Review campaigns
Use Access Certifications campaigns to periodically review users' access to resources. While creating a campaign, a campaign creator determines the users, resources, and reviewers that are part of the campaign.
If a reviewer is assigned one or more items in a campaign, they're granted access to the Okta Access Certifications Reviews app in their End-User Dashboard. They can review and make decisions about a user's current access in the app.
Reviewers use the Okta Access Certification Review app to approve or revoke a user's access, or reassign the review item to another user if needed. Their decisions on review items are final and can't be changed.
When the campaign has self-reviews disabled, admins can't approve, revoke, or reassign their own review item.
If you've enabled the Governance Analyzer feature for your org, you can provide insights and recommendations to reviewers to help them make informed decisions about approving or revoking access during access certification campaigns. See Configure Governance Analyzer settings.
Okta restricts self-reviews for campaigns that govern admin roles. This means that admins can't approve, revoke, or reassign their own review item. However, if the Self-review for Okta admin roles feature is enabled, you can configure whether self-review is allowed or restricted in campaigns that govern access to Okta admin roles.
The Governance Analyzer approve/revoke recommendations and insight data provided to reviewers are for informational purposes only. Reviewers should use this information as a supplement to, not a substitute for, their independent judgement and normal review processes. Okta makes no guarantees related to, and disclaims all liability surrounding, your use of the insights and recommendations to inform your certification review decisions.
If you have the Smart Review feature enabled for your org, you can help increase review efficiency for campaigns with a high volume of review items and reduce review fatigue for reviewers. See Smart Review.
If you've selected the Assignment methods contextual information option before the campaign launches, reviewers can see how a user was assigned access to a resource. This includes visibility into all methods used to grant specific entitlements. See Assignment methods.
Best practices for reviewers
- If you or reviewers are reviewing user access to admin roles, see Review access to admin roles instead.
- Verify decisions before making them. When reviewers submit a decision for a review item, it's final and can't be changed.
- Add a business justification to provide context on the decision, whether that's to approve or revoke access. This note is visible to you, the campaign creator, and the reviewers. The justification also becomes visible to any user who gets reassigned to the review item.
- Reviewers can reassign a review item to another person if they think someone else is better suited to review a user's access. Reassigning a review item doesn't extend the campaign's end date. The new reviewer must approve or revoke access before the campaign ends. See Reassign review items.
- For campaigns with multilevel reviews, keep the following considerations in mind:
  - Some review items are sent to second-level reviewers.
  - The second-level reviewer can make a decision only after the first-level reviewer approves or revokes a review item. It's important for the first-level reviewers to finish the reviews on time to avoid blocking the campaign's progress.
  - The second-level reviewer can view the first-level reviewer's decision and the justification for a review item.
  - The final reviewer varies depending on the campaign's configuration.
  - Remediation occurs only for the decisions of the final reviewer. See Understand Disable self-review.
- Reviewers can specify another user as a delegate or make changes to their assigned delegate only if you've toggled on Enable end users to assign their own delegate. See Enable end users to assign delegates.
- For campaigns with a high volume of review items, use Smart Review to make more intentional and accurate access decisions efficiently.
Start this task
- On the End-User Dashboard, reviewers click Okta Access Certification Reviews.
- On the My reviews page, they go to the Open tab, and select the access certification campaign that they want to begin reviewing.
- Optional. If Smart Review is available for the campaign, click Start Review, select one of the available modes, and follow the prompts in the UI:
  - By User
  - By Resource
  - By Recommendation (This mode is available only if you've set up Governance Analyzer.)
- Optional. In the Smart Review mode, reviewers can click All reviews to view the Review queue (a list of steps) and navigate to different steps quickly.
- Optional. Customize column filters. For example, if you want to view review items for users who have conflicting entitlements, select the Separation of duty (SOD) rule or Has separation of duties conflict column filter.
  The columns available in the Pending reviews section and the fields available in the Review details pane depend on the contextual information settings that you configured before the campaign launched. See Customizable reviewer context.
- Optional. They select a review item to view more details about the user and resource they're reviewing, and the user's resource usage. Note that the information for a resource collection is available only if you've configured Resource collections for your org and customized the context settings.
  The Review details pane includes the following sections.
  - User Details: Information pulled directly from the user's profile in Okta.
  - The resource details section varies depending on the resource (entitlement, app, group, or resource collection) being reviewed.
  - Governance Analyzer: This section (if available) contains Governance Analyzer insights and recommendations.
  - SOD conflict details: This section contains information about the separation of duties rules that are in conflict and the specific entitlements that cause the conflict.
  - History: This section contains useful information such as details about the original reviewer and delegate assignment, business justification for the reassignment, details of the assigned reviewer, and the reviewers' decision.
- Optional. They can click Reassign to reassign a review item to another person. They can follow steps 3 - 6 listed in the Reassign review items topic. If you've disabled review reassignment for a campaign, reviewers can't reassign a review item from the Okta Access Certifications Reviews app. However, super or access certification admins can still reassign reviews from the campaign's page in the Admin Console.
- Reviewers click Approve or Revoke. They provide a business justification for their decision. When they approve or revoke access, the remediation process begins immediately.
- They click Submit.
If the campaign creator has allowed selecting multiple review items simultaneously, reviewers can also select multiple review items and approve or revoke access or reassign the reviews for the selected items. They can take only one action at a time, and the business justification that they enter applies to all of the selected review items. Reviewers can always reassign multiple review items to another user, but they must provide a justification for the reassignment.
Reviewers can also monitor their review metrics using the counts on the campaign page. In addition, they can reference the items that they've already reviewed from the Closed tab of the campaign's page. On the Closed tab, they can filter their reviews using various options or search for a specific user.
