Understanding Filters in Access Certifications
In an organization, multiple access campaigns can be running, and each of these campaigns can have a large number of access reviews that have been completed or that have yet to be reviewed. Now, if there is a need to just look up a particular access review, how can that be found among the hundreds or thousands of access reviews? Campaign Filters help narrow down the particular access review. Let us dive into the world of Filters to understand how these can be leveraged.
Overview
Before diving into the world of Filters, let us take a look at what OIG Access Certifications are. Access Certification is a mechanism to review and verify a user’s access to any resources within an organization. This is required to keep the access of users in check and in compliance with various regulations or company directives. When performing access reviews of hundreds of thousands of users, a reviewer may want to see only the users from a particular group or those assigned to a particular application, and this can be achieved using Filters. Filters are attributes of the user in the Okta org that can be used to view specific access reviews. There are many filters present in Okta Access Certification, but a few of them are available only to Administrators.
Furthermore, the Access Campaign reports have filters that can be used to generate and export custom reports. This helps an organization meet compliance and regulatory requirements. These reports can also be used when migrating applications to Entitlement Management.
In the Okta Access Certification console, select any of the open campaigns, and the view below will be presented. The strawberry menu button on the right side of the page is the filter button, which allows for exploring and applying filters.
To begin with, Okta Identity Governance provides two primary types of campaigns: Resource Campaigns and User Campaigns. Resource campaigns can be further configured for either an application or a group. These different types of campaigns provide different attributes in the filters. Let us understand each of them one by one.
- Resource Campaign (Application)
- Resource Campaign (Group)
- User Campaign
Some filters are common to all the above-mentioned campaigns, and a few are specific to each of the three different access campaigns. The diagram below helps to understand which filters are available in which type of access certification campaigns.
User
It signifies the Full Name of the user. Using this attribute, access reviews can be filtered for a specific user by providing their Full Name.
Email
The Email filter is the email address of the user who is under review for the given campaign. Using this filter, only the access reviews associated with the user with a given email address will be shown.
Resource
The filter resource is the name of the resource against which the review of the user is being conducted. The resource attribute signifies different resources in different campaigns as mentioned below.
- In Application based Campaign, it signifies the application name for which the campaign is running.
- In Group based Campaign, it is the group.
- In User based Campaign, it is the application or group associated with the user.
Cost Center
This attribute is the cost center associated with the user who is under review. It helps to filter out all the users who are associated with a particular cost center.
Department
This attribute is the name of the department that the user belongs to. It helps to filter and view all the access reviews associated with a particular department.
Group Description
This attribute is the description provided to the Groups in Okta. It can be used to filter the access reviews associated with a group having a particular group description or containing specific words in the group description. It is useful when the name of the group is not available.
Last Reviewed
It describes when this particular access was last reviewed by anyone. This is a date-based filter which allows the selection of a particular date. It further provides the conditions Before, After, In range and Not in range, using which the access reviews can be filtered for a particular timeline.
For example, a manager wants to filter out people whose access has been reviewed in the last month. The manager will use this filter with the “In range” condition and provide the dates between which the access was reviewed. This will list all the users whose access has been reviewed between the provided dates.
Manager
This attribute represents the manager of the user whose access review is being performed.
Organization
This attribute represents the organization of the user whose access review is being performed.
Title
This attribute shows the Title of the user, if any, that has been assigned to the user in an organization.
User Status
This attribute shows the status of the user in the Okta org. The status of the user can be Staged, Provisioned, Active, Recovery, Password Expired, Locked out, Suspended, or Deprovisioned. So, the reviews can be filtered out only for users with a particular status. For more information about what each of these statuses represents, refer to the User account status document.
User Type
This attribute shows the type of user in the Okta Universal Directory. The user type can be the default user type or any of the custom user types. For more information on user types, refer to the Work with Universal Directory user types document.
Username
This attribute is the username of the user, which is stored in the Okta Universal Directory. It can be used to filter out all the access reviews of a single user using their username.
Entitlement
This filter allows users to view the access reviews based on the entitlement assigned to a single user. It comes with only one condition which is Equals and the value box shows the different entitlements available to be filtered.
Application Assigned Date
This filter allows users to view the access reviews based on the date when the application was assigned to a user. It provides 4 different conditions as Before, After, In Range and Not in Range. The value box is a date datatype where the date can be selected based on the requirement.
Application Assignment Type
This filter allows users to view the access reviews based on the method using which the application was assigned to the user. There are seven different types of application assignment methods: Access Request, Admin, App Group, Group, Group Rule, Custom, and Policy.
Application Last Accessed Date
This filter allows users to view access reviews based on the last accessed date of the application by a user. It provides 4 different conditions as Before, After, In Range and Not in Range. The value box is a date datatype where the date can be selected based on the requirement.
