Enable Governance Engine

Enable Governance Engine to manage third-party app entitlements in Okta.

Before you begin

  • Sign in as a super admin, an app admin, or an admin with the following permissions:

    • Manage applications

    • Edit application's user assignments

    • Edit groups' application assignments or Edit users' application assignments

  • Ensure that you're assigned to the Okta Entitlement Management application.

  • Create a new app instance and then enable Governance Engine to use entitlement policies effectively. Enabling Governance Engine for existing app instances marks the existing users' assignments as Custom. Policies that you create for an existing app instance only apply to new users assigned to the app.

  • Create a new app instance to use Entitlement Management for Box, Google Workspace, NetSuite, Microsoft Office 365, or Salesforce. Don't enable provisioning for these apps.

You can't enable Governance Engine for app instances that have provisioning enabled.

If you disable provisioning on an existing app instance to enable Governance Engine, you may lose all provisioning-related data, including relationships and rules.

Start this task

  1. In the Admin Console, go to Applications > Applications.

  2. Select the app that you want to enable Governance Engine for.

  3. Go to the General tab.

  4. Click Edit in the Identity Governance section.

  5. From the Governance Engine dropdown menu, select Enabled.

  6. Click Save. Refresh the page to view the Governance tab for the application.

To disable Governance Engine for an app, select Disabled from the Governance Engine dropdown list. When you enable or disable Governance Engine, the event appears in the System Log.

You can enable provisioning for a provisioning-enabled app instance after you enable Governance Engine for it.

Enable Create Users and Update User Attributes for an app that has Governance Engine and provisioning enabled to ensure that entitlements are assigned accurately. Set these options in the To App section under Settings on the Provisioning tab of the app instance.

Disable Governance Engine

To disable Governance Engine for an app, select Disabled.

For provisioning-enabled apps, you must disable provisioning before you disable Governance Engine.

When you disable Governance Engine for an app, all existing entitlements, bundles, and policies are deleted from the Okta org. There's no impact on the users in the downstream app. However, if you want to manage entitlements from Okta later, you must recreate entitlements after you enable Governance Engine.

The System Log records an event each time you enable or disable Governance Engine.
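
The enable and disable ordering rules above, written as a pre-flight check. This is an added example, not Okta's code. It assumes app records exported from the Okta Apps API, where `features` lists enabled provisioning features, that PUSH_NEW_USERS and PUSH_PROFILE_UPDATES correspond to Create Users and Update User Attributes, and a hypothetical `governance_engine` flag that you record yourself; the sample inventory is constructed.

```python
# Added example: pre-flight checks for the ordering rules on this page.
# Assumptions, not from the page: records come from the Okta Apps API, whose
# `features` array lists enabled provisioning features; PUSH_NEW_USERS and
# PUSH_PROFILE_UPDATES are taken to be Create Users / Update User Attributes;
# `governance_engine` is a hypothetical flag you record from the General tab.
REQUIRED_TO_APP = {
    "PUSH_NEW_USERS": "Create Users",
    "PUSH_PROFILE_UPDATES": "Update User Attributes",
}
PROVISIONING_BLOCK = {
    "enable": "provisioning is enabled; disabling it first may lose provisioning data",
    "disable": "disable provisioning before you disable Governance Engine",
}

def blockers(app, action):
    """Return the reasons `action` ('enable' or 'disable') must not proceed."""
    if action not in PROVISIONING_BLOCK:
        raise ValueError(f"unknown action: {action}")
    found = []
    if bool(app.get("governance_engine")) == (action == "enable"):
        found.append(f"Governance Engine is already {action}d")
    if app.get("features"):  # any enabled provisioning feature counts
        found.append(PROVISIONING_BLOCK[action])
    return found

def missing_to_app(app):
    """With Governance Engine and provisioning both on, list unset To App options."""
    features = set(app.get("features") or [])
    if not (app.get("governance_engine") and features):
        return []
    return [label for key, label in REQUIRED_TO_APP.items() if key not in features]

# Constructed sample inventory (labels and values are illustrative only).
APPS = [
    {"label": "Example App A", "features": [], "governance_engine": False},
    {"label": "Example App B", "features": ["PUSH_NEW_USERS", "IMPORT_NEW_USERS"],
     "governance_engine": False},
    {"label": "Example App C", "features": ["PUSH_NEW_USERS"], "governance_engine": True},
]

def report(apps):
    """Check the next toggle for each app: enable if off, disable if on."""
    result = {}
    for app in apps:
        action = "disable" if app["governance_engine"] else "enable"
        result[app["label"]] = {"action": action, "blockers": blockers(app, action),
                                "missing_to_app": missing_to_app(app)}
    return result

if __name__ == "__main__":
    for label, row in report(APPS).items():
        print(label, row)
```
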

Related topics

Create entitlements

Provisioning-enabled app limits