Instacart's JIT access playbook

How to complete access change tasks

ConductorOne tasks are assigned to you when your expertise is needed to approve, provision, or revoke access to applications and specific resources for members of your team.

Complete a request task

Request tasks are assigned to you when a colleague asks for new access and your review of the request is needed. Reviewers are assigned based on the request policy governing the requested app or resource.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not direct you to the task list automatically, locate it by clicking on Requests and navigating to the Assigned to me tab.

Step 2: Review the task and take action

Each line in the table is a task assigned to you. For each task, complete the appropriate steps:

  1. Review the request

    • Look at the account and the resource. Is this access needed for the user’s work and appropriate to the user’s role in the company?
  2. Learn more about the request

    If you need more information about the request, click the task number to open the details view, where you’ll find additional information to help you make your decision.

    If you’re a reviewer for emergency access requests: Go to Enable emergency access requests to learn more about how and when these special requests are created and how they’re designated in the ConductorOne app.

View insights from ConductorOne Access Copilot to help make your decision.

The detail view of a request task showing a list of Insights.
  1. If needed, edit the duration of the requested grant

    You can change the duration of the grant to a different length than what the user requested. Click the pencil icon next to the Duration and enter a new duration, then click Save.

  2. Provide your decision

    • If you agree that the access should be granted, click Approve.

    • If you don’t think this access should be granted, click Deny.

    I see there is more than one review step. If I deny the request does it still go to other reviewers? No, the review will stop at you, and the request will be closed.

Step 3: Repeat the process

Repeat these steps to review and take action on each request task assigned to you.

To take the same action on multiple tasks at once, select each task by clicking its checkbox, then select the action from the menu at the bottom left. You’ll be prompted to add a comment about your action, which is posted on each impacted task.

Click Completed tasks to see everything you’ve finished so far.

Complete a provisioning task

A request to grant new access has already been reviewed and approved. A provisioning task is now assigned to you because manual provisioning of the new access is required and you are a designated provisioner for the app.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a provisioning task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not automatically direct you to the task, locate it by clicking on Requests and navigating to the Assigned to me tab.

Step 2: Review the task and take action

  1. Go to the Awaiting provisioning tab. Each line in the table is a provisioning task assigned to you.

  2. Complete the provisioning process in the requested app, then click Provisioned. Click the more actions () menu for additional options, such as marking the task as Won’t provision.

  3. If you need additional guidance or context, click the task number to open the details view. Here you’ll find additional information:

    • If the ConductorOne admins at your company have provided any notes or instructions for how to complete the provisioning assignment, these are shown here.

    • The Comments section shows any notes other members of your organization have made about this task. (Comments posted in Slack about this task are also displayed here.)

    • The Execution plan tab shows the task’s workflow, highlighting the role you play and the policy being applied to this task.

Step 3: Repeat the process

Repeat these steps to complete each provisioning task assigned to you. Click Completed tasks to see everything you’ve finished so far.

Complete a revocation task

Revocation tasks are generated when someone (such as a manager or app owner) decides that some access is no longer used, needed, or appropriate, and recommends its removal.

ConductorOne creates a revocation task and assigns it to the appropriate reviewer (you’re likely reading this because that’s you!). Reviewers are assigned based on the applicable revocation policy.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a revocation task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not direct you to the task list automatically, locate it by clicking on Requests and navigating to the Assigned to me tab.

Step 2: Review the task and take action

Each line in the table is a task assigned to you. For each task, complete the appropriate steps:

  1. Review the proposal

    • Look at the account and the resource. Is this access no longer needed for the user’s work, or no longer appropriate to the user’s role in the company?
  2. (Optional) Find more information about the proposal

    If you need more information, click the task number to open the details view, where you’ll find additional information to help you make your decision:

    • The Comments section shows any notes other members of your organization have made about this task. (Comments posted in Slack about this revocation proposal are also shown here.)

    • The Execution plan tab shows the task’s workflow, highlighting the role you play, and the policy being applied to this task.

  3. Provide your decision

    • If you agree that the access should be revoked, click Confirm.

    • If you don’t think this access should be revoked, click Deny. This means you believe the access is still needed and appropriate. Clicking Deny will halt the revocation process and close the task.

