Using Multi Level Reviews in Access Certification
To deliver the most impactful access certification reviews for your organization’s most sensitive resources, it’s often necessary to have multiple levels of reviews. Here’s how to create those certifications with OIG.
OVERVIEW
Organizations are increasingly relying on governance to not only meet compliance challenges, but as a critical component of a least privilege approach to security. Building access certification campaigns that have multiple levels of reviewers can help security and IT teams keep an organization’s most sensitive resources secure while meeting compliance thresholds. With OIG, Access Certification campaigns can support one or two levels of reviews. This functionality supports not only an additional review layer but also enhances the notifications supported.
APPLIES TO
- Access Certifications
SOLUTION
To create a new Access Certification:
- Log into Okta as an Administrator with the Access Certification role or as a Super Admin.
- Select the Identity Governance menu.
- Select the Access Certification application.
- Locate and click the blue + Create campaign button.
- Fill out each step to create a campaign.
Create campaign screen
Step 1: General
- Enter the name of the campaign.
- Enter an optional description. The description is visible to the reviewer and can be used as part of a verification rule.
- Select the start date, time and time zone.
- Select the duration the campaign will run. Note: A duration of at least 8 days is required to support multiple levels of reviewers.
- Optionally, select Make this recurring and set up the related options as needed.
- Click the Next button.
Step 2: Selecting Resources
- Select your resource type, then select the associated resources by typing the names of the applications or groups that currently exist in Okta. See the following image.
- Click the Next button.
Step 3: Users
- Select either All Users assigned to the selected resources, or use Okta Expression Language to isolate a subset of the users already assigned to the resources selected in Step 2.
NOTE: To create a subset of users, follow the links to the guide on the Okta Expression Language or the sample expressions.
- Select any exclusions as needed by checking the Exclude users from the campaign checkbox.
- Click the Next button.
Step 4: Reviewer
Multi-level review offers the same reviewer types as single-level review, but adds a second layer of review on top of it.
NOTE: If you are reviewing Applications, the Group Owner option is grayed out because it is not a supported review type for applications. Also, the same person cannot be the reviewer at both levels.
- Select the First-level reviewer by clicking the appropriate box on the screen.
NOTE: The options applicable to the selected reviewer type are displayed. Clicking the Pencil icon to the right of the reviewer type takes you back to the previous selection screen.
- Select Preview Reviewer and verify your settings.
| Reviewer Type | Explanation |
|---|---|
| User | Specify the single user in the search to assign. |
| Manager | Specify the Fallback Reviewer in case the managerId attribute of the user being reviewed isn’t populated with their manager’s Okta account login. |
| Group | Select the group that will be the reviewers. |
| Group Owner | Only applies if reviewing Resource Type of Group, specify the Fallback Reviewer. |
| Custom | Enter in the Okta Expression Language to search another attribute within the user's profile to locate a user’s account login that will be the reviewer. Specify the Fallback Reviewer. |
For Multi-level Reviewer setup:
- Click + Add level.
- Follow the same steps as for the single-level reviewer above, except that the reviewer type selected for the first level cannot be reused for the second level.
- Select Preview 2nd level Reviewer and verify your settings. The reviewer types and their fallback options are the same as in the table above.
When multi-level reviews are configured, Additional Settings become available.
- Select which decisions go to the second level.
These settings define which first-level decisions (approved, revoked, or both) are passed to the second-level reviewer and when the second-level review starts.
Second-level reviewers only see the items that move on to the second level. If the second-level reviewer should see every item, pass on both approved and revoked decisions.
NOTE: Campaigns shorter than 8 days do not support a 2nd-level review flow. Items that the first-level reviewer has not completed before the second-level review begins are marked as overdue; enable the overdue notifications so that those reviewers are alerted and can complete their reviews quickly.
- Expand the Notification settings section.
- Choose the notifications you want sent as part of this campaign.
- If you decide to go back to a single-level review for the campaign, click the Remove Level button on the screen.
- Click the Next button.
Step 5: Remediation
- Select the appropriate remediation for each case using the radio buttons.
| Event | Options |
|---|---|
| Reviewer revokes access | Don’t take any action / Remove user from resource |
| Reviewer does not respond | Don’t take any action / Remove user from resource |
- Click the Schedule Campaign button to finish creating the campaign.
- From there you can wait for the scheduled start time, or as an Admin you can Launch, Edit or Delete the scheduled campaign.
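As an added illustration (constructed model, not Okta's code or API), the following Python captures the rules this article states for a two-level campaign: the 8-day minimum, no reuse of the reviewer type at the second level, Group Owner not applying to applications, fallback to the Fallback Reviewer when the managerId attribute is empty, and routing of first-level decisions to the second level with undecided items marked overdue. The sample logins, profiles and the "Application" label are assumptions.

```python
# Constructed model of the multi-level review rules this page describes.
# Illustrative code, not Okta's implementation; the sample logins and the
# "Application" resource-type label are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MIN_DURATION_DAYS_FOR_TWO_LEVELS = 8  # stated minimum for a 2nd-level flow


@dataclass
class Level:
    reviewer_type: str              # User, Manager, Group, Group Owner or Custom
    reviewer: Optional[str] = None  # login (User) or group name (Group)
    fallback: Optional[str] = None  # Fallback Reviewer for Manager/Group Owner/Custom
    attribute: str = "managerId"    # profile attribute consulted for Manager/Custom

def validate_campaign(duration_days: int, levels: List[Level], resource_type: str) -> List[str]:
    """Return the page's configuration constraints that are violated (empty = OK)."""
    problems = []
    if len(levels) == 2:
        if duration_days < MIN_DURATION_DAYS_FOR_TWO_LEVELS:
            problems.append("duration must be at least 8 days for a 2nd-level review")
        if levels[0].reviewer_type == levels[1].reviewer_type:
            problems.append("reviewer type cannot be reused in the 2nd level")
    if resource_type == "Application" and any(l.reviewer_type == "Group Owner" for l in levels):
        problems.append("Group Owner is not a supported type when reviewing applications")
    return problems

def resolve_reviewer(level: Level, profile: Dict[str, str]) -> Optional[str]:
    """Pick the reviewer for one user; an empty attribute means the Fallback Reviewer."""
    if level.reviewer_type in ("User", "Group"):
        return level.reviewer
    if level.reviewer_type in ("Manager", "Custom"):
        return profile.get(level.attribute) or level.fallback
    return level.fallback  # Group Owner: group ownership data is not modelled here

def route_decisions(first_level: Dict[str, Optional[str]], forward: Set[str]) -> Tuple[List[str], List[str]]:
    """first_level maps item -> "approved", "revoked" or None (not yet decided).
    forward is the set of decisions configured to move to the 2nd level.
    Returns (items the 2nd-level reviewer sees, items marked overdue)."""
    second = [item for item, d in first_level.items() if d in forward]
    overdue = [item for item, d in first_level.items() if d is None]
    return second, overdue

# Constructed sample: manager review first, a named app owner second.
LEVELS = [Level("Manager", fallback="fallback.admin@example.com"),
          Level("User", reviewer="app.owner@example.com")]
PROFILES = {"alice": {"managerId": "bob@example.com"}, "carol": {}}
```

Running `validate_campaign(7, LEVELS, "Application")` reports the duration problem, and `route_decisions` with only revoked decisions forwarded shows why approved items are invisible to the second reviewer unless both decisions are passed on.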
