Overview
Admin role-centric access certification campaigns enable organizations to align the need of admin access privileges with the principle of least privilege admin roles and granting users only the necessary admin access required to fulfill their day to day operation work or responsibilities. This approach minimizes the risk of having standing admin roles, access, insider threats, and data breaches, as admin permissions are tailored to an individual's role and responsibilities.
Applies To
- Access Certifications
Solution
To create a new Access Certification:- Log into Okta as an Administrator with the Access Certification role or Super Admin.
- Select Identity Governance menu.
- Select Access Certification application.
- Locate and click the blue + Create campaign button.
- Select Resource Campaign.
- Fill out each step to create a campaign.
Create campaign screen
Step 1: General
- Enter the name of the campaign.
- Enter an optional description.
- The description is visible to the reviewer and can be used as part of a verification rule.
- Select the Start date / Start time and time zone.
- Select the Duration of time the campaign will run. NOTE: A duration of at least 8 days is required as a minimum to support multiple levels of reviewers.
- Select Make this recurring and set up those related options as needed if desired.
- Click the Next button.
Step 2: Resources
Option : Applications
- Select Applications from the dropdown.
- Enable Review entitlements toggle button.
- Use the Select application box to pick Okta Admin Console as an application.
- Use the Select Scope box to pick an option of All entitlements and Bundles or select Specific entitlements and bundles to limit the campaign scope.
- Click Next.
Step 3: Users
Select the user's scope for this campaign. Your options are:
- Option 1: All users assigned to the selected resources
- Option 2: Specify users in scope
- Select Specify user scope.
- Use the Scope Users box to type in an Okta Expression to identify users based upon Okta Expression Language. Feel free to click Sample expressions or the Okta Expression Language guide as reference.
- Click Next.
Step 4: Reviewer
The Multi level reviewer offers some of the same types of possible reviewers but now includes more than the single layer reviews.
NOTE: If you are reviewing Applications, the Group Owner will be grayed out as that is not a supported review type. Also the same person cannot be both levels of reviewers.
- Select the First-level reviewer by clicking the appropriate box on the screen.
NOTE: Options applicable to the reviewer that was selected will be displayed. Clicking the Pencil icon to the right of the reviewer type will bring you back to the previous selection screen.
- Select Preview Reviewer and verify your settings.
|
Reviewer Type |
Explanation |
|---|---|
|
User |
Specify the single user in the search to assign. |
|
Manager |
Specify the Fallback Reviewer in case the managerId attribute of the user being reviewed isn’t populated with their manager’s Okta account login. |
|
Group |
Select the group that will be the reviewers. |
|
Group Owner |
Only applies if reviewing Resource Type of Group, specify the Fallback Reviewer. |
|
Custom |
Enter in the Okta Expression Language to search another attribute within the user's profile to locate a user’s account login that will be the reviewer. Specify the Fallback Reviewer. |
For Multi level Reviewer setup:
- Click + Add level.
- Follow the same steps for the Single Level reviewer above, except the Reviewer type, which cannot be reused if selected in the first level review.
- Select Preview 2nd level Reviewer and verify your settings.
|
Reviewer Type |
Explanation |
|---|---|
|
User |
Specify the single user in the search to assign. |
|
Manager |
Specify the Fallback Reviewer in case the managerId attribute of the user being reviewed isn’t populated with their manager’s Okta account login. |
|
Group |
Select the group that will be the reviewers. |
|
Group Owner |
Only applies if reviewing Resource Type of Group, specify the Fallback Reviewer. |
|
Custom |
Enter in the Okta Expression Language to search another attribute within the user's profile to locate a user’s account login that will be the reviewer. Specify the Fallback Reviewer. |
When multi level reviews are configured, Additional Settings are available to configure.
- Select the option for which decision go to the second level.
These settings allow you to define which decisions may or may not be reviewed by the second level reviewer and when the second level review should start.
Second level reviewers will have visibility into only items moving onto the second level. When that second level reviewer should see all items, it is recommended to pass on both approved and revoked decisions.
NOTE: Reviews less than 8 days will not support a 2nd level review flow. Items not completed by the first level reviewer before the second level review begins will be marked as overdue, and it’s recommended to enable the overdue notifications so that these reviewers know and complete their reviews quickly.
- Expand the Notification settings section.
- Choose the notifications you want to be sent as part of this campaign.
- If you decide to go back to a Single level review for the campaign, simply click the Remove Level button on the screen.
- Click the Next button.
Step 5: Remediation
- Select the appropriate remediation steps by selecting the appropriate radio button.
|
Reviewer revokes Access: | |
|
Don’t take any Action |
Remove user from resource |
|
Reviewer does not respond: | |
|
Don’t take any Action |
Remove user from resource |
- Click the Schedule Campaign button to finish creating the campaign.
- From there you can wait until the time scheduled to start or as an Admin you can Launch, Edit or Delete a scheduled campaign.
Related References
