Okta Identity Governance release notes
Release 2024.11.0
Features and enhancements
Access request conditions and resource catalog is available in Production environments
This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app's profile page in the Okta Admin Console.
As a super admin, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.
Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the resource catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.
In addition, you can view and edit a user's access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.
Sequence templates and out-of-the-box sequences
To make setting up approval sequences with access request conditions easier, you can now create sequences from a set of common templates. Once you select a template, you can modify it to fit your needs rather than starting a sequence from scratch.
In addition, all new orgs using access request conditions or access request conditions for admin roles are set up with an out-of-the-box approval sequence with three sequential steps: Business Justification, Manager Approval, and Manager Justification.
Changes to request assignee
For access requests that are managed by conditions, request assignees are no longer delegated automatically. Super admins and access request admins can view or modify the request assignee in the Access Requests web app. The name of the request assignee won't appear in notifications.
Discover inactive users and review admin access
You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready-to-use campaigns where Okta presets some default settings. See Campaigns.
This is an Early Access feature. See Enable self-service features.
Enhanced group remediation
Remediate user access to group-assigned apps automatically from the campaign. This reduces the need for manual remediation. See Configure remediation settings.
This is an Early Access feature. See Enable self-service features.
Access Requests notification updates for Microsoft Teams are available in production environments and for Slack in preview environments
The notification experience for Access Requests has been updated to streamline the process for users:
- Reduced the number of notifications throughout the process.
- Removed unnecessary information from notifications.
- Notifications are sent regardless of whether they've been viewed in the Access Requests web app.
Changes to Request Access button
The Request Access button only appears on the End-User Dashboard if you have one active condition or if you're assigned to the Okta Access Request app.
Improved Access Requests error message
When you navigate to the Access Requests tab for an app, the resulting error message is now clearer.
Additional information in System Log events
The System Log events for creating, cancelling, and resolving requests now contain the following information in the DebugData field:
- accessRequestMatchedConditionId
- accessRequestApprovalSequenceId
- requestedForId
This is only applicable for requests managed by access request conditions.
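One way to use these fields when reviewing exported System Log events, as an added example that is not Okta's code: it counts condition-managed requests per matched condition and lists requests created by one user for another. It assumes the standard System Log JSON layout (debugContext.debugData, actor.id) and that requestedForId is comparable to actor.id; the eventType strings and all IDs are constructed placeholders.

```python
import json
from collections import Counter

# Field names taken from the release note above.
GOVERNANCE_KEYS = (
    "accessRequestMatchedConditionId",
    "accessRequestApprovalSequenceId",
    "requestedForId",
)

# Constructed sample events: eventType strings and every id are placeholders.
SAMPLE_EVENTS = json.loads("""
[
 {"eventType": "EXAMPLE.request.create", "actor": {"id": "00uALICE"},
  "debugContext": {"debugData": {"accessRequestMatchedConditionId": "cond-1",
   "accessRequestApprovalSequenceId": "seq-1", "requestedForId": "00uALICE"}}},
 {"eventType": "EXAMPLE.request.create", "actor": {"id": "00uBOB"},
  "debugContext": {"debugData": {"accessRequestMatchedConditionId": "cond-1",
   "accessRequestApprovalSequenceId": "seq-1", "requestedForId": "00uCAROL"}}},
 {"eventType": "EXAMPLE.request.resolve", "actor": {"id": "00uMGR"},
  "debugContext": {"debugData": {"accessRequestMatchedConditionId": "cond-2",
   "accessRequestApprovalSequenceId": "seq-2", "requestedForId": "00uBOB"}}},
 {"eventType": "EXAMPLE.request.create", "actor": {"id": "00uDAVE"},
  "debugContext": {"debugData": {}}}
]
""")

def governance_fields(event):
    """Return the three fields, or None when any is absent (requests that are
    not managed by access request conditions do not carry them)."""
    data = (event.get("debugContext") or {}).get("debugData") or {}
    if not all(data.get(k) for k in GOVERNANCE_KEYS):
        return None
    return {k: data[k] for k in GOVERNANCE_KEYS}

def audit(events, create_event_type):
    """Return (events per condition, on-behalf-of creations, skipped count)."""
    per_condition, on_behalf, skipped = Counter(), [], 0
    for ev in events:
        fields = governance_fields(ev)
        if fields is None:
            skipped += 1
            continue
        per_condition[fields["accessRequestMatchedConditionId"]] += 1
        actor_id = (ev.get("actor") or {}).get("id")
        # Only the creation event's actor is the requester (assumption).
        if ev.get("eventType") == create_event_type and actor_id != fields["requestedForId"]:
            on_behalf.append((actor_id, fields["requestedForId"]))
    return per_condition, on_behalf, skipped

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS, "EXAMPLE.request.create"))
```

Replace the placeholder event type with the one your org's System Log records for request creation before running this on real exports.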
Updates to User Accounts report
The maximum number of rows in a CSV export has been increased from 1 million to 5 million.
Fixes
- When a user requested access on behalf of another user, they couldn't select the user's name from the Request access for dropdown list. (OKTA-815894)
- The Access Request conditions and Resource catalog feature wasn't turned on properly in some Preview environments. (OKTA-818226)
- Admins couldn't edit a campaign if the user account for the Fallback reviewer was deleted. (OKTA-824673)
- Review items sometimes reverted to the pending review state after the reviewer had made a decision. (OKTA-826795)
To view release notes prior to this release, see Okta Identity Governance release notes (Archive).