Campaigns
Campaigns help ensure that your users have the right level of access to resources like apps (and associated entitlements) and groups.
- Preconfigured campaigns
- Preconfigured campaigns are ready-to-use campaigns. You can launch these campaigns without manual configurations. To help you get started with Access Certifications, Okta presets the campaign settings for two campaigns. Use the Discover inactive users to review apps in your org with the highest number of inactive users. Use the Okta administrator review campaign to review admin access to the Admin Console.
- Resource campaigns
- Resource campaigns focus on setting the resource scope for your campaign so that you can review all users who have access to those resources. This campaign type helps you review access to sensitive resources and meet compliance requirements. Use this campaign type if you want to specifically review a user's admin role assignments for governing Okta admin roles.
- User campaigns
- User campaigns focus on defining the user scope for your campaign so that you can perform a comprehensive review of all resources assigned to those users. This campaign type helps you review users' access to resources when specific events happen, such as a department, role, or project change.
-
User's admin roles assignments aren't included for review in a user campaign.
If you've enabled the Realms feature, you can also restrict the campaign to include users from a specific realm using Okta Expression Language.
You can schedule campaigns in advance, make them recur at specific intervals, and modify them before they launch.
A campaign becomes active on the start date and is marked as closed on the end date or when all reviewers in the campaign complete their reviews, whichever happens first. You can launch a campaign before its start date and end an active campaign before its scheduled end date. However, after a campaign launches, you can only reassign review items or end the campaign. You can't modify a campaign after it ends.
You can view active, scheduled, and closed campaigns from the Access certification campaigns page. Recurring campaigns are marked with the Recurring label on the Scheduled tab to indicate that they're a part of a series of recurring campaigns. Closed campaigns are stored for 12 months.
After you schedule a campaign, it becomes active on the scheduled start date.
If a scheduled campaign fails to launch, you receive an email notification. To view errors, you can do any of the following steps:
- Click View Campaign from the email notification.
- Open the campaign from the Closed tab of the Access certification campaigns page.
- Go to the System Log.
Resolve the errors before you recreate the campaign. You may want to note down the Okta Expression Language expressions for users and reviewers from the Overview section before recreating the campaign. You can delete a campaign that failed to launch from the Actions menu.
Campaign reviewers can access the review items assigned to them from the Okta Access Certification Reviews app tile on their dashboard. They can approve, revoke, or reassign the review items.
If you, a campaign creator, have included entitlements in the campaign, then reviewers can also see the entitlements or bundle associated with the resource and how the entitlement or bundle was assigned to the user for a review item. They can review access to entitlements and bundles in a similar manner as they review user's access to apps and groups. They can revoke an entitlement or bundle as individual units, but they can't revoke a specific entitlement that's a part of a bundle assigned to the user. Reviewers must manually remediate any entitlements that were assigned to a user by a policy rule.
You can run campaigns to review entitlements for an app only if Governance Engine is enabled for the app. See Enable Governance Engine and Considerations and limits .
Governance for admin roles
Early Access release. See Enable self-service features.
Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.
After you enable the Govern Okta admin roles feature, you can review a user's admin assignments using a resource campaign. Access Certifications treats admin assignments as entitlements that are associated with the Okta Admin Console. Specifically, it treats the admin role and resource set within a user's admin assignment as a key value pair for an entitlement.
Only super admins can govern admin roles. After you enable the feature, you may have to wait a few hours before you can run a resource campaign to review admin roles.