Understand remediation
Remediation settings allow you to decide what happens when a reviewer approves or revokes a user's access to a resource, or doesn't complete a review. You can also customize the remediation using Okta Workflows. You must remediate reviews manually if a user's app or a group assignment is through group rules or group membership.
- Remediation for campaigns with multilevel reviews
- Customize remediation using Okta Workflows
- Handle remediation manually
Remediation for campaigns with multilevel reviews
For campaigns with only one level of review, the remediation process begins immediately after the reviewer approves or revokes a user's access.
For campaigns with multilevel reviews, reviews are sent to the second-level reviewer only after the first-level reviewer has approved or revoked them. If the first-level reviewer doesn't respond and the campaign ends, your remediation configuration for reviewer Doesn't respond takes effect.
The first-level reviewer decisions that are sent to the second-level reviewer determine the final reviewer for those items and the subsequent remediation.
Only approved decisions: The second-level reviewer is the final reviewer for the approved reviews. If they don't respond and the campaign ends, your remediation configuration for reviewer Doesn't respond takes effect.
For example, you selected that Only approved decisions go to the second-level reviewer. In this case, the second-level reviewer is the final reviewer for all approved review items, but not for the revoked ones. Your remediation configuration applies to the decisions made by the second-level reviewer.
However, for the review items that the first-level reviewer revoked, the first-level reviewer is the final reviewer. Your remediation configuration for Revoke access applies for those reviews.
Both approved and revoked decisions: The second-level reviewer is the final reviewer for all approved and revoked reviews. If the second-level reviewer doesn't respond and the campaign ends, your remediation configuration for reviewer Doesn't respond takes effect.
For example, you selected that Both approved and revoked decisions go to the second-level reviewer. In this case, the second-level reviewer is the final reviewer for those review items. Your remediation configuration applies to the decisions made by the second-level reviewer. If they don't respond, then your remediation configuration for reviewer Doesn't respond takes effect.
Customize remediation using Okta Workflows
Okta Workflows enables you to automate the following remediation tasks:
- Trigger a ticket in your IT service management (ITSM) tool, such as ServiceNow, to deprovision accounts from your application manually.
- Delay remediation events by a few days or until the campaign has closed.
- Send custom notifications to users who have had their access removed, so they're aware and can request access again if needed.
You can use all access certification decisions as events to build custom workflows. See Access Certification Decision Submitted in the Okta Connector.
For more information on configuring Okta Workflows, see Build Flows.
Handle remediation manually
If you have set Remove user from the resource as a remediation option, you may see the remediation status as Manual Remediation Required in the following situations:
- The user was assigned to an application through a group.
- The user was added to a group through group rules.
- The user is a member of an app-sourced group.
If you've enabled Enhanced group remediation and selected Automatically remove group-based access, Access Certifications can automatically revoke user access to group-assigned apps. However, you still need to remediate user access manually if the app was assigned using group rules or if the group is an app-sourced group.
Enhanced group remediation is an Early access feature. It's available only for resource campaigns that review access to apps without reviewing entitlements. See Enable self-service features.
Considerations for manual remediation
- Before removing a user from a group, check the assignments that the user has from that group. Apps, admin roles, sign-on policies, and other privileges are often assigned through groups. Removing a user from a group revokes all assignments that the user has through that group.
- Check if a user has multiple group memberships that could assign them to an app. To remove access, you must remove the user from all groups that give them access to the app.
- Before removing an app-sourced group, check its usage in the source app.
Remediate access by taking the following recommended actions:
| Resource | Assigned through | Recommended action |
|---|---|---|
| Application | Okta-sourced group membership | Remove the user from the Okta-sourced group using Workflows. |
| Application | App-sourced group membership (for example, an Active Directory (AD) group) | Remove the user from the app-sourced group. |
| Okta-sourced group | Group rules | Remove the user from the group and add them as an exception to the group rule. |
| App-sourced group | Imports | Remove the user from the app-sourced group. |
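The following is an added example, not Okta's code and not an Okta API call. It models the decision logic of the table and considerations above: for every group that grants a user access to an app it picks the recommended action, lists what else the user would lose by leaving that group, and shows which groups still need a manual step when Enhanced group remediation is on. Group types, rule shapes, users, and app names are constructed for the example.

```python
# Added example, not Okta's code. Models the manual-remediation table above:
# one step per group that grants the app, the other assignments that group carries
# (consideration 1), and every group that must be handled (consideration 2).
# Shapes loosely mirror Okta objects (group "type", rule "groupIds") but are constructed.

GROUPS = {  # constructed: group id -> type and the assignments the group carries
    "g_sales":  {"type": "OKTA_GROUP", "assignments": ["Salesforce"]},
    "g_ad_crm": {"type": "APP_GROUP",  "assignments": ["Salesforce", "VPN"]},
    "g_rule":   {"type": "OKTA_GROUP", "assignments": ["Salesforce", "Help Desk Admin"]},
}
RULES = [{"name": "Sales staff", "groupIds": ["g_rule"]}]  # constructed group rules
APP_GROUPS = {"Salesforce": ["g_sales", "g_ad_crm", "g_rule"]}  # groups assigned per app
USER_GROUPS = {"alice": ["g_sales", "g_ad_crm", "g_rule", "g_unrelated"]}


def remediation_plan(user, app):
    """One step per group membership that grants `user` access to `app`."""
    rules_by_group = {}
    for rule in RULES:
        for gid in rule["groupIds"]:
            rules_by_group.setdefault(gid, []).append(rule["name"])
    steps = []
    for gid in USER_GROUPS.get(user, []):
        if gid not in APP_GROUPS.get(app, []):
            continue  # this membership does not grant the app
        group = GROUPS[gid]
        if group["type"] == "APP_GROUP":
            via, action = "app-sourced group", "remove the user from the group in the source app"
        elif gid in rules_by_group:
            via = "group rule"
            action = ("remove the user from the group and add them as an exception to: "
                      + ", ".join(rules_by_group[gid]))
        else:
            via, action = "Okta-sourced group", "remove the user from the group (Workflows can automate this)"
        steps.append({"group": gid, "via": via, "action": action,
                      "also_revokes": sorted(a for a in group["assignments"] if a != app)})
    return steps


def manual_groups(user, app, enhanced_group_remediation=False):
    """Groups that still need a manual step. With Enhanced group remediation on, plain
    Okta-sourced group assignments are revoked automatically; rule-populated and
    app-sourced groups are not."""
    steps = remediation_plan(user, app)
    if not enhanced_group_remediation:
        return [s["group"] for s in steps]
    return [s["group"] for s in steps if s["via"] != "Okta-sourced group"]


if __name__ == "__main__":
    for step in remediation_plan("alice", "Salesforce"):
        print(f'{step["group"]} ({step["via"]}): {step["action"]}; also revokes {step["also_revokes"]}')
    print("manual with enhanced remediation:", manual_groups("alice", "Salesforce", True))
```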