Application Name
This filter allows users to view the access reviews based on the name of the application. It provides conditions such as Equals, Starts With and Contains. The name of the application has to be fed manually into the value box.
Application Usage
This filter allows users to view the access reviews based on the number of times the user has accessed the application. It provides conditions such as Equals, Less than, Greater than, and In Range.
Bundle Description
This filter allows users to view the access reviews based on the description provided for the bundle assigned to a user.
Reviewer
This filter allows users to view the access reviews assigned to a particular reviewer. So, an Access Review Administrator can view all the access reviews assigned to a particular user for review. This filter corresponds to the full name of the reviewer.
Remediation
This filter allows users to view all the access reviews based on their remediation status. Remediation statuses can be Completed, Manual Remediation and Failed. This filter can be used by an Administrator to view all the access reviews with a particular remediation status.
Assignment Type
This filter allows users to view all the access reviews based on how the application or entitlement was assigned to the user. It provides an Equals condition along with seven different values, which are Access Request, Admin, App Group, Group Rule, Custom and Policy.
City
This filter allows users to view all the access reviews of users who are based out of a particular city. It provides three conditions as Equals, Starts With and Contains.
State
This filter allows users to view all the access reviews of users who are based out of a particular state. It provides three conditions as Equals, Starts With and Contains.
Country Code
This filter allows users to view all the access reviews of users who are based out of a particular country. It provides three conditions as Equals, Starts With and Contains.
Decision
This filter allows users to view all the access reviews based on the decision taken for the reviews, which can be Access Approved, Access Revoked, Reassigned, and Not Reviewed.
Display Name
This filter allows users to view all the access reviews of a particular user by using their Display Name in Okta. It provides three conditions as Equals, Starts With and Contains.
Division
This filter allows users to view all the access reviews of users who are linked to a particular division. It provides three conditions as Equals, Starts With and Contains.
ManagerID
This filter allows users to view all the access reviews of users who are linked to a given ManagerID. It provides three conditions as Equals, Starts With and Contains.
NOTE: As mentioned above, there are a few filters that are accessible to Administrators only. They are discussed below:
Remediation
This filter allows users to view all the access reviews that have been completed based on their remediation status. Remediation status shows what action has been taken based on the decision taken by a reviewer. There are three remediation statuses that can be used to filter the reviews: Completed, Manual Remediation, and Failed.
Review Level
This filter allows users to view all the access reviews based on their current review level. Review Level shows if the review is pending with first level reviewer or second level reviewer.
Reviewer
This filter allows users to view all the access reviews which have been assigned to a particular user for review. It provides three conditions as Equals, Starts With and Contains. And the value to be provided is the Full Name of the required reviewer.
Certification
This filter allows users to view the access reviews with a particular certification status. The certification status shows if the access of the user has been approved, revoked, reassigned or not certified. It can be used by Administrators to view all the access reviews which have not been certified.
The table below provides a more unified view of the filters across different user types and campaigns.
| Filter Name | End User: User based Campaign | End User: Application based Campaign | End User: Group based Campaign | Administrator: User based Campaign | Administrator: Application based Campaign | Administrator: Group based Campaign |
|---|---|---|---|---|---|---|
| Application Assigned Date | X | X | X | X | | |
| Application Assignment Type | X | X | X | X | | |
| Application Last Accessed Date | X | X | X | X | | |
| Application Name | X | X | X | X | | |
| Application Usage | X | X | X | X | | |
| Assignment Type | X | X | X | X | | |
| Bundle Description | X | X | X | X | | |
| Certification | | | | X | X | X |
| City | X | X | X | X | X | X |
| Cost Center | X | X | X | X | X | X |
| Country Code | X | X | X | X | X | X |
| Decision | X | X | X | X | X | X |
| Department | X | X | X | X | X | X |
| Display Name | X | X | X | X | X | X |
| Division | X | X | X | X | X | X |
| Email | X | X | X | X | X | X |
| Entitlement | X | X | X | X | | |
| Group Description | X | X | X | X | | |
| Group Source | X | X | X | X | | |
| Last Reviewed | X | X | X | X | X | |
| Manager | X | X | X | X | X | X |
| ManagerID | X | X | X | X | X | X |
| Organization | X | X | X | X | X | |
| Remediation | | | | X | X | X |
| Resource | X | X | X | X | X | X |
| Review Level | | | | X | X | X |
| Reviewer | | | | X | X | X |
| State | X | X | X | X | X | X |
| Title | X | X | X | X | X | X |
| User | X | X | X | X | X | X |
| User Status | X | X | X | X | X | X |
| User Type | X | X | X | X | X | X |
| Username | X | X | X | X | X | X |
