How to create an Access Certification via an Okta Workflow
Okta Classic Engine
Identity Governance
Okta Identity Engine

Overview

User profile change trigger

The power of Okta access certifications for governance lies in their ability to streamline processes, enhance security, promote accountability, and achieve compliance objectives. By automating and simplifying access reviews, Okta lets organizations manage user access rights with confidence, mitigating risk and keeping the environment secure. Governance then becomes a seamless tool that strengthens an organization's overall security posture. This workflow example shows how to trigger a User Campaign when the department on a user's profile changes.

Applies to

  • Okta Access Certifications
  • Okta Workflows
  • Okta Identity Governance API

Assumptions

  • Users in your Okta tenant have the department profile field populated, and there is an automated or manual process to update it; that update triggers a User Campaign covering the applications and groups assigned to the user.
  • Users in your Okta tenant have the managerId profile field populated with the username of their manager, or of another user who will act as the approver for Governance-related approvals.
  • All steps in the example workflow depict a basic flow for testing in a non-production environment. Additional steps based on each customer's standards should be taken into account before using it in production.

Solution

  1. Visit https://developer.okta.com/docs/api/iga/ to locate the API documentation for Identity Governance, then locate the API reference for Campaigns. Refer to the guide, Guide on using the Okta Identity Governance APIs, for more information on how to use the API.
  2. Next, log in to Okta as a Super Admin, click Workflows, then Workflow console to get started.
  3. Create a new flow and name it by clicking the pencil next to Unnamed. Also select the option to save all data that passes through the flow, then save.
  4. Next, add an Event: select Okta under your connected applications, search for the User Okta Profile Updated event, and select it.
  5. Next, click the Add function button and select the Continue If card. Drag the Changed Attributes value from the details of the event card and store it in the value a field of the Continue If card.

[Image: 1.png]

[Image: 2.png]

  1. Change the comparison on the Continue If card to "equal to" and enter "department" in the value b field, so the card checks which attribute changed. In this example the workflow continues only if someone changes only the department attribute in Universal Directory.
  2. Next, we need to pull the manager's ID from the profile of the user whose attributes changed, based on the system log event.
  3. Add the Application Action, Okta Read User card. Once you add that card, uncheck all the fields under Outputs except Username and ManagerId (as shown in the diagram below), then click the Save button.

[Image: 3.png]

  1. Then drag the ID field from the Okta User section of the event trigger card (User Okta Profile Updated) and store it in the ID or Login field of the Read User card.

[Image: 4.png]

  1. Next, we need to look up the manager within Okta by using the Okta Find User card.

Add the Application Action, Okta Find User card, choose First Matching Record, and click the Save button. Next, keep the default fields, additionally select Login, and click the Save button again.

[Image: 5.png] Configure Find Users card

[Image: 6.png] Configure fields used

[Image: 7.png] Configured card

  1. Next, we need to look up the login ID of the manager within Okta by using the Okta Find User card. This value will be used during the certification process in a later step.


Now drag the Find Users card output to the ID or login field of the Read User card, as shown in the diagram below.

[Image: 8.png]

  1. Next, we use the Date & Time function cards in Okta Workflows to set a date/time in the future at which the campaign should be launched. This is necessary because the API will not accept a campaign that starts in the past.

Click Add Function and, under the Date & Time category in the menu, select the Now card; then click Add Function again and, also under Date & Time, select the Add card. Click the Save button.

Now drag the date output of the Now card to the start date field of the Add card. Set the amount to add to 5 and select minutes as the units. This output will be used in the API call to create the certification.

[Image: 9.png]

  1. The next step is to create the JSON that will be supplied to the API to create a campaign. This can be done in many ways; this example uses a Compose card to bring all the values together.

Click Add Function, select the Compose card on the main screen, and click the Save button. It will look like the diagram below.

[Image: 10.png]

Next, either copy and paste an example from the Governance API documentation, or use the example below and make any updates you like.

Note: I'm using a variation of the "Campaign using group with user expression scope" example from the Create Campaign APIs available for OIG.

 

Example JSON. 

Note: the values shown in red in the original screenshots (startDate, the entry in userIds, and reviewerId) are linked to values captured earlier in the workflow.

{
  "name": "User Department Change - Certification Campaign",
  "description": "Review access of all resources associated with a user when their department changes",
  "campaignType": "USER",
  "scheduleSettings": {
    "type": "ONE_OFF",
    "startDate": "output",
    "durationInDays": 30,
    "timeZone": "America/New_York"
  },
  "resourceSettings": {
    "type": "APPLICATION_AND_GROUP",
    "individuallyAssignedAppsOnly": false,
    "individuallyAssignedGroupsOnly": false
  },
  "principalScopeSettings": {
    "type": "USERS",
    "userIds": [
      "00u1ciel7qsiN82l48g6"
    ]
  },
  "reviewerSettings": {
    "type": "USER",
    "reviewerId": "00u1ciel8qsiN81l98g6"
  },
  "remediationSettings": {
    "accessApproved": "NO_ACTION",
    "accessRevoked": "DENY",
    "noResponse": "DENY"
  },
  "notificationSettings": {
    "notifyReviewerWhenReviewAssigned": true,
    "notifyReviewerAtCampaignEnd": true,
    "notifyReviewerWhenOverdue": true,
    "notifyReviewerDuringMidpointOfReview": true,
    "notifyReviewPeriodEnd": true
  },
  "status": "ACTIVE"
}
  You will need to paste the example JSON above into the Compose card and then update the three fields listed below by linking them to the outputs of earlier cards. Make sure you insert each output between the quotes in the JSON and do not disrupt the JSON format required by the API endpoint.
  • startDate: the output of the Add card, which is the date value
  • userIds: the ID of the user whose department changed
  • reviewerId: the username of that user's manager, as stored in the user's profile

The view from within the workflow, broken down into three images to capture all the linked fields.
 

[Image: 11.png]

[Image: 12.png]

[Image: 13.png]

  1. Next, add the Okta Custom API Action card: Add the Application Action, Okta Custom API Action card, choose Post, and click the Save button. Next, select only Body in the Input section, uncheck Headers in the Output section of the card, and click the Save button again.

Enter the Relative URL listed below in the Relative URL field.

/governance/api/v1/campaigns

Then drag the output of the previously created Compose card to the Body field of the Custom API Action card.

[Image: 14.png]

  1. Next, we need to pull the ID of the newly created campaign in order to launch the campaign in the next step.
  2. Click Add Function, select the Object menu on the left of the main screen, select the Get card, and click the Save button. Drag the Body output of the Custom API Action card to the Object field and enter "id" in the path field. It will look like the diagram below once updated.

[Image: 15.png]

  1. Now we need to construct the API call that auto-launches this campaign when the workflow runs. To do this, we use another Compose card to place the ID captured by the Object Get card into the URL, and then run another Custom API Action card.
  2. Click Add Function, select the Compose card on the main screen, and click the Save button. It will look like the diagram below.

[Image: 16.png]

Enter the following URL, linking the output of the Object Get card in place of (output) as the ID of the campaign to launch.

 

/governance/api/v1/campaigns/(output)/launch

[Image: 17.png]

  1. Lastly, we use one more card to call this API and launch the campaign after creation. Add the Application Action, Okta Custom API Action card, choose Post, and click the Save button. Next, uncheck all of the options in the Input section, uncheck Headers in the Output section of the card, and click the Save button again.
  2. Drag the output of the last Compose card to the Relative URL field of the Custom API Action card.

[Image: 18.png]

  1. Save the workflow and enable it to run.
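The data handling behind the cards above (the Continue If check, the Find User lookup, the Now + Add start time, the Compose payload, the Object Get of the campaign ID, and the launch URL), written as an added plain-Python example so the JSON and URL shapes can be verified offline before the flow is enabled. This is not code from the article or from Okta. Only the two API paths and the campaign JSON come from the article; the event field names, the constructed sample event and response, the org URL, and SSWS token authentication are assumptions.

```python
"""Added example (not Okta's code): the article's workflow steps as plain Python.
The API paths and campaign JSON come from the article; everything else is assumed."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

CAMPAIGNS_PATH = "/governance/api/v1/campaigns"  # from the article


def department_only_change(event: dict) -> bool:
    """Continue If card: proceed only when the changed-attribute list of the
    'User Okta Profile Updated' event is exactly ['department'].
    The key name 'changedAttributes' is an assumption about the event shape."""
    return event.get("changedAttributes") == ["department"]


def campaign_start_time(now: datetime, minutes_ahead: int = 5) -> str:
    """Now + Add cards: a start date a few minutes ahead, because the API rejects
    campaigns that start in the past. ISO 8601 UTC with milliseconds is assumed."""
    start = now.astimezone(timezone.utc) + timedelta(minutes=minutes_ahead)
    return start.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_campaign(user_id: str, reviewer_id: str, start_date: str) -> dict:
    """Compose card: the article's JSON with the three linked values filled in.
    Serialising a dict means a stray quote in a value cannot break the JSON."""
    return {
        "name": "User Department Change - Certification Campaign",
        "description": "Review access of all resources associated with a user "
                       "when their department changes",
        "campaignType": "USER",
        "scheduleSettings": {"type": "ONE_OFF", "startDate": start_date,
                             "durationInDays": 30, "timeZone": "America/New_York"},
        "resourceSettings": {"type": "APPLICATION_AND_GROUP",
                             "individuallyAssignedAppsOnly": False,
                             "individuallyAssignedGroupsOnly": False},
        "principalScopeSettings": {"type": "USERS", "userIds": [user_id]},
        "reviewerSettings": {"type": "USER", "reviewerId": reviewer_id},
        "remediationSettings": {"accessApproved": "NO_ACTION",
                                "accessRevoked": "DENY", "noResponse": "DENY"},
        "notificationSettings": {"notifyReviewerWhenReviewAssigned": True,
                                 "notifyReviewerAtCampaignEnd": True,
                                 "notifyReviewerWhenOverdue": True,
                                 "notifyReviewerDuringMidpointOfReview": True,
                                 "notifyReviewPeriodEnd": True},
        "status": "ACTIVE",
    }


def campaign_id_from_body(body: str) -> str:
    """Object Get card with path 'id': the new campaign's ID from the create response."""
    return json.loads(body)["id"]


def launch_path(campaign_id: str) -> str:
    """Second Compose card: the relative URL that launches the campaign."""
    return f"{CAMPAIGNS_PATH}/{campaign_id}/launch"


def post_json(org_url: str, api_token: str, path: str, body=None) -> str:
    """Custom API Action card (POST). Not exercised offline; the org URL and
    SSWS token authentication are assumptions."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        org_url + path, data=data, method="POST",
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def run_offline() -> dict:
    """Walk one constructed event through the same steps the flow performs,
    using a constructed create-campaign response instead of a live call."""
    event = {  # constructed sample shaped like a profile-update event
        "eventType": "user.account.update_profile",
        "changedAttributes": ["department"],
        "user": {"id": "00uEXAMPLEUSER", "profile": {"managerId": "manager@example.com"}},
    }
    if not department_only_change(event):
        return {"continued": False}
    # Find User card stand-in: constructed login -> Okta user ID lookup for the manager
    directory = {"manager@example.com": "00uEXAMPLEMGR"}
    reviewer_id = directory[event["user"]["profile"]["managerId"]]
    start = campaign_start_time(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))
    payload = build_campaign(event["user"]["id"], reviewer_id, start)
    create_body = '{"id": "cam-EXAMPLE-1", "status": "ACTIVE"}'  # constructed response
    campaign_id = campaign_id_from_body(create_body)
    return {"continued": True, "start_date": start, "payload_json": json.dumps(payload),
            "campaign_id": campaign_id, "launch_path": launch_path(campaign_id)}


if __name__ == "__main__":
    print(json.dumps(run_offline(), indent=2))
```

Running the file prints the fully substituted payload, the start date five minutes after the fixed sample time, and the launch path, which is a quick way to confirm that linked values land between the quotes without breaking the JSON the endpoint expects. Replace the constructed directory lookup and response with the live Find User and Custom API Action outputs when wiring this into an actual flow.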
 

Overall flow

 

[Image: 20.png]

[Image: 19.png]

Testing

Once the workflow is enabled and a user's department is changed, the flow should execute and create a new User Campaign for review by the user's manager, based on the managerId field stored in the user's profile.

Happy Governing!

 

Related References


Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team. 

 
