Create user campaigns

User campaigns display all the resources that a user has access to. Running user campaigns frequently helps ensure that users have least-privileged access. These campaigns allow you to manage users' access to resources efficiently, especially when a user's relationship with your organization changes due to events such as a role, department, or project change.

Users' admin role assignments aren't included for review in this campaign type.

You can select a specific user or user group and review their assigned resources. Most privileged access is either requested by the user or individually assigned to them, so reviewers often don't need to review access that is granted through group membership or group rules. User campaigns allow you to set up a campaign where reviewers only need to review access to users' individually assigned resources and entitlements.

Before you begin

  • You can exclude a maximum of 50 apps or groups, or a combination of both.

  • The number of review items in a campaign must be between 1 and 100,000. To better manage large campaigns, split reviews into multiple campaigns.

Set up the campaign

  1. In the Admin Console, go to Identity Governance > Access Certifications.

  2. Click Create campaign.

  3. Select User campaign as the campaign type from the Create campaign dropdown menu.

  4. Configure the following settings in the wizard and then click Schedule campaign.

Configure general settings

Configure the following settings:

  1. Campaign name: Enter a name for the campaign. Ideally, enter a name that is easy for your reviewers to understand.
  2. Description: Describe the purpose of the campaign.
  3. Start date: Select a start date for the campaign.
  4. Start time: Select a start time and the time zone for the campaign.
  5. Duration: Select the duration for which the campaign should run. Campaigns with multilevel reviewers require a duration of seven days or more.
  6. Optional. Select Make this recurring and set the recurrence schedule for the campaign. To schedule recurring campaigns effectively, see Recurring campaign considerations.

Configure user settings

Select one of the following options to define users included in the campaign:

  • Individual users: Select one or more users. You can have a maximum of 100 individual users.

  • Specific groups: Select one or more groups. You can have a maximum of five groups.

  • Custom (Okta Expression Language): Enter an Okta Expression Language expression to include users or groups that meet specific criteria. The expression must evaluate to true to include the user in the campaign, or false to exclude them. See Define user scope.

    If you have the Realms feature enabled, use this option to restrict the user scope of the campaign to a specific realm.

Configure resource settings

  1. Select one of the following options to define resources included in the campaign:

    • All apps and groups assigned to users in scope: Select this option to include all apps and groups assigned to users you selected earlier.

    • All apps assigned to users in scope: Select this option to include all apps assigned to users you selected earlier.

    • All groups assigned to users in scope: Select this option to include all groups assigned to users you selected earlier.

      Don't select All groups if you want to include entitlements in the campaign or govern admin roles. The Only include individually assigned entitlements option isn't available if you select All groups.

  2. Optional. Select Only include individually assigned apps to restrict the resource scope to apps that were individually assigned to users.

    Apps assigned through a group aren't included. Use this option to reduce redundant reviews when a campaign reviews both apps and groups assigned to a user: the group membership that grants those apps is already reviewed as its own item.

  3. Optional. Select Only include individually assigned groups to restrict the resource scope to groups that were individually assigned to users. Any groups assigned by a group rule aren't included. This option is helpful when you're confident about the resources assigned by group rules and only want to review groups that were assigned outside of the group rules.

  4. Optional. Select Only include individually assigned entitlements to exclude entitlements that were assigned by entitlement policy or to exclude admin roles assigned through group assignments.

    To review entitlements for an app in a campaign, ensure that you have Governance Engine enabled for the app and you've created entitlements. See Get started with Entitlement Management.

  5. Optional. Select Exclude specific apps from the campaign and identify apps that should be excluded from the campaign.

  6. Optional. Select Exclude specific groups from the campaign and identify groups that should be excluded from the campaign.

Configure reviewer settings

The campaign won't launch if the reviewers included in the campaign are in a deactivated or deleted status at the time the campaign is set to begin.

  1. Select a reviewer type:

    • User: Enter the name of the reviewer who should review access certifications of all users in the campaign.

    • Manager: Assign review items to the manager listed in the user's Okta profile. The review is assigned to the Fallback reviewer if the user's Okta profile doesn't list a manager.

    • Group: Assign review items to all members of a specific user group. Only one group member needs to review and take action on a review item: when a group member approves or revokes access for a review item, the item is marked as completed for all reviewers. The dropdown menu only displays groups that have between one and 10 members. If you later add more members to the group, review items are randomly assigned to 10 of the group's members.

    • Group owner: Assign review items to the owner of a group that is listed in the group's profile in Okta. The Group Owner option is available and effective only if the following conditions are true:

      • You selected one or more groups as resources on the Resource pane.

      • The group owners of each group are either all individual people or all groups. For any group, you can't have a combination of people and groups as group owners. If a group has more than 10 group owners, review items are randomly assigned to 10 of them.

    • Custom: Enter a valid Okta Expression Language expression to specify the reviewer. The expression should return the Okta User ID or username of the user who should be assigned as the reviewer. If the expression doesn't return a value for the reviewer, the Fallback reviewer is assigned as the reviewer for the users. See Define dynamic reviewers.

      If you have the Realms feature enabled, use this option to limit the campaign reviewers to a specific realm.

  2. In the Fallback reviewer field, specify a user who is responsible for reviewing all review items.
  3. Recommended. Click the Preview reviewer link and enter a user's name. Click Preview to see their assigned reviewer.
  4. Optional. Select Disable self-review. This option gives you the flexibility to allow or disallow self-reviews for campaigns depending on the criticality or sensitivity of the resources included. When a campaign has self-reviews disabled, you can't approve, revoke, or reassign your own review item. This option is enabled by default for campaigns that review access to admin roles. See Understand Disable self-review.

  5. Optional. Click Add level to add another level of reviews and select a reviewer type.

  6. If you added a second level of reviews, in the Additional level settings section, select which first-level reviewer decisions should go to the second-level reviewer.

    • Only approved decisions: The second-level reviewer is the final reviewer for approved decisions. This option allows second-level reviewers to make a decision on the first-level reviewer's approvals, but not their revoked decisions. The first-level reviewer is still the final reviewer for revoked decisions.

    • Both approved and revoked decisions: The second-level reviewer is the final reviewer for both approved and revoked decisions. This option provides second-level reviewers the ability to make a decision on all decisions made by the first-level reviewer.

    • Use the slider to determine when the second-level reviews should begin. This number should be less than the campaign's duration. The second-level reviews begin when the first-level reviews end. First-level reviews are flagged as overdue if the reviews are pending when the second-level reviews begin.

  7. Set up notifications:

    • Reviews assigned: Reviewers receive an email notification when review items are assigned to them at the time of campaign launch and when a review item gets reassigned. As an admin, you can customize the email that the reviewers receive at the time of campaign launch. See Customize an email template.

    • Reminder for pending reviews: Reviewers who have pending review items receive email notifications before the campaign closes. You can opt to send reminders at the campaign's midpoint, on the day the campaign ends, or a few days before the campaign ends.

      For campaigns with multilevel reviews, both first-level and second-level reviewers get these reminders.

      As an admin, select this option if you also want to receive a reminder email before a campaign's scheduled end date.

    • Overdue reminders for first-level reviewers: First-level reviewers who have pending review items receive an email notification every day after the first-level reviews end and until the campaign ends. This option is only available for campaigns with multilevel reviews.

    • Campaign ended: Reviewers receive an email notification when the campaign closes. As an admin, you're auto-subscribed for email notifications when a campaign you created launches or ends. You also get an email notification with a link to the campaign's page when a campaign fails to launch.

  8. Configure additional settings for reviewers:

    • Require justification: Select this option to make it mandatory for the reviewers to enter a justification for their decision to approve or revoke a user's access to a resource. This option is enabled by default for campaigns that review access to admin roles.

    • Disable bulk decisions: Select this option to prevent reviewers from selecting multiple reviews to approve or revoke. Reviewers can still reassign multiple reviews to another user and must enter a justification for the reassignment (even if the Require justification checkbox isn't selected). This option is enabled by default for campaigns that review access to admin roles.
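The Custom user scope option (under Configure user settings) and the Custom reviewer type (step 1 above) both take an Okta Expression Language expression. The expressions below are added illustrations; they aren't from the original page or from Okta's own documentation. They assume that user profile attributes are addressed as user.profile.<attribute> (user.profile.department, user.profile.employeeType, and user.profile.title are assumed attribute paths) and that the reviewer addresses are placeholders for real Okta usernames. The first two expressions evaluate to true or false and fit the Custom user scope; the third returns a username and fits the Custom reviewer type.

```text
user.profile.department == "Engineering" and user.profile.employeeType != "Contractor"

String.stringContains(user.profile.title, "Administrator") or user.profile.department == "Security"

user.profile.department == "Engineering" ? "eng-reviewer@example.com" : "it-reviewer@example.com"
```

Check a reviewer expression with Preview reviewer (step 3 above) against a few real users before you schedule the campaign. Any user for whom the expression returns no value is assigned to the Fallback reviewer, so pick a fallback who is prepared to handle the overflow.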

Configure remediation settings

Select what happens when a reviewer approves or revokes a user's access to a resource, or doesn't complete a review.

You can also customize the remediation using Okta Workflows. For most campaigns, you must remediate manually if a user's app or group assignment comes through group rules or group membership.

To understand how remediation works, see Understand remediation.

Related topics

Examples of Okta Expression Language

View the progress of an active campaign

Modify a scheduled campaign

Modify campaign's end date