Get started with Access Certifications

Using Access Certifications, create audit campaigns to review and automatically manage your users' access to resources periodically or as required.

Follow this sequence of configuration tasks to start using Access Certifications:

Admin tasks | Description

Campaigns | Understand the campaign types that you can use to ensure that your users have the right level of access to resources like apps and groups.
Known issues and limits | Keep these considerations in mind before you configure campaigns.
Customizable reviewer context | Customize your campaigns with the data that reviewers need to make better governance decisions.
Create preconfigured campaigns | Preconfigured campaigns are ready-to-use campaigns that require minimal setup.

Okta provides two types of preconfigured campaigns:

  • Okta administrator review for reviewing admin access to your Admin Console.

  • Discover inactive users for reviewing apps in your org with the highest number of inactive users.

    This campaign is available with limited functionality if you aren't subscribed to Okta Identity Governance. See Limits.

Best practices for creating campaigns | Keep these best practices in mind before creating campaigns.
Create resource campaigns | Use this campaign type to review all users who have access to a resource and identify users' entitlement assignments that conflict with your separation of duties rules. You can use resource campaigns to govern admin roles or help meet your audit and compliance requirements.
Create user campaigns | Use this campaign type to review all resources that a user has access to. You can use user campaigns to efficiently manage users' access to resources, govern admin roles, and adopt a least privileged access model for your org.
References | Refer to these topics to understand key concepts and use campaigns more efficiently:
View the progress of an active campaign | Monitor the progress of your active campaigns and pending review items.
Modify a scheduled campaign | Modify a campaign that hasn't launched yet.
Modify campaign's end date | End an active campaign if you need to relaunch the campaign with a different configuration or skip the remaining review items. You may want to end an active campaign if there's an error in the campaign configuration.
Generate the Past Campaign Details report and the Past Campaign Summary report | The Past Campaign Details report provides in-depth information about any certification campaign.

The Past Campaign Summary report provides a high-level configuration and status of access certification campaigns.

Understand reviewer tasks from an admin perspective:

Reviewer tasks | Description

Review campaigns | Understand how reviewers can review the items assigned to them.
Reassign review items | Understand how reviewers can reassign the review items assigned to them.

Known issues and limits

  • The campaign launch fails if the resources or reviewers included in the campaign are in a deactivated or deleted status at the start time of the campaign. You receive an email notification that contains a list of errors when a campaign fails to launch. You can also check the Closed tab of the Access certification campaigns page or the Events table in the System Log for more information on the error.

  • Automated access revocation is limited to resources (groups or apps) that were individually assigned to a user. Remediate manually in situations where a user was assigned access to a resource through group membership or group rules. See Understand remediation for more information on identifying these cases and how to manually resolve them.

The following limits are applicable for your org:

Limit type | Limit | Maximum

General | Active campaigns in an org | 500
General | Review items in a campaign | 1 to 100,000. To better manage large campaigns, split reviews into multiple campaigns.
Resource campaigns | Resources included in a campaign | 50
Resource campaigns | Apps reviewing entitlements | 10
User campaigns | Individual users | 100
User campaigns | User groups | 5
User campaigns | Excluded resources | 50. You can exclude a maximum of 50 apps or groups, or a combination of both.