Access Certifications

Okta Identity Governance is generally available to customers on a subscription basis. For more information, contact your Account Executive or Customer Success Manager.

As an organization, it’s important to periodically identify and review users who have access to your critical resources. This ensures that only users who need a resource have access to it and avoid accumulation of elevated or privileged access to a resource.

Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required. In each campaign, you can specify the following items:

  • The start date and duration of the campaign.
  • The resources (apps or groups) that you want to include in the review.
  • The users or teams that you want to include in the campaign.
  • The reviewers who must review the access for each user and resource.

You can also view previously closed campaigns and generate reports.

The Access Certifications process helps your company meet the following requirements:

  • Secure critical resources by reducing risk of inappropriate access to these resources.
  • Pass industry audits by being able to verify access and provide evidence to auditors that only the right users have access to the right resources.
  • Reduce license costs related to license sprawl from temporary projects or users changing teams within an organization.
  • Improve efficiency by using existing Okta configurations and app integrations to easily create campaigns and automate removal in third-party apps.

Known issues and limitations

  • Currently, a campaign can only have 50 resources assigned to it.

  • Each org can have a maximum of 500 active campaigns.

  • The number of review items in a campaign must be between 1 and 100,000. To better manage large campaigns, we recommend that you split reviews in to multiple campaigns.
  • Don’t rename, modify, or delete the Access Certification Reviewer group. Reviewers are automatically added to this group when and admin assigns review items to them. Modifying this group in any way can result in reviewers losing access to the campaign and being unable to complete their reviews. If you accidentally delete the group, contact Okta Support.

  • The campaign launch fails if the resources or reviewers included in the campaign are in a deactivated or deleted status at the start time of the campaign. You receive an email notification containing a list of errors when a campaign fails to launch. You can also check the Closed tab of the Access certification campaigns page or the Events table in the System Log for more information on the error.

  • Automated access revocation is limited to resources (groups or applications) that were individually assigned to a user. You need to remediate manually in other situations wherein a user was assigned access to a resource through group membership or group rules. See Remediation for more information on identifying these cases and how to manually resolve them.

Related topics

Create campaigns

Modify a scheduled campaign