Create campaigns to review admin roles

Create preconfigured, resource, or user campaigns to help ensure that your users have the right level of access. You must be a super admin to create and manage campaigns that govern admin roles.

Preconfigured campaigns

You can create the Okta administrator review campaign using the steps listed in Create preconfigured campaigns.

If you aren't subscribed to Okta Identity Governance , the Discover inactive users campaign is also available with limited functionality. Keep in mind that this campaign doesn't review user's admin role assignments.

Resource and user campaigns

Use the steps listed in Create resource campaigns or Create user campaigns but keep these considerations in mind:

  • User campaigns are available for governing admin roles only if you're subscribed to Okta Identity Governance.

  • For resource campaigns, make the following selections on the Resources page:

    1. Select Applications as the resource type and Okta Admin Console as the app. The Review entitlements checkbox is selected by default.

    2. Select Specific entitlements and bundles.

    3. Select Entitlements to certify admin roles assigned directly from the Admin Console. Alternatively, select Bundles to certify admin roles that were assigned using access request conditions.

  • For user campaigns, make the following selections on the Resources page:

    1. Select the Resource scope as All apps or All apps and groups. Alternatively, if you've enabled the Certify resource collections - User campaigns feature, select Application.

    2. Select the Include Okta admin roles to include the user's admin role assignments.

  • For both resource and user campaigns, the following checkboxes are selected by default on the Reviewers page.

    • Required for approve and revoke access (in the Justification Settings section): Reviewers must justify their decision when they approve and revoke access. However, you can configure when they are required to provide a reason using options in the Justification Settings section.

      The Optional and Disabled options aren't available for campaigns that certify access to admin roles.

    • Disable reassignments: When this checkbox is selected, reviewers can't reassign review items to another user. However, as a super admin, you can still do this after the campaign is active. You can't change this default setting.

  • If your own admin assignments are being reviewed in a campaign and self-review isn't allowed, ensure that you aren't a reviewer for that campaign. This helps avoid errors at the time of campaign launch.

  • Select reviewers carefully for campaigns that govern admin roles. Regardless of whether a reviewer is an admin or not, they can approve or revoke access for review items assigned to them. They can do this even if the user whose access they're reviewing is an admin. The remediation happens immediately.

  • To provide reviewers with Governance Analyzer insights and recommendations, see Set up Governance Analyzer. Governance Analyzer is available only if you're subscribed to Okta Identity Governance.

Related topics

Create campaigns

Create user campaigns

Manage campaigns