Okta Access Certification - Fallback Reviewer to a Distribution List (DL)
Okta Classic Engine
Identity Governance
Okta Identity Engine

Overview

The standard Okta Identity Governance interface for Access Certification Campaigns requires a single Okta User to be designated as the Fallback Reviewer. To effectively notify a group of users (like a team or security group) when the fallback condition is met, an Okta service account can be used with its primary email set to a Distribution List (DL) email address.

The following is a step-by-step guide to implement this workaround.

Create a Dedicated Okta Service Account

First, create a non-human Okta user account that will serve as the Fallback Reviewer placeholder.

  1. Navigate to User Creation: In the Okta Admin Console, go to Directory > People, and click Add Person.

  2. Configure the Account:

    • First name: Enter a descriptive name (e.g., Fallback)

    • Last name: Enter a descriptive name (e.g., Reviewers)

    • Username: Create a unique, functional username (e.g., ac_fallback_reviewer@domain.com).

    • Primary email: Crucially, enter the email address of your existing Distribution List (DL) (e.g., security_team_dl@domain.com).

    • User must change password on first login: Uncheck this box, as this is a non-human account.

    • Activation: Set the password and choose an activation option appropriate for a service account (e.g., Set by admin and leave Send user activation now unchecked).

  3. Save: Click Save to create the user.

NOTE: This user should not be used for regular sign-in and should have its lifecycle (password, security) managed like any other service account in your environment.

Configure the Distribution List (DL)

Ensure the external Distribution List (DL) is properly set up to receive and distribute emails to its members.

  • External Email System (e.g., Exchange, Google Workspace): Verify that the email address used for the Okta service account's "Primary email" is a working Distribution List.

  • Membership: Confirm that all desired fallback reviewers are active members of this Distribution List.

  • External Mail Acceptance: If the DL is restricted to internal senders, ensure it is configured to accept emails from external senders (or at least from Okta's notification systems) so that the Access Certification emails are delivered to all members.

Assign the Fallback Reviewer in Access Certification Campaign

Finally, select the newly created Okta service account as the Fallback Reviewer in the Access Certification Campaign settings.

  1. Navigate to Campaigns: In the Okta Admin Console, go to Identity Governance > Access Certifications > Certification campaigns.

  2. Create or Edit Campaign: Select an existing campaign or click Create campaign.

  3. Reviewer Step: Proceed to the Reviewer configuration step for the campaign. This is where the primary reviewer type (e.g., Manager, Resource owners, or Custom) is selected.

  4. Specify Fallback Reviewer: In the Fallback reviewer field that appears for applicable reviewer types, search for and select the Okta service account created in the first section above (e.g., Fallback Reviewers).

Test and Validation

Before launching the campaign broadly, it is critical to test the fallback mechanism.

  1. Test Scenario: Identify an entitlement review item that is guaranteed to trigger the fallback condition.

    • Example for "Manager" Reviewer: Find a user whose Okta profile is missing a populated managerId attribute.

    • Example for "Resource Owner" Reviewer: Ensure a resource has no defined owner.

  2. Launch Campaign: Launch the campaign with a limited scope that includes your test user/resource.

  3. Verify Notification: Confirm that all members of the Distribution List (not just the service account itself) receive the email notification from Okta that a review has been assigned to them. The email will indicate the review is assigned to the service account name, but the DL ensures all members are notified.
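The two parts of this procedure that can be checked before launch, as an added example (not from this article or from Okta): building the create-user request for the service account exactly as the first section describes, and scanning a directory snapshot for active users with no populated managerId, which is the "Manager" test scenario above. It assumes the Okta Users API endpoint POST /api/v1/users?activate=false; the DL address and the user records are constructed sample data.

```python
# Added example (not from the Okta article). Assumes the Okta Users API
# (POST /api/v1/users?activate=false) and a directory snapshot shaped like its
# user objects; the DL address and snapshot below are constructed sample data.
from typing import List

DL_ADDRESS = "security_team_dl@domain.com"  # existing DL (constructed value)

def fallback_reviewer_request(login: str, dl_email: str) -> dict:
    """Build the create-user request for the non-human fallback reviewer.

    activate=false mirrors leaving 'Send user activation now' unchecked; the
    primary email is the DL so every member receives the review notification.
    """
    if login.lower() == dl_email.lower():
        raise ValueError("login must be a distinct functional username, not the DL")
    return {
        "method": "POST",
        "path": "/api/v1/users?activate=false",
        "body": {"profile": {"firstName": "Fallback", "lastName": "Reviewers",
                             "login": login, "email": dl_email}},
    }

def users_without_manager(users: List[dict]) -> List[str]:
    """Logins of ACTIVE users whose profile has no populated managerId.

    Each one triggers the fallback reviewer in a Manager-reviewed campaign, so
    the list yields both a test candidate and the expected fallback volume.
    """
    hits = []
    for u in users:
        if u.get("status") != "ACTIVE":  # consider only active users
            continue
        manager = (u.get("profile", {}).get("managerId") or "").strip()
        if not manager:  # attribute absent, null or blank
            hits.append(u["profile"]["login"])
    return hits

# Constructed directory snapshot in the shape of Okta user objects.
SAMPLE_USERS = [
    {"status": "ACTIVE", "profile": {"login": "alice@domain.com", "managerId": "carol@domain.com"}},
    {"status": "ACTIVE", "profile": {"login": "bob@domain.com", "managerId": ""}},
    {"status": "ACTIVE", "profile": {"login": "dave@domain.com"}},
    {"status": "DEPROVISIONED", "profile": {"login": "eve@domain.com"}},
]

if __name__ == "__main__":
    print(fallback_reviewer_request("ac_fallback_reviewer@domain.com", DL_ADDRESS))
    print("fallback candidates:", users_without_manager(SAMPLE_USERS))
```

A large result from the manager scan before launch means the DL members, not individual managers, will carry most of the review load, which is worth knowing before scoping the campaign.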

This configuration works within Okta's single-user requirement for the Fallback Reviewer while ensuring multiple individuals are alerted and can take action, effectively achieving a group Fallback Reviewer through email distribution.
