Okta Identity Governance release notes (Archive)

Release 2024.11.2

Fixes

  • For access requests that were managed by conditions, some System Log events were duplicated.

Release 2024.11.1

Features and enhancements

Changes to access duration

For requests managed by access request conditions, the access duration is displayed more prominently in notifications.

Access Requests notification updates for Slack and email are available in Production environments

The notification experience for Access Requests has been updated to streamline the process for users:

  • Reduced the number of notifications throughout the process.

  • Removed unnecessary information from notifications.

  • Notifications are sent regardless of whether they've been viewed in the Access Requests web app.

Fixes

  • The requesterFieldValues field in the API response wasn't populated for requests made on behalf of another user. (OKTA-794990)

  • There was an issue with the Sync Entitlements button on the Governance tab for the (Header Auth) Governance with SCIM 2.0 app. (OKTA-814934)

  • Sometimes the email notifications for campaign launch didn't display the logo. (OKTA-819936)

  • The OIDC scopes required to use entitlement management in Okta weren't enabled in Coupa. (OKTA-825558)

  • Sometimes campaigns with a large number of entitlements failed to load. (OKTA-827565)

  • Some review items appeared as pending review even if the reviewer had completed their review. (OKTA-827711)

Release 2024.11.0

Features and enhancements

Access request conditions and resource catalog is available in Production environments

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app' s profile page in the Okta Admin Console.

As a super admin, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the resource catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

In addition, you can view and edit a user's access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

Sequence templates and out-of-the-box sequences

To make setting up approval sequences with access request conditions easier, you can now create sequences from a set of common templates. Once you select a template, you can modify it to fit your needs rather than starting a sequence from scratch.

In addition, all new orgs using access request conditions or access request conditions for admin roles are set up with an out-of-the box approval sequence with three sequential steps -- Business Justification, Manager Approval, and Manager Justification.

Changes to request assignee

For access requests that are managed by conditions, request assignees are no longer delegated automatically. Super admins and access request admins can view or modify the request assignee in the Access Requests web app. The name of the request assignee won't appear in notifications.

Discover inactive users and review admin access

You can now use preconfigured campaigns to discover inactive users who are assigned to apps and review their admin access. Preconfigured campaigns are a set of ready to use campaigns where the Okta presets some default settings. See Campaigns.

This is an Early Access feature. See Enable self-service features.

Enhanced group remediation

Remediate user access to group-assigned apps automatically from the campaign. This reduces the need for manual remediation. See Configure remediation settings.

This is an Early Access feature. See Enable self-service features.

Access Requests notification updates for Microsoft Teams is available in Production environments and for Slack in Preview environments

The notification experience for Access Requests has been updated to streamline the process for users:

  • Reduced the number of notifications throughout the process.

  • Removed unnecessary information from notifications.

  • Notifications are sent regardless of whether they've been viewed in the Access Requests web app.

Changes to Request Access button

The Request Access button only appears on the End-User Dashboard if you have one active condition setup in the org for an app. Additionally, if you use the Govern Okta admin roles feature, you must also be assigned to the Okta Access Request app for the button to appear.

Improved Access Requests error message

When you navigate to the Access Requests tab for an app, the resulting error message is now clearer.

Additional information in System Log events

The System Log events for creating, cancelling, and resolving requests now contain the following information in the DebugData field:

  • accessRequestMatchedConditionId
  • accessRequestApprovalSequenceId
  • requestedForId

This is only applicable for requests managed by access request conditions.

Updates to User Accounts report

The maximum number of rows in a CSV export has been increased from 1 million to 5 million.

Fixes

  • When a user requested access on behalf of another user, they couldn't select the user's name from the Request access for dropdown list. (OKTA-815894)

  • The Access Request conditions and Resource catalog feature wasn't turned on properly in some Preview environments. (OKTA-818226)

  • Admins couldn't edit a campaign if the user account for the Fallback reviewer was deleted. (OKTA-824673)

  • Review items sometimes reverted to the pending review state after the reviewer had made a decision. (OKTA-826795)

Release 2024.10.1

Features and enhancements

Access Requests notification updates for Microsoft Teams is now available in preview environments

The notification experience for Access Requests has been updated to streamline the process for users:

  • Reduced the number of notifications throughout the process.

  • Removed unnecessary information from notifications.

  • Notifications are sent regardless of whether they've been viewed in the Access Requests web app.

Approval sequences change

Approval sequences that are used for granting admin role bundles now require only one approver.

Fixes

  • Some information was missing or incorrect in the System Log events for creating, cancelling, and resolving requests that were managed by access request conditions. (OKTA-795862)

  • Sometimes you couldn't save changes to a scheduled campaign if it had 25 entitlements or more. (OKTA-812664)

  • The DebugData section in the System Log wasn't available for some access certification campaign events. (OKTA-815878)

  • On the Review details panel, the Application usage, Last access date, and Last certification date fields didn't have up to date information for active campaigns. (OKTA-821859)

Release 2024.10.0

Features and enhancements

Govern Okta admin roles

As a super admin, use this feature to adopt a zero standing privilege model for your org. This feature enables users to request time-bound access to Okta admin roles directly from their End-User Dashboard. It also enables you to periodically review their admin access.

