<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content

How to Create an Access Certification via Okta Workflows - Group Event Trigger

Identity Governance
Okta Classic Engine
Okta Identity Engine

Overview

Overall, the power of Okta access certifications for governance lies in their ability to provide organizations with the tools, visibility, and control necessary to ensure proper access control, enforce the principle of least privilege, enhance security, streamline compliance efforts, and foster a culture of accountability. With Okta, organizations can confidently navigate the governance landscape, safeguard sensitive data, and protect against unauthorized access. This workflow example demonstrates how to trigger a campaign when a user is added to a sensitive group in Okta.
 

Applies To

  • Okta Access Certifications
  • Okta Workflows
  • Okta Identity Governance API
     

Assumptions

  • A group is already created within Okta can be used to trigger a certification when a user is added to the group.
  • Users who exist in the Okta tenant have the managerId profile field populated with a username of their manager or some other user who will be acting as an approver for Governance-related approvals. 
  • All steps in the example workflow are depicted to show a basic workflow for testing in a non-production environment.  Additional steps, tailored to each customer's standards, should be taken before use in production.
     

Solution

  1. Visit the Okta Identity Governance API page to find the API documentation.  Locate the API reference for Campaigns. Please refer to the Guide on using the Okta Identity Governance APIs documentation for more information on using the API.
  2. Log in to Okta as a Super Admin and navigate to Workflow > Workflows console to get started.
  3. Create a new flow and name your flow by clicking the pencil next to Unnamed.  Select to save all data that passed through the flow and save.
  4. Add an Event, select Okta under your connected Applications, search for User Added to Group event, and select.  
  5. Click the Add function button and select the Continue If card, drag the Display Name value from the Group details in the card, and store it in the value a option of the card. 

Most Popular  
Continue If 

 

  1. Change the comparison value on the Continue If card to equal to and then type in the name of the group in value b. This group is the group in the Okta tenant that used to run a campaign against it whenever someone is added to it. In the example, this workflow will execute only if someone is added to a group called GroupAdmins.
  2. Pull the manager’s ID from the user added to the group based on the system log event.  
  3. Add the Application Action, Okta Read User card.  Once you add that card, uncheck all fields under Outputs except Username and ManagerId (as shown in the diagram below), and click Save.

    Read User 

     
  4. Drag the ID field from the Okta User section of the Event trigger card: User Added to Group and store it in the ID or Login field of the new card.
image.png

 

  1. Look up the manager within Okta by using the Okta Find User card.  
    1. Add the Application Action, Okta Find User card, choose First Matching Record, and click the Save button.
    2. Next, select the default fields, select Login, and then click the Save button again.

Find Users

                           Configure Find Users Card                   Configure fields used                         Configured card


 

  1. Look up the manager's login ID in Okta using the Okta Find User card.  This value will be used in a later step during the certification process.
    1. Add the Application Action, Okta Find User card, choose First Matching Record, and click the Save button.
    2. Next, select the default fields, select Login, and then click the Save button again. 
    3. Now drag the Find Users card to the ID or Login field of the Read User card, as shown in the diagram below.

Find User Card 

 

  1. Use the time function cards in Okta workflows to set a future date/time for when a campaign should be launched. This is needed as the API will not support creating a campaign in the past.   
    1. Add the Add Function under the Date & Time category in the menu, select the Now card, and click Add Function.
    2. Under the Date & Time category, also select the Add card. Click the Save button.
    3. Drag the date field over to the start date field on the Add card. 
    4. Update the add option to 5 and select minutes for the units. This output will be used in the API call to create a certification.

Date & Time 

 

  1. The next step is to create the JSON to supply the API to create a campaign. This can be done in many ways; this example uses a Compose card to bring all the values together.  
    1. Add the Add Function on the main screen, select the Compose card, and click the Save button.  It will look like the diagram below.


Compose 

    1. Cut and paste an example from the Governance APIs, or use the example below in the table and make any necessary updates.

NOTE: A variation of this example is used in the Create Campaign APIs available for OIG.

Campaign using group with user expression scope

Example JSON

NOTE: The areas in red below are values linked to previously captured values within the workflow. 
 

{
  "name": "Employee Granted Privileged Access Campaign",
  "description": "Testing with the API and Workflows",
  "scheduleSettings": {
    "type": "ONE_OFF",
    "startDate": "output",
    "durationInDays": 30,
    "timeZone": "America/New_York"
  },
  "remediationSettings": {
    "accessApproved": "NO_ACTION",
    "accessRevoked": "DENY",
    "noResponse": "DENY"
  },
  "reviewerSettings": {
    "type": "USER",
    "reviewerId": "ID"
  },
  "principalScopeSettings": {
    "type": "USERS",
    "userScopeExpression": "user.profile.login == \"Username\"",
    "excludedUserIds": []
  },
  "resourceSettings": {
    "type": "GROUP",
    "targetResources": [
      {
        "resourceId": "_"
      }
    ]
  },
  "status": "ACTIVE"
}
    1. Paste the example JSON above into the Compose card, then update the three fields listed below by linking them to previously captured card outputs.  Ensure you insert the output between the quotes of the JSON code and do not disrupt the JSON format required by the API endpoint.  
    • Output
    • ID
    • Username

 

The view from within the Workflow is broken down into three images to capture all the linked fields.
 

Workflow
Workflow 
 
  1. Add the Okta Custom API Action card. Add the Application Action and the Okta Custom API Action card, then choose Post. Click the Save button. Only select Body in the Input section and uncheck Headers in the Output section of the card, and then click the Save button again. 
    1. Enter the Relative URL listed below in the Relative URL field.
    2. /governance/api/v1/campaigns
    3. Drag the output of the previously created Compose card to the Body field in the Custom API Action card.
      Custom API Action 

 

  1. Pull the ID of the newly created campaign to launch the campaign in the next step.
  2. Add the Add Function on the main screen, select the Object menu on the left, select the Get card, and then click the Save button. Drag the Body output of the Custom API Action card over to the Object field, and then enter id in the path field. It will look like the diagram below after you update it.
Custom API Action
 
  1. Construct the API call to auto-launch this campaign when the workflow runs. To do this, use another Compose card and place the id captured in the Object Get card and run another Custom API Action card.
  2. Add the Add Function on the main screen, select the Compose card. and click the Save button. It will look like the diagram below.

Compose

 

  1. Enter the following URL while linking the output of the Object card as the id of the campaign in order to launch.
    /governance/api/v1/campaigns/(output)/launch

Workflow 

 

  1. Lastly, use another card to call this API and launch the campaign after it's created.  Add the Application Action, Okta Custom API Action card, and choose Post, click the Save button. Uncheck all of the options in the Input section and uncheck Headers in the Output section of the card, and then click the Save button again. 
  2. Drag the output of the last Compose card to the Relative URL field in the Custom API Action card.  
Workflow
 
  1. Save the workflow and enable it to run.

 

Overall Flow

Overall Workflow

Overall Workflow


Testing

Once the workflow is enabled and a user is added to the same group you entered in Step 5, this flow should execute and send a new campaign to their manager based on the managerId field stored in the user's profile. 

Happy Governing!


 

To view feature requests and upvote product enhancement requests, please visit the Okta Ideas page.

Looking for Okta Identity Governance help? Visit the Okta Identity Governance Product Hub or schedule Office Hours with the Okta Identity Governance team.

 

Related References

Loading
Okta Support - How to Create an Access Certification via Okta Workflows - Group Event Trigger