Create resource campaigns

Resource campaigns display all the users who have access to a resource. Running resource campaigns regularly helps ensure that access to sensitive resources is limited. These campaigns are also useful for meeting your audit and compliance requirements or professional standards like SOC2 and SOX.

If you enabled Govern Okta admin roles, use this campaign type to review user admin role assignments.

You can select a resource, such as an app or group, and review who has access to it and the associated entitlements and bundles (including standard and custom admin roles). You can select all users assigned to the resource or define a specific set of users using the Okta Expression Language. You can also exclude certain users from the campaign.

Before you begin

  • You can select a maximum of 50 resources and review who has access to them.

  • You can have a maximum of 100,000 review items in a campaign. To manage large campaigns, split reviews into multiple campaigns.

  • If you're creating a campaign to govern admin roles, ensure that you're signed in as a super admin and have the feature enabled. Also, read the considerations listed in the Create campaigns to review admin rolestopic.

    Existing admin assignments are treated as key value pairs: the entitlement and the resource (the Admin Console).

  • If you're creating a campaign to review conflicting entitlement assignments, verify that the Separation of duties (SOD) details checkbox is selected before you launch the campaign. The checkbox is located on the Contextual Information page. This checkbox allows the campaign reviewers to view SOD conflict details. See Customizable reviewer context.

Set up the campaign

  1. In the Admin Console, go to Identity GovernanceAccess Certifications.

  2. Click Create campaign.

  3. Select Resource campaign as the campaign type from the Create campaign dropdown menu.

  4. Configure the following settings in the wizard and then click Schedule campaign.

Configure general settings

Configure the following settings:

  1. Campaign name: Enter a name for the campaign. Ideally, enter a name that is easy for your reviewers to understand.
  2. Description: Describe the purpose of the campaign.
  3. Start date: Select a start date for the campaign.
  4. Start time: Select a start time and the time zone for the campaign.
  5. Duration: Select the duration for which the campaign should run. Campaigns with multilevel reviewers require a duration of seven days or more.
  6. Optional. Select Make this recurring and set the recurrence schedule for the campaign. To schedule recurring campaigns effectively, see Recurring campaign considerations

Configure resource settings

Select the resource type as Application or Group.

Application

  1. Select one or more apps.
    • If you want to review entitlements including the ones that conflict based on SOD rules, select up to 10 apps highlighted in blue.
    • If you want to govern admin roles, search for and select Okta Admin Console. You can't add any other apps if you select this one.
  2. Turn on the Review entitlements toggle to review entitlements including the ones that conflict based on SOD rules. However, if you want to review apps that have inactive users, leave it toggled off.

  3. For each app, indicate whether you want to view All entitlements and bundles or Specific entitlements and bundles. If you specify an entitlement, you can also retrieve any bundle that contains your entitlement value by selecting the checkbox.

    After enabling the Review entitlements toggle, you must select All entitlements and bundles to view entitlement conflicts based on your SOD rules.

  4. Click Add to include other bundles or entitlements.

Group

Select one or more groups. Don't select Group if you want to include entitlements in the campaign. The Review entitlements toggle isn't available if you select Group.

Configure user settings

  1. Select one of the available options:

    • All users assigned to the resource: Select this option to include users who are assigned to resources you selected earlier.

    • Specify user scope: Select this option to restrict the user scope to a specific set of users in your org. If you have the Realms feature enabled, use this option to restrict the campaign to include users from a specific realm.

      1. Enter a valid Okta Expression Language (EL) expression to specify the user scope. The expression should result in true to include the user in the campaign or false to exclude from the campaign. See Define user scope.

      2. Recommended. In the Previewer reviewer field, enter a user's name to check if they're included in the campaign. Click Preview. You get a message stating whether the user is a part of the campaign or not.

        If you preview a user that isn't assigned to a resource in the campaign, the preview indicates that they aren't a part of the campaign, even if the EL expression includes them.

    • Predefined user scope:

      • No recent activity: Select this option to review apps that haven't been used over a period of time. Specify the number of days users have been inactive. This option only appears if you've set the campaign's resource scope as Apps and toggled off the Review entitlements setting.

      • Have separation of duties (SOD) conflicts: Select this option if you only want to review users whose entitlements conflict based on separation of duties rules. This option only appears if you've set the campaign's resource scope as Apps, toggled on the Review entitlements setting, and selected All entitlements and bundles.

    • Only include active Okta users in this campaign: Select this option to only include users who have Active, Password Reset (or Recovery), Password Expired, or Locked Out status in Okta.

  2. Optional. Exclude users from the campaign: To exclude specific users from the campaign, select Exclude users from the campaign and enter the names of the users who should be excluded from the campaign.

Configure reviewer settings

The campaign won't launch if the reviewers included in the campaign are in a deactivated or deleted status at the time the campaign is set to begin.

  1. Select a reviewer type:

    • User: Enter the name of the reviewer who should review access certifications of all users in the campaign.

    • Manager: Assign review items to the user's manager that is listed in the user's profile in Okta. The review gets assigned to the Fallback reviewer if the user's profile in Okta doesn't have a manager listed.

