Certification campaign reviews
Review users' access to resources regularly using Access Certifications campaigns.
A campaign becomes active on its scheduled start date. When a campaign is active, reviewers can approve or revoke a user's access to a resource. They can also reassign the review item to another reviewer. However, reviewers can't change their decisions on review items after submitting them.
The campaign is marked as closed on the campaign's scheduled end date, when all reviewers in the campaign complete their reviews, or when you (super or access certifications admin) close the campaign before the scheduled end date. After a campaign ends, reviewers can't approve or revoke any pending review items.
For campaigns with multilevel reviews, some items reviewed by a first-level reviewer are sent to a second-level reviewer for approval. In this case, the second-level reviewer is the final reviewer for those review items and must make a decision before the campaign ends.
Sometimes, a second-level reviewer may see new review items assigned to them after the second-level review has begun. This happens when the first-level reviewer finishes reviewing their pending items after their due date.
Only super admins can reassign review items in a campaign that reviews admin roles. See Considerations.
When reviewing user access, reviewers can also view details of separation of duties conflicts if you (a super or access certifications admin) have configured it on the Contextual Information page before the campaign launch. See Customizable reviewer context.
Reviewers can view previously completed campaigns that they reviewed from the Closed tab of the My reviews page in the Okta Access Certifications Reviews app. If the campaign owner sets up email notifications, reviewers receive notifications for the following events:
- An admin or a reviewer assigns review items.
- A reviewer has pending review items and the campaign ends soon.
- Overdue reminders for first-level reviewers, if they have pending review items.
- When the campaign ends.
If you know that a reviewer will be unavailable for a period of time, you (super admin) or the reviewer can assign a delegate for the reviewer. Reviewers can specify another user as a delegate or make changes to their assigned delegate only if you've turned on the Enable end users to assign their own delegate toggle. See Enable end users to assign delegates. If you haven't turned on the toggle, they can only view the delegate assignment information.
Note that review items aren't assigned to the delegate if a reviewer included in the campaign assigns a delegate after the campaign launches. See Assign delegate from the Admin Console and Manage delegates.
For campaigns with the Reviewer type as Group or Group Owner, if a group member assigns a delegate who isn't a member of the group, any future review items are assigned to the delegate along with existing group members. The Review details panel for a review item also indicates which users are delegates.
Smart review
Early Access release. See Enable self-service features.
Smart Review is an alternate method for reviewers to review and certify access in campaigns in the Okta Access Certifications Reviews app. Instead of certifying access for each review item one by one in a campaign table, this feature groups review items by user, resource, and recommendation. This helps reviewers make more intentional and accurate access decisions and efficiently certify access for campaigns with a high volume of review items.
Reviewers can use one of the following modes to begin certifying access:
- By Resource: Review items are grouped by resource. Reviewers can review and certify access for all users who have access to a resource in the campaign at once. This mode is ideal for resource owners certifying who has access to the resources that they're responsible for managing.
- By User: Review items are grouped by user. Reviewers can review and certify access for all resources that a user has access to in the campaign at once. This mode is ideal for managers certifying access for their direct reports.
Depending on the mode, review items are grouped by a user or resource into multiple steps. A step is a set of two or more review items that include a common factor like resource, user, or recommendation.
For example, you launched a campaign targeting all apps and groups, assigning review tasks to the users' managers.
In the review By Resource mode, each step displays the access that users have for a single resource. Step 1 is a set of review items where the users are assigned to App A. Step 2 is a set of review items where all users are assigned to Group B, and so on.
In the review By User mode, each step contains a list of resources that a user has access to. Step 1 includes all review items (list of user's access to various apps and groups) associated with User 1. Step 2 includes all review items associated with User 2, and so on.
In both modes, reviewers can select All reviews to see an overview of all steps in the current mode.
Irrespective of the smart review mode, there may be an additional Wrap up step, which includes review items that don't have a common attribute among them.
Reviewers can use the options menu to end the ongoing smart review or disable the smart review feature for all campaigns for the duration of their active Okta session.
The You've seen everything message appears at the end of the smart review if there are pending review items. Reviewers can either go back to the previous step or finish the smart review.
The Smart Review option is only available to reviewers for active campaigns if the following conditions are met:
- The total number of review items assigned to a reviewer is less than 10,000.
- There is at least one applicable smart review mode.
- There are a minimum of two steps (excluding the Wrap up step) and a maximum of 100 steps.
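The step grouping and the availability conditions above can be modeled in a few lines. This is an added illustration, not Okta's implementation or API. It assumes that a review item is a (user, resource) pair, that a mode is applicable when it yields between 2 and 100 steps with the Wrap up step excluded from both limits, and it leaves out grouping by recommendation. All names and sample data are constructed.

```python
from collections import defaultdict

MAX_ITEMS = 10_000              # page: total must be less than 10,000
MIN_STEPS, MAX_STEPS = 2, 100   # page: 2 to 100 steps (Wrap up excluded: assumption)

# Constructed sample review items as (user, resource); not real campaign data.
SAMPLE_ITEMS = [
    ("alice", "App A"), ("bob", "App A"), ("carol", "App A"),
    ("alice", "Group B"), ("bob", "Group B"),
    ("dave", "App C"),
]

def build_steps(items, mode):
    """Group items for mode 'resource' or 'user'.

    Returns (steps, wrap_up). Each step holds two or more items that share
    the grouping key; wrap_up collects items that share it with no other item.
    """
    idx = {"user": 0, "resource": 1}[mode]
    groups = defaultdict(list)
    for item in items:
        groups[item[idx]].append(item)
    steps = {key: grp for key, grp in groups.items() if len(grp) >= 2}
    wrap_up = [grp[0] for grp in groups.values() if len(grp) == 1]
    return steps, wrap_up

def mode_applicable(items, mode):
    """Assumed rule: a mode applies when its step count is within limits."""
    steps, _ = build_steps(items, mode)
    return MIN_STEPS <= len(steps) <= MAX_STEPS

def smart_review_modes(items):
    """Modes a reviewer could be offered; an empty list means no Smart Review."""
    if len(items) >= MAX_ITEMS:
        return []
    return [m for m in ("resource", "user") if mode_applicable(items, m)]

if __name__ == "__main__":
    for mode in smart_review_modes(SAMPLE_ITEMS):
        steps, wrap_up = build_steps(SAMPLE_ITEMS, mode)
        print(f"By {mode}:")
        for n, (key, grp) in enumerate(steps.items(), start=1):
            print(f"  Step {n}: {key} ({len(grp)} review items)")
        if wrap_up:
            print(f"  Wrap up: {wrap_up}")
```

With the sample data, By Resource yields steps for App A and Group B with dave's App C item in Wrap up, and By User yields steps for alice and bob with carol's and dave's items in Wrap up.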