The feature helps you streamline processes around requesting, approving, and certifying access to admin roles. It also enables you to control the level of access and its duration to your org's critical resources. In addition, you can audit user's existing admin role assignments using Access Certifications campaigns and specify reviewers who should approve or revoke user's access.

See Governance for Admin Roles.

Govern Okta admin roles might not be available for you depending on your org's eligibility. Contact your account executive or customer success manager for more information.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app' s profile page in the Okta Admin Console.

As a super admin, you can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard.

Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta to govern access instead of recreating these in Okta Access Requests. This feature also integrates the resource catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests.

In addition, you can view and edit a user's access duration for the app if the app has Governance Engine enabled. See Manage user entitlements.

New System Log events for access request conditions

access.request.sequence.create

access.request.sequence.delete

access.request.sequence.update

Group Owner assignments removed

The Group Owner assignment option has been removed from Access Requests for admin role sequences.

Fixes

  • On the Review details panel, the Application last accessed date and Application usage fields displayed incorrect information. (OKTA-820815)

Release 2024.09.3

Features and enhancements

Catalog name length increase

The catalog entry name length has increased to 255 characters.

Fixes

  • When a customizable attribute's default setting for alwaysExtracted was changed, the saved value wasn't retrieved. (OKTA-807998)

Release 2024.09.2

Features and enhancements

Request access on behalf of another user

Users can now request app access for other users from their own dashboard. See Submit requests from the End-User Dashboard.

Fixes

  • Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)

Release 2024.09.0

Features and enhancements

Multi-app entitlements and bundle awareness

Resource campaigns now allow reviewers to select up to 10 apps with entitlements. For each selected app, reviewers can also specify an entitlement and retrieve any bundle that contains the entitlement value. See Understand Disable self-review.

Time-bound access duration

For access request conditions, admins can now allow users to specify how long they need access, up to a predetermined maximum. See Create an access request condition.

OIN connector support for Entitlement Management

The Dropbox Business, ServiceNow, SmartRecruiters, and Tableau connectors have been updated to support Entitlement Management. See Apps with entitlement support.

Fixes

  • Creating or editing a request condition for an app with more than 100 access level groups resulted in an error. (OKTA-751305)
  • Sometimes users couldn't close an admin role campaign if their org wasn't subscribed to Okta Identity Governance. (OKTA-798572)
  • Campaigns didn't retrieve assignment types when the principal scope included a user group and active users only. (OKTA-800768)
  • Some admins saw duplicate API review items in their campaign results. (OKTA-790981)
  • In some orgs, campaign notifications included previous reviewers who had no action required. (OKTA-801284)
  • Some users couldn't open the Okta Access Requests app from their End-User Dashboard, despite the two apps having matching authentication policies. (OKTA-806140)

Release 2024.08.3

Fixes

  • Attempts to close Admin Role campaigns could fail for orgs that weren't subscribed to Okta Identity Governance. (OKTA-798572)

Release 2024.08.2

Features and enhancements

Updates to Access Requests UI

  • The Access Requests UI has been updated to improve the user experience. The user profile menu has been moved from the left side of the page to the right.

Release 2024.08.0

Features and enhancements

New Access Request System Log event

The following System Log event has been added:

  • /api/internal/v1/selfService/orgSettings/apps

New Self Service System Log event

The following System Log event has been added:

  • system.self_service.configuration.update

Release 2024.07.2

Fixes

  • Scheduled campaigns with a single reviewer couldn't be edited if the reviewer was deactivated. (OKTA-750734)

Release 2024.07.1

Features and enhancements

The @mention change included in the 2024.06.1 release is rolled back to its original functionality. All participants of a request ticket can now @mention users as they could prior to the change.

Release 2024.07.0

Features and enhancements

Customizable reviewer context

This feature gives admins the ability to customize the fields that are available for reviewers in their review table. Reviewers can then filter and sort the table in new ways to ensure that they have the information they need to make their decisions. See Customizable reviewer context.

Fixes

  • Users without the Okta Access Requests Admin app couldn't view any app instance pages. (OKTA-748462)

Release 2024.06.2

Features and enhancements

Just-In-Time user provisioning for access requests

When you associate a user with a request that's managed by a condition, Okta automatically assigns the Okta Access Requests app to the user. This means that you no longer need to assign the app to users manually to reference them in a step or request.

This functionality isn't available for requests managed by request types.

Deprecation of @mentions in requests for non-admin users

Beginning July 1, 2024, non-admin participants of a request can't @mention other users in the request's chat section. For normal access requests, admins (such as access request admins and super admins) are unaffected and can still @mention other users and add them as followers. For admin role access requests, super admins are unaffected and can still @mention other users and add them as followers.

