Overview
In situations where permissions or accounts cannot be removed from a downstream system automatically, IT administrators have to perform the removal by hand while still producing the same audit trail and traceability that an automated operation would leave in system logs.
This template lets an organization automatically open an incident in ServiceNow whenever an access certification decision is made. The template records the event and campaign information together with the ServiceNow incident number, then periodically checks the incident status and updates the Okta record accordingly.
Workflows Template: Governance with Manual Fulfillment
Before Getting Started
The following will be needed:
- Access to an Okta tenant with Okta Workflows enabled.
- Access to an Okta tenant with Access Certification enabled.
- Admin access to a ServiceNow instance.
Step-by-Step instructions
- Sign in to the Okta admin dashboard.
- Choose Workflow > Workflows console from the navigation menu.
NOTE: If the Workflows console is not visible, contact the designated Account Executive (AE). The Workflows options may look different from what is shown here.
- In the top menu bar, click Flows.
- Click the + button next to Folders. Name the folder, and save.
- Hover the cursor over the folder that was created and click the 3 dots next to the folder. Click Import and choose the governanceManualFulfillment.folder file.
- Once the import operation completes, 7 flows and 3 tables will be added to the workflow folder.
- Click the Tables (3) tab > Application table.
- Add a new line for each application that requires manual intervention to remove access to resources.
NOTE: The application name must be entered exactly as it appears in the Okta tenant; otherwise the decision event for that application will not match a table entry and no incident will be opened.
- The other two tables are Incidents and Okta Event Error:
- Incidents: Each entry represents an audit record from a campaign decision + the incident number opened at ServiceNow.
- Okta Event Error: In case of error, the template records the debug data of the event and the error message.
- Ensure that the following flows have the following connections configured. These configurations can be done by navigating back to the Flows (7) tab, choosing the appropriate workflow, and adding a connector as needed.
- 01.Event.Access.Certification.Decision: The Okta Tenant
- 02.Access.Certification.Revoke.Open.Incident: The Okta Tenant and ServiceNow
- 98.1.Update.Incident.Status: ServiceNow
- Example of Correct Connection: (screenshot)
- Example of Errored Connection: (screenshot)
- The text used to create the new incident can be changed by editing the Short Description and Description cards in the 02.Access.Certification.Revoke.Open.Incident flow.
- Enable all flows by toggling the ON/OFF button until they are all blue, with the exception of 01.Helper.Access.Certification.Decision.
NOTE: If using this template in conjunction with Governance - Grace Period with Manual Operation, enable 01.Helper.Access.Certification.Decision and leave 01.Event.Access.Certification.Decision off.
NOTE: Flow 98.0.Init.Incident.Status runs every 15 minutes. This schedule can be modified by clicking the clock icon on the Scheduled Flow event card.
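The following is an added example, not code from the Okta template, that models in Python what the flows above do: flow 02 turns a revoke decision for an application listed in the Application table into a ServiceNow incident plus an audit row, failures land in the Okta Event Error table, and the scheduled 98.x flows poll incident status back into the Incidents table. The ServiceNow client is a constructed stand-in that mimics the Table API response shape (sys_id, number, state); the decision event fields, the state code mapping and the incident wording are assumptions for illustration.

```python
"""Added illustration of the Manual Fulfillment template logic (not Okta's code)."""
import itertools

# Default ServiceNow incident state codes (assumption; check your instance's choice list).
STATE_NAMES = {"1": "New", "2": "In Progress", "3": "On Hold", "6": "Resolved", "7": "Closed"}


class FakeServiceNow:
    """Constructed stand-in for the ServiceNow Table API; runs offline."""

    def __init__(self, fail=False):
        self._seq = itertools.count(1)
        self.incidents = {}
        self.fail = fail  # simulate a broken/unauthorized connector

    def create_incident(self, short_description, description):
        # Real equivalent: POST /api/now/table/incident -> result with sys_id, number, state
        if self.fail:
            raise RuntimeError("401 Unauthorized: ServiceNow connection not configured")
        n = next(self._seq)
        rec = {"sys_id": f"sysid{n:04d}", "number": f"INC{n:07d}",
               "short_description": short_description, "description": description,
               "state": "1"}
        self.incidents[rec["sys_id"]] = rec
        return rec

    def get_incident(self, sys_id):
        # Real equivalent: GET /api/now/table/incident/{sys_id}
        return self.incidents[sys_id]


def handle_decision(event, manual_apps, snow, incidents, errors):
    """Flow 02: for a REVOKE on an app in the Application table, open an incident
    and append an audit row to the Incidents table. Returns the row, or None."""
    if event["decision"] != "REVOKE":
        return None
    app = event["resource"]
    if app not in manual_apps:  # exact-name lookup, like the template's table check
        return None
    try:
        inc = snow.create_incident(
            short_description=f"Revoke {app} access for {event['user']}",
            description=(f"Campaign: {event['campaign']}\nReviewer: {event['reviewer']}\n"
                         f"User: {event['user']}\nResource: {app}\nDecision: REVOKE"))
    except Exception as exc:
        # Okta Event Error table: keep the event for debugging plus the error message
        errors.append({"event": event, "error": str(exc)})
        return None
    row = {"campaign": event["campaign"], "user": event["user"], "resource": app,
           "reviewer": event["reviewer"], "incident_number": inc["number"],
           "incident_sys_id": inc["sys_id"], "status": STATE_NAMES[inc["state"]]}
    incidents.append(row)
    return row


def sync_incident_status(snow, incidents):
    """Flows 98.0/98.1: poll still-open incidents and update the table.
    Returns the number of rows whose status changed."""
    changed = 0
    for row in incidents:
        if row["status"] in ("Resolved", "Closed"):
            continue
        state = snow.get_incident(row["incident_sys_id"])["state"]
        new_status = STATE_NAMES.get(state, f"state {state}")
        if new_status != row["status"]:
            row["status"] = new_status
            changed += 1
    return changed


if __name__ == "__main__":
    # Constructed sample decision event (field names are assumptions, not Okta's schema)
    event = {"campaign": "Q3 SaaS review", "reviewer": "jane@example.com",
             "user": "bob@example.com", "resource": "Salesforce", "decision": "REVOKE"}
    snow, incidents, errors = FakeServiceNow(), [], []
    print(handle_decision(event, {"Salesforce"}, snow, incidents, errors))
    print(handle_decision({**event, "resource": "salesforce"}, {"Salesforce"}, snow, incidents, errors))
    snow.incidents["sysid0001"]["state"] = "6"  # someone resolved the ticket
    print(sync_incident_status(snow, incidents), incidents[0]["status"])
```

The second call in the demo shows the failure mode behind the NOTE on the Application table: a row whose name does not match the tenant's application name exactly is never matched, so no incident is opened and nothing is written to either table.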
Testing this flow
- Sign in to the Okta admin dashboard.
- Choose Identity Governance > Access Certifications from the navigation menu.
- Create a new access certification campaign by clicking on the + Create campaign button.
- Follow the + Create Campaign Wizard.
- Once the campaign is created, from the Okta admin dashboard, navigate to Workflows > Workflows console.
- Click the folder that has the Manual Fulfillment template.
- Click the Tables (3) tab.
- Click the Application table.
- Add a new line for every application that requires manual operation. Keep the Workflow console open, as we will reference another table shortly.
- Go back to the Campaign and launch it by navigating to the Scheduled tab, then choosing the campaign created > Actions > Launch.
- As a reviewer, revoke a resource. In this example, Salesforce is the revoked resource. Navigate to the end-user dashboard (your own, or the assigned reviewer's) and click Okta Access Certification Reviews. Choose the campaign. Scroll down to Pending Reviews. Choose a user and revoke them by clicking the Revoke or X button.
- Back at the Workflows console, click the Tables (3) tab: the event information should now be stored in the Incidents table together with the incident number from ServiceNow.
- In ServiceNow, a new incident should be visible.
Limitations and Known Issues
- Workflows tables are not optimized for storing large numbers of records. If campaigns generate many entries, keep the record limits documented in the Workflows system limits in mind.
- If this template is used with the Grace Period with Manual Operation, it is necessary to disable the 01.Event.Access.Certification.Decision flow.
Related References
- Workflows system limits
- Okta Identity Governance API
- Okta Access Certification documentation
- Okta Workflows documentation
Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team.
