Identity Governance release notes

• Impact of team deletion

  When you delete a team, all Request Types and associated requests are also deleted from the Access Requests console. You can no longer view the deleted requests in the Access Requests console. You can only view them from the Past Access Requests report.

• An error occurred when importing group owners for AD groups if queries exceeded a maximum number of entities. (OKTA-540040)

• Some customers were unable to edit or save Request Types.

• When users were assigned the access requests administrator role through group assignments, they were unable to perform admin-specific tasks. (OKTA-581692)

• Settings page update

  The Settings page user interface has been updated to improve user experience and the following tabs have been added:

  • Resources

  • Configuration lists

  • Pushed groups

  The following terms have also been updated to improve clarity and reduce confusion:

  • Resource lists synced directly from an integration are called Resources.

  • Sublists and admin-defined configuration lists are called Configuration lists.

  See Components and Create a configuration list.

• Some group owners didn't receive an email notification when they were assigned an approval task in a Request Type.

• Group owner functionality for Universal Directory available in Production environments

  Admins can now view and manage the owners of a group in OktaUniversal Directory. A group can have a maximum of 10 owners. This feature allows you to manage resource owners centrally when the resource ownership changes, and reduces the need to update your configurations manually. See Group ownership.

• Import group owner information from AD available in Production environments

  Admins can now import the group ownership information from AD to Okta Directory using full or incremental imports. The group owner is extracted from a managedBy attribute in AD user profile.

  This feature reduces the need to manually define group owners for AD-sourced groups that have been imported to Okta. See Import group owner from Active Directory.

Access Certifications

• Additional reviewer type options available in Preview environments

While creating or editing an Access Certification campaign, now you can select one of the following options from the Select reviewer type dropdown menu.

• A specific user

• User's manager

• Group

• Group owner
• Define using Okta Expression Language

This feature allows you to select a Group and Group owner as reviewer types. As a result, you can take the following actions:

• Assign reviews to multiple users at the same time to make review decisions when you have multiple application owners or a reviewer might be out of office.

• Leverage the same Okta group that you use in Access Requests in Access Certifications as well. This also minimizes the need to manually update reviewers in campaigns when the reviewers change.

See Reviewer.

• Group owner approvals for Access Requests

  Now you can assign group owners as task assignees or approvers in a Request Type. This feature allows you to create a single Request Type instead of multiple Request Types when you need to reference groups with different group owners as approvers. See Create a Request Type and Group ownership.

• Change to new Request Types

  For new Request Types, you can no longer select an integration’s source list as a Configuration items value for questions and conditional logic. While it’s not recommended, you can still use source lists for tasks in a Request Type.

  Existing Request Types that use source lists are unaffected with this change because the system creates reusable sublists for them.

• You could configure a Request Type to use applications and groups that weren't available for your team.

• Group owner functionality for Universal Directory available in Preview environments

  Admins can now view and manage the owners of a group in Okta Universal Directory. A group can have a maximum of 10 owners. This feature allows you to manage resource owners centrally when the resource ownership changes, and reduces the need to update your configurations manually. See Group ownership.

• Import group owner information from AD available in Preview environments

  Admins can now import the group ownership information from AD to Okta Directory using full or incremental imports. The group owner is extracted from a managedBy attribute in AD user profile.

  This feature reduces the need to manually define group owners for AD-sourced groups that have been imported to Okta. See Import group owner from Active Directory.

Access Certifications

• UI enhancements

  For active campaigns, the Review details view is now available as a panel next to the review item. As well, the Reviewer and status details section has been updated and split into Reviewer details and Certification details sections. See View the progress of an active campaign.

• Some requests didn't resolve automatically when access was granted to two apps or groups at the same time.

• Some task approvers couldn’t take action from the email notification because the email didn’t contain the Open Tasks section.

• Sometimes second-level approvers didn’t receive a Slack notification when a request was assigned to them.

• Remove Request Action menu

  Admins can no longer manually overwrite the original request using the Request Action menu in the header panel.

• UI enhancements

  For Access Certifications campaigns, the user, group, and app dropdown menus now display an icon next to each selection. In addition, the group dropdown menu now displays the number of assigned users and apps, and the app dropdown menu now displays the app status and the app ID.

  Since a user, group, or an app name isn't always unique, this enhancement provides more context to you for the resources you select. As well, these enhancements allow you to configure campaigns for the correct users, groups, and apps.

• Additional reviewer type options available in Preview environment

While creating or editing an Access Certification campaign, now you can select one of the following options from the Select reviewer type dropdown menu.

• A specific user

• User's manager

• Group

• Group owner
• Define using Okta Expression Language

This feature allows you to select a Group and Group owner as reviewer types. As a result, you can take the following actions:

• Assign reviews to multiple users at the same time to make review decisions when you have multiple application owners or a reviewer might be out of office.

• Leverage the same Okta group that you use in Access Requests in Access Certifications as well. This also minimizes the need to manually update reviewers in campaigns when the reviewers change.

See Reviewer.

• View user's email address

  When adding users to a team, you can now view a user’s email address in addition to their name in the Add team members dialog. This allows you to pick the correct user when you have multiple users with the same name.