Enable Governance Engine

Enable Governance Engine to manage third-party app entitlements in Okta.

Before you begin

  • Sign in as a super admin, an app admin, or an admin with the following permissions:

    • Manage applications

    • Edit application's user assignments

    • Edit groups' application assignments or Edit users' application assignments

  • Ensure that you're assigned to the Okta Entitlement Management application.

  • Create a new app instance and then enable Governance Engine to use entitlement policies effectively. Enabling Governance Engine for existing app instances marks the existing users' assignments as Custom. Policies that you create for an existing app instance only apply to new users assigned to the app.

  • Create a new app instance to use Entitlement Management for Box, Google Workspace, NetSuite, Microsoft Office 365, or Salesforce. Don't enable provisioning for these apps.

  • If users' access was granted by a condition that has an access duration set up, Okta resets the access expiration for existing users when you enable or disable Governance Engine for the app. The access expiration is set to not expire. Consider manually updating user access expiration after you enable or disable Governance Engine.

You can't enable Governance Engine for app instances that have provisioning enabled.

If you disable provisioning on an existing app instance to enable Governance Engine, you may lose all provisioning-related data, including relationships and rules.

Start this task

  1. In the Admin Console, go to Applications > Applications.

  2. Select the app that you want to enable Governance Engine for.

  3. Go to the General tab.

  4. Click Edit in the Identity Governance section.

  5. From the Governance Engine dropdown menu, select Enabled.

  6. Click Save. Refresh the page to view the Governance tab for the application.

  7. Optional. Update the user's access expiration. When you enable Governance Engine, Okta resets the user's access expiration if their access was granted by access request conditions. The access expiration is set to never expire.

You can enable provisioning for a provisioning-enabled app instance after you enable Governance Engine for it.

Enable Create Users and Update User Attributes for an app that has Governance Engine and provisioning enabled to ensure that entitlements are assigned accurately. Set these options in the To App section under Settings on the Provisioning tab of the app instance.

Disable Governance Engine

Before you disable Governance Engine, keep the following considerations in mind:

  1. For provisioning-enabled apps, you must disable provisioning before you disable Governance Engine.

  2. When you disable Governance Engine for an app, all existing entitlements, bundles, and policies are deleted from the Okta org. There's no impact on the users in the downstream app. However, if you want to manage entitlements from Okta later, you must recreate entitlements after you enable Governance Engine.

To disable Governance Engine for an app, select Disabled from the Governance Engine dropdown list. Optionally, update the user's access expiration.

When you enable or disable Governance Engine, the event appears in the System Log.

Related topics

Create entitlements

Provisioning-enabled app limits