Read Only Impersonation Access System Logs Audit Events
Okta Identity Engine
Administration
Overview

Okta provides a transparent audit trail for all instances where Okta Support is granted access to the customer environment. Impersonation cannot occur without explicit approval from a Super Admin.

Applies To
  • Read Only Impersonation Access
  • Okta Identity Engine (OIE)
Solution

There are five specific event types used to track the lifecycle of support access, from the initial grant through session termination.

 

Event Types and Descriptions

| Event Type | Description |
| --- | --- |
| user.session.impersonation.grant | Recorded when a Super Admin grants Okta Support access to the org. Use this to see who approved access and when. |
| user.session.impersonation.revoke | Recorded when a Super Admin manually revokes support access before the original expiration time. |
| user.session.impersonation.extend | Recorded when a Super Admin extends the duration of the currently active support access. |
| user.session.impersonation.initiate | Recorded the moment an Okta Support Engineer actually signs into the org using the granted permission. |
| user.session.impersonation.end | Recorded when the Support Engineer signs out, or the impersonation session expires/ends. |

These logs ensure a full audit trail and guarantee that Okta Support access is always authorized by internal admins. By monitoring these five events, security teams can verify exactly who granted access, when the support session occurred, and when it concluded.

 

How to Search the Logs

The steps below can be followed to audit these actions:

  1. Log in to the Okta Admin Console.
  2. Navigate to Reports > System Log.
  3. In the search bar, enter the desired query using the eventType syntax.
    • Example: eventType eq "user.session.impersonation.initiate".
  4. Adjust the time range as needed and click the Search (magnifying glass) icon.
  5. Expand the log entry to view detailed information, including the actor and the timestamp.

 

Audit and Retention

  • Default Retention: All impersonation events are retained in the Okta System Log for 90 days.
  • Long-term Storage: If compliance requirements exceed 90 days, it is recommended to export these logs via the Okta API or stream them to a Security Information and Event Management (SIEM) system (for example, Splunk, Sumo Logic, or Datadog).
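
Once the events are exported, the check described above (who granted access, when the session started, when it ended) can be automated. The following is an added example, not Okta's code: it builds one filter expression for all five event types and replays exported events to pair each support session with the grant in force, listing anything that needs review. The record fields used (eventType, published, actor.alternateId) are assumed to follow the System Log event JSON, and the sample events are constructed.

```python
PREFIX = "user.session.impersonation."
KINDS = ("grant", "revoke", "extend", "initiate", "end")

def build_filter():
    """One System Log filter expression covering all five event types."""
    return " or ".join(f'eventType eq "{PREFIX}{k}"' for k in KINDS)

def audit(events):
    """Replay events in time order (ISO 8601 UTC strings sort by time)."""
    granted_by, current = None, None  # approving admin; open support session
    sessions, findings = [], []
    for ev in sorted(events, key=lambda e: e["published"]):
        kind = ev["eventType"][len(PREFIX):]
        who, when = ev["actor"]["alternateId"], ev["published"]
        if kind == "grant":
            granted_by = who
        elif kind == "revoke":
            granted_by = None
        elif kind == "extend" and granted_by is None:
            findings.append(f"{when}: extend with no grant in the export")
        elif kind == "initiate":
            # A grant can expire on its own or predate the export window,
            # so this is a lead for review, not proof of unapproved access.
            if granted_by is None:
                findings.append(f"{when}: initiate by {who}, no grant in force")
            current = {"granted_by": granted_by, "initiated_by": who,
                       "start": when, "end": None}
            sessions.append(current)
        elif kind == "end":
            if current is None:
                findings.append(f"{when}: end with no matching initiate")
            else:
                current["end"], current = when, None
    if current is not None:
        findings.append(f"{current['start']}: session has no end event yet")
    return sessions, findings

def _ev(kind, who, when):  # constructed record with only the fields used
    return {"eventType": PREFIX + kind, "published": when, "actor": {"alternateId": who}}

SAMPLE = [  # constructed events, not real log data
    _ev("grant", "admin@example.com", "2024-05-01T10:00:00.000Z"),
    _ev("initiate", "support.engineer@example.com", "2024-05-01T10:05:00.000Z"),
    _ev("end", "support.engineer@example.com", "2024-05-01T10:40:00.000Z"),
    _ev("revoke", "admin@example.com", "2024-05-01T11:00:00.000Z"),
    _ev("initiate", "support.engineer@example.com", "2024-05-01T12:00:00.000Z"),
]

if __name__ == "__main__":
    print(build_filter(), *audit(SAMPLE), sep="\n")
```

On the sample, the first session is paired with the admin who granted access, and the second is reported twice: it starts after the revoke and has no end event.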

 
