Get started

Early Access release. See Enable self-service features.

Govern Okta admin roles might not be available for you depending on your org's eligibility. Contact your account executive or customer success manager for more information.

Govern Okta admin roles allows super admins to streamline requesting access to admin roles using Access Requests. In addition, you can also run campaigns to review users’ access to admin roles using Access Certifications.

Initial setup tasks

Follow this sequence of configuration tasks to start governing Okta admin roles:

Super admin tasks


Enable the Govern Okta admin roles feature See Enable self-service features.
When you enable the feature, Okta assigns the following apps automatically to existing super admins:
  • Okta Access Requests Admin
  • Okta Access Requests
  • Okta Access Certifications
Okta also assigns the Okta Access Requests Resource Catalog app to all users automatically.

You must assign the Okta Access Certifications app to any super admins you create after you enable the feature.

Optional. Modify your app sign-on policy

To avoid errors, modify the existing app sign-on policy for the following apps:

  • Okta Access Requests Admin:

    Ensure that all rules match those of the Okta Admin Console app.

  • Okta Access Requests Resource Catalog:

    Ensure that all rules match those of the Okta Dashboard app.

Also, ensure that you don't have rules that require Prompt for re-authentication or Prompt for factor for the these apps. See Configure an app sign-on policy.

Create an admin role bundle

Pair an admin role with a resource set to create an admin role bundle. Use bundles in access request conditions to automate requesting access to admin roles.
Create an access request condition Define which users can request access to which admin role bundles, how long should they have access for, and who should approve their access request. The conditions you create are in an inactive state by default.
Assign Okta Access Requests app to users Assign the Okta Access Requests app to approvers for them to approve or deny a request. See Assign a single app to groups or Assign applications to users.
Enable a condition Enable your new access request condition so that it's active.
Create a campaign Create resource campaigns to periodically review users’ admin role assignments.

Maintenance tasks

Complete these tasks after your initial setup, as needed:

Super admin tasks


Manage bundles View or delete existing admin role bundles.
Manage conditions Enable, disable, view, delete, or change the priority order of a condition.
Edit approval sequences Modify an existing approval sequence to add or remove tasks and questions. Changes to a sequence impact all access request conditions that use the sequence.
Manage campaigns Monitor or change campaigns to ensure they run smoothly.

User tasks

Understand user experience from a super admin perspective:

Super admin tasks


Request admin role assignments Understand how your requesters can submit admin role requests from their dashboard.
Manage tasks Understand how request approvers approve or deny a request from the Access Requests web app.
Manage requests Understand the steps that request assignees (also super admins) need to do to manage an admin role bundle request.
Review access Understand how reviewers can review the items assigned to them.