    • Group: Assign review items to all members of a specific user group. Only one group member needs to review and take action on the review item. So if a group member approves or revokes access for a review item, the review item is marked as completed for all reviewers. The dropdown menu only displays groups that have between one and 10 members. If you add more members to the group, review items are randomly assigned to the 10 members of the group.

    • Group owner: Assign review items to the owner of a group that is listed in the group's profile in Okta. The Group Owner option is available and effective only if the following conditions are true:

      • You selected one or more groups as resources on the Resource pane.

      • The group owner for each group is either individual people or a group. For any group, you can't have a combination of people and groups as group owners. If the number of group owners within a group is greater than 10, then review items are randomly assigned to the 10 group owners.

    • Custom: Enter a valid Okta Expression Language expression to specify the reviewer. The expression should return the Okta User ID or username of the user who should be assigned as the reviewer. If the expression doesn't return a value for the reviewer, the Fallback reviewer is assigned as the reviewer for the users. See Define dynamic reviewers.

      If you have the Realms feature enabled, use this option to limit the campaign reviewers to a specific realm.

  2. In the Fallback reviewer field, specify a user who is responsible for reviewing all review items.
  3. Recommended. Click the Preview reviewer link and enter a user's name. Click Preview to see their assigned reviewer.

  4. Optional. Select Disable self-review. This option gives you the flexibility to allow or disallow self-reviews for campaigns depending on the criticality or sensitivity of the resources included. This option is enabled by default for campaigns that review access to admin roles. When a campaign has self-reviews disabled, you can't approve, revoke, or reassign your own review item. This option is enabled by default for campaigns that review access to admin roles. See Understand Disable self-review.

  5. Optional. Click Add level to add another level of reviews and select a reviewer type.

  6. If you added a second level of reviews, in the Additional level settings section, select which first-level reviewer decisions should go to the second-level reviewer.

    • Only approved decisions: The second-level reviewer is the final reviewer for approved decisions. This option allows second-level reviewers to make a decision on the first-level reviewer's approvals, but not their revoked decisions. The first-level reviewer is still the final reviewer for revoked decisions.

    • Both approved and revoked decisions: The second-level reviewer is the final reviewer for both approved and revoked decisions. This option provides second-level reviewers the ability to make a decision on all decisions made by the first-level reviewer.

    • Use the slider to determine when the second-level reviews should begin. This number should be less than the campaign's duration. The second-level reviews begin when the first-level reviews end. First-level reviews are flagged as overdue if the reviews are pending when the second-level reviews begin.

  7. Set up notifications:

    • Reviews assigned: Reviewers receive an email notification when review items are assigned to them at the time of campaign launch and when a review item gets reassigned. As an admin, you can customize the email that the reviewers receive at time of campaign launch. See Customize an email template

    • Reminder for pending reviews: Reviewers who have pending review items receive email notifications before the campaign closes. You can opt to send reminders at the campaign's midpoint, on the day the campaign ends, or a few days before the campaign ends.

      For campaigns with multilevel reviews, both first-level and second-level reviewers get these reminders.

      As an admin, select this option if you also want to receive a reminder email before a campaign's scheduled end date.

    • Overdue reminders for first-level reviewers: First-level reviewers who have pending review items receive an email notification every day after the first-level reviews end and until the campaign ends. This option is only available for campaigns with multilevel reviews.

    • Campaign ended: Reviewers receive an email notification when the campaign closes. As an admin, you're auto-subscribed for email notifications when a campaign you created launches or ends. You also get an email notification with a link to the campaign's page when a campaign fails to launch.

  8. Configure additional settings for reviewers:

    • Require justification: Select this option to make it mandatory for the reviewers to enter a justification for their decision to approve or revoke a user's access to a resource. This option is enabled by default for campaigns that review access to admin roles.

    • Disable bulk decisions: Select this option to prevent reviewers from selecting multiple reviews to approve or revoke. Reviewers can still reassign multiple reviews to another user and must enter a justification for the reassignment (even if the Require justification checkbox isn't selected).

    • Disable reassignment: Select this option to prevent reviewers from reassigning review items to other users from the Okta Access Certifications Reviews app. This option is enabled by default for campaigns that review access to admin roles. However, super or access certifications admins can still reassign review items from the campaign's page in the Admin Console.

Configure remediation settings

  1. Select what happens when a reviewer approves or revokes a user's access to a resource, or doesn't complete a review. If you've selected Remove access from user for any reviewer actions, the Automatically remove group-based access checkbox is available.

    Enhanced group remediation is only available for resource campaigns that review access to apps without reviewing entitlements.

  2. Optional. Select Automatically remove group-based access to allow Access Certifications to automatically revoke access group-assigned apps. This reduces the need for manual remediation after a reviewer makes the decision to revoke user access. However, you still need to remediate user access if the app was assigned using group rules or if the group is an app-sourced group.

  3. Optional. Specify up to 50 groups from which Access Certifications can remove users from to revoke their app access. By default, Access Certifications can remove users from all groups that assign apps to users.

You can also customize the remediation using Okta Workflows. For most campaigns, you must remediate reviews manually if a user's app or a group assignment is through group rules or group membership.

To understand how remediation works, see Understand remediation.

Related topics

Examples of Okta Expression Language

View the progress of an active campaign

Modify a scheduled campaign

Modify campaign's end date