Troubleshooting Admin Role Campaigns
Okta Classic Engine
Identity Governance
Okta Identity Engine
To deliver the most impactful access certification reviews for your organization’s most sensitive resources, having the ability to review at the user level is a security must.  Due to the sensitivity of Administrative roles, certain campaigns with reviewers are not supported.  This article will highlight what is supported and which combinations are not.

Overview

Admin role-centric access certification campaigns enable organizations to align access privileges with the principle of least privilege, granting users only the necessary access required to fulfill their responsibilities. This approach minimizes the risk of unauthorized access, insider threats, and data breaches, as access permissions are tailored to each individual's role and responsibilities.  
 

Assumptions

  • Self review is not supported for Admin Roles
  • Manager and Group reviews always use Fallback Reviewer
  • Group Owner reviewer is not supported
 

Applies To

  • Access Certifications of Admin Roles
 

Solution

Scenarios

  • Scenario 1: User added to the campaign is also selected as the Reviewer
  • Scenario 2: User added to the campaign is identified as their own Manager, and Manager is selected as the reviewer
  • Scenario 3: User added to the campaign is also a member of the Group selected as the reviewer
  • Scenario 4: Group Owner reviewer is not supported
  • Scenario 5: User added to the campaign, and the Custom reviewer (expression) option is selected

Scenario 1:

If the user is targeted as the resource of a campaign and is also added as the Reviewer, the campaign will fail with the following error:

<user> cannot be assigned their own review item because self-review is disabled for this campaign.

Result:

Scenario 2A:

If the user is targeted as the resource of a campaign and is also mapped in the profile as their own manager, and another user is assigned as the Fallback Reviewer, then because the Fallback Reviewer is not the target of the review, the Fallback Reviewer is automatically selected as the reviewer.

Result: 

Scenario 2B:

If the user is targeted as the resource of a campaign and is also mapped in the profile as their own manager, and the same user is also assigned as the Fallback Reviewer, then because the Fallback Reviewer is the same as the manager and is the target of the review, the campaign will fail with the following error:

<user> cannot be assigned their own review item because self-review is disabled for this campaign.
 

Result: 

Scenario 2C:

If the user is targeted as the resource of a campaign, is not mapped in the profile as their own manager, and the same user is selected as the Fallback Reviewer, then because the user's manager is not the user themself, the review will succeed: the manager is used and the Fallback Reviewer is not needed.
 

Result: 

Scenario 2D:

If the user is targeted as the resource of a campaign and is not mapped in the profile as their own manager, but the user who is mapped as their manager isn't active within Okta, and the Fallback Reviewer is set to the user being reviewed, then the Fallback Reviewer is used in place of the inactive manager. Because the Fallback Reviewer is the same as the user being reviewed, the campaign will fail with the following error:

<user> cannot be assigned their own review item because self-review is disabled for this campaign.
 

Result: 

Scenario 3A:

If the user is targeted as the resource of a campaign and is the only member of the group assigned as the Group Reviewer, the user would be self-reviewing, and the campaign will fail with the following error:

<user> cannot be assigned their own review item because self-review is disabled for this campaign.

Result: 

Scenario 3B:

If the user is targeted as the resource of a campaign and is a member, but not the only member, of the group assigned as the Group Reviewer, the user would be self-reviewing except that there are other users in the group. The campaign will succeed, but the user will not be included as a reviewer in the campaign.

Result: 

Scenario 4:

If a user is targeted as the resource of a campaign, the Group Owner reviewer type is not supported, so this type of campaign cannot be created.

Result: 

Scenario 5A:

If the user is targeted as the resource of a campaign and the Custom option is selected as the reviewer, and the custom expression does not resolve the user being reviewed, the campaign succeeds.

Result: 

Scenario 5B:

If the user is targeted as the resource of a campaign and the Custom option is selected as the reviewer, and the custom expression does resolve the user being reviewed but the Fallback Reviewer is not the same user, the campaign succeeds using the user resolved by the expression. The Fallback Reviewer is not used.

Result: 

Scenario 5C:

If the user is targeted as the resource of a campaign and the Custom option is selected as the reviewer, and the custom expression does not resolve the user being reviewed but the Fallback Reviewer is the same user, the campaign succeeds because the Fallback Reviewer is used.

Result: 

Scenario 5D:

If the user is targeted as the resource of a campaign and the Custom option is selected as the reviewer, and the custom expression does resolve the user being reviewed while the Fallback Reviewer is the same user, the campaign fails because both the resolved reviewer and the Fallback Reviewer are the same as the user being reviewed. The campaign will fail with the following error:

<user> cannot be assigned their own review item because self-review is disabled for this campaign.

Result: 
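The scenarios above all reduce to one question: after Okta substitutes the manager, group members, expression result or Fallback Reviewer, does the effective reviewer collapse to the user being reviewed? The following Python pre-flight check encodes those outcomes so a campaign configuration can be validated against a directory export before the campaign is created. It is an added example, not Okta's code or API: the `User` and `Outcome` types, the `resolve_reviewers` and `check_campaign` functions, the reviewer-type strings and the sample directory are all constructed here. The custom-expression branch models only scenarios 5A and 5D, whose outcomes the article states unambiguously, and refuses the remaining combination rather than guessing.

```python
"""Pre-flight self-review check for admin-role access certification campaigns.

Added example (not Okta's own code). Encodes the reviewer-resolution outcomes
of scenarios 1, 2A-2D, 3A-3B, 4, 5A and 5D using constructed directory data;
no Okta API calls are made.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Error text as quoted in the article, with the login substituted for <user>.
SELF_REVIEW_ERROR = (
    "{user} cannot be assigned their own review item because "
    "self-review is disabled for this campaign."
)


@dataclass(frozen=True)
class User:
    login: str
    manager: Optional[str] = None   # login taken from the profile's manager attribute
    active: bool = True


@dataclass(frozen=True)
class Outcome:
    ok: bool
    reviewers: tuple = ()           # effective reviewers when ok is True
    error: str = ""                 # self-review error when ok is False


def resolve_reviewers(
    target: str,
    reviewer_type: str,
    directory: dict,
    *,
    reviewer: Optional[str] = None,          # reviewer_type == "user"
    group_members: tuple = (),               # reviewer_type == "group"
    fallback: Optional[str] = None,          # Fallback Reviewer (manager/custom)
    expression: Optional[Callable[[User], str]] = None,  # reviewer_type == "custom"
) -> Outcome:
    """Return who would review `target`, or the self-review failure."""
    user = directory[target]
    fail = Outcome(False, error=SELF_REVIEW_ERROR.format(user=target))

    if reviewer_type == "user":                       # Scenario 1
        return fail if reviewer == target else Outcome(True, (reviewer,))

    if reviewer_type == "manager":                    # Scenarios 2A-2D
        if fallback is None:
            raise ValueError("manager review always requires a Fallback Reviewer")
        mgr = user.manager
        mgr_usable = (
            mgr is not None and mgr != target
            and mgr in directory and directory[mgr].active
        )
        if mgr_usable:
            return Outcome(True, (mgr,))              # 2C: fallback not needed
        # Self-mapped (2A/2B) or inactive manager (2D): Fallback Reviewer is used.
        return fail if fallback == target else Outcome(True, (fallback,))

    if reviewer_type == "group":                      # Scenarios 3A/3B
        others = tuple(m for m in group_members if m != target)
        return Outcome(True, others) if others else fail

    if reviewer_type == "group_owner":                # Scenario 4
        raise ValueError("Group Owner reviewer is not supported for admin-role campaigns")

    if reviewer_type == "custom":                     # Scenarios 5A/5D only
        if expression is None or fallback is None:
            raise ValueError("custom review requires an expression and a Fallback Reviewer")
        resolved = expression(user)
        if resolved != target:
            return Outcome(True, (resolved,))         # 5A
        if fallback == target:
            return fail                               # 5D
        raise ValueError("expression resolved the target with a different fallback; "
                         "not modelled here (see scenarios 5B/5C)")

    raise ValueError(f"unknown reviewer type {reviewer_type!r}")


def check_campaign(targets, **config) -> list:
    """Run the check for every targeted user; return the errors the campaign would hit."""
    errors = []
    for target in targets:
        outcome = resolve_reviewers(target, **config)
        if not outcome.ok:
            errors.append(outcome.error)
    return errors


# Constructed sample directory (not real accounts).
DIRECTORY = {
    "alice": User("alice", manager="alice"),          # mapped as her own manager
    "bob":   User("bob", manager="carol"),
    "carol": User("carol", manager="dave"),
    "dave":  User("dave", active=False),              # deactivated in Okta
    "erin":  User("erin", manager="dave"),            # manager is inactive
}

if __name__ == "__main__":
    # Scenario 2D: inactive manager and fallback equal to the target.
    print(check_campaign(["erin", "bob"], reviewer_type="manager",
                         directory=DIRECTORY, fallback="erin"))
```

Run the module directly to see scenario 2D reported for `erin` while `bob` resolves to his active manager; the same call pattern with a real directory export would list every targeted admin for whom the chosen reviewer configuration degenerates into self-review.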
