About remediation

As an admin, you can decide what happens when a reviewer approves or revokes a user’s access to a resource and also what happens when a reviewer doesn’t complete a review. You can also customize the remediation using Okta Workflows. Note that if an app or a group was assigned to the user through group rules or group membership, you may have to remediate manually.

  • Select a reviewer action on the Remediation pane
  • Customize remediation
  • Handle remediation manually

Select a reviewer action on the Remediation pane

While creating or modifying a campaign, on the Remediation pane, you can select one of the following remediation options for a reviewer action:

| Reviewer action | Available options |
| --- | --- |
| Approve access | The default remediation is set to Don’t take any action. |
| Revoke access | Don’t take any action, or Remove user from the resource |
| Doesn't respond | Don’t take any action, or Remove user from the resource |

Customize remediation using Okta Workflows

Okta Workflows enables you to automate otherwise manual remediation tasks such as:

  • Trigger a ticket to your ITSM, such as ServiceNow, to manually deprovision accounts from your application.

  • Delay remediation events for a certain number of days or until the campaign has closed.

  • Send custom notifications to users who have had their access removed, so they are aware and can request access again if they think it should be restored.

You can use all access certification decisions as events to build custom workflows. See Access Certification Decision Submitted in the Okta Connector.

For more information on configuring Okta Workflows, see Build Flows.

Handle remediation manually

If you have set Remove user from the resource as a remediation option, you may see the remediation status as Manual Remediation Required when:
  • The user was assigned to an application through a group.

  • The user was added to a group through group rules.

  • The user is a member of an app-sourced group.

Considerations for manual remediation

  • Before removing a user from a group, check the assignments that the user gets from a group. Apps, admin roles, sign-on policies, and other privileges are often assigned through groups. Removing a user from a group will revoke all assignments that the user gets through that group.

  • Check if a user has multiple group memberships that could assign them to an application. To remove access, you must remove the user from all groups through which they get access to an application.

  • Check how an app-sourced group is used in the source application before removing it to ensure there aren’t any unintended consequences.

Remediate access by taking the following recommended actions:

| Resource | Assigned through | Recommended action |
| --- | --- | --- |
| Application | Okta-sourced group membership | Remove the user from the Okta-sourced group using Workflows. |
| Application | App-sourced group membership (for example, an AD group) | Remove the user from the app-sourced group. For example, remove the user from the group in AD. |
| Okta-sourced group | Group rules | Remove the user from the group and add the user as an exception to the group rule. |
| App-sourced group | Imports | Remove the user from the app-sourced group. For example, remove the user from the group in AD. |
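As an added example (not Okta code and not an Okta API client), the following Python applies the considerations and recommended actions above to one user: it finds every group that grants the application, picks the recommended action for each, and lists the other apps and admin roles the user would lose. The group inventory, the user name, and the `via_rule` field are constructed for illustration.

```python
# Constructed sample inventory (not real tenant data). "type" distinguishes
# Okta-sourced (OKTA_GROUP) from app-sourced (APP_GROUP) groups.
GROUPS = {
    "Sales":       {"type": "OKTA_GROUP", "apps": {"CRM", "Wiki"}, "roles": set()},
    "CRM-Admins":  {"type": "OKTA_GROUP", "apps": {"CRM"}, "roles": {"APP_ADMIN"}},
    "AD-Finance":  {"type": "APP_GROUP", "apps": {"CRM", "Payroll"}, "roles": set()},
    "Contractors": {"type": "OKTA_GROUP", "apps": {"Wiki"}, "roles": set()},
}
# user -> {group: via_rule}; via_rule is an assumed flag meaning the
# membership was granted by a group rule rather than added directly.
MEMBERSHIPS = {
    "jdoe": {"Sales": True, "CRM-Admins": False,
             "AD-Finance": False, "Contractors": False},
}

def recommended_action(group_type, via_rule):
    """Map one group membership to the recommended action for it."""
    if group_type == "APP_GROUP":
        return "remove the user from the group in the source app (e.g. AD)"
    if via_rule:
        return "remove the user from the group and add a group rule exception"
    return "remove the user from the Okta-sourced group (Workflows)"

def plan_manual_remediation(user, app, groups=GROUPS, memberships=MEMBERSHIPS):
    """Return one step per group granting `app`, with collateral losses."""
    user_groups = memberships.get(user, {})
    # Access is only gone once the user has left every granting group.
    granting = sorted(g for g in user_groups if app in groups[g]["apps"])
    untouched = [g for g in user_groups if g not in granting]
    # Apps still held through groups that the plan does not touch.
    kept_apps = set().union(*(groups[g]["apps"] for g in untouched))
    steps = []
    for g in granting:
        info = groups[g]
        steps.append({
            "group": g,
            "action": recommended_action(info["type"], user_groups[g]),
            "also_loses_apps": sorted(info["apps"] - {app} - kept_apps),
            "also_loses_roles": sorted(info["roles"]),
        })
    return steps

if __name__ == "__main__":
    for step in plan_manual_remediation("jdoe", "CRM"):
        print(step)
```
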

Related topics

Modify a scheduled campaign

End an active campaign