, access patterns, owner context, group memberships, and role analysis. Always review the supporting information before making your decision.

Batch Review with AI Grouping

When AI recommendations are enabled, the system can group similar accounts into batches for efficient review:

Batch Groups: Accounts with similar characteristics grouped together
AI Analysis: Each batch includes an AI-generated summary with:
- Title: Descriptive name for the batch
- Traits: Common characteristics shared by accounts in the batch
- Summary: Key observations about the batch
- Recommendation: Suggested action for the batch
- Confidence: AI confidence in the batch recommendation
Bulk Actions: Apply decisions to all accounts in a batch simultaneously

Batch grouping is particularly useful for campaigns with hundreds or thousands of accounts, allowing reviewers to process similar accounts efficiently while maintaining decision quality.

Undo Decisions

After making a decision, you have a 30-second window to undo it:

The action bar shows "Undo available for Xs"
Click Undo Decision or press Ctrl+Z
The account returns to Pending status

Undo Window

The undo window is limited to 30 seconds after making a decision. After this time, the decision is finalized and can only be changed by administrators.

Campaign Management

Viewing Campaign Progress

Administrators and Auditors can monitor campaign progress:

Navigate to Campaigns and click View on any campaign.
The Overview tab shows:
- Start and end dates
- Campaign owner
- Progress percentage
- Statistics (total, pending, approved, rejected, flagged)

Campaign Tabs

Tab	Description
Overview	Key campaign details and progress statistics
All	All accounts in the campaign with their current status
Pending	Accounts awaiting review
Reviewed	Accounts that have been reviewed (approved, rejected, or flagged)
Policies & Rules	Applied policies and campaign rules with evaluation results
Settings	Campaign configuration (read-only) and rule evaluation options

Rule Evaluation and Testing

Administrators can test and evaluate campaign rules before applying them:

Test Rules: Test rule conditions against current data to see how many accounts or owners would match
- View total matches and sample results
- See part-by-part evaluation results for complex rules
- Identify syntax errors before launching campaigns
Evaluate Campaign Rules: Run rule evaluation on an active campaign to see automated decisions
- Monitor evaluation progress (pending → in_progress → completed)
- View approved, rejected, and no-decision counts
- Review any errors or skipped accounts
Background Jobs: Rule evaluations run as background jobs
- Track progress percentage and processed entities
- View job history and results
- Get notified when evaluation completes

Pre-Launch Testing

Always test campaign rules before launching campaigns to ensure they match the expected accounts and produce the desired decisions.

Extending a Campaign

If reviewers need more time:

Open the campaign and click Extend Campaign.
Select a new end date.
Reviewers are notified of the extension.

Completing a Campaign

Once all accounts have been reviewed:

Click Complete Campaign to finalize the campaign.
Results are locked and available for export.

Exporting Results

Export campaign results for compliance and audit purposes:

Navigate to a completed campaign.
Click Export to CSV to download the results.
The export includes account details, decisions, reviewers, comments, and timestamps.

Campaign Types

Application Review

Review who has access to specific applications:

Target specific applications from your synchronized data
Validate business need for each account's access
Ensure least privilege principles are followed

Group Review

Review group memberships:

Target specific groups to audit
Validate group purposes and membership appropriateness
Clean up unnecessary or outdated memberships

Role-Based Review

Review role assignments:

Target specific roles for review
Validate role assignments against job functions
Identify opportunities to optimize role definitions

Platform Review

Comprehensive review across distributed systems:

Target entire platforms (e.g., all Active Directory accounts)
Review access across systems of the same type
Useful for broad compliance reviews

Query-Based Review

Dynamically define campaign scope using filter conditions:

Build inclusion and exclusion filters across five entity types: Account, Owner, Group, Role, Classification
Conditions use AND logic within inclusions and OR logic across exclusions
Test the query before launch to preview matching account count and a sample
Accounts are resolved at campaign start — changes after launch do not affect scope
Use cases: "All accounts in Finance department with a threat score above 70," "All accounts belonging to a specific group but not classified as service accounts"

Campaign Features

Automated Targeting

Rule-based selection using campaign rules
Dynamic campaign scope based on filters
Risk threshold filtering

Approval Workflow

Multiple reviewer assignment methods
Delegation support
Bulk approve/reject operations
Comment requirements

Progress Tracking

Real-time progress monitoring
Completion statistics by reviewer
Reminder notifications
Escalation paths for overdue reviews

AI-Powered Assistance

Risk-based account prioritization
AI recommendations with confidence scores
Automatic anomaly flagging
Access pattern analysis

Campaign Dashboard

The Campaigns page provides filtering to control what campaigns are displayed:

Status Filter

Status	Description
All	Show all campaigns
Draft	Campaigns not yet launched
Active	Currently running campaigns
Completed	Finished campaigns
Cancelled	Campaigns that were cancelled

Type Filter

Filter by campaign type: All, Manager Review, Group Review, Role Review, Application Review, Platform Review, or Query-Based Review.

Table Columns

The campaigns table displays:

Name: Campaign name with description
Type: Campaign type
Status: Current status badge
Start/End Date: Campaign timeline
Campaign Owner: Person responsible for the campaign
Actions: View, Delete (if applicable), Export (for completed campaigns)

Campaigns ​

Overview ​

Typical Campaign Workflow ​

Role-Based Responsibilities ​

For Administrators: Creating a Campaign ​

Prerequisites ​

Step 1: Campaign Basics ​

Step 2: Define Scope ​

Step 2b: Build Query (Query-Based campaigns only) ​

Entity Types ​

Available Operators ​

Build and Test a Query ​

Step 3: Assign Reviewers ​

Step 4: Set Schedule ​

Step 5: Automation & Rules ​

Step 6: Review & Launch ​

Using Templates ​

For Reviewers: Reviewing Accounts ​

Accessing Your Reviews ​

The Review Interface ​

Account List Features ​

Review Panel Tabs ​

Entitlements Section ​

Previous Decisions Section ​

Making Decisions ​

Navigation and Selection Shortcuts ​

Batch Action Shortcuts ​

Other Shortcuts ​

AI Recommendations ​

Batch Review with AI Grouping ​

Undo Decisions ​

Campaign Management ​

Viewing Campaign Progress ​

Campaign Tabs ​

Rule Evaluation and Testing ​

Extending a Campaign ​

Completing a Campaign ​

Exporting Results ​

Campaign Types ​

Application Review ​

Group Review ​

Role-Based Review ​

Platform Review ​

Query-Based Review ​

Campaign Features ​

Automated Targeting ​

Approval Workflow ​

Progress Tracking ​

AI-Powered Assistance ​

Campaign Dashboard ​

Status Filter ​

Type Filter ​

Table Columns ​

Related Topics ​