As an organization, it's important to periodically identify and review the users who have access to your critical resources. This ensures that only users who need a resource have access to it and avoids the accumulation of elevated or privileged access to a resource.
Use Access Certifications to create audit campaigns to periodically review your users' access to resources and approve or revoke access automatically when required. In each campaign, you can specify:
- The start date and duration of the campaign.
- The resources (apps or groups) that should be included in the review.
- The users or teams that should be included in the campaign.
- The reviewers who should review the access for each user and resource.
You can also view previously closed campaigns and generate reports.
The Access Certifications process helps your company to:
- Secure critical resources by reducing the risk of inappropriate access to these resources.
- Pass industry audits by being able to verify access and provide evidence to auditors that only the right users have access to the right resources.
- Reduce license costs related to license sprawl from temporary projects or users changing teams within an organization.
- Improve efficiency by using existing Okta configurations and app integrations to easily create campaigns and automate removal in third-party apps.
Known issues and limitations
- Currently, a campaign can only have 50 resources assigned to it.
- Each org can have a maximum of 500 active campaigns.
- The number of review items in a campaign must be between 1 and 100,000. To better manage large campaigns, we recommend that you split reviews into multiple campaigns.
- Do not rename, modify, or delete the Access Certification Reviewer group. Reviewers are automatically added to this group when review items are assigned to them. Modifying this group in any way can result in reviewers losing access to the campaign and being unable to complete their reviews. If you accidentally delete the group, contact Okta Support.
- The campaign launch fails if the resources or reviewers included in the campaign are in a deactivated or deleted status at the time the campaign is set to begin. You are notified by an email containing a list of errors when a campaign fails to launch. You can also check the Closed tab of the Access certification campaigns page or the Events table in the System Log for more information on the error.
- Automated access revocation is limited to resources (groups or applications) that were individually assigned to a user. You need to remediate manually in other situations where a user was assigned access to a resource through group membership or group rules. See About remediation for more information on identifying these cases and how to manually resolve them.
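Planning a large review against the limits above, and sorting revoke decisions by whether they can be automated, as an added example written for this page. It is not Okta's code and does not call the Okta API; it assumes that a campaign produces one review item per (user, resource) pair and that each access assignment is described by a small record with a `source` of `individual`, `group`, or `group_rule` and a reviewer `decision`. The limit constants are the values quoted in this topic.

```python
"""Campaign planning helpers for the limits described in this topic.

Constructed example written for this page; it is not Okta's code and does
not call the Okta API. Assumptions not stated on the page:
- a campaign produces one review item per (user, resource) pair, so the
  item count is len(users) * len(resources);
- each access assignment is a dict with a "source" of "individual",
  "group", or "group_rule" and a reviewer "decision" of "approve" or "revoke".
"""

# Limits quoted from this topic.
MAX_RESOURCES_PER_CAMPAIGN = 50
MAX_REVIEW_ITEMS_PER_CAMPAIGN = 100_000
MAX_ACTIVE_CAMPAIGNS_PER_ORG = 500


def validate_campaign(resources, users):
    """Return a list of limit violations for a single campaign (empty if OK)."""
    errors = []
    if len(resources) > MAX_RESOURCES_PER_CAMPAIGN:
        errors.append(
            f"{len(resources)} resources exceeds the limit of {MAX_RESOURCES_PER_CAMPAIGN}"
        )
    items = len(users) * len(resources)  # assumption: one review item per pair
    if not 1 <= items <= MAX_REVIEW_ITEMS_PER_CAMPAIGN:
        errors.append(
            f"{items} review items is outside the allowed range 1..{MAX_REVIEW_ITEMS_PER_CAMPAIGN}"
        )
    return errors


def split_campaigns(resources, users, active_campaigns=0):
    """Split one large review into campaigns that each respect both limits.

    Returns a list of resource lists, one per campaign. Raises ValueError if
    the review cannot be expressed within the limits (too many users against
    a single resource, or the org's active-campaign cap would be exceeded).
    """
    if not users or not resources:
        raise ValueError("a campaign needs at least one user and one resource")
    # Largest resource count that keeps users * resources within the item
    # limit, capped by the per-campaign resource limit.
    per_campaign = min(MAX_RESOURCES_PER_CAMPAIGN, MAX_REVIEW_ITEMS_PER_CAMPAIGN // len(users))
    if per_campaign < 1:
        raise ValueError(
            f"{len(users)} users exceed {MAX_REVIEW_ITEMS_PER_CAMPAIGN} items for a single "
            "resource; split the user population instead"
        )
    chunks = [resources[i:i + per_campaign] for i in range(0, len(resources), per_campaign)]
    if active_campaigns + len(chunks) > MAX_ACTIVE_CAMPAIGNS_PER_ORG:
        raise ValueError(
            f"{len(chunks)} new campaigns plus {active_campaigns} active would exceed "
            f"the org limit of {MAX_ACTIVE_CAMPAIGNS_PER_ORG}"
        )
    # Every chunk satisfies validate_campaign by construction.
    return chunks


def partition_revocations(assignments):
    """Separate 'revoke' decisions that can be automated from those needing manual work.

    Only individually assigned resources can be revoked automatically; access
    granted through group membership or a group rule must be remediated by hand.
    """
    automated, manual = [], []
    for a in assignments:
        if a["decision"] != "revoke":
            continue
        if a["source"] == "individual":
            automated.append(a)
        else:
            manual.append(a)
    return automated, manual


if __name__ == "__main__":
    # Constructed sample: 120 apps reviewed for 3,000 users would be 360,000
    # items, so it must be split; 100,000 // 3,000 = 33 resources per campaign.
    apps = [f"app-{i}" for i in range(120)]
    people = [f"user{i}@example.com" for i in range(3000)]
    plan = split_campaigns(apps, people, active_campaigns=12)
    print([len(c) for c in plan])  # [33, 33, 33, 21]

    sample = [  # constructed assignment records
        {"user": "alice@example.com", "resource": "app-1", "source": "individual", "decision": "revoke"},
        {"user": "bob@example.com", "resource": "app-1", "source": "group", "decision": "revoke"},
        {"user": "carol@example.com", "resource": "app-2", "source": "group_rule", "decision": "approve"},
    ]
    auto, by_hand = partition_revocations(sample)
    print(len(auto), len(by_hand))  # 1 1
```

The split keeps every campaign inside both the 50-resource and 100,000-item limits at once, which is the case that trips people up: a campaign with only 34 apps already exceeds the item limit when 3,000 users are in scope. The partition function is the bookkeeping you need before launch so the group-sourced revocations end up on someone's manual remediation list rather than being assumed to happen automatically.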