Campaign settings
Configure your requirements in the wizard.
Sign in as a super admin if you want to create or manage a campaign to govern Okta admin roles.
Govern Okta admin roles is an Early Access feature. See Enable self-service features.
General settings
Enter values for the following fields:
|
Field |
Value |
|---|---|
| Campaign name | Enter a name for the campaign. Ideally, enter a name that is easy for your reviewers to understand. |
| Description | Describe the purpose of the campaign. |
| Start date | Select a start date for the campaign. |
|
Start time |
Select a start time and the time zone for the campaign. |
|
Duration |
Select the duration for which the campaign should run. Campaigns with multilevel reviewers require a duration of seven days or more. |
Recurring campaign considerations
As a super admin or an access certifications admin, you can set up a recurrence schedule for campaigns to allow them to run periodically. This helps you save time and increases productivity. However, you must keep the following criteria in mind while configuring a recurring campaign.
-
In recurring campaign series, the duration of each campaign must be less than the interval between campaigns.
-
In the dropdown menu in the Repeats Every section, different prepopulated options are available depending on the values you enter for the campaign's duration and recurrence frequency type such as days, weeks, months, and years.
| Recurrence frequency type | Duration (days) | Recurrence interval* | Comments |
|---|---|---|---|
| No recurrence | Enter a value between 1 and 90. | N/A | N/A |
| Days | Enter a value between 1 and 90 that is less than the recurrence interval. | Enter a value between 1 and 182. | N/A |
| Weeks | Enter a value between 1 and 90 that is less than the recurrence interval. | Enter a value between 1 and 26. | N/A |
| Months | Enter a value between 1 and 90 that is less than the recurrence interval. | Enter a value between 1 and 24. |
You can select either of these options from the dropdown menu:
The values inside the parentheses are populated automatically based on the Start date. If you set a campaign to repeat Monthly on [day of the week] of Week 5, and the month ends before that day, the campaign begins on that day in week four. If a month doesn't have the specified day, the last day is automatically used as the campaign’s start date. For example, if you’ve set a campaign to recur on 30th of every month, it will begin on February 28th or February 29th. |
| Years | Enter a value between 1 and 90 that is less than the recurrence interval. | Enter either 1 or 2 as values. | N/A |
When increasing the campaign’s duration, you can increase it up to 90 days or to one day before the campaign’s next recurrence begins.
For example, you have a recurring campaign series where one campaign ends on the 15th and the next one begins on the 28th. You can increase the campaign duration of the first campaign up to the 27th. However, if your campaigns recur at an interval of more than 90 days, then you can only increase a campaign's duration such that the total duration of the campaign is 90 days.
Resource campaign settings
Resource campaigns focus on setting the resource scope for your campaign so that you can review all users who have access to those resources and associated entitlements (including standard and custom admin roles). This campaign helps you review access to sensitive resources and helps you meet compliance requirements.
Use this campaign type if you want to specifically review user’s admin role assignments. If you have the Govern Okta admin roles feature enabled, Access Certifications treats existing admin assignments as entitlements associated with the Admin Console. Specifically, it treats the existing admin role and resource set within a user’s admin assignment as a key value pair for an entitlement.
Govern Okta admin roles is an Early Access feature. See Enable self-service features.
You can select a resource, such as an app or group, and review who has access to it. You can select all users assigned to the resource or define a specific set of users using the Okta Expression Language. You can also exclude certain users from the campaign. Run resource campaigns regularly to ensure that access to sensitive resources is limited.
Resource campaigns are useful for meeting your audit and compliance requirements for professional standards, such as SOC2 and SOX.
You can add up to 50 resources in a campaign. The number of review items in a campaign must be from 1 through 100,000. To better manage large campaigns, split reviews into multiple campaigns.
