Access Certification (or recertification, attestation campaigns) is a key capability in any Identity Governance product, and it is the one most likely to cause friction with business users. If you’re responsible for running an aspect of the business, recertifying the access of your direct reports is probably not high on the priority list. So it’s important that the process to review access is as straightforward and usable as possible.
Overview
Okta has gone to great lengths to make the user review interface as simple and usable as possible. But up until now the column headings and attributes displayed when reviewing an Access Certification Campaign were fixed and many customers have asked for the ability to modify the attributes used.
This new feature makes user reviews more flexible and will allow:
- Specification of the attributes to appear in a review,
- The ability to sort and size the columns on the review summary page,
- The ability to filter the reviews by attributes, and
- The ability for the reviewer to select the attributes displayed on the summary page
Applies To
- Access Certifications
Solution
Step 1: Configuration of the New Feature
When you navigate to the Identity Governance > Access Certifications menu item, you will notice the page has changed subtly. The previous Active, Scheduled and Closed tabs are now selection boxes (with the number of each shown). In the example below, the Active campaigns are showing (and there is one of them).
There are now two tabs, Campaigns and Settings, with Campaigns being the default view.
The Settings tab contains the new contextual information, i.e. the attributes presented for users, resources and other. This information may vary depending on enabled features or mapped attributes.
The Edit button allows changing the attributes, with pull-down sections for each.
The User information section allows for selection/deselection of base and custom attributes (for example the Department ID attribute is a custom attribute). Your instance and attributes may vary.
Also, these sections may include newer features over time.
The Resource information section contains attributes for the applications, groups and entitlements to be reviewed.
Additional Information is the last section that is visible. This example shows Recommendation and Risk Level, which relate to a new feature called Governance Analyzer. Once available, these options will also be visible in your tenant.
Modify the new context for a specific campaign.
Review Summary Changes
When the reviewer opens the new campaign, they will see some changes compared with before.
They are:
- Filters – there is a list of active filters, and a button to set/manage the filters
- A Sort option for each of the columns
- Flexible columns – where you have modified the columns in the Settings page
- Resize bars – so you can resize the width of the columns
- A Menu icon for more actions – the only current option is to customize the view
Let’s look at these.
Filters
You can apply filters on any default attribute available to the campaign.
Some require exact matches, some can use Contains/Starts with. When selecting items like resources, you will get a matching dropdown list. You can have multiple conditions in the filter.
This results in a filtered view.
You can remove filters by clicking the cross icon in the filter bar, or by going back into the filter edit screen and changing them there.
Sort Option
Selecting any of the column headings sorts by that column, and you can toggle between ascending and descending.
Column Resizing
You can grab the resize bars and move them to see more/less of a column (there are minimum widths).
Changing the Columns
For example, removing email and adding the two description attributes results in the columns changing.
Note that if you have too much info to display, you get a scroll bar at the bottom.
Review Details Changes
The attributes shown on the slide-out Review Details panel reflect those selected in the Access Certification campaign Settings page.
In this case some user details were removed and the Current Project added, and some of the Resource details have changed as per the Settings changes.
The reviewer cannot select which of these are displayed.
Conclusion
This article has explored the new customizable access certification reviewer context feature in Okta Identity Governance. It introduces a number of changes, such as: selecting which attributes are displayed in a campaign; changing, sorting and sizing of columns; and filtering of data.
Businesses can apply a blanket set of attributes that make sense to them. Perhaps not all the standard user profile attributes are used, but they have custom ones they want to show to the reviewer. This feature allows that.
It also makes the review process more usable for the reviewer, giving them greater control over the review information they are presented with and use to make review decisions.
Together these changes make access certification campaigns more consumable and usable, meaning business users are more likely to do them rather than avoiding them.
Related References
Training:
We’ve put together other resources below that can help you as you become familiar with Okta Identity Governance:
- We share two videos about Access Certification campaigns and Access Request in this article: Okta Identity Governance
- Corporate blog: Okta Identity Governance: A Unified IAM and Governance Solution
- How to Grant entitlements via API
- Guide on how to use the Okta Identity Governance APIs
Learn about the new capabilities available, Access Requests, Access Certifications, and more in this FAQ: Identity Governance FAQs
