Get started
Early Access release. See Enable self-service features.
Govern Okta admin roles might not be available for you depending on your org's eligibility. Contact your account executive or customer success manager for more information.
Govern Okta admin roles allows super admins to streamline requesting access to admin roles using Access Requests. You can also run campaigns to review users’ access to admin roles using Access Certifications.
Initial setup tasks
Follow this sequence of configuration tasks to start governing Okta admin roles:
Super admin task | Description |
---|---|
Enable the Govern Okta admin roles feature | After you enable the feature, Okta automatically assigns the Okta Access Requests Resource Catalog app to all users, and the following apps to existing super admins:
You must assign the Okta Access Certifications app to any super admins you create after you enable the feature. If you previously changed or canceled your subscription while a campaign was active, that campaign is considered unsuccessful. However, successful review and revoke decisions in the campaign are still honored. If you re-enable the feature, you should recreate those campaigns to determine which items require manual remediation. See Copy campaigns. |
Optional. Modify your app sign-on policy | To avoid errors, modify the existing app sign-on policy for the following apps:
Also, ensure that you don't have rules that require Prompt for re-authentication or Prompt for factor for these apps. See Configure an app sign-on policy. |
Pair an admin role with a resource set to create an admin role bundle. Use bundles in access request conditions to automate requesting access to admin roles. | |
Create an access request condition | Define which users can request access to which admin role bundles, how long they should have access, and who should approve their access request. The conditions you create are in an inactive state by default. |
Assign Okta Access Requests app to users | Assign the Okta Access Requests app to approvers so that they can approve or deny a request. See Assign a single app to groups or Assign applications to users. |
Enable a condition | Enable your new access request condition so that it's active. |
Create a campaign | Create resource campaigns to periodically review users’ admin role assignments. |
Maintenance tasks
Complete these tasks after your initial setup, as needed:
Super admin task | Description |
---|---|
Manage bundles | View or delete existing admin role bundles. |
Manage conditions | Enable, disable, view, delete, or change the priority order of a condition. |
Edit approval sequences | Modify an existing approval sequence to add or remove tasks and questions. Changes to a sequence impact all access request conditions that use the sequence. |
Manage campaigns | Monitor or change campaigns to ensure they run smoothly. |
User tasks
Understand the user experience from a super admin perspective:
User task | Description |
---|---|
Request admin role assignments | Understand how your requesters can submit admin role requests from their dashboard. |
Manage tasks | Understand how request approvers approve or deny a request from the Access Requests web app. |
Manage requests | Understand the steps that request assignees (also super admins) need to take to manage an admin role bundle request. |
Review access | Understand how reviewers can review the items assigned to them. |