Targeting users based on a Realm in Access Certifications is possible. This article details how to set up a realm and report on it, showing how to create those Realm-based Campaigns with OIG.
Realms enable efficient management of user populations within a single organization. Realms partition users in the Universal Directory while allowing resource sharing. Each realm stores and manages users separately within an Okta org. Realms enable the delegation of user and group administration to external collaborators or business units.
Realm centric access certification campaigns will enable organizations to run campaign scoping users within a specific realm.
- Access Certifications
- Realms
Steps
To enable Realms
- Log into Okta as an Administrator with the Access Certification role or Super Admin.
- Select Settings / Features menu.
- Locate the Realms feature and enable it.
To create a new Access Certification:
- Log into Okta as an Administrator with the Access Certification role or Super Admin.
- Select the Identity Governance menu.
- Select the Access Certification application.
- Locate and click the blue + Create campaign button.
- Select Resource Campaign.
- Fill out each step to create a campaign.
Step 1: General
- Enter the name of the campaign.
- Enter an option description.
- The description is visible to the reviewer and can be used as part of a verification rule.
- Select the start date/time, time zone.
- Select the duration of time the campaign will run. Note: A duration of at least 8 days is required as a minimum to support multiple levels of reviewers.
- Lastly, select Make this recurring and set up those related options as needed if desired.
- Click the Next button.
Step 2: Resources
Option: Applications
- Select Applications from the dropdown
- Enable Review entitlements toggle button
- Use the Select application box to pick Okta Admin Console as an application.
- Use the Select Scope box to select the option to limit the campaign scope to All entitlements and Bundles or Select Specific entitlements and bundles.
- Click Next.
Step 3: Users
Select the user's scope for this campaign. The options are:
Option 1: All users assigned to the selected resources
Option 2: Specify users in scope
- Select user scope.
- Use the Scope Users box to type in an Okta Expression to identify users based upon Okta Expression Language. Feel free to click Sample expressions or the Okta Expression Language guide as reference.
- Click Next.
Step 4: Reviewer
The Multi level reviewer offers some of the same types of possible reviewers but now includes more than the single layer reviews.
NOTE: If reviewing Applications, the Group Owner will be grayed out as that is not a supported review type. Also, the same person cannot be both levels of reviewers.
- Select the First-level reviewer by clicking the appropriate box on the screen.
NOTE: Options applicable to the selected reviewer will be displayed. Clicking the Pencil icon to the right of the reviewer type will return to the previous selection screen.
- Select Preview Reviewer and verify the settings.
|
Reviewer Type |
Explanation |
|
User |
Specify the single user in the search to assign. |
|
Manager |
Specify the Fallback Reviewer in case the managerId attribute of the user being reviewed isn’t populated with their manager’s Okta account login. |
|
Group |
Select the group that will be the reviewers. |
|
Group Owner |
Only applies if reviewing Resource Type of Group, specify the Fallback Reviewer. |
|
Custom |
Enter in the Okta Expression Language to search another attribute within the user's profile to locate a user’s account login that will be the reviewer. Specify the Fallback Reviewer. |
For Multi-level Reviewer setup:
- Click + Add level.
- Follow the same steps for Single Level reviewer above except the Reviewer type cannot be reused if selected in the first level review.
- Select Preview 2nd level Reviewer and verify the settings.
|
Reviewer Type |
Explanation |
|
User |
Specify the single user in the search to assign. |
|
Manager |
Specify the Fallback Reviewer in case the managerId attribute of the user being reviewed isn’t populated with their manager’s Okta account login. |
|
Group |
Select the group that will be the reviewers. |
|
Group Owner |
Only applies if reviewing Resource Type of Group, specify the Fallback Reviewer. |
|
Custom |
Enter in the Okta Expression Language to search another attribute within the user's profile to locate a user’s account login that will be the reviewer. Specify the Fallback Reviewer. |
When multi level reviews are configured, Additional Settings are available to configure.
- Select option for which decision go to the second level.
These settings allows to define which decisions may or may not be reviewed by the second level reviewer and when the second level review should start.
Second level reviewers will have visibility into only items moving onto the second level. When that second level reviewer should see all items, it’s recommended to pass on both approved and revoked decisions.
NOTE: Reviews less than 8 days will not support a 2nd level review flow. Items that have not been completed by the first level reviewer before the second level review begins will be marked as overdue, and it’s recommended to enable the overdue notifications so that these reviewers know and complete their reviews quickly.
- Expand the Notification settings section.
- Choose the notifications to be sent as part of this campaign..
- To switch back to a Single level review for the campaign, simply click the Remove Level button on the screen.
- Click the Next button.
Step 5: Remediation
- Select the appropriate remediation steps by selecting the appropriate radio button.
|
Reviewer revokes Access: | |
|
Don’t take any Action |
Remove user from resource |
|
Reviewer does not response: | |
|
Don’t take any Action |
Remove user from resource |
- Click the Schedule Campaign button to finish creating the campaign.
- From there, wait until the time scheduled to start, or as an Admin, Launch, Edit, or Delete a scheduled campaign.
Related References
