Streamlining Access: Elevating Okta Identity Governance with Delegate Configurations
Okta Classic Engine
Identity Governance
Okta Identity Engine

Overview

The primary function of configuring delegates is to empower designated individuals to act on behalf of others for three key processes:

  • Access Certifications: When an individual responsible for reviewing and certifying access to various applications and resources is unavailable (e.g., due to vacation, leave of absence, or a change in roles), a preconfigured delegate can step in. This ensures that critical access reviews are not delayed, thereby maintaining compliance and security posture. The delegate assumes the responsibility of reviewing access, making decisions, and completing the certification process within the defined timelines.

  • Access Requests: Similarly, if a manager or approver is unavailable to act on pending access requests, a delegate can be configured to take over this duty. This prevents bottlenecks in the access provisioning process, allowing employees to gain necessary access in a timely manner. The delegate can review, approve, or deny access requests based on established policies and business needs.

  • Executive Reviews: Organizations may prefer that governance tasks assigned to executives be handled by a designated delegate rather than by the executives themselves.

 

The configuration of delegates within Okta Identity Governance (OIG) is not merely a convenience; it is an essential component of robust identity governance. It helps organizations:

  • Maintain Operational Efficiency: Prevents delays in critical identity governance processes, ensuring smooth business operations.

  • Ensure Compliance: Guarantees that access certifications are completed on schedule, helping organizations meet regulatory requirements and audit demands.

  • Enhance Security: By preventing access review backlogs, it reduces the window of opportunity for unauthorized access to persist.

  • Provide Flexibility: Offers organizations the ability to adapt to changes in personnel and workloads without compromising governance standards.

 

Therefore, understanding and properly utilizing the delegate functionality within OIG's Access Certification and Request Delegate Settings is fundamental for any organization aiming to achieve effective and resilient identity governance.

This guide details configuring delegates for Access Certifications and Access Requests within the Okta UI and through the API. Configurations made in Access Certifications will automatically apply to Access Requests in the Okta UI, and vice versa.

 

Identify the Target Group

Delegates for OIG can be assigned in three ways: by the end user, by an Okta Administrator, or programmatically. The decision of who should be assigned a delegate is a business decision often based on evaluating user profile attributes.

 

For example, an identifier like user.profile.isReviewer = False could exempt certain users from campaigns, or user.profile.title = Vice President could be used to identify executives who require delegation. Okta Workflows can be a valuable tool to search for users fitting these criteria. The output of this process can then be used in a report or via Okta Workflows to automatically set the delegate.

 

Configure a Delegate

Delegates in Okta can be managed by both administrators and end users for Access Certifications and Access Requests. In OIG, delegates can be set up either at the user level or by an administrator/API.

 

Administrator Configuration:

  1. Enable User-Assigned Delegates:

    1. In the Okta Admin Console, navigate to Identity Governance > Settings.

    2. Under "Delegates," enable the User-assigned delegates option.

      • This grants users the ability to manage their own delegates directly from the UI for both Access Certifications and Access Requests.

    3. Note on Delegation Eligibility: You have the flexibility to disable end users from setting their own delegates based on the organization's business rules.

  2. Assign Delegates for Individual Users:

    1. In the Okta Admin Console, go to Directory > People.

    2. Select the desired user.

    3. Navigate to the "Delegate" tab and click the Assign a delegate button.

      • This allows administrators to set a delegate on behalf of a user, particularly for reviews assigned in Access Certifications.

Screenshot of No delegates assigned message and Assign a delegate button

    4. Choose the delegate, set an expiration date if necessary, and add a note. Click Save to confirm.

Screenshot of assigning a delegate and adding a note

Screenshot of delegate assigned after clicking save

       

 

End User Configuration

To configure a delegate for end users, follow these steps:

  1. Navigate to the End User Dashboard: Open the Okta Access Certification application.

  2. Select the Delegate option: In the top right corner of the page, click on your name and then select the "Delegate" link.
    Screenshot of clicking user's name to display the Delegate option 

  3. Under the Delegate tab, select the Assign a delegate button.

    • This allows admins to set a delegate on behalf of an executive. This applies to reviews assigned in Access Certifications.

Screenshot of No delegates assigned message and Assign a delegate button

  4. Select the delegate, set an expiration if needed, and add a note. When complete, click Save.

Screenshot of assigning a delegate and adding a note

Screenshot of delegate assigned after clicking save

 

For Admins, a delegate can be set using an API:

 

Set a delegate

PATCH: https://{OktaDomain}/governance/api/v1/principal-settings/{targetPrincipalId}

JSON body:

{
  "delegates": {
    "appointments": [
      {
        "delegate": {
          "type": "OKTA_USER",
          "externalId": "00u2lxfQaw8WRlkQt0g4"
        },
        "note": "Johnny Appleseed is on parental leave"
      }
    ]
  }
}

 

Set no delegate

PATCH: https://{OktaDomain}/governance/api/v1/principal-settings/{targetPrincipalId}

JSON body:

{
  "delegates": {
    "appointments": []
  }
}
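
The target-group selection described under "Identify the Target Group" and the two PATCH calls above can be combined in one script. The following Python is an added example, not Okta's code: it builds the requests without sending them and validates IDs before they reach the URL path. The SSWS API-token header, the user-ID pattern, the required-note and no-self-delegation checks, the example.okta.com domain and the sample users are assumptions made for illustration.

```python
import json
import re
import urllib.request

# Assumption: user IDs have the shape of the page's sample ("00u" + 17 alphanumerics).
OKTA_USER_ID = re.compile(r"00u[0-9A-Za-z]{17}")

def needs_delegate(user):
    """Selection rule taken from the page's example: executives by title."""
    return user["profile"].get("title") == "Vice President"

def delegate_body(delegate_id=None, note=None):
    """Body shown on the page; with no delegate_id, the 'set no delegate' body."""
    if delegate_id is None:
        return {"delegates": {"appointments": []}}
    if not note or not note.strip():  # local policy (assumption): always record why
        raise ValueError("a note explaining the delegation is required")
    return {"delegates": {"appointments": [
        {"delegate": {"type": "OKTA_USER", "externalId": delegate_id}, "note": note}]}}

def build_patch(okta_domain, api_token, target_id, delegate_id=None, note=None):
    """Build, but do not send, the PATCH for one principal's delegate settings."""
    for uid in (target_id,) if delegate_id is None else (target_id, delegate_id):
        # Rejecting malformed IDs also keeps '/', '?' and '..' out of the URL path.
        if not isinstance(uid, str) or not OKTA_USER_ID.fullmatch(uid):
            raise ValueError(f"not an Okta user ID: {uid!r}")
    if delegate_id == target_id:  # local policy (assumption): no self-delegation
        raise ValueError("target and delegate must be different users")
    return urllib.request.Request(
        f"https://{okta_domain}/governance/api/v1/principal-settings/{target_id}",
        data=json.dumps(delegate_body(delegate_id, note)).encode(),
        method="PATCH",
        headers={"Authorization": f"SSWS {api_token}",  # assumption: API-token auth
                 "Content-Type": "application/json", "Accept": "application/json"})

def plan(users, delegate_id, note, okta_domain="example.okta.com", api_token="PLACEHOLDER"):
    """One unsent request per user matched by needs_delegate()."""
    return [build_patch(okta_domain, api_token, u["id"], delegate_id, note)
            for u in users if needs_delegate(u)]

# Constructed sample users; only DELEGATE is the sample ID from the page.
USERS = [
    {"id": "00u" + "A" * 17, "profile": {"title": "Vice President"}},
    {"id": "00u" + "B" * 17, "profile": {"title": "Engineer", "isReviewer": False}},
]
DELEGATE = "00u2lxfQaw8WRlkQt0g4"

if __name__ == "__main__":
    for req in plan(USERS, DELEGATE, "VP reviews handled by delegate"):
        print(req.get_method(), req.full_url, req.data.decode())
```

Passing each returned request to urllib.request.urlopen() would send it; printing the plan first gives a reviewable record of which principals will receive which delegate.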