Resource settings
| Field | Value |
|---|---|
| Type | |
|
Applications |
Select one or more apps. However, if you want to review entitlements for an app that has Governance Engine enabled or govern Okta admin roles, follow these steps instead:
|
| Groups |
Select one or more groups. Don’t select Group if you want to include entitlements in the campaign. The Review entitlements toggle isn’t available if you select Group. |
User settings
| Available options | Actions | Description |
|---|---|---|
| All users assigned to the resource | Select this option to include users who are assigned to resources you selected earlier. | N/A |
| Specify user scope | Select this option to restrict the user scope to a specific set of users in your org.
|
The expression should result in true to include the user in the campaign or false to exclude from the campaign. If you have the Realms feature enabled, use this option to restrict the campaign to include users from a specific realm. See Define user scope. |
|
Only include active Okta users in this campaign |
Select this option to only include users who have one of the following statuses in Okta:
|
N/A |
|
Exclude users from the campaign |
To exclude specific users from the campaign, select Exclude users from the campaign and enter the names of the users who should be excluded from the campaign. |
N/A |
User campaign settings
User campaigns focus on defining the user scope for your campaign so that you can do a comprehensive review of all resources assigned to those users. It helps ensure that users don’t accumulate elevated levels of access when specific events happen, such as a department, role, or project change.
You can select specific users or user groups and review access to the resources and associated entitlements that are assigned to them. You can also configure your campaign in a way that your reviewers only need to review access to users’ individually assigned resources and not group-assigned resources, as the latter is governed by group membership and group rules.
You can exclude a maximum of 50 apps or groups, or a combination of both. The number of review items in a campaign must be from 1 through 100,000. To better manage large campaigns, split reviews into multiple campaigns.
User settings
| Field | Value |
|---|---|
| Select users or groups | |
|
Individual users |
Select one or more users. You can have a maximum of 100 individual users. |
|
Specific groups |
Select one or more groups. You can have a maximum of five groups. |
| Custom (Okta Expression Language) | Enter an Okta Expression Language expression to include users or groups that meet a specific criteria. The expression should result in true to include the user in the campaign or false to exclude from the campaign. If you have the Realms feature enabled, use this option to restrict the user scope of the campaign to a specific realm. See Define user scope. |
Resource settings
| Field | Value |
|---|---|
| Resource scope | |
|
All apps and groups assigned to users in scope |
Select this option to include all apps and groups assigned to users you selected earlier. |
|
All apps assigned to users in scope |
Select this option to include all apps assigned to users you selected earlier. |
|
All groups assigned to users in scope |
Select this option to include all groups assigned to users you selected earlier. Don’t select All groups if you want to include entitlements in the campaign or govern admin roles. The Only include individually assigned entitlements option isn’t available if you select All groups. |
| Include options | |
|
Only include individually assigned apps |
Select this checkbox to restrict the resource scope to apps that were individually assigned to users. Applications assigned by a group aren't included. Use this option to reduce redundant reviews when reviewing both apps and groups assigned to a user (since the group that assigns apps and groups has already been reviewed). |
| Only include individually assigned groups |
Select this checkbox to restrict the resource scope to groups that were individually assigned to users. Any groups assigned by a group rule aren't included. This option is helpful when you're confident about the resources assigned by group rules and only want to review groups that were assigned outside of the group rules. |
| Only include individually assigned entitlements |
Select this checkbox to exclude entitlements that were assigned by entitlement policy or to exclude admin roles assigned through group assignments. |
| Exclude options | |
|
Exclude specific apps from the campaign |
Select this checkbox and identify apps that should be excluded from the campaign. |
| Exclude specific groups from the campaign | Select this checkbox and identify groups that should be excluded from the campaign. |
Reviewer settings
Reviewer type
The campaign won’t launch if the reviewers included in the campaign are in a deactivated or deleted status at the time the campaign is set to begin.
