Create campaigns
Create campaigns to periodically review your users’ access to applications and groups within Okta. You can schedule campaigns in advance and modify them before they launch.
A campaign becomes active on the start date and closes on the end date. You can launch a campaign before its start date and end an active campaign before its scheduled end date. After a campaign launches, you can reassign review items or end the campaign. You can’t modify a campaign after it ends.
Best practices
- Select a campaign name that is self-explanatory. Campaign names are visible to your reviewers. Okta recommends using unique names that include the month and year.
- For the campaign description, include information that can help a reviewer understand the purpose of the campaign. For example, if you have set up a campaign to review Salesforce permissions of users, you can add that as the campaign description to provide the context to the reviewers.
- Ensure that the resource associated with the campaign exists in Okta and isn’t deactivated or deleted.
- The number of review items in a campaign must be from 1 through 100,000. To better manage large campaigns, Okta recommends that you split reviews into multiple campaigns.
- Don’t rename, modify, or delete the Access Certification Reviewer group. Reviewers are automatically added to this group when review items are assigned to them. Modifying this group in any way can result in reviewers losing access to the campaign and being unable to complete their reviews. If you accidentally delete the group, contact Okta Support.
- Ensure that the fallback reviewer that you select is active in Okta.
- Currently, you can only have 500 active campaigns for an org. If you reach that limit, consider ending some active campaigns before creating campaigns.
- To use the Group Owner reviewer type, ensure that you have group owners configured in Okta. See Configure Okta group owners.
- For campaigns with multilevel reviews, keep the following considerations in mind:
  - You can set up two levels of review in a single campaign.
  - Review items are sent to the second-level reviewer only after the first-level reviewer approves or revokes them. It’s important for the first-level reviewers to take decisions on review items on time to avoid blocking the campaign’s progress.
  - The second-level reviewer can view the first-level reviewer’s decision and the justification for a review item.
  - The final reviewer varies depending on the campaign’s configuration.
  - The remediation options that you configure for a campaign are applicable to the decisions made by the final reviewer. See Remediation.
  Note: Multilevel Reviews is an Early Access feature for orgs with Identity Governance enabled. Use the Early Access Feature Manager as described in Manage Early Access and Beta features to enable the feature.
Start this task
Ensure that you’re signed in as a super admin or an access certifications admin before doing the following steps.
- In the Admin Console, go to
- Click + Create campaign.
Configure your requirements in the wizard.
General
- Enter values for the following fields:
  - Campaign name: Enter a name for the campaign. Ideally, enter a name that is easy to understand for your reviewers.
  - Description: Describe the purpose of the campaign.
  - Start date: Select a start date for the campaign.
  - Start time: Select a start time and the time zone for the campaign.
  - Duration: Select the duration for which the campaign should run. Campaigns with multilevel reviewers require a duration of seven days or more.
  Campaigns begin at 12:00 on the start date and close at 23:59 on the end date in the time zone of the admin who configured the campaign.
- If you want the campaign to repeat after a specific interval, select Make this recurring. If you only want to set up a single campaign, skip the next two steps.
- Enter or select the appropriate values in the Repeats every section to configure the frequency of the recurring campaigns. See Recurring campaign considerations.
- In the Recurrence ends section, select either Never or On a specific date based on your requirements.
- Click Next.
Resources
- Select the resource type as Applications or Groups.
- Select the applications or groups that you want to include in the campaign. You can add up to 50 resources in a campaign.
- Click Next.
Users
- Select either of the following options:
  - All users assigned to the resource
    - Actions: Select this option to include users who are assigned to resources you selected earlier.
    - Description: N/A
  - Specify user scope
    - Actions: Enter a valid Okta Expression Language (EL) expression to specify the user scope.
    - Description: This option restricts the user scope to a specific set of users. The expression should result in true to include the user in the campaign or false to exclude them from the campaign. See Define user scope.
- Recommended. In the Previewer reviewer field, enter a user’s name to check if they’re included in the campaign. Click Preview. You get a message stating whether the user is a part of the campaign or not.
  If you preview a user that isn’t assigned to a resource in the campaign, the preview indicates that they aren't a part of the campaign, even if the EL expression includes them.
- To exclude specific users from the campaign, select Exclude users from the campaign and enter names of the users who should be excluded from the campaign.
- Click Next.
Reviewer
- The reviewers you select here are automatically added to the Access Certification Reviewer group. Don’t rename, modify, or delete the Access Certification Reviewer group. If you accidentally delete the group, contact Okta Support.
- The campaign won’t launch if the reviewers included in the campaign are in a deactivated or deleted status at the time the campaign is set to begin.
- Select a type of reviewer.
  - A specific user
    - Actions: Enter the name of the reviewer who should review access certifications of all users in the campaign.
    - Comments: This reviewer is responsible for reviewing all review items.
  - User's manager
    - Actions:
      - Assign review items to the user’s manager that is listed in the user’s profile in Okta.
      - In the Fallback reviewer field, specify a user who is responsible for reviewing all review items.
    - Comments: If the user’s profile in Okta doesn’t have a manager listed, the Fallback reviewer is assigned as a reviewer for that user.
  - Group
    - Actions: Assign review items to all members of a specific user group.
    - Comments: Only one group member needs to review and take action on the review item. So if a group member approves or revokes access for a review item, the review item is marked as completed for all reviewers. The dropdown only displays groups that have between one and 10 members. If you add more members to the group, review items are assigned to the first 10 members of the group.
  - Group owner
    - Actions:
      - Assign review items to the owner of a group that is listed in the group’s profile in Okta.
      - In the Fallback reviewer field, specify a user who is responsible for reviewing all review items.
      - Recommended. You can preview the group owner for a group. In the Preview section, select a group for the Preview group owner dropdown. Click Preview.
    - Comments: If the number of group owners within a group is greater than 10, then review items are assigned to the first 10 group owners. The Group Owner option is available and effective only if the following conditions are true:
      - You selected one or more groups as resources on the Resource pane.
      - The group owner for each group is either individual people or a group. For any group, you can't have a combination of people and groups as group owners.
  - Custom
    - Actions:
      - Enter a valid Okta EL expression to specify the reviewer.
      - Recommended. In the Preview a user’s reviewer field, enter the name of a user to check who their reviewer is.
      - Click Preview.
      - In the Fallback reviewer field, specify a user who is responsible for reviewing all review items.
    - Comments: The expression should return the Okta User ID or username of the user who should be assigned as the reviewer. See Define dynamic reviewers. If the expression doesn’t return a value for the reviewer, the Fallback reviewer is assigned as the reviewer for the users.
- Optional. Click + Add level to add a second-level reviewer, and then perform these steps:
  - Select the second-level reviewer type.
  - In the Additional Settings section, select which first-level reviewer decisions should go to the second-level reviewer.
    - Only approved decisions: The second-level reviewer is the final reviewer for approved decisions. This option allows second-level reviewers to make a decision on the first-level reviewer's approvals, but not their revoked decisions. The first-level reviewer is still the final reviewer for revoked decisions.
    - Both approved and revoked decisions: The second-level reviewer is the final reviewer for both approved and revoked decisions. This option provides second-level reviewers the ability to make a decision on all decisions made by the first-level reviewer.
  - Select or enter a day when the second-level reviews should begin. This number should be less than the campaign’s duration. The second-level reviews begin when the first-level reviews end. First-level reviews are flagged as overdue if the reviews are pending when the second-level reviews begin.
  Note: Multilevel Reviews is an Early Access feature for orgs with Identity Governance enabled. Use the Early Access Feature Manager as described in Manage Early Access and Beta features to enable the feature.
- In the Notifications section, select one or more of the following options:
  - Reviews assigned: Reviewers receive an email notification when review items are assigned to them at the time of campaign launch and when a review item gets reassigned. As an admin, you can customize the email that the reviewers receive at the time of campaign launch. See Customize an email template.
  - Reminder for pending reviews: Reviewers who have pending review items receive email notifications before the campaign closes. You can opt to send reminders at the campaign’s midpoint, on the day the campaign ends, or a few days before the campaign ends. If you've enabled the Multilevel Reviews feature, both first-level and second-level reviewers get these reminders. As an admin, select this option if you also want to receive a reminder email before a campaign’s scheduled end date.
  - Overdue reminders for first-level reviewers: First-level reviewers who have pending review items receive an email notification every day after the first-level reviews end and until the campaign ends. This option is available if you've enabled the Multilevel Reviews feature for your org.
  - Campaign ended: Reviewers receive an email notification when the campaign closes.
  As an admin, you’re auto-subscribed for email notifications when a campaign you created launches or ends. You also get an email notification with a link to the campaign's page when a campaign fails to launch.
- Click Next.
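The second-level settings above decide who the final reviewer is for each review item, and remediation follows that final decision. The sketch below is an added example, not Okta code: it models those rules as read from this page, and the names `route`, `remediation_queue`, the scope values `approved_only` and `both`, and the sample items are all hypothetical.

```python
def route(item, scope, day, second_level_start_day):
    """Return (state, final_level, decision) for one review item.

    item: {"user", "first", "second"}; decisions are "approve", "revoke" or None.
    scope: "approved_only" or "both" (hypothetical names for the two options
    in Additional Settings). day: current day of the campaign.
    """
    first, second = item["first"], item["second"]
    if first is None:
        # Nothing reaches level 2 until level 1 decides; once second-level
        # reviews have begun, the pending first-level review is overdue.
        state = "overdue_l1" if day >= second_level_start_day else "pending_l1"
        return (state, None, None)
    if first == "revoke" and scope == "approved_only":
        return ("final", 1, "revoke")   # first-level revoke stands
    if second is None:
        return ("pending_l2", None, None)
    return ("final", 2, second)         # second-level decision is final

def remediation_queue(items, scope, day, second_level_start_day):
    """Split items into those ready for remediation and those still blocked."""
    ready, blocked = [], []
    for item in items:
        state, level, decision = route(item, scope, day, second_level_start_day)
        if state == "final":
            ready.append((item["user"], level, decision))
        else:
            blocked.append((item["user"], state))
    return ready, blocked

# Constructed review items, not real campaign data.
ITEMS = [
    {"user": "u1", "first": "approve", "second": "revoke"},
    {"user": "u2", "first": "revoke", "second": None},
    {"user": "u3", "first": None, "second": None},
    {"user": "u4", "first": "approve", "second": None},
]

if __name__ == "__main__":
    for scope in ("approved_only", "both"):
        print(scope, remediation_queue(ITEMS, scope, day=5, second_level_start_day=4))
```

With `approved_only`, the first-level revoke for `u2` is final immediately; with `both`, the same item waits for the second-level reviewer.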
Remediation
- Select what happens in the following situations:
  - The reviewer approves or revokes a user’s access.
  - The reviewer doesn’t respond.
  For campaigns with only one level of review, the remediation process begins immediately after the reviewer approves or revokes a user’s access.
  For campaigns with multilevel reviews, remediation happens when the final reviewer makes a decision. See Remediation.
  Remediation is extensible with Okta Workflows. See Access Certification Decision Submitted. For information on configuring Okta Workflows, see Build Flows.
- Click Schedule campaign.
You can modify a scheduled campaign at any time before the campaign becomes active but not after it has become active or has closed. See Modify a scheduled campaign and End an active campaign.
As an admin, you can reassign review items to a different reviewer even when the campaign is active.
You can view the campaign you created on the Scheduled tab of the Access certification campaigns page. Recurring campaigns are marked with the Recurring label on the Scheduled tab to indicate that they’re a part of a series of recurring campaigns.
You can also view any active and closed campaigns on the Access certification campaigns page. Closed campaigns are stored for 12 months.
After you schedule a campaign, it becomes active on the scheduled start date. Your reviewers can access the review items assigned to them from the Okta Access Certification Reviews app tile on their dashboard. They can approve, revoke, or reassign the review items.
If a scheduled campaign fails to launch, you’re notified by email. To view errors, you can do any of the following steps:
- Click the View Campaign button from the email notification.
- Open the campaign from the Closed tab of the Access certification campaigns page.
- Go to the System Log.
Resolve the errors before you recreate the campaign. You may want to note down the Okta Expression Language expressions for users and reviewers from the Overview section before recreating the campaign. You can delete a campaign that failed to launch from the Actions menu.
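Several of the limits on this page can be checked before you schedule or recreate a campaign. The following pre-flight check is an added example, not Okta code or an Okta API: `CampaignPlan`, its field names, the status strings, and the sample plan are hypothetical, and only the numeric limits come from this page.

```python
from dataclasses import dataclass

# Limits stated on this page.
MAX_REVIEW_ITEMS, MAX_RESOURCES = 100_000, 50
MIN_MULTILEVEL_DAYS, MAX_GROUP_REVIEWERS = 7, 10

@dataclass
class CampaignPlan:
    """Hypothetical planning record; the field names are not an Okta schema."""
    name: str
    resource_count: int
    review_items: int
    duration_days: int
    reviewer_status: dict            # reviewers and fallback: name -> status
    reviewer_group_size: int = 0     # 0 = reviewer type is not Group
    second_level_start_day: int = 0  # 0 = single-level campaign

def preflight(plan):
    """Return (severity, message) findings for a planned campaign."""
    out = []
    if not 1 <= plan.review_items <= MAX_REVIEW_ITEMS:
        out.append(("error", f"{plan.review_items} review items: outside 1..{MAX_REVIEW_ITEMS}"))
    if not 1 <= plan.resource_count <= MAX_RESOURCES:
        out.append(("error", f"{plan.resource_count} resources: limit is {MAX_RESOURCES}"))
    for user, status in sorted(plan.reviewer_status.items()):
        if status != "active":
            out.append(("error", f"reviewer {user} is {status}"))
    if plan.second_level_start_day:
        if plan.duration_days < MIN_MULTILEVEL_DAYS:
            out.append(("error", "multilevel campaigns need seven days or more"))
        if plan.second_level_start_day >= plan.duration_days:
            out.append(("error", "second-level start day must be less than the duration"))
    if plan.reviewer_group_size > MAX_GROUP_REVIEWERS:
        out.append(("warning", "only the first 10 group members get review items"))
    return out

def split_items(total, limit=MAX_REVIEW_ITEMS):
    """Sizes of the campaigns needed to cover `total` review items."""
    full, rest = divmod(total, limit)
    return [limit] * full + ([rest] if rest else [])

# Constructed sample plan, not real org data.
SAMPLE = CampaignPlan("Salesforce access review, January 2025", 3, 250_000, 5,
                      {"alice": "active", "bob": "deactivated"},
                      reviewer_group_size=14, second_level_start_day=5)

if __name__ == "__main__":
    print(preflight(SAMPLE), split_items(SAMPLE.review_items))
```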
Related topics
Examples of Okta Expression Language