<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D5WR000011Biho0ACOkta Identity EngineWorkflowsAnswered2025-12-01T20:06:30.000Z2025-11-28T03:49:44.000Z2025-12-01T20:06:30.000Z

Pratula.69048 (Customer) asked a question.

November 28, 2025 at 3:49 AM
Will it be possible to clean an Okta group using Workflows after Access certification campaign has ended

I have setup access certification based on attribute changes in Okta user profile. User gets added to a Okta group which triggers ad-hoc access certification (I am doing this using Okta APIs to create campaign and then launch it for users manager)

 

Is there a way to use Workflows to clean the Okta group after the campaign is closed by manager or 30 days (certification campaign length)? This is essentially the last piece of the flow.

  • 3 answers
  • 98 views

  • TimL.58332 (Workflows)

    @Pratula.69048 (Customer)​  -- This should be possible.

     

    The event: certification.campaign.close. occurs when the campaign closes out. This event is event-hook-eligible meaning Okta Event Hooks can be used to deliver this System Log event to Okta Workflows (API Endpoint).

     

    You could then take the campaign ID from the received event and search the system Log for that campaign ID and certification.campaign.item.decide events which will include all of the items in the campaign and information about that resource. Here's an example:

     

     "displayMessage": "Access certification review decision: UNREVIEWED",

     "eventType": "certification.campaign.item.decide",

     "outcome": {

      "result": "SUCCESS",

      "reason": null

     

     "debugContext": {

      "debugData": {

       "campaignItemPrincipalId": "00u1hhDFSDFDFSg5d7",

       "campaignItemPrincipalName": "okta user23",

       "campaignId": "ici1dlw3fsdfdssaNN5d6",

       "campaignItemDecision": "UNREVIEWED",

       "campaignTemplateName": "eventLogTest",

       "campaignItemResourceName": "test-group-1",

       "campaignItemReviewerId": "00urg74DFDFD4H5d6",

       "campaignItemReviewerName": "tim laborn",

       "campaignItemRemediationStatus": "NONE",

       "campaignItemRemediation": "NO_ACTION",

       "campaignItemId": "icr1djfsdfde4yjJB25d6",

       "campaignItemResourceId": "00gfsd1gq70jGOfdsssd7",

       "campaignItemResourceStatus": "ACTIVE",

       "campaignTemplateId": "ici1dlw3zUDFDoCNN5d6",

       "campaignItemResourceType": "GROUP"

      }

     

    You can then evaluate each of those payloads to determine if you want to take action against them or not.

    Expand Post
    Selected as Best

  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @Pratula.69048 (Customer)​ , thank you for contacting Okta Community.

     

    I recommend that you open a Support ticket (Customer Support Account ID number required) so one of our engineers can analyze it and provide in-depth troubleshooting. You could also provide more details in a ticket that shouldn’t be given here, as this is a public space.

     

    You could also look into Remediation. This article is a good starting point:

    Understand remediation

     

    Please note that opening a support ticket is a feature available only to paid accounts. If you do not have a paid account, but are interested in upgrading, you can contact our Sales team

     

    Regards. 

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Expand Post

  • TimL.58332 (Workflows)

    @Pratula.69048 (Customer)​  -- This should be possible.

     

    The event: certification.campaign.close. occurs when the campaign closes out. This event is event-hook-eligible meaning Okta Event Hooks can be used to deliver this System Log event to Okta Workflows (API Endpoint).

     

    You could then take the campaign ID from the received event and search the system Log for that campaign ID and certification.campaign.item.decide events which will include all of the items in the campaign and information about that resource. Here's an example:

     

     "displayMessage": "Access certification review decision: UNREVIEWED",

     "eventType": "certification.campaign.item.decide",

     "outcome": {

      "result": "SUCCESS",

      "reason": null

     

     "debugContext": {

      "debugData": {

       "campaignItemPrincipalId": "00u1hhDFSDFDFSg5d7",

       "campaignItemPrincipalName": "okta user23",

       "campaignId": "ici1dlw3fsdfdssaNN5d6",

       "campaignItemDecision": "UNREVIEWED",

       "campaignTemplateName": "eventLogTest",

       "campaignItemResourceName": "test-group-1",

       "campaignItemReviewerId": "00urg74DFDFD4H5d6",

       "campaignItemReviewerName": "tim laborn",

       "campaignItemRemediationStatus": "NONE",

       "campaignItemRemediation": "NO_ACTION",

       "campaignItemId": "icr1djfsdfde4yjJB25d6",

       "campaignItemResourceId": "00gfsd1gq70jGOfdsssd7",

       "campaignItemResourceStatus": "ACTIVE",

       "campaignTemplateId": "ici1dlw3zUDFDoCNN5d6",

       "campaignItemResourceType": "GROUP"

      }

     

    You can then evaluate each of those payloads to determine if you want to take action against them or not.

    Expand Post
    Selected as Best

Loading
Will it be possible to clean an Okta group using Workflows after Access certification campaign has ended