| Reviewer type | Actions | Comments |
|---|---|---|
| User |
Enter the name of the reviewer who should review access certifications of all users in the campaign. |
This reviewer is responsible for reviewing all review items. |
| Manager |
|
The review gets assigned to the Fallback reviewer if the user’s profile in Okta doesn’t have a manager listed. |
| Group |
Assign review items to all members of a specific user group. |
Only one group member needs to review and take action on the review item. So if a group member approves or revokes access for a review item, the review item is marked as completed for all reviewers. The dropdown menu only displays groups that have between one and 10 members. If you add more members to the group, review items are randomly assigned to the 10 members of the group. |
|
Group owner |
|
If the number of group owners within a group is greater than 10, then review items are randomly assigned to the 10 group owners. The Group Owner option is available and effective only if the following conditions are true:
|
|
Custom |
|
The expression should return the Okta User ID or username of the user who should be assigned as the reviewer. If the expression doesn’t return a value for the reviewer, the Fallback reviewer is assigned as the reviewer for the users. If you have the Realms feature enabled, use this option to limit the campaign reviewers to a specific realm. |
Disable self-review
This option gives you the flexibility to allow or disallow self-reviews for campaigns depending on the criticality or sensitivity of the resources included. This option is enabled by default for campaigns that review access to admin roles.
If the Disable self-review checkbox is selected for a campaign and the user and reviewer that would be assigned happens to be the same person, then at the time of campaign launch, Okta assigns the review to a different reviewer depending on the reviewer type:
-
Manager, Group owner, or Custom: Okta assigns that review item to the fallback reviewer. If the fallback reviewer is deactivated, doesn’t exist in Okta, or is the reviewer for their own review item, Okta assigns the review to the person who created the campaign.
If there are two or more group owners as reviewers, Okta assigns that review item to other group owners who aren't the user.
-
User: Okta assigns that review item to the person who created the campaign.
-
Group: Okta assigns that review item to other members of the group who aren't the user. If the group only has one member and that person is also the user in the campaign, Okta assigns the review to the person who created the campaign.
The campaign fails to launch if Okta assigns the review item to the person who created the campaign and any of the following conditions are met:
-
The user who created the campaign doesn’t exist in Okta.
-
The user who created the campaign is the reviewer for their own review item.
When a campaign has self-reviews disabled, you can’t approve, revoke, or reassign your own review item. This option is enabled by default for campaigns that review access to admin roles.
Additional level settings
-
Select which first-level reviewer decisions should go to the second-level reviewer.
-
Only approved decisions: The second-level reviewer is the final reviewer for approved decisions. This option allows second-level reviewers to make a decision on the first-level reviewer's approvals, but not their revoked decisions. The first-level reviewer is still the final reviewer for revoked decisions.
-
Both approved and revoked decisions: The second-level reviewer is the final reviewer for both approved and revoked decisions. This option provides second-level reviewers the ability to make a decision on all decisions made by the first-level reviewer.
-
-
Use the slider to determine when the second-level reviews should begin. This number should be less than the campaign’s duration. The second-level reviews begin when the first-level reviews end. First-level reviews are flagged as overdue if the reviews are pending when the second-level reviews begin.
Notifications
| Notification options | Description |
|---|---|
| Reviews assigned | Reviewers receive an email notification when review items are assigned to them at the time of campaign launch and when a review item gets reassigned. As an admin, you can customize the email that the reviewers receive at time of campaign launch. See Customize an email template |
|
Reminder for pending reviews |
Reviewers who have pending review items receive email notifications before the campaign closes. You can opt to send reminders at the campaign’s midpoint, on the day the campaign ends, or a few days before the campaign ends. For campaigns with multilevel reviews, both first-level and second-level reviewers get these reminders. As an admin, select this option if you also want to receive a reminder email before a campaign’s scheduled end date. |
|
Overdue reminders for first-level reviewers |
First-level reviewers who have pending review items receive an email notification every day after the first-level reviews end and until the campaign ends. This option is available for campaigns with multilevel reviews. |
| Campaign ended | Reviewers receive an email notification when the campaign closes. As an admin, you’re auto-subscribed for email notifications when a campaign you created launches or ends. You also get an email notification with a link to the campaign's page when a campaign fails to launch |
Additional settings
-
Require justification: Select this option to make it mandatory for the reviewers to enter a justification for their decision to approve or revoke a user’s access to a resource. This option is enabled by default for campaigns that review access to admin roles.
