Exploring Enhanced Group Remediation in Access Certification
Okta Classic Engine
Identity Governance
Okta Identity Engine

This article describes the new enhanced group remediation feature in Access Certification and how to use it. 

Overview

In Okta Access Certification, two different resource-based campaigns allow reviewing either the users assigned to an application or the users assigned to a group. Until now, when a reviewer reviewed the access of a user assigned to an application (only for group-based user assignment) and chose to revoke it, manual intervention was required to remove the user assignment from the application. Administrators could suggest running a group-based campaign instead, which revokes the user access automatically, but in that case the reviewer cannot view application-related information such as Last Login. To bring together the best of both and allow access to an application to be revoked by removing users from the group, the Enhanced Group Remediation feature has been introduced in Okta Access Certification. With this feature, users assigned to an application (only via a group) can be automatically removed from the group and, consequently, are unassigned from the application. The sections below describe when this applies and how to configure it.

 

Applies To

Application-based campaigns

This feature is only present within Application-based Campaigns, where the campaign is created only for the application and does not include entitlement reviews. It only applies to users who are assigned via group and not directly to the application.

 

How To

When creating an application-based campaign, after all the applications and reviewers have been selected, under Remediation, select Remove access from user for either Reviewer revokes access or Reviewer does not respond. Once either option is selected, the Automatically remove group-based access option is displayed as shown below:

1.jpeg

 

Check the Automatically remove group-based access option to configure enhanced group remediation. Once it is checked, the All Groups option is selected by default, which means access can be revoked from all groups assigned to the application.

2.jpeg

 

If only some groups should be available for automatic removal, uncheck the All groups option and select the groups from the drop-down menu under Select groups.

3.jpeg 

Now, select Schedule Campaign to create the campaign with enhanced group remediation.

 

Caveat

This feature should not be used for groups that have group rules configured to add users to them. Once a user is removed from such a group by the Enhanced Group Remediation feature, the group rule adds the user back to the group.
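
One way to pre-check this caveat before choosing groups under Select groups, as an added example that is not part of the original article or Okta's own code: it cross-references an application's group assignments with the tenant's group rules and sorts the groups into those to select, those to review, and those to exclude. It assumes JSON shaped like the responses of Okta's list-application-group-assignments and list-group-rules API endpoints; the group IDs and rule names are constructed, and treating groups with only inactive rules as "review" is a choice made by this example.

```python
import json

# Constructed sample data (not real tenant output), shaped like the JSON from
# GET /api/v1/apps/{appId}/groups and GET /api/v1/groups/rules (assumed shapes).
APP_GROUPS = json.loads("""[
  {"id": "00g_sales"}, {"id": "00g_contractors"}, {"id": "00g_finance"}
]""")
GROUP_RULES = json.loads("""[
  {"id": "0pr_1", "name": "Dept = Sales", "status": "ACTIVE",
   "actions": {"assignUserToGroups": {"groupIds": ["00g_sales", "00g_other"]}}},
  {"id": "0pr_2", "name": "Old contractor rule", "status": "INACTIVE",
   "actions": {"assignUserToGroups": {"groupIds": ["00g_contractors"]}}}
]""")


def rules_by_target_group(rules):
    """Map group ID -> list of (rule name, status) for rules that add users to it."""
    targets = {}
    for rule in rules:
        action = (rule.get("actions") or {}).get("assignUserToGroups") or {}
        for gid in action.get("groupIds") or []:
            label = rule.get("name") or rule.get("id")
            targets.setdefault(gid, []).append((label, rule.get("status")))
    return targets


def classify_app_groups(app_groups, rules):
    """Sort an application's assigned groups into select / review / exclude."""
    targets = rules_by_target_group(rules)
    result = {"select": [], "review": [], "exclude": []}
    for assignment in app_groups:
        gid = assignment["id"]
        hits = targets.get(gid, [])
        if any(status == "ACTIVE" for _, status in hits):
            result["exclude"].append(gid)  # an active rule would re-add removed users
        elif hits:
            result["review"].append(gid)   # rule exists but is not active
        else:
            result["select"].append(gid)   # no group rule targets this group
    return result


if __name__ == "__main__":
    for bucket, gids in classify_app_groups(APP_GROUPS, GROUP_RULES).items():
        print(f"{bucket}: {', '.join(gids) or '-'}")
```

Groups in the "exclude" bucket are the ones to leave out when unchecking All groups and picking groups under Select groups.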


