Access Certifications for admin roles
Early Access release. See Enable self-service features.
Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.
It's important for organizations to periodically identify and review users, such as admins, who have access to their critical resources. Use Access Certifications to create campaigns that periodically review your users' admin role assignments, so that elevated or privileged access doesn't accumulate.
If you aren't subscribed to Okta Identity Governance, you (as a super admin) can only run a resource campaign or the Okta administrator review preconfigured campaign to govern admin roles. In addition to these two campaigns, the Discover inactive users preconfigured campaign is also available with limited functionality.
- Resource campaigns
  - A resource campaign displays all users who have access to a resource. You can customize a resource campaign to your requirements by defining resource, user, reviewer, and remediation settings. For example, you can select a resource, such as Okta Admin Console. Next, select all users assigned to it or define a specific set of users using the Okta Expression Language. You can also exclude certain users from the campaign. Then, specify the campaign reviewers who are responsible for reviewing users' admin role assignments and whether the campaign should have multiple rounds of approval. Finally, define what remediation actions are taken when a reviewer approves or denies a user's access. See Create campaigns.
- Preconfigured campaigns
  - Preconfigured campaigns are ready-to-use campaigns. You can launch these campaigns without manual configuration. To help you get started with Access Certifications, Okta presets the campaign settings for two campaigns. Use the Discover inactive users campaign to review the one app in your org that has the highest number of inactive users. Use the Okta administrator review campaign to review admin access to the Admin Console.
You can view admin role bundles and their expiration dates in the Admin role assignments report. You can also use the Past Campaign Details report and Past Campaign Summary report to view the campaigns that were launched and whether user access to the resource was retained or revoked. The User entitlements report is also available if you're subscribed to Okta Identity Governance.
To learn more about Access Certifications, see Access Certifications and Campaigns.