In our continuing effort to improve our customers’ security posture, approvals will now be required for Read-Only Impersonation Access and for Support Access on a self-assigned case.
-
Read-Only Impersonation Access will now be tied directly to a support case and only accessible by the Okta Support team members associated with the case.
-
If an Okta Support Agent creates a case and assigns it to themselves, extra approval will be required for support access
This article provides details on how to approve an Impersonation Access Request. For additional details about approving a Support Access request for a self-assigned case, refer to Approving a Support User Grant for a Self-Assigned Case.
- Okta Classic Engine
- Okta Identity Engine (OIE)
- Read-Only Impersonation Access
How is a request for read-only impersonation for an Okta Support case approved?
Okta Support Engineers may request read-only impersonation access to troubleshoot a support case. This request will require customer approval. The system does not send an automatic notification when the request is made. The Support Engineer needs to request approval for this access directly.
A Super Admin for the organization or the Admin who entered the case must approve these requests. Requests for both Impersonation for Support cases and Support Access for self-assigned cases are approved from the account settings page.
To approve a request for read-only impersonation for a support case:
-
Access the Okta Admin Console.
-
Choose Settings > Account.
-
Select Edit next to Give Access to Okta Support to view the approval requests.
-
Locate the request that displays for the specific case number under Impersonation for Support Cases.
-
Select the Grant impersonation checkbox to approve the request.
-
Review the expiration date and time. Expiration is set to 8 hours by default.
Frequently Asked Questions
How is Read-Only Impersonation Access revoked?
Admins can revoke Read-Only Impersonation Access by clearing the checkbox. Clearing this checkbox immediately removes the access.
Okta does not provide a reject button for these requests. Leaving the checkbox cleared denies the read-only impersonation grant request.
Who can approve Impersonation Access Requests?
The Super Admin for the organization and the Admin who entered the case can approve these requests.
How long does a Read-Only Impersonation Access request display in the dashboard?
The Read-Only Impersonation Access request will display in the dashboard as long as the case is open. Once the case closes, it no longer displays.
When can the expiration date on a request be extended?
Admins can extend the expiration date at any time while the case remains open, including while the request is active and after it expires.
Select the Extend access by 1 day link to add an additional 24 hours from the time the link is clicked to the expiration date and time. Admins can select this option both prior to the initial expiration or after the initial request expires.
NOTE: The Extend access by 1 day selection is not stackable. For example, Admins can select the option to extend access for an additional 24 hours. However, Admins cannot immediately select it again to extend access for 48 hours.
When Admins grant Read-Only Impersonation Access on the case, who has access?
This access is specific to the case, and the read-only impersonation approval applies only to Okta Support personnel who require access to continue troubleshooting.
Related References