Step 3: Repeat the process

Repeat these steps to review and take action on each task assigned to you.

To take the same action on multiple tasks at once, select each task by clicking its checkbox, then select the action from the menu at the bottom left. You’ll be prompted to add a comment about your action, which is posted on each impacted task.

Click Completed tasks to see everything you’ve finished so far.

Complete a deprovisioning task

A revocation proposal (see above) has already been reviewed and approved. A deprovisioning task is now assigned to you because manual deprovisioning of the revoked access is required and you are a designated manual deprovisioner for the app.

Step 1: Receive a notification and go to the task

ConductorOne sends you notifications by email and Slack (if enabled) whenever a deprovisioning task is assigned to you. Make sure that notification emails can reach your inbox by adding no-reply@conductorone.com to your email contacts list.

Go to Interact with ConductorOne via Slack for instructions on setting up our Slack app.

  1. Log into ConductorOne by clicking the link in your email or Slack notification.

  2. If the link in your notification does not automatically direct you to the task, locate it by clicking on Requests and navigating to the Assigned to me tab.

Step 2: Review the task and take action

  1. Go to the Awaiting deprovisioning tab. Each line in the table is a deprovisioning task assigned to you.

  2. Complete the deprovisioning process in the requested app, then click Deprovisioned. Click the more actions () menu for additional options, such as marking the task as Won’t deprovision.

  3. If you need additional guidance or context, click the task number to open the details view. Here you’ll find additional information to help you:

    • If the ConductorOne admins at your company have provided any notes or instructions for how to complete the deprovisioning assignment, these are shown here.

    • The Comments section shows any notes other members of your organization have made about this task. (Comments posted in Slack about this task are also displayed here.)

    • The Execution plan tab shows the task’s workflow, highlighting the role you play, and the policy being applied to this task.

Step 3: Repeat the process

Repeat these steps to complete each deprovisioning task assigned to you.

Click Completed tasks to see everything you’ve finished so far.

Reassign a task

If you need to reassign a task:

  1. In the task list or the details view, click the (more actions) menu and select Reassign to….

  2. Select the new assignee and provide a reason for the reassignment.

    Depending on how the request policy governing task is set up, you might have a limited number of approved users who the task can be reassigned to.

The newly assigned reviewer will receive email and Slack (if enabled) notifications about their new task assignment.

Additional task actions

Depending on your user permissions in ConductorOne, the task type, and the current status of the task, you might have additional task actions available to you in the (more actions) menu.

Actions labeled with a 🔐 symbol are only available to users who have the Super Administrator role.

Task actionDescriptionUseful when
Cancel 🔐Stop the task and close it with Canceled status. The task remains in the Task log.You don’t want or need to complete a task, but want to retain a record of its existence.
Delete 🔐Stop the task and delete it from ConductorOne entirely. No record of the task is retained in the Task log.You don’t want or need to complete a task, and want the record of its existence removed from ConductorOne.
(Action) with commentTake an action (such as certify, approve, mark as provisioned) and add a comment to the task.You want to provide context or documentation with your decision
CommentAdd a comment to the task.You have a question, request, comment, or context to share.
Reassign toAssign the task to a different user.Someone else should complete the task
Restart 🔐Restore the task to its starting state. All decisions and actions on the task are reset. The task’s history prior to the restart is maintained in the task’s audit log.You need to start the task over, using the current policy.
Hard reset 🔐Restore the task to its starting state and recalculate and apply the policy that governs the task. All decisions and actions on the task are reset. The task’s history prior to the hard reset is maintained in the task’s audit log.You need to recreate a task so it reflects changes to the governing policy. This is especially helpful after policy updates.
Change policy 🔐Restore the task to its starting state and apply the policy you select. All decisions and actions on the task are reset. The task’s history prior to the policy change is maintained in the task’s audit log. This option is not available on request tasks.You need to recreate a review or revocation task using a different governing policy.
Skip step 🔐Skip the current step in the task’s execution plan. The skipped step is assumed to have been completed successfully.You need to move a task forward without waiting for a user or system to act.
Process now 🔐Force a refresh and update of the task’s current status.A task has gotten stuck or is in an error state.
Send reminderSend an email reminder to the user the task is currently assigned to.A task has been sitting open and the assigned user might have forgotten about it.