-
Disable bulk select: Select this option to prevent reviewers from selecting multiple reviews to approve or revoke. Reviewers can still reassign multiple reviews to another user and must enter a justification for the reassignment (even if the Require justification checkbox is unselected). This option is enabled by default for campaigns that review access to admin roles.
Remediation settings
Remediation settings allow you to decide what happens when a reviewer approves or revokes a user’s access to a resource, or doesn’t complete a review. You can also customize the remediation using Okta Workflows. You must remediate reviews manually if a user's app or a group assignment is through group rules or group membership.
Select a reviewer action
While creating or editing a campaign, you can select one of the following remediation options for a reviewer action:
| Reviewer action | Available options |
|---|---|
| Approve access | The default remediation is Don’t take any action. |
|
Revoke access |
|
| Doesn't respond |
|
For campaigns with only one level of review, the remediation process begins immediately after the reviewer approves or revokes a user’s access.
For campaigns with multilevel reviews, reviews are sent to the second-level reviewer only after the first-level reviewer has approved or revoked them. If the first-level reviewer doesn’t respond and the campaign ends, your remediation configuration for reviewer Doesn’t respond takes effect.
The first-level reviewer decisions that are sent to the second-level reviewer determines the final reviewer for those items and the subsequent remediation.
Only approved decisions: The second-level reviewer is the final reviewer for the approved reviews. If they don’t respond and the campaign ends, your remediation configuration for reviewer Doesn’t respond takes effect.
For example, you selected that Only approved decisions go to the second-level reviewer. In this case, the second-level reviewer is the final reviewer for all approved review items, but not for the revoked ones. Your remediation configuration applies to the decisions made by the second-level reviewer.
However, for the review items that the first-level reviewer revoked, the first-level reviewer is the final reviewer. Your remediation configuration for Revoke access applies for those reviews.
Both approved and revoked decisions: The second-level reviewer is the final reviewer for all approved and revoked reviews. If the second-level reviewer doesn’t respond and the campaign ends, your remediation configuration for reviewer Doesn’t respond takes effect.
For example, you selected that Both approved and revoked decisions go to the second-level reviewer. In this case, the second-level reviewer is the final reviewer for those review items. Your remediation configuration applies to the decisions made by the second-level reviewer. If they don’t respond, then your remediation configuration for reviewer Doesn’t respond takes effect.
Customize remediation using Okta Workflows
Okta Workflows enables you to automate the following remediation tasks:
-
Trigger a ticket to your IT service management (ITSM), such as ServiceNow, to deprovision accounts from your application manually.
-
Delay remediation events by a few days or until the campaign has closed.
-
Send custom notifications to users who have had their access removed, so they’re aware and can request access again if needed.
You can use all access certification decisions as events to build custom workflows. See Access Certification Decision Submitted in the Okta Connector.
For more information on configuring Okta Workflows, see Build Flows.
Handle remediation manually
If you have set Remove user from the resource as a remediation option, you may see the remediation status as Manual Remediation Required in the following situations:
-
The user was assigned to an application through a group.
-
The user was added to a group through group rules.
-
The user is a member of an app-sourced group.
Considerations for manual remediation
-
Before removing a user from a group, check the assignments that the user gets from a group. Apps, admin roles, sign-on policies, and other privileges are often assigned through groups. Removing a user from a group revokes all assignments that the user gets through that group.
-
Check if a user has multiple group memberships that could assign them to an app. To remove access, you must remove the user from all groups that give them access to an app.
-
Before removing an app-sourced group, check its usage in the source app.
Remediate access by taking the following recommended actions:
|
Resource |
Assigned through |
Recommended action |
|---|---|---|
|
Application |
Okta-sourced group membership |
Remove the user from the Okta-sourced group using Workflows. |
|
Application |
App-sourced group membership (for example, Active Directory (AD) group) |
Remove the user from the app-sourced group. |
|
Okta-sourced group |
Group rules |
Remove the user from the group and add them as an exception to the group rule. |
|
App-sourced group |
Imports |
Remove the user from the app-sourced group. |