Understand prioritization for security access reviews

Early Access release. See Enable self-service features.

Okta calculates a priority level of low, medium, or high for each security access review and for each resource in it (the app itself, its entitlements, and the groups that assign the app).

Okta considers the following factors when assigning a priority to a security access review:

  • Access impact: This pertains to the level of access the user has for a given resource. For example, users with admin role access have a greater impact than users with only read-only access.

  • Resource impact: This pertains to how critical a resource is for the org. If you have Labels enabled for the org, the labels you assign to a resource (app, entitlement, or bundle) are considered in assigning a priority to the review.

  • Access anomalies: This pertains to any unusual behaviors that were observed for the user's access against the following conditions:

    • Separation of duties rule conflicts: This is based on the separation of duties rules that are defined for the org. These rules allow (with or without additional oversight) or block specific entitlement combinations for apps with Governance Engine enabled.

    • Usage history: This is determined by the user's last access date, compared to the average last access date of all users in the org. High risk can indicate either of the following scenarios:

      • The user's last access date (or the date they were assigned the app) is more than 90 days ago.

      • The user's last access date is less recent than the average access date.

    • Past governance decisions in access certification campaigns and access requests: This is determined by other governance decisions made for the same user:resource pair.

      • A high risk score means that the last governance decision for this pair was left unreviewed in the last two campaigns, not counting test campaigns (for example, campaigns that were opened and closed immediately after).

      • A medium risk score means that the last governance decision for this user or resource was revoked but the user received access again later.

      • A low risk score means that the last governance decision for this user or resource was approved.

    • Assignment method: This depends on whether the resource is an app or a group.

      • App membership: If the resource being certified is an app, this is determined by how the user's app assignment method compares to other users in the org. High or medium risk means that the user was assigned to the app individually but the majority of users were assigned by group.

      • Group membership: If the resource being certified is a group, this is determined by how the user was assigned to the group compared to others in the group. High or medium risk means that the user was assigned to the group directly, but the majority of users were assigned through other methods, such as policy or import.

    • User profile changes: This signal is determined by changes in a user's division, organization, department, cost center, or user type. Log queries retrieve the date of the change, which is then compared to the date of the user's last approval (or the date of their assignment, if there's no approval). High risk means that the user's attribute has changed since that date. Low risk means that there's been no change.

Okta assigns a severity level of low, medium, or high to anomalies. You can only filter for anomalies with medium or high severity.
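The following is an added, illustrative model of the anomaly signals listed above, written for this page; it is not Okta's code and does not reproduce how Okta actually scores a review. The thresholds the page states (90 days, the last two campaigns) are used as written. Everything else is an assumption made for illustration: the shape of the per-user data, a single `assigned_directly` flag standing in for both the app case (individual vs. group assignment) and the group case (direct vs. policy or import), the choice of "high" where the page says "high or medium", and the rule that a pair's overall severity is its highest individual signal. The sample users and dates are constructed.

```python
"""Illustrative model of the access-anomaly signals described on this page.

Constructed for illustration; this is not Okta's implementation. The data
shape, the single assigned_directly flag, and the "overall = highest signal"
rule are assumptions. The 90-day and two-campaign thresholds follow the page.
"""
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Optional

LOW, MEDIUM, HIGH = "low", "medium", "high"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}


@dataclass
class UserResourceAccess:
    """One user:resource pair and the history the signals inspect (assumed shape)."""
    user: str
    resource: str
    assigned_on: date
    last_access: Optional[date] = None         # None if the user never signed in
    assigned_directly: bool = False            # individually (app) / directly (group)
    campaign_history: list = field(default_factory=list)  # most recent first: (decision, is_test)
    last_approval: Optional[date] = None
    profile_changed_on: Optional[date] = None  # last change to division, department, ...

    def effective_access(self):
        # The page falls back to the assignment date when there is no access date.
        return self.last_access or self.assigned_on


def usage_history_risk(acc, peers, today):
    """High if access is older than 90 days or less recent than the org average."""
    effective = acc.effective_access()
    if (today - effective).days > 90:
        return HIGH
    avg = mean(p.effective_access().toordinal() for p in peers)
    return HIGH if effective.toordinal() < avg else LOW


def governance_decision_risk(acc):
    """Severity derived from the pair's earlier certification decisions."""
    # Test campaigns (opened and closed immediately) are ignored, as the page says.
    real = [decision for decision, is_test in acc.campaign_history if not is_test]
    if len(real) >= 2 and real[0] == real[1] == "unreviewed":
        return HIGH
    if real and real[0] == "revoked":
        # The pair is under review, so the user regained access after the revocation.
        return MEDIUM
    # Approved, a single unreviewed campaign, or no history: the page defines only
    # the approved case as low; the others are treated as no signal (assumption).
    return LOW


def assignment_method_risk(acc, peers):
    """High when this user is a direct assignee but most peers came in another way."""
    if not acc.assigned_directly:
        return LOW
    direct = sum(1 for p in peers if p.assigned_directly)
    # The page says "high or medium" without giving the split; high is assumed here.
    return HIGH if direct * 2 < len(peers) else LOW


def profile_change_risk(acc):
    """High if a tracked profile attribute changed after the last approval/assignment."""
    baseline = acc.last_approval or acc.assigned_on
    changed = acc.profile_changed_on is not None and acc.profile_changed_on > baseline
    return HIGH if changed else LOW


def anomaly_severity(acc, peers, today):
    """Return (overall severity, per-signal severities) for one user:resource pair."""
    signals = {
        "usage_history": usage_history_risk(acc, peers, today),
        "governance_decisions": governance_decision_risk(acc),
        "assignment_method": assignment_method_risk(acc, peers),
        "profile_changes": profile_change_risk(acc),
    }
    return max(signals.values(), key=RANK.get), signals


def filter_for_review(pairs, today, minimum=MEDIUM):
    """Mimic the UI filter: pairs whose overall severity is at least `minimum`."""
    flagged = []
    for acc in pairs:
        peers = [p for p in pairs if p.resource == acc.resource]  # compare within one resource
        overall, _ = anomaly_severity(acc, peers, today)
        if RANK[overall] >= RANK[minimum]:
            flagged.append((acc.user, overall))
    return flagged


# Constructed sample data for one hypothetical app, "payroll-app" (not real users).
TODAY = date(2024, 6, 1)
SAMPLE = [
    UserResourceAccess("alice", "payroll-app", date(2024, 1, 10), date(2024, 5, 30),
                       campaign_history=[("unreviewed", True), ("approved", False)],
                       last_approval=date(2024, 4, 1)),
    UserResourceAccess("bob", "payroll-app", date(2023, 12, 1), date(2024, 1, 15),
                       assigned_directly=True,
                       campaign_history=[("unreviewed", False), ("unreviewed", False)],
                       profile_changed_on=date(2024, 5, 1)),
    UserResourceAccess("carol", "payroll-app", date(2024, 3, 1), date(2024, 5, 28),
                       campaign_history=[("revoked", False)]),
    UserResourceAccess("dave", "payroll-app", date(2024, 5, 1), date(2024, 5, 31),
                       assigned_directly=True),
    UserResourceAccess("erin", "payroll-app", date(2024, 2, 1), date(2024, 4, 1),
                       campaign_history=[("approved", False)],
                       last_approval=date(2024, 3, 1)),
]
```

Running `filter_for_review(SAMPLE, TODAY)` flags bob (every signal high), carol (a revoked-then-restored decision), dave (directly assigned where most peers came in by group) and erin (her last access, while within 90 days, is less recent than the resource's average); alice, whose only non-test decision was an approval, stays at low and is filtered out, which matches the page's note that only medium and high anomalies can be filtered for.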