Certify service accounts

Early Access release. See Enable self-service features.

When Access Certifications for Service Accounts is enabled, you can use Okta Access Certifications resource campaigns to review and certify access to service accounts that are managed within Okta Privileged Access.

Resource campaigns focus on setting the resource scope for your campaign so that you can review all users who have access to those resources, including service accounts.

Running campaigns periodically helps ensure that your users have the right level of access to resources like apps, app-associated service accounts and entitlements, and groups.

There are two primary personas involved in a resource campaign:

Campaign admin
This is typically a super or Access Certifications admin who is responsible for setting up and configuring the campaign, defining its scope, and scheduling it.
Reviewer
This is the user responsible for making governance decisions. A reviewer can be a user's manager, a group owner, a resource owner, a specific user, or a user dynamically assigned with a custom Okta Expression Language (OEL) expression. Reviewers access their assigned review items from the Okta Access Certification Reviews app tile on their dashboard.

Get started

  1. Update the campaign settings to include contextual information specific to service accounts for reviewers. See Customizable reviewer context.

  2. Familiarize yourself with Known issues and limits.

  3. Read Best practices for creating campaigns.

  4. Use the steps listed in Create resource campaigns.

    When you create campaigns that review access to service accounts, keep the following considerations in mind.

    • General settings: If a resource campaign includes service accounts in its scope, the following reports within the auditor reporting package are not available:

      • Resource access - Campaign launch
      • Resource access - Campaign complete
      • Resource access changes - Campaign launch to campaign complete
    • Resource settings: The page where you define the scope of what is being reviewed. When configuring the campaign, you can select Service accounts and set the service account type to either SaaS application service account or Okta service account.

    • Reviewer settings: The page where you assign one or more levels of reviewers to approve, revoke, or reassign access for each user and resource combination. Specify events for which reviewers receive notifications and reminders. If the Owner groups or Owner users attributes aren't defined or are unavailable for a service account and you select Resource Owner as the reviewer type, then the review is assigned to the fallback reviewer.

    • Remediation settings: The page where you configure what happens when a reviewer approves or revokes access, or when a review isn't completed. You must manually remediate access to service accounts. The automatic remediation settings aren't available if the campaign scope includes only service accounts.

      The recommended remediation action is to manually remove the user from the associated group or security policy in Okta Privileged Access.

Related topics

Campaigns

Understand remediation

Manage service accounts