Access Certification - Governance with a Grace Period
Identity Governance
Okta Classic Engine
Okta Identity Engine

Overview

During an access certification, some organizations allow revoke decisions, and some campaigns implement a grace period during which end users retain access to the resource for a period of time before it is revoked.

This template enables this configuration per campaign, applying the revoke decision at a future date, determined by the number of days that are granted as a grace period.

Workflows Template: Governance Revoke After Grace Period

Before Getting Started

The following will be needed:

  • Access to an Okta tenant with Okta Workflows enabled.
  • Access to an Okta tenant with Access Certification enabled.

Step-by-Step instructions

  1. Sign in to the Okta admin dashboard.
  2. Choose Workflow > Workflows console from the navigation menu.

NOTE: If the Workflows Console is not seen, it may be necessary to contact Okta support. The Workflows options may appear different than what is presented here.

  3. In the top menu bar, click Flows.
  4. Click the + button next to Folders. Name the folder, and save.
  5. Hover the cursor over the folder that was created and click the 3 dots next to the folder. Click Import and choose the governanceGracePeriod.folder file.
  6. Once the import operation completes, 3 flows and 2 tables will be added to the workflow folder.
  7. Click the Tables (2) tab, and click Configuration.
  8. Add a new line for each campaign that will have a grace period. For example, to enable a grace period for the Semi-Annual campaign of 15 days, add a new line to the table with the following information:
    • Campaign Name: Semi-Annual
    • The period in Days: 15
  9. Ensure that the following flows have the following connections configured. These configurations can be done by navigating back to the Flows (3) tab, choosing the appropriate workflow, and adding a connector as needed.
    • Flow Name: 01.Event.Access.Certification.Decision: The Okta Tenant
    • Flow Name: 02.1.Event.Process.Decision: The Okta Tenant
  10. Enable all three flows by toggling the ON/OFF button until they are all blue.

NOTE: By default, flow 02.0.Event.Expired.List runs every day at 12:00 AM. This schedule can be modified by clicking the clock icon on the Scheduled Flow event card.

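The following Python sketch is an added example, not the template's own logic or Okta code. It models the behaviour described above: a revoke decision is queued with a date derived from the Configuration table, and a daily run acts on rows whose grace period has ended. The row field names, the sample user and dates, and the handling of campaigns missing from the table are assumptions.

```python
from datetime import date, timedelta

# Constructed sample of the Configuration table: campaign name -> grace period in days.
CONFIGURATION = {"Semi-Annual": 15}


def record_decision(events, campaign, user, resource, decided_on, config=CONFIGURATION):
    """Queue a revoke decision instead of applying it at once.

    Returns the stored row, or None when the campaign has no Configuration row
    (assumption of this model: it does not schedule such campaigns).
    """
    days = config.get(campaign)
    if days is None:
        return None
    if days < 0:
        raise ValueError("grace period must not be negative")
    row = {"campaign": campaign, "user": user, "resource": resource,
           "decided_on": decided_on, "revoke_on": decided_on + timedelta(days=days),
           "processed": False}
    events.append(row)
    return row


def run_expired_list(events, today):
    """One scheduled run: return the rows whose grace period has ended."""
    due = [r for r in events if not r["processed"] and r["revoke_on"] <= today]
    for row in due:
        row["processed"] = True  # a real flow would remove the access at this point
    return due


def exposure_days(row, run_day):
    """Days the user kept access after the reviewer chose to revoke."""
    return (run_day - row["decided_on"]).days


if __name__ == "__main__":
    events = []  # stands in for the Grace Period Events table
    row = record_decision(events, "Semi-Annual", "user@example.com", "Salesforce", date(2024, 3, 1))
    print("revoke on:", row["revoke_on"])
    print("run one day early:", run_expired_list(events, date(2024, 3, 15)))
    late = date(2024, 3, 20)  # scheduled run skipped until this day
    print("late run:", len(run_expired_list(events, late)), "row(s),", exposure_days(row, late), "days of access")
```

In this model a queued row is acted on only by a scheduled run, so the access window is the configured number of days plus the wait until the next run that actually executes.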

Testing this flow

  1. Sign in to the Okta admin dashboard.
  2. Choose Identity Governance > Access Certifications from the navigation menu.
  3. Create a new access certification campaign by clicking on the + Create campaign button.
  4. Follow the + Create Campaign Wizard.
  5. Once the campaign is created, copy the name of the campaign.
  6. From the Okta admin dashboard, choose Workflows > Workflows console.
  7. Click the folder with the Grace Period template.
  8. Click the Tables (2) tab.
  9. Click the Configuration table.
  10. Add a new line and paste or type in the name of the newly created campaign.
  11. Navigate back to Identity Governance > Access Certifications and launch the campaign by selecting the Scheduled tab and then choosing the campaign > Actions > Launch.
  12. As a reviewer, revoke a resource. In this example, Salesforce is used. Navigate to the assigned reviewer’s end-user dashboard and choose Okta Access Certification Reviews. Choose the campaign. Scroll down to Pending Reviews. Choose a user and revoke them by clicking the Revoke or X button.
  13. From the Okta admin dashboard, choose Workflows > Workflow Console > the folder with the Grace Period template > Tables (2). The event information should be stored in the Grace Period Events table in Workflows.

Limitations and Known Issues

The Workflows table is not optimized to store large numbers of records. If the campaigns generate a large number of entries, be mindful of the record limits found in the Workflows system limits.
