Identity Governance FAQs
Category: Identity Governance
Applies to: Okta Classic Engine, Okta Identity Engine (All Engines)

General

What capabilities are available with Okta Identity Governance?

Okta Identity Governance is a solution comprising Lifecycle Management, Workflows, and Access Governance. Access Governance includes four capabilities that help customer organizations deliver fine-grained governance over their identities to ensure only the right users have access to the right resources. The four governance-specific capabilities are:

  • Okta Access Requests 
  • Okta Access Certifications 
  • Governance-Focused Reports 
  • Entitlement Management

 

Are there any help articles or product documentation I can use to familiarize myself with the products?

Yes, the Product team has put together the following documentation: 

In addition, there are some short videos available to demonstrate how these products work and a Product Hub Page with updates on What's New:

 

Can I use Okta Identity Governance for FedRAMP and HIPAA Okta orgs or user data?

Currently, the complete Okta Identity Governance (OIG) bundle is available in Okta for US Military, Okta's FedRAMP-authorized environment for that sector.
For Government Moderate and Government High, review the planned roadmap on the US Public Sector page.

Please speak with your account team or Okta representative about your specific use case and outcomes to determine how Okta's FedRAMP and HIPAA-compliant identity solutions can help solve your identity challenges.

Access Requests

What are the features available with Okta Access Requests?

Okta Access Requests gives employees a modern way to request access to resources. Administrators can configure request workflows that model complex business processes (for example, multiple approvals) for any Okta resource: Okta applications, Okta groups, and entitlement bundles. Employees are met where they already work: they can request resources from the Okta End-User Dashboard, from chat clients such as Slack and Microsoft Teams, and from a web portal.

 

Do you have any product documentation to help me set up Access Requests?

Yes, please refer to this documentation for information on how to use the Access Requests product and other product features available at this time.

 

What is the difference between request conditions and request types?

Access request conditions are the newer way to manage access requests in Okta: the configuration lives on the resources being requested. Because a condition is attached to the resource, the relationships between resources and the access levels within them can be used in a more scalable way to make the right resources requestable by the right people, with the right levels of approval.

Access request types are the original way to manage access requests in Okta. They have more flexible logic definitions but only an implicit link to Okta resources, through their assignment tasks, which limits how well they integrate with existing resources (for example, the catalog cannot show the logo of a requestable application).

Okta recommends exploring and implementing access request conditions; future investment is expected to focus primarily on them.

 

Does Access Requests support requests for app-sourced groups (for example, groups sourced from Active Directory)?

For now, Access Requests is limited to Okta-sourced groups, managed applications, and entitlements. Membership of an app-sourced group is owned by the source application, so Okta cannot add a user to it directly and could not fulfil such a request itself. For Active Directory and many other applications in the Okta Integration Network, Okta can still manage membership in the target application by pushing an Okta-sourced group to it (group push), and can manage entitlements through Entitlement Management; make the Okta-sourced group or the entitlement the requestable resource instead.

 

What other resources can I request outside of Okta applications and Okta groups?

Access Requests are designed for end users to request access to Okta applications, Okta-sourced Groups, Okta admin roles, and entitlement bundles managed within Okta. Okta plans to expand the scope and add more resources (e.g., privileged resources) that can be requested via this modern interface. Please refer to the Okta product roadmap for timelines on when these new capabilities will be available.

 

Can I track how access has been granted to a user via a report and submit it for audit purposes?

Governance-focused reports show who has access to which application. For access granted through Access Requests, you can additionally see who approved the access, when it was granted, what the business justification was, and for how long it was granted. Together this gives auditors the evidence trail (who, when, why, and approved by whom) that compliance-focused audits typically ask for.

 

Access Certifications

What are the features available with Okta Access Certifications?

With Okta’s Access Certifications, audit campaigns can be created to periodically recertify who can access Okta applications, groups, entitlements, and entitlement bundles.

User campaigns can be run to look at resources for specific users who may have undergone a role change within an organization.

The results of an audit campaign can be exported and shared with auditors to satisfy any compliance requirements.

 

Do you have any product documentation to help me use Access Certifications?

Yes, please use this documentation for information on how to use the Access Certifications and other product features currently available.

 

Which Okta resources can I certify access to using Okta Access Certifications?

We support certifying access to Okta groups (Okta or app-sourced), Okta applications, as well as entitlements and entitlement bundles. 

 

Can I manually upload resource information using a CSV or a Flat file and run Access Certifications on that data?

Yes. Using Okta Workflows, you can load data exported from the downstream system as a CSV and either create an Okta group in your org from it or import your own entitlements (for example, roles and licenses) for a given resource. You can then use Okta Access Certifications to create a campaign for the new group or the updated entitlements.

 

How do I navigate to the Okta Access Certification Reviews app?

After you log in to the Okta End-User Dashboard, open the “Okta Access Certification Reviews” app tile; it takes you to the reviewer app.

Okta Access Certifications uses Okta's email notification system: anyone named as a reviewer in a campaign automatically receives an email when the campaign is launched, and can follow the link in that email directly to the Okta Access Certification Reviews app. Chat-based notifications are on the roadmap for a later date.

 

How does Okta do remediation once access to a resource is revoked by a reviewer during an audit campaign?

When creating a campaign, Okta Access Certifications allows you to choose if you want Okta to automatically take an action (e.g., remove a user) once a review decision (Approve/Revoke) has been submitted. You can also configure what should happen if a reviewer does not respond within the specified time of the campaign. Additionally, you can create your own custom remediation flow using Okta Workflows and use that for customized remediation.

In order to help you use Workflows for remediation, Okta has built some pre-configured Workflow templates for some of the most common remediation scenarios (e.g., create a ticket in downstream ITSM once a revoke decision has been made). 

If the existing templates do not meet your specific needs, feel free to contact your account team to find out about Workflow office hours.

 

What are some known limitations of remediating access?

The remediation option to revoke access has some known limitations based on how the user was assigned to an app or a group. If you have set Remove user from the resource as the remediation option, you may see the remediation status as “Manual Remediation Required” when:

  • The user was assigned to an application through a group.
  • The user was added to a group through group rules.
  • The user is a member of a group that is sourced from an application external to Okta.
  • The user was added to an entitlement via Entitlement policy.

 

As an admin, review items where automatic remediation was not possible are marked with an indicator that action is required. See Understand remediation in the product documentation for more details. To resolve access manually in these scenarios, Okta recommends the following actions, listed by resource and by how the access was assigned:

  • Application, assigned through Okta-sourced group membership: remove the user from the Okta-sourced group (for example, with Okta Workflows).
  • Application, assigned through app-sourced group membership (for example, an AD group): remove the user from the group in the source application (for example, in AD); Okta does not own that membership and cannot change it.
  • Okta-sourced group, assigned through group rules: remove the user from the group and add the user as an exception to the group rule; without the exception, the rule re-adds the user on its next evaluation.
  • App-sourced group, assigned through imports: remove the user from the group in the source application (for example, in AD) and run another import so Okta picks up the change.
  • Entitlement, assigned through policy rules: remove the entitlement for the user directly on the application in Okta.
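The group-rules row is the one most often scripted, because a plain removal is not durable. The following Python script, added here as an example and not Okta's own code, performs that row's recommended action through the Okta REST API: it finds every group rule that assigns to the group, adds the user to each rule's conditions.people.users.exclude list (deactivating and re-activating the rule around the update, since Okta does not accept edits to an active rule), and only then removes the membership. The org URL, token and all IDs are assumptions; fake_okta is a constructed in-memory stand-in so the flow can be run offline.

```python
"""Remediate a rule-managed group membership via the Okta REST API (the
'Okta-sourced group / group rules' row above). Added example, not Okta's code;
endpoints used: GET /api/v1/groups/rules, POST .../rules/{id}/lifecycle/{de,}activate,
PUT .../rules/{id}, DELETE /api/v1/groups/{gid}/users/{uid}. The transport is
injectable: okta_transport() for a real org, fake_okta() as a constructed stand-in."""
import json
import re
import urllib.error
import urllib.request

def okta_transport(org_url, token):
    """Real transport: one HTTPS request per call, SSWS API-token auth."""
    hdrs = {"Authorization": f"SSWS {token}", "Accept": "application/json",
            "Content-Type": "application/json"}
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(org_url + path, data=data, method=method, headers=hdrs)
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None
    return send

def rules_targeting(send, group_id):
    """Rules whose action assigns users to group_id (first page only; Link-header
    pagination of the rules endpoint is assumed unnecessary here)."""
    status, rules = send("GET", "/api/v1/groups/rules?limit=200")
    if status != 200:
        raise RuntimeError(f"listing group rules failed: HTTP {status}")
    return [r for r in rules if group_id in r["actions"]["assignUserToGroups"]["groupIds"]]

def exclude_user_from_rule(send, rule, user_id):
    """Add user_id to conditions.people.users.exclude. Okta rejects PUT on an ACTIVE
    rule, so deactivate first; the exclusion must be saved before re-activation or
    the re-evaluated rule simply puts the user back in the group."""
    excl = rule["conditions"].setdefault("people", {}).setdefault("users", {}).setdefault("exclude", [])
    if user_id in excl:
        return False
    excl.append(user_id)
    rid, was_active = rule["id"], rule.get("status") == "ACTIVE"
    if was_active:
        send("POST", f"/api/v1/groups/rules/{rid}/lifecycle/deactivate")
    status, _ = send("PUT", f"/api/v1/groups/rules/{rid}",
                     {k: rule[k] for k in ("type", "name", "conditions", "actions")})
    if status != 200:
        raise RuntimeError(f"updating rule {rid} failed: HTTP {status}")
    if was_active:
        send("POST", f"/api/v1/groups/rules/{rid}/lifecycle/activate")
    return True

def remediate_rule_membership(send, user_id, group_id):
    """The FAQ's recommended action: exception first, removal second. Returns changed rule IDs."""
    changed = [r["id"] for r in rules_targeting(send, group_id)
               if exclude_user_from_rule(send, r, user_id)]
    status, _ = send("DELETE", f"/api/v1/groups/{group_id}/users/{user_id}")
    if status not in (204, 404):  # 404: the rule re-evaluation already removed the user
        raise RuntimeError(f"removing {user_id} from {group_id} failed: HTTP {status}")
    return changed

def fake_okta(rules, members, matching):
    """Constructed stand-in. members: group id -> set of user ids; matching: users the
    rule expression selects when the rule is re-evaluated on activation."""
    def send(method, path, body=None):
        plain = path.split("?")[0]
        if (method, plain) == ("GET", "/api/v1/groups/rules"):
            return 200, json.loads(json.dumps(list(rules.values())))
        m = re.fullmatch(r"/api/v1/groups/rules/(\w+)(?:/lifecycle/(\w+))?", plain)
        if m and method == "POST" and m[2] in ("activate", "deactivate"):
            rule = rules[m[1]]
            rule["status"] = "ACTIVE" if m[2] == "activate" else "INACTIVE"
            if m[2] == "activate":  # re-evaluation: everyone matching, minus the exclusions
                excl = set(rule["conditions"]["people"]["users"]["exclude"])
                for gid in rule["actions"]["assignUserToGroups"]["groupIds"]:
                    members[gid] = (members.get(gid, set()) | matching) - excl
            return 200, rule
        if m and method == "PUT" and m[2] is None:
            if rules[m[1]]["status"] == "ACTIVE":
                return 400, None  # Okta: a rule cannot be edited while active
            rules[m[1]].update(body)
            return 200, rules[m[1]]
        m = re.fullmatch(r"/api/v1/groups/(\w+)/users/(\w+)", plain)
        if m and method == "DELETE" and m[2] in members.get(m[1], set()):
            members[m[1]].remove(m[2])
            return 204, None
        return 404, None
    return send

def demo():
    """Made-up org: an ACTIVE rule puts Engineering users into 00gENGTOOLS; a reviewer
    revoked 00uBOB's membership and the campaign flagged manual remediation."""
    rules = {"0prRULEA": {
        "id": "0prRULEA", "type": "group_rule", "status": "ACTIVE", "name": "eng-tools",
        "conditions": {"people": {"users": {"exclude": []}},
                       "expression": {"type": "urn:okta:expression:1.0",
                                      "value": 'user.department=="Engineering"'}},
        "actions": {"assignUserToGroups": {"groupIds": ["00gENGTOOLS"]}}}}
    members = {"00gENGTOOLS": {"00uALICE", "00uBOB"}}
    send = fake_okta(rules, members, matching={"00uALICE", "00uBOB"})
    changed = remediate_rule_membership(send, "00uBOB", "00gENGTOOLS")
    rule = rules["0prRULEA"]
    return changed, members["00gENGTOOLS"], rule["conditions"]["people"]["users"]["exclude"], rule["status"]
```

To run it against a real org, build the transport with okta_transport("https://your-org.okta.com", token) (placeholder URL) using a token from an admin who is allowed to manage groups and group rules, and pass it in place of the fake. The fake models re-activation as a full re-evaluation of the rule, which is exactly why the exclusion is written before the rule goes back to ACTIVE, and why a 404 on the final DELETE is treated as success rather than as an error.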

 

Can I trigger a campaign on-demand (e.g., when a user moves to a different role) to make certification campaigns more continuous in nature?

Yes. User campaigns are available in Access Certifications and can be triggered from Okta Workflows, for example from a flow that reacts to a change in a user's profile or group membership. Learn more in the product documentation.

 

Can I schedule a campaign to run periodically (e.g., once every three months)?

Yes, when building a campaign, admins have the option to “Make this recurring” and define the campaign's recurrence cadence.

 

Entitlement Management

What is Entitlement Management?

Entitlement Management (EM) is a set of capabilities introduced as part of Okta Identity Governance for managing and governing fine-grained entitlements and permissions for SaaS applications and infrastructure, with a cloud-first approach. EM gives customers central visibility of which users hold which levels of access across multi-cloud and hybrid environments, and lets IT and Compliance teams:

  • put the right business process and automation in place 
  • ensure only the right users get the right level of access to the right resources at the right time

 

What new capabilities are available with Entitlement Management?

Okta is introducing multiple new capabilities with Entitlement Management, including, but not limited to, the ability to: 

  • Discover entitlement data from any SaaS or hybrid application and bring it into Okta
    • Achieved through out-of-the-box (OOTB) connectors, Okta Workflows, or your own SCIM connectors
  • Create attribute-based rules (ABAC) for who gets access to which entitlements
  • Create entitlement bundles, which are groupings of entitlements for any application
  • Use Access Requests and approvals to request elevated access to any application
  • Run Access Certification campaigns for any specific role or entitlement
  • View centralized reports on which users have access to which entitlements, along with their governance trail

 

Are there any help articles or product documentation I can use to familiarize myself with Entitlement Management?

Visit Okta’s Help site for Entitlement Management help docs.
 

Do you have any public-facing API docs for Entitlement Management?

Visit Okta Identity Governance API docs here.

 

What are some new concepts that are introduced with Entitlement Management?

 

  • Entitlement: the category of permission that lets users perform specific actions in an application. For example: Role, License.
  • Entitlement value: a specific value of an entitlement that can be set for users. For example: Business Operations Manager may be an entitlement value of Role.
  • Bundle: a collection of related entitlement and entitlement-value pairs that is assigned together as a single unit. For example: a Business Ops bundle may include Role: Business Operations Manager and License: Standard.
  • Policy: programmatic rules that use user attributes to automate entitlement assignment. For example: if the user's department is BizOps, assign Role: Business Operations Manager.
  • Grant: the individual instance or event that changes a user's entitlements. For example: John may receive a policy grant that assigns him Role: Business Operations Manager; if he later requests additional entitlements, each approved request creates a further grant for John.
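To make the relationships between these concepts concrete, here is a small Python model, added as an example and not Okta's implementation: policies are predicates over profile attributes that produce policy grants, an approved bundle request produces one request grant per value, effective access is the union of grants keyed by (entitlement, value) together with their sources, and a reviewer's revoke removes only request grants. That last point is the "added to an entitlement via Entitlement policy" case from the remediation limitations in the Access Certifications section: if a policy grant still covers the value, the revoke leaves the access in place and the review item needs manual remediation. The user, policy, bundle contents and request ID are all made up.

```python
"""Toy model of the Entitlement Management concepts above. Added example, not
Okta's implementation; every user, policy, bundle and ID here is made up.
It also models the remediation limitation from the Access Certifications
section: a reviewer's revoke removes the request grant, but a policy grant
for the same value keeps the access in place until the policy itself changes."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Value = Tuple[str, str]  # (entitlement, entitlement value), e.g. ("Role", "Business Operations Manager")


@dataclass(frozen=True)
class Grant:
    """One event that changes a user's entitlements, tagged with why it exists."""
    user: str
    value: Value
    source: str  # "policy:<name>" or "request:<id>"


@dataclass
class Policy:
    name: str
    matches: Callable[[dict], bool]  # predicate over user profile attributes (ABAC)
    assigns: List[Value]


@dataclass
class Bundle:
    name: str
    values: List[Value]


def policy_grants(user: str, profile: dict, policies: List[Policy]) -> List[Grant]:
    """Grants a user earns automatically from every policy whose rule matches."""
    return [Grant(user, v, f"policy:{p.name}")
            for p in policies if p.matches(profile) for v in p.assigns]


def request_grants(user: str, bundle: Bundle, request_id: str) -> List[Grant]:
    """An approved access request for a bundle becomes one grant per value in it."""
    return [Grant(user, v, f"request:{request_id}") for v in bundle.values]


def effective_access(user: str, grants: List[Grant]) -> Dict[Value, Set[str]]:
    """What the user can do, with every grant source that still justifies each value."""
    access: Dict[Value, Set[str]] = {}
    for g in grants:
        if g.user == user:
            access.setdefault(g.value, set()).add(g.source)
    return access


def reviewer_revoke(user: str, value: Value, grants: List[Grant]) -> Tuple[List[Grant], bool]:
    """Automatic remediation of a revoke decision: drop the request grants for the value.
    Returns the remaining grants and whether manual remediation is still required
    because a policy grant keeps the value assigned."""
    remaining = [g for g in grants
                 if not (g.user == user and g.value == value and g.source.startswith("request:"))]
    manual_required = any(g.user == user and g.value == value for g in remaining)
    return remaining, manual_required


# Constructed scenario mirroring the concept list: BizOps policy, Business Ops bundle, user John.
POLICIES = [Policy("bizops-role", lambda p: p.get("department") == "BizOps",
                   [("Role", "Business Operations Manager")])]
BIZOPS_BUNDLE = Bundle("Business Ops", [("Role", "Business Operations Manager"),
                                        ("License", "Standard")])


def demo() -> Tuple[Dict[Value, Set[str]], bool, bool]:
    john = {"department": "BizOps"}
    grants = policy_grants("john", john, POLICIES)
    grants += request_grants("john", BIZOPS_BUNDLE, "req-42")
    before = effective_access("john", grants)
    # A reviewer revokes the Role; the policy grant survives, so the item needs manual work.
    grants, role_needs_manual = reviewer_revoke("john", ("Role", "Business Operations Manager"), grants)
    # Revoking the License removes its only grant, so remediation completes automatically.
    grants, license_needs_manual = reviewer_revoke("john", ("License", "Standard"), grants)
    return before, role_needs_manual, license_needs_manual
```

The useful habit this encodes is to key effective access by (entitlement, value) and keep every source behind it: a revoke is only complete when no source remains, which is what separates the automatic case from the "Manual Remediation Required" one.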

 

How can I enable Entitlement Management for an eligible application in my Okta Org?

On the General tab of the eligible application, find the Identity Governance - Governance Engine section, click Edit, and then select Enable.

 

Where can I see more information on Entitlement Management?

See the Entitlement Management FAQs here.

 

Governance-Focused Reports


How are these new reports different from what already exists within Okta today?

The reports introduced as part of Okta Identity Governance offer significant improvements along three dimensions:

  • Breadth of data presented 
  • Admin experience
  • Scale

Our governance-focused reports combine data from multiple sources, aiming to provide admins with all the information they need in a single report. These reports give admins more flexibility to manipulate and extract data from Okta. 

 

Do you have any product documentation to help me navigate Governance-Focused Reports?

Yes, please use this documentation for information on how to use Governance-Focused Reports.

 

Is the data available in the Reports user interface all that is available?

The data presented in the Reporting interface of the Okta Admin Dashboard represents only a subset of the data contained in reports. For visibility and ease of consumption, Okta has included the fields necessary to help you understand which users have access to a resource and how they were granted access, as well as the ability to narrow down the dataset using filters. To view the full dataset, you can export it to a CSV, which contains all columns. For example, the CSV export of a report will contain the ID for resources like applications and groups, which may be useful for automation built using Okta Workflows.

 

I just made a change to a user’s access in Okta. When can I expect to see this in reports?

Changes in Okta are synced to the Reporting platform periodically, several times a day. As a result, actions such as adding or removing a user from a Group or assigning or unassigning a user (or group) from an application or entitlement will not be reflected in Governance-Focused Reports immediately. If you know that a change has been made recently and want to see it reflected in these reports, please wait a few hours for this change to be captured.

 

Can I run a report on a scheduled basis or use an API to generate a report?

No, not at this time. Scheduling a report to run automatically and documented API endpoints for generating Governance-Focused Reports are not available in the Beta; both are under consideration for the future roadmap.

 
