Using User Campaigns in Access Certification
Okta Classic Engine
Identity Governance
Okta Identity Engine

Overview

To deliver the most effective access certification reviews for your organization's most sensitive resources, you need to be able to review access at the user level. Here is how to create those User Campaigns with Okta Identity Governance (OIG).

User-centric access certification campaigns let organizations align access privileges with the principle of least privilege, granting users only the access they need to fulfil their responsibilities. Because access permissions are reviewed against each individual's role and responsibilities, this minimizes the risk of unauthorized access, insider threats, and data breaches. It also opens the door to event-driven governance: a security-relevant change (for example, a department change) can trigger a user-based campaign reactively rather than waiting for the next scheduled review.
 

Applies To

  • Access Certifications
 

Solution

  To create a new Access Certification:

  1. Log in to Okta as an Administrator with the Access Certification role or as a Super Admin.
  2. Select the Identity Governance menu.
  3. Select the Access Certification application.
  4. Locate and click the blue + Create campaign button.
  5. Select User Campaign.
  6. Fill out each step to create the campaign.

Step 1: General


  1. Enter the name of the campaign.
  2. Enter an optional description. The description is visible to the reviewer and can be used as part of a verification rule.
  3. Select the start date, time, and time zone.
  4. Select the duration the campaign will run. Note: a duration of at least 8 days is required to support multiple levels of reviewers.
  5. Optionally, select Make this recurring and configure the recurrence options as needed.
  6. Click the Next button.

 

Step 2: Users


Option 1: Specific groups

  1. Select Specific groups from the dropdown.
  2. Use the Select groups box to pick groups from within your Okta tenant.
  3. Click Next.


Option 2: Individual users

  1. Select Individual users.
  2. Use the Select users box to search for and select users from within your Okta tenant.
  3. Click the Next button.


Option 3: Custom (Okta Expression Language)

  1. Select Custom (Okta Expression Language).
  2. In the Scope Users box, enter an Okta Expression Language expression that identifies the users to review. Click Sample expressions or open the Okta Expression Language guide for reference.
  3. Click Next.
 

Step 3: Resources


 

  1. Select the Resource Scope that applies to the users in scope. Your options are:
    • All apps and groups assigned to users in scope
    • All apps assigned to users in scope
    • All groups assigned to users in scope

 

  2. Check any of the options below, depending on the scope you selected:
    • Only include individually assigned applications: select this when a user can hold an app both by direct assignment and through a group, so that the same app does not produce duplicate review entries.
    • Only include individually assigned groups: select this when you do not want to review birthright access granted through Group Rules.
  3. Add exclusions as appropriate for the scope of your targeted campaign.
  4. Click Next.
 

Step 4: Reviewer

Multi-level review offers the same reviewer types as a single-level review, but adds a second level of review on top of it.

NOTE: If you are reviewing applications, Group Owner is grayed out because it is not a supported reviewer type for apps. Also, the same person cannot be the reviewer at both levels.

  1. Select the First-level reviewer by clicking the appropriate box on the screen. The options that apply to the selected reviewer type are then displayed; clicking the pencil icon to the right of the reviewer type takes you back to the selection screen.
  2. Select Preview Reviewer and verify your settings.

Reviewer type and what to specify:

  • User: specify the single user, found via search, to assign as reviewer.
  • Manager: specify a Fallback Reviewer, used when the managerId attribute of the user being reviewed is not populated with their manager's Okta account login.
  • Group: select the group whose members will be the reviewers.
  • Group Owner: only applies when the resource type being reviewed is Group; specify a Fallback Reviewer.
  • Custom: enter an Okta Expression Language expression that reads another attribute of the user's profile to obtain the account login of the reviewer; specify a Fallback Reviewer.

 
For Multi-level Reviewer setup:
  1. Click + Add level.
  2. Follow the same steps as for the single-level reviewer above. The reviewer types and their options are the same as listed above, except that a reviewer type already selected for the first level cannot be reused for the second level.
  3. Select Preview 2nd level Reviewer and verify your settings.

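The following is an added example, not Okta's code, showing how the Manager and Custom reviewer types described above resolve a reviewer from a profile attribute and when the Fallback Reviewer applies. The directory is constructed sample data (a real implementation would look reviewers up through the Okta Users API), and two checks go beyond what the page states and are marked as such in the code: a reviewer account that is not ACTIVE and a self-review both fall back. It also enforces the rule that the same person cannot review both levels.

```python
# Added example (not Okta's code): reviewer resolution with Fallback Reviewer semantics.
# DIRECTORY is constructed sample data keyed by Okta login; the ACTIVE-status and
# self-review checks are assumptions added here, not behaviour the page documents.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class User:
    login: str
    status: str = "ACTIVE"
    profile: Dict[str, str] = field(default_factory=dict)


# Constructed sample directory (not real accounts).
DIRECTORY: Dict[str, User] = {
    "fallback@example.com": User("fallback@example.com"),
    "alice.manager@example.com": User("alice.manager@example.com"),
    "gone.manager@example.com": User("gone.manager@example.com", status="DEPROVISIONED"),
    "bob@example.com": User("bob@example.com", profile={"managerId": "alice.manager@example.com"}),
    "carol@example.com": User("carol@example.com"),  # managerId not populated
    "dave@example.com": User("dave@example.com", profile={"managerId": "gone.manager@example.com"}),
    "erin@example.com": User("erin@example.com", profile={"managerId": "erin@example.com"}),  # self
    "frank@example.com": User("frank@example.com", profile={
        "managerId": "alice.manager@example.com", "appOwner": "alice.manager@example.com"}),
}


def resolve_reviewer(user: User, attribute: str, fallback: str,
                     directory: Dict[str, User] = DIRECTORY) -> str:
    """Return the login named by `attribute` in the user's profile, or `fallback`.
    Falls back when the attribute is not populated (the page's Manager/Custom rule) and,
    as extra checks assumed here, when the login is unknown or not ACTIVE, or when it
    names the reviewed user (a self-review would certify nothing)."""
    candidate = user.profile.get(attribute, "")
    target = directory.get(candidate)
    if not candidate or target is None or target.status != "ACTIVE" or candidate == user.login:
        return fallback
    return candidate


def resolve_levels(user: User, levels: List[Tuple[str, str]],
                   directory: Dict[str, User] = DIRECTORY) -> List[str]:
    """Resolve one reviewer per level from (attribute, fallback) pairs, enforcing the
    page's rule that the same person cannot be both levels: a collision with an earlier
    level uses that level's fallback, and a fallback that also collides is treated as a
    configuration error rather than resolved silently."""
    chosen: List[str] = []
    for attribute, fallback in levels:
        reviewer = resolve_reviewer(user, attribute, fallback, directory)
        if reviewer in chosen:
            reviewer = fallback
        if reviewer in chosen:
            raise ValueError(f"{reviewer} would review both levels for {user.login}")
        chosen.append(reviewer)
    return chosen
```

Run `resolve_levels(DIRECTORY["frank@example.com"], [("managerId", "fallback@example.com"), ("appOwner", "second.fallback@example.com")])` to see the second level fall back because both attributes name the same manager; give both levels the same fallback and a user with neither attribute populated, and the function raises instead of quietly assigning one person to both levels.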

  When multi-level reviews are configured, Additional Settings become available.

  1. Select which first-level decisions go to the second level.

These settings define which decisions (approved, revoked, or both) are passed to the second-level reviewer and when the second-level review starts.

Second-level reviewers only see items that move on to the second level. If the second-level reviewer should see every item, pass on both approved and revoked decisions.

NOTE: Campaigns shorter than 8 days do not support a second-level review flow. Items that the first-level reviewer has not completed before the second-level review begins are marked overdue; enable the overdue notifications so those reviewers are told and can complete their reviews quickly.

  2. Expand the Notification settings section.
  3. Choose the notifications you want sent as part of this campaign. If you decide to go back to a single-level review for the campaign, click the Remove Level button.
  4. Click the Next button.
 

Step 5: Remediation

  1. Select the remediation action for each outcome using the radio buttons.

Reviewer revokes access:
  • Don't take any action
  • Remove user from resource

Reviewer does not respond:
  • Don't take any action
  • Remove user from resource

Note that choosing Don't take any action for a reviewer who does not respond leaves that access in place without anyone having certified it; pairing Remove user from resource with the overdue notifications from the previous step closes that gap.

  2. Click the Schedule Campaign button to finish creating the campaign.
  3. From there you can wait for the scheduled start time, or, as an Admin, Launch, Edit or Delete the scheduled campaign.

  Common ways to use User campaigns
  • Organizations where many users change departments every week.
  • Organizations using an HR system as a source integration: when a user's department changes, their access can be recertified as soon as the change happens.

Note: Any attribute within Okta can be used to trigger a user campaign. To do this dynamically with User Campaigns:
  • Set up a recurring campaign (for example, weekly) whose target users are a group such as "User Department Changes".
  • Set up a workflow triggered by the Okta User Profile Change event that adds the user to the "User Department Changes" group when the department attribute changed.
  • Set up a workflow triggered by the campaign launching that removes all users from that group, so the next run only contains new changes.
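The department-change pattern above, written out as two handlers (added example, not Okta's code or an Okta Workflows flow): one enqueues users whose department changed into the campaign's target group, the other drains the group when the campaign launches. Assumptions: the caller keeps a snapshot of each user's department as of the last campaign; the group ID is a placeholder; and the client records the Okta Groups API calls it would make (PUT and DELETE on /api/v1/groups/{groupId}/users/{userId}) instead of sending them, so the example runs offline.

```python
# Added example (not Okta's code): feeding a recurring user campaign from department
# changes. RECERT_GROUP_ID is a placeholder; GroupMembershipClient stands in for an
# authenticated Okta API client and only records the calls it would make.
from typing import Dict, List, Optional, Tuple

RECERT_GROUP_ID = "00g0000000000000000"  # placeholder ID of the "User Department Changes" group


class GroupMembershipClient:
    """Stand-in for an Okta API client: applies membership changes to an in-memory set and
    logs the HTTP call (method, path) that each change corresponds to."""

    def __init__(self, initial_members=()):
        self.members = set(initial_members)
        self.calls: List[Tuple[str, str]] = []

    def add_member(self, group_id: str, user_id: str) -> None:
        self.calls.append(("PUT", f"/api/v1/groups/{group_id}/users/{user_id}"))
        self.members.add(user_id)

    def remove_member(self, group_id: str, user_id: str) -> None:
        self.calls.append(("DELETE", f"/api/v1/groups/{group_id}/users/{user_id}"))
        self.members.discard(user_id)

    def list_members(self, group_id: str) -> List[str]:
        return sorted(self.members)


def changed_departments(previous: Dict[str, Optional[str]],
                        current: Dict[str, Optional[str]]) -> List[str]:
    """User IDs whose department differs from the snapshot. Users absent from the snapshot
    (new hires, or users whose department was previously unset) count as changed, so they
    are certified rather than silently skipped."""
    return sorted(uid for uid, dept in current.items() if previous.get(uid) != dept)


def on_profile_change(client: GroupMembershipClient,
                      previous: Dict[str, Optional[str]],
                      current: Dict[str, Optional[str]],
                      group_id: str = RECERT_GROUP_ID) -> List[str]:
    """Handler for the profile-change trigger: enqueue changed users into the campaign's
    target group and advance the snapshot in place. Group membership is a set, so a user
    who changes department twice before the campaign launches is reviewed once."""
    changed = changed_departments(previous, current)
    for uid in changed:
        client.add_member(group_id, uid)
        previous[uid] = current[uid]
    return changed


def on_campaign_launch(client: GroupMembershipClient,
                       group_id: str = RECERT_GROUP_ID) -> List[str]:
    """Handler for the campaign-launched trigger: empty the group so the next recurrence
    only contains changes made after this launch. It must run on the launch event, not a
    timer, so the campaign has read the group's membership before it is drained."""
    removed = client.list_members(group_id)
    for uid in removed:
        client.remove_member(group_id, uid)
    return removed
```

With constructed snapshots such as `{"u1": "Engineering", "u2": "Finance"}` before and `{"u1": "Engineering", "u2": "Legal", "u4": "HR"}` after, `on_profile_change` adds u2 and u4 to the group; `on_campaign_launch` then returns those two IDs and leaves the group empty for the next weekly run.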
 
