How to Create an Access Certification via Okta Workflows - Group Event Trigger
Identity Governance
Okta Classic Engine
Okta Identity Engine

Overview

Overall, the power of Okta access certifications for governance lies in their ability to provide organizations with the tools, visibility, and control necessary to ensure proper access control, enforce the principle of least privilege, enhance security, streamline compliance efforts, and foster a culture of accountability. With Okta, organizations can confidently navigate the governance landscape, safeguarding sensitive data and protecting against unauthorized access. This workflow example shows how to trigger a campaign when a user is added to a sensitive group within Okta.
 

Applies To

  • Okta Access Certifications
  • Okta Workflows
  • Okta Identity Governance API
     

Assumptions

  • You have a group already created within Okta, and you would like to trigger a certification whenever a user is added to that group.
  • Users in your Okta tenant have the managerId profile field populated with the username of their manager, or of some other user who will act as the approver for Governance-related approvals.
  • All steps in the example workflow depict a basic workflow for testing in a non-production environment. Additional steps based on each customer's standards should be taken into account before using it in production.
     

Solution

  1. Visit https://developer.okta.com/docs/api/iga/ to locate the API documentation for Identity Governance. Locate the API reference for Campaigns. Please refer to this document, Guide on using the Okta Identity Governance APIs, for more information on how to use the API.
  2. Log into Okta as a Super Admin and click on the Okta Workflow console to get started.
  3. Create a new flow and name it by clicking the pencil next to Unnamed. Select the option to save all data that passes through the flow, and save.
  4. Add an Event, select Okta under your connected Applications, search for the User Added to Group event, and select it.
  5. Click the Add function button and select the “Continue If” card. Drag the Display Name value from the Group details on the event card and store it in the “value a” option of the “Continue If” card.


  1. Change the comparison value on the “Continue If” card to “equal to” and then type in the name of the group in value b. This group is the group in your Okta tenant that you want to run a campaign against whenever someone is added to it. In the example, this workflow will execute only if someone is added to a group called “GroupAdmins.”
  2. Pull the manager’s Id from the user added to the group based on the system log event.  
  3. Add the Application Action, Okta Read User card.  Once you add that card, uncheck all the fields under Outputs except for Username and ManagerId (as shown in the diagram below), then click the Save button.
  4. Drag the ID field from the Okta User section of the Event trigger card: User Added to Group and store it in the ID or Login field of the new card.
  1. Look up the manager within Okta by using the Okta Find User card.  

Add the Application Action, Okta Find User card, choose First Matching Record, and click the Save button.  Next, select the default fields, select Login, and then click the Save button again.

(Screenshots: Configure Find Users card; Configure fields used; Configured card.)


  1. Look up the login ID of the manager within Okta by using the Okta Find User card.  This value will be used during the certification process in a later step.

Add the Application Action, Okta Find User card, choose First Matching Record, and click the Save button. Next, select the default fields, select Login, and then click the Save button again.

Now drag the Find Users card to the ID or login field of the Read User card, as shown in the diagram below. 
  1. Use the time function cards within Okta Workflows to set a date/time in the future at which the campaign should be launched. This is necessary because the API will not create a campaign whose start date is in the past.

Click Add Function, select the Now card under the Date & Time category in the menu, and click Add Function again. Under the Date & Time category, also select the Add card. Click the Save button.

Drag the date field from the Now card over to the start date field on the Add card. Update the add option to 5 and select minutes for the units. This output will be used in the API call to create a certification.
  1. The next step is to create the JSON that will be supplied to the API to create a campaign. You can do this in many ways; this example uses a Compose card to bring all the values together.

Add the Add Function on the main screen, select the Compose card, and click the Save button.  It will look like this diagram below.
Cut and paste an example from the Governance APIs or use the below example in the table and make any necessary updates.

Note: A variation of this example is used in the Create Campaign APIs available for OIG.

Campaign using group with user expression scope

Example JSON

NOTE: The placeholder values "output", "ID", and "Username" in the example below are the values linked to outputs captured earlier in the workflow.
 

{
  "name": "Employee Granted Privileged Access Campaign",
  "description": "Testing with the API and Workflows",
  "scheduleSettings": {
    "type": "ONE_OFF",
    "startDate": "output",
    "durationInDays": 30,
    "timeZone": "America/New_York"
  },
  "remediationSettings": {
    "accessApproved": "NO_ACTION",
    "accessRevoked": "DENY",
    "noResponse": "DENY"
  },
  "reviewerSettings": {
    "type": "USER",
    "reviewerId": "ID"
  },
  "principalScopeSettings": {
    "type": "USERS",
    "userScopeExpression": "user.profile.login == \"Username\"",
    "excludedUserIds": []
  },
  "resourceSettings": {
    "type": "GROUP",
    "targetResources": [
      {
        "resourceId": "_"
      }
    ]
  },
  "status": "ACTIVE"
}

Paste the example JSON above into the Compose card and then update the three fields listed below by linking them to previously captured outputs of cards.  Ensure you insert the output between the quotes of the JSON code and do not disrupt the JSON format required by the API endpoint.  

  • Output
  • ID
  • Username

 

The view from within the Workflow is broken down into three images to capture all the linked fields.  
  1. Add the Application Action, Okta Custom API Action card, choose Post, and click the Save button. Select only Body in the Input section, uncheck Headers in the Output section of the card, and then click the Save button again.

Enter in the Relative URL listed below in the Relative URL field.
 

/governance/api/v1/campaigns


Drag the output of the previously created Compose card to the Body field in the Custom API Action card.
  1. Pull the Id of the newly created campaign to launch the campaign in the next step.
  2. Add the Add Function on the main screen, select the Object menu on the left and select the Get card and then click the Save button. Drag the Body output of the Custom API Action card over to the Object field and then enter in “id” in the path field. It will look like the diagram below after you update it.
  1. Construct the API call that auto-launches this campaign when the workflow runs. To do this, use another Compose card, place in it the id captured by the Object Get card, and run another Custom API Action card.
  2. Click the Add Function on the main screen, select the Compose card, and click the Save button. It will look like the diagram below.
Enter the following URL in the Compose card, linking the output of the Object Get card as the id of the campaign to launch.
 
/governance/api/v1/campaigns/(output)/launch

  1. Lastly, use one more card to call this API and launch the campaign after creation. Add the Application Action, Okta Custom API Action card, choose Post, and click the Save button. Uncheck all of the options in the Input section, uncheck Headers in the Output section of the card, and then click the Save button again.
  2. Drag the output of the last Compose card to the Relative URL field in the Custom API Action card.
  1. Save the workflow and enable it to run.
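The same two API calls the flow makes, written as an added example (not Okta's code and not the article's workflow) so the three linked values are inserted by a JSON serializer rather than pasted between quotes in the Compose card. The endpoint paths and payload fields are the article's own; the event shape, the IDs and logins, and the ISO 8601 UTC date format are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

CREATE_PATH = "/governance/api/v1/campaigns"   # endpoint used in this article
SENSITIVE_GROUP = "GroupAdmins"                 # group name the article watches

def should_trigger(event: dict, group_name: str = SENSITIVE_GROUP) -> bool:
    """Mirror the 'Continue If' card; `event` is a constructed, simplified
    view of the trigger output, {"group": {"displayName": ...}}."""
    return event.get("group", {}).get("displayName") == group_name

def campaign_start(now: Optional[datetime] = None, minutes_ahead: int = 5) -> str:
    """The API rejects a start date in the past, so push it out (the article
    adds 5 minutes to Now). Assumed format: ISO 8601 date-time in UTC."""
    now = now or datetime.now(timezone.utc)
    start = now.astimezone(timezone.utc) + timedelta(minutes=minutes_ahead)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")

def build_campaign(reviewer_id: str, login: str, group_id: str, start: str) -> dict:
    """Assemble the article's example body from the three linked values.
    The login is quoted with json.dumps, so a quote or backslash inside it
    cannot break the userScopeExpression literal or the surrounding JSON."""
    expression = "user.profile.login == " + json.dumps(login)
    return {
        "name": "Employee Granted Privileged Access Campaign",
        "description": "Testing with the API and Workflows",
        "scheduleSettings": {"type": "ONE_OFF", "startDate": start,
                             "durationInDays": 30, "timeZone": "America/New_York"},
        "remediationSettings": {"accessApproved": "NO_ACTION",
                                "accessRevoked": "DENY", "noResponse": "DENY"},
        "reviewerSettings": {"type": "USER", "reviewerId": reviewer_id},
        "principalScopeSettings": {"type": "USERS",
                                   "userScopeExpression": expression,
                                   "excludedUserIds": []},
        "resourceSettings": {"type": "GROUP",
                             "targetResources": [{"resourceId": group_id}]},
        "status": "ACTIVE",
    }

def compose_body(body: dict) -> str:
    """Serialize for the Custom API Action Body field (what the Compose card does)."""
    return json.dumps(body)

def launch_path(create_response_body: str) -> str:
    """Take 'id' from the create response (the Object Get card) and build
    the URL for the second Custom API Action, the launch call."""
    return f"{CREATE_PATH}/{json.loads(create_response_body)['id']}/launch"
```

Because the login is escaped before it lands in the expression, a display name or login containing a double quote produces a valid body instead of a malformed request.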

 

Overall Flow

(Two screenshots of the overall flow.)


Testing

Once the workflow is enabled and a user is added to the same group you entered in Step 5, this flow should execute and send a new campaign to their manager based on the managerId field stored in the user's profile. 

Happy Governing!


 

Related References

To view feature requests and up-vote product enhancement requests, please visit http://ideas.okta.com/
 

Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team.
