Employee / Self Service Campaigns via Workflow
Identity Governance
Okta Classic Engine
Okta Identity Engine
Overview

To deliver the most impactful access certification reviews for an organization's most sensitive resources, it is powerful to let a manager or end user request a review of their own or others' access. This article shows how to create that Request Type and the resulting User Campaigns with Okta Identity Governance (OIG).

User-centric access certification campaigns let organizations align access privileges with the principle of least privilege, granting users only the access required to fulfill their responsibilities. This minimizes the risk of unauthorized access, insider threats, and data breaches, because access permissions are tailored to each individual's role and responsibilities. It also opens the door to event-driven governance, where security events trigger user-based campaigns reactively. Combined with Access Requests and approvals, this allows managers to review their employees' access and users to self-manage their access with approvals.

Applies To
  • Access Certifications
  • Access Requests
  • Okta Workflows
Solution

Assumptions

  • Okta Workflows has been connected to the test Okta instance.
  • This article assumes some familiarity with Okta Workflows.
  • Permissions have been granted to allow an Access Request to call a workflow.
  • An Access Request will be built to call this workflow.
  • Users are allowed to self-review their access.
  • Managers need to review other employees' access.
  • Users in the scope of review are in the audience of the Access Request Type.
  • Users in the Okta tenant have the managerId profile field populated with the username of their manager, or of some other user who will act as an approver for governance-related approvals.
  • The example workflow shows a basic flow for testing in a non-production environment. Additional steps based on each customer's standards should be taken into account before using it in production.

Steps

  1. Open the Okta Identity Governance API documentation and locate the API reference for Campaigns. Refer to the guide, Guide on using the Okta Identity Governance APIs, for more information.
  2. Log in to Okta as a Super Admin and open the Okta Workflows console.
  3. Create a new flow and name it by clicking the pencil next to Unnamed. Enter the name, select the option to save all data that passes through the flow, and save.
  4. Add an Event and select Delegated Flow under Okta Apps. This is required to call a workflow directly from an Access Request.
  5. Within the Okta Delegated Flow card, add three inputs. The default is a text format.
  6. Name them email, reviewItem, and reason, as seen in the image.

[Image: Delegated Flow card]

  7. Click the Add app action button. Under Okta, search for the Find Users card. Under Result Set, select First Matching Record.
  8. Uncheck the options so that only the Query input and the ID output are selected, as seen in the image. Click Save.

[Image: Find Users card, Result Set]

NOTE: Make sure the Okta connection is also configured. Otherwise, set up the connection to Okta first.

 

  9. Select the ID in the Result section of the card and select Customize. Rename it to requestors_id.

[Image: Customize the ID output and rename it to requestors_id]

  10. Drag the email input from the first card (Delegated Flow) over to the Query input on the Okta Find Users card. This value is passed from the Access Request to the workflow and is used to look up the requesting user.

[Image: Delegated Flow]

  11. Click the Add app action button, locate Okta again, and add the Okta Read User card. Select the Output fields so the card matches the image. Then drag the requestors_id field from the Okta Find Users card over to the ID or Login field.

[Image: Read User card]

 

Link the two cards as seen below:

[Image: Linked cards]

 

  12. Click the Add app action button, locate Okta again, and add another Find Users card. In the Result Set, select First Matching Record and click Save. Uncheck all Output fields except ID, and rename the ID result field to managers_Id.

[Image: Find Users card, Customize field ID]

Next, drag the ManagerID field of the Okta Read User card over to the Query field of the second Okta Find Users card. It should look like this.

[Image: ManagerID field mapped to the Query field]

  13. Click the Add function button and select Now under the Date & Time menu.
  14. Click the Add function button and select Add under the Date & Time menu. Enter 1 in the add field and select minutes under units. Drag the date field from the Now card over.

[Image: Date & Time menu]

Rename the output field to date_time_plus_1_min. The end result should look like this.

[Image: Output field renamed to date_time_plus_1_min]

  15. Click the Add function button and select the Compose card. Paste the following text into that Compose card. The values First name, Last name, date_time_plus_1_min, requestors_id and managers_Id are placeholders that are replaced with fields dragged from earlier cards in the next step:

    {
      "name": "Self Service Self Review of First name Last name",
      "description": "Review access of any applications/groups/entitlements granted!",
      "campaignType": "USER",
      "scheduleSettings": {
        "type": "ONE_OFF",
        "startDate": "date_time_plus_1_min",
        "durationInDays": 10,
        "timeZone": "America/New_York"
      },
      "resourceSettings": {
        "type": "APPLICATION_AND_GROUP",
        "targetResources": [],
        "excludedResources": [],
        "individuallyAssignedAppsOnly": false,
        "individuallyAssignedGroupsOnly": false,
        "includeEntitlements": true,
        "onlyIncludeOutOfPolicyEntitlements": false
      },
      "principalScopeSettings": {
        "type": "USERS",
        "userIds": [
          "requestors_id"
        ]
      },
      "reviewerSettings": {
        "type": "MULTI_LEVEL",
        "reviewerLevels": [
          {
            "reviewerId": "requestors_id",
            "type": "USER",
            "startReview": {
              "onDay": 0
            }
          },
          {
            "reviewerId": "managers_Id",
            "type": "USER",
            "startReview": {
              "onDay": 5,
              "when": "LOWER_LEVEL_APPROVES_OR_REJECTS"
            }
          }
        ]
      },
      "remediationSettings": {
        "accessApproved": "NO_ACTION",
        "accessRevoked": "DENY",
        "noResponse": "NO_ACTION"
      },
      "notificationSettings": {
        "notifyReviewerWhenReviewAssigned": true,
        "notifyReviewerAtCampaignEnd": true,
        "notifyReviewerWhenOverdue": true,
        "notifyReviewerDuringMidpointOfReview": true,
        "notifyReviewPeriodEnd": true
      }
    }

Replace each placeholder by dragging the corresponding field from the earlier cards into the Compose card (in the Workflows editor these dragged fields are highlighted in blue). The last part of this step is to rename the output of the Compose card to campaign_json_body.

      • First name = mapped from the Okta Read User card
      • Last name = mapped from the Okta Read User card
      • date_time_plus_1_min = mapped from the Date Add card
      • requestors_id = mapped from the first Okta Find Users card (the renamed ID output)
      • managers_Id = mapped from the second Okta Find Users card

[Image: Workflow]

  16. Click the Add function button and add another Compose card, just like the previous step. This time, enter /governance/api/v1/campaigns in the card.

[Image: Compose card containing /governance/api/v1/campaigns]

  17. Click the Add app action button and select the Custom API Action card listed under Okta. Select POST, then click Save. Then select only the Body checkbox under Inputs.

[Image: Custom API Action card]

  18. The last step before executing the flow is to drag the output of the two Compose cards to the Custom API Action card: the /governance/api/v1/campaigns Compose card to Relative URL, and campaign_json_body to Body.

[Image: Custom API Action card with inputs mapped]

  19. Click Save and make sure the flow is Active and ready to run.

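The campaign body the Compose card assembles, as an added Python example that is not part of the Okta article: it builds the same JSON from the values the earlier cards produce, then checks the two failure modes the flow itself does not catch (a managerId that resolves to nobody, or to the requestor, which would leave the "second level" as another self-review) before the Custom API Action card would POST it. User IDs and names are constructed placeholders.

```python
"""Added example (not from the Okta article): build the OIG campaign body the
Compose card produces and sanity-check it before it is POSTed."""
from datetime import datetime, timedelta, timezone

CAMPAIGNS_PATH = "/governance/api/v1/campaigns"  # path used in the article's second Compose card


def build_campaign_body(first, last, requestors_id, managers_id, now=None):
    """Mirror the Compose card: one-off USER campaign, requestor reviews first, manager second."""
    now = now or datetime.now(timezone.utc)
    start = (now + timedelta(minutes=1)).replace(microsecond=0)  # the Date Add card's +1 minute
    return {
        "name": f"Self Service Self Review of {first} {last}",
        "description": "Review access of any applications/groups/entitlements granted!",
        "campaignType": "USER",
        "scheduleSettings": {"type": "ONE_OFF", "startDate": start.isoformat().replace("+00:00", "Z"),
                             "durationInDays": 10, "timeZone": "America/New_York"},
        "resourceSettings": {"type": "APPLICATION_AND_GROUP", "targetResources": [], "excludedResources": [],
                             "individuallyAssignedAppsOnly": False, "individuallyAssignedGroupsOnly": False,
                             "includeEntitlements": True, "onlyIncludeOutOfPolicyEntitlements": False},
        "principalScopeSettings": {"type": "USERS", "userIds": [requestors_id]},
        "reviewerSettings": {"type": "MULTI_LEVEL", "reviewerLevels": [
            {"reviewerId": requestors_id, "type": "USER", "startReview": {"onDay": 0}},
            {"reviewerId": managers_id, "type": "USER",
             "startReview": {"onDay": 5, "when": "LOWER_LEVEL_APPROVES_OR_REJECTS"}}]},
        "remediationSettings": {"accessApproved": "NO_ACTION", "accessRevoked": "DENY", "noResponse": "NO_ACTION"},
        "notificationSettings": {k: True for k in (
            "notifyReviewerWhenReviewAssigned", "notifyReviewerAtCampaignEnd", "notifyReviewerWhenOverdue",
            "notifyReviewerDuringMidpointOfReview", "notifyReviewPeriodEnd")},
    }


def check_campaign_body(body):
    """Problems worth catching before the POST; an empty list means the body looks sane."""
    problems = []
    levels = body["reviewerSettings"]["reviewerLevels"]
    reviewers = [lv["reviewerId"] for lv in levels]
    if "" in reviewers or None in reviewers:
        problems.append("empty reviewerId: the managerId lookup returned no user")
    if len(set(reviewers)) < len(reviewers):
        problems.append("manager resolved to the requestor: the second level is also a self-review")
    duration = body["scheduleSettings"]["durationInDays"]
    if any(lv["startReview"]["onDay"] >= duration for lv in levels):
        problems.append("a reviewer level starts on or after the campaign's last day")
    return problems
```

The flow's Custom API Action card POSTs this body to /governance/api/v1/campaigns; an empty list from check_campaign_body is the condition to require before that step.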

[Image: Summary of steps]