<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D54z0000A1C5HICQ0Okta Identity EngineIdentity GovernanceAnswered2025-04-20T09:03:20.000Z2024-03-18T07:37:08.000Z2024-03-25T18:06:34.000Z
Access Requests - block approving your own access when approvers are set to Group Owners

We have an issue with segregation of duties when using Okta Access Requests. It is mandatory that users raising the request would not be able to approve their own access requests. Currently, if approvers are set to Group Owners, then it allows to self-approve your access request which raises a flag in security audit. The only workaround at the moment is - to use Groups for approvals (it does not assign approval to requester by design as described here: https://support.okta.com/help/s/article/access-request-expected-reviewer-self-attestation-behavior?language=en_US). However, this is not an option just to re-work all request types to use Groups instead of Group Owners (would have to duplicate all existing groups - assignment groups and approver groups as approvers are different for each group). Any ideas if there are any proper workarounds for this without moving away from Group Owner approvals? Additionally, does anyone know if it is in plan to implement such segregation of duties feature for Group Owners as approvers in the near future?


  • TimL.58332 (Workflows)

    @User16166002114184590819 (Customer)​ - I don't think that is intended. Obviously, if there is ONLY 1 group owner self-attestation cannot be avoided (Edit: I stand corrected, the expected behavior in this scenario would be for the approver to be left unassigned). But the logic is supposed to work the same regardless of the "pool" selection. Essentially it determines if the user (requester) and user (approver) Okta Id's match. If they do they should be removed from the list of candidates for approval.

     

    There "might" be a defect here I will see if I can reproduce the behavior you have described.

    Expand Post
    Selected as Best
  • TimL.58332 (Workflows)

    @User16166002114184590819 (Customer)​ - I don't think that is intended. Obviously, if there is ONLY 1 group owner self-attestation cannot be avoided (Edit: I stand corrected, the expected behavior in this scenario would be for the approver to be left unassigned). But the logic is supposed to work the same regardless of the "pool" selection. Essentially it determines if the user (requester) and user (approver) Okta Id's match. If they do they should be removed from the list of candidates for approval.

     

    There "might" be a defect here I will see if I can reproduce the behavior you have described.

    Expand Post
    Selected as Best
    • s9llb (s9llb)

      Thank you for your response @TimL.58332 (Workflows)​! Few months ago Okta support said that this is intended behavior that Group Owner can approve his/her own requests. Here is the statement I have received: "There's no eta or roadmap item in place that would provide a limitation for the requesters and group owners to approve or deny their own request at this time." I was informed to raise a feature idea. There are few ideas for this raised with nr. 160595, 182681. In the idea I see it saying that this idea is on the roadmap, but not too clear when to expect it (says next quarter or two).

      Expand Post
      • TimL.58332 (Workflows)

        @s9llb (s9llb)​ -- Sorry for the delay in following up. I discussed this with a colleague of mine that had run into the same scenario you are describing. At present it looks like there is a difference in self-attestation behavior if the group owner is "individually assigned" or if they are "group assigned"

         

        The following is likely to change as I would classify it as unexpected: (Current behavior as of Mar 24)

         

        • If a user is individually assigned as a "Group Owner" self-attestation prevention does not occur. They can receive an approval for themselves.
        • If a user is a member of group that is assigned as a "Group Owner" self-attestation prevent occurs. They will not receive an approval for themselves.

         

        This behavior is currently reproducible.

        Expand Post
This question is closed.
Loading
Access Requests - block approving your own access when approvers are set to Group Owners