How to Create an Access Certification via Okta Workflows - Group Event Trigger
Last Updated:
Overview
Overall, the power of Okta access certifications for governance lies in their ability to provide organizations with the tools, visibility, and control necessary to ensure proper access control, enforce the principle of least privilege, enhance security, streamline compliance efforts, and foster a culture of accountability. With Okta, organizations can confidently navigate the governance landscape, safeguard sensitive data, and protect against unauthorized access. This workflow example demonstrates how to trigger a campaign when a user is added to a sensitive group in Okta.
Applies To
-
Okta Access Certifications
-
Okta Workflows
-
Okta Identity Governance API
Assumptions
-
A group is already created within Okta can be used to trigger a certification when a user is added to the group.
-
Users who exist in the Okta tenant have the
managerIdprofile field populated with a username of their manager or some other user who will be acting as an approver for Governance-related approvals. -
All steps in the example workflow are depicted to show a basic workflow for testing in a non-production environment. Additional steps, tailored to each customer's standards, should be taken before use in production.
Solution
- Visit the Okta Identity Governance API page to find the API documentation. Locate the API reference for Campaigns. Please refer to the Guide on using the Okta Identity Governance APIs documentation for more information on using the API.
- Log in to Okta as a Super Admin and navigate to Workflow > Workflows console to get started.
- Create a new flow and name your flow by clicking the pencil next to Unnamed. Select to save all data that passed through the flow and save.
- Add an Event, select Okta under your connected Applications, search for User Added to Group event, and select.
- Click the Add function button and select the Continue If card, drag the Display Name value from the Group details in the card, and store it in the value a option of the card.
-
Change the comparison value on the Continue If card to
equal toand then type in the name of the group in value b. This group is the group in the Okta tenant that used to run a campaign against it whenever someone is added to it. In the example, this workflow will execute only if someone is added to a group calledGroupAdmins. -
Pull the manager’s ID from the user added to the group based on the system log event.
-
Add the Application Action, Okta Read User card. Once you add that card, uncheck all fields under Outputs except
UsernameandManagerId(as shown in the diagram below), and click Save.
- Drag the ID field from the Okta User section of the Event trigger card: User Added to Group and store it in the ID or Login field of the new card.
- Look up the manager within Okta by using the Okta Find User card.
- Add the Application Action, Okta Find User card, choose First Matching Record, and click the Save button.
- Next, select the default fields, select Login, and then click the Save button again.
Configure Find Users Card Configure fields used Configured card
- Look up the manager's login ID in Okta using the Okta Find User card. This value will be used in a later step during the certification process.
- Add the Application Action, Okta Find User card, choose First Matching Record, and click the Save button.
- Next, select the default fields, select Login, and then click the Save button again.
- Now drag the Find Users card to the ID or Login field of the Read User card, as shown in the diagram below.
- Use the time function cards in Okta workflows to set a future date/time for when a campaign should be launched. This is needed as the API will not support creating a campaign in the past.
- Add the Add Function under the Date & Time category in the menu, select the Now card, and click Add Function.
- Under the Date & Time category, also select the Add card. Click the Save button.
- Drag the date field over to the start date field on the Add card.
- Update the add option to 5 and select minutes for the units. This output will be used in the API call to create a certification.
- The next step is to create the JSON to supply the API to create a campaign. This can be done in many ways; this example uses a Compose card to bring all the values together.
-
- Add the Add Function on the main screen, select the Compose card, and click the Save button. It will look like the diagram below.
-
- Cut and paste an example from the Governance APIs, or use the example below in the table and make any necessary updates.
NOTE: A variation of this example is used in the Create Campaign APIs available for OIG.
Campaign using group with user expression scope
Example JSON
NOTE: The areas in red below are values linked to previously captured values within the workflow.
{
"name": "Employee Granted Privileged Access Campaign",
"description": "Testing with the API and Workflows",
"scheduleSettings": {
"type": "ONE_OFF",
"startDate": "output",
"durationInDays": 30,
"timeZone": "America/New_York"
},
"remediationSettings": {
"accessApproved": "NO_ACTION",
"accessRevoked": "DENY",
"noResponse": "DENY"
},
"reviewerSettings": {
"type": "USER",
"reviewerId": "ID"
},
"principalScopeSettings": {
"type": "USERS",
"userScopeExpression": "user.profile.login == \"Username\"",
"excludedUserIds": []
},
"resourceSettings": {
"type": "GROUP",
"targetResources": [
{
"resourceId": "_"
}
]
},
"status": "ACTIVE"
}
-
- Paste the example JSON above into the Compose card, then update the three fields listed below by linking them to previously captured card outputs. Ensure you insert the output between the quotes of the JSON code and do not disrupt the JSON format required by the API endpoint.
-
- Output
- ID
- Username
The view from within the Workflow is broken down into three images to capture all the linked fields.
- Add the Okta Custom API Action card. Add the Application Action and the Okta Custom API Action card, then choose Post. Click the Save button. Only select Body in the Input section and uncheck Headers in the Output section of the card, and then click the Save button again.
- Enter the Relative URL listed below in the Relative URL field.
- /governance/api/v1/campaigns
- Drag the output of the previously created Compose card to the Body field in the Custom API Action card.
- Pull the ID of the newly created campaign to launch the campaign in the next step.
- Add the Add Function on the main screen, select the Object menu on the left, select the Get card, and then click the Save button. Drag the Body output of the Custom API Action card over to the Object field, and then enter
idin the path field. It will look like the diagram below after you update it.
- Construct the API call to auto-launch this campaign when the workflow runs. To do this, use another Compose card and place the
idcaptured in the Object Get card and run another Custom API Action card. - Add the Add Function on the main screen, select the Compose card. and click the Save button. It will look like the diagram below.
- Enter the following URL while linking the output of the Object card as the id of the campaign in order to launch.
/governance/api/v1/campaigns/(output)/launch
- Lastly, use another card to call this API and launch the campaign after it's created. Add the Application Action, Okta Custom API Action card, and choose Post, click the Save button. Uncheck all of the options in the Input section and uncheck Headers in the Output section of the card, and then click the Save button again.
- Drag the output of the last Compose card to the Relative URL field in the Custom API Action card.
- Save the workflow and enable it to run.
Overall Flow
Testing
Once the workflow is enabled and a user is added to the same group you entered in Step 5, this flow should execute and send a new campaign to their manager based on the managerId field stored in the user's profile.
Happy Governing!
Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team.