Fixes

  • No events were recorded in the System Log when a user profile attribute was changed in Access Certification Settings. (OKTA-730538)
  • Group owners couldn't be assigned as approvers for access request conditions. (OKTA-738038)

  • Some users could start Access Certifications campaigns but couldn't perform any reviews. (OKTA-740083)

Release 2024.06.1

Features and enhancements

Deprecation of @mentions in requests for non-admin users

Beginning July 1, 2024, non-admin participants of a request can't @mention other users in the request's chat section. For normal access requests, admins (such as access request admins and super admins) are unaffected and can still @mention other users and add them as followers. For admin role access requests, super admins are unaffected and can still @mention other users and add them as followers.

Fixes

  • Links provided by an API response were different for orgs with only one custom domain. (OKTA-732994)

Release 2024.06.0

Features and enhancements

Govern Okta admin roles

Use this feature to adopt a zero standing privilege model for your org. Do this by allowing users to request time-bound access to Okta admin roles directly from their End-User Dashboard and by periodically reviewing their admin access.

The feature helps you streamline processes around requesting, approving, and certifying access to admin roles. It also enables you to control the level of access, and its duration, to your org's critical resources. In addition, you can audit existing user admin role assignments using Access Certifications campaigns and specify reviewers who should approve or revoke user access.

See Govern Okta admin roles.

Govern Okta admin roles might not be available for you depending on your org's eligibility. Contact your account executive or customer success manager.

Access request conditions and resource catalog

This feature provides a new method to streamline your access requests for apps, entitlements, and groups from the app's profile page in the Admin Console.

You can set up app-specific access request conditions that define requester scope, access level, expiration for the access level, and the approval sequence. Based on your active conditions, requesters can request access to an app or app access level directly from their End-User Dashboard. Compared to request types, this approach allows you to reuse existing relationships between users, groups, and apps defined in Okta. Reuse those relationships to govern access instead of recreating them in Okta Access Requests.

This feature also integrates the resource catalog in the End-User Dashboard with Access Requests to make the process of requesting access intuitive and user-friendly. See Access Requests and Create requests. In addition, you can view and edit a user's access duration for the app if the app has Governance Engine enabled. See Manage user entitlements

Access request conditions and resource catalog is an Early Access feature. See Enable self-service features.

Customizable reviewer context

This feature gives admins the ability to customize the fields that are available for reviewers in their review table. Reviewers can then filter and sort the table in new ways to ensure that they have the information they need to make their decisions. See Customizable reviewer context.

Customizable reviewer context is an Early Access feature. See Enable self-service features.

Use Disable bulk decisions

As a super admin, you can now clear the Disable bulk decisions checkbox for campaigns that govern admin roles. Clearing the checkbox allows reviewers to make decisions on multiple review items at once.

Pushed group limits updates

When pushing Okta groups to Access Requests, the group size is now limited to 25,000 users.

Fixes

  • Some resource campaigns for Admin Console entitlements didn't return all read-only admins. (OKTA-730577)

Release 2024.05.2

Features and enhancements

Manage requests associated with a delegated flow

If the delegated workflow initiated by the request type was disabled or deleted, the requests that are associated with the request type stay open unless request assignees act on it. Request assignees can use the Retry button in the request to run the workflow again or mark the action as complete to continue request processing.

Release 2024.05.1

Fixes

  • In certain circumstances, not all available feature licenses were imported when an admin imported entitlements from Salesforce. (OKTA-724915)

  • If a certification contained the user.getLinkedObject("manager").id expression and a user didn't have the manager set as a LinkedObject, the campaign failed. (OKTA-725298)

Release 2024.05.0

Features and enhancements

App tile update

The Okta Access Requests app tile has been updated to display the Okta logo.

Fixes

  • When creating a resource campaign for Salesforce entitlements, some admins received timeout errors if they added the Role entitlement. (OKTA-723680)

Release 2024.04.3

Fixes

  • Admins weren't notified when they needed to manually revoke entitlement access. (OKTA-670398)

  • The users and reviewers search field for active campaigns didn't accept full usernames as search criteria. (OKTA-698900)

Release 2024.04.2

Fixes

  • Read-only admins could see the Edit button in the Identity Governance section of an app's General tab. (OKTA-703510)

  • The Identity Governance section wasn't always visible for new app instances on the app's General tab. (OKTA-716646)

Release 2024.04.1

Features and enhancements

Email functionality removed

Email addresses associated with Access Requests teams are no longer available. This means that users can't request access or respond to requests through email. However, they still receive email notifications based on their notification preferences.

UI improvements

The Cancel button to cancel requests is now available in the request status dropdown, along with other options like Mark as pending and Mark as done.

Release 2024.04.0

Features and enhancements

Govern Okta admin roles

As a super admin, you can use this feature to adopt a zero standing privilege model for your org by allowing users to request time-bound access to Okta admin roles directly from their End-User Dashboard and periodically reviewing their admin access.

The feature helps you streamline processes around requesting, approving, and certifying access to admin roles and allows you to control the level of access and its duration to your org's critical resources. In addition, you can audit users' existing admin role assignments using Access Certifications campaigns and specify reviewers who should approve or revoke users' access.

See Govern Okta admin roles.

Govern Okta admin roles might not be available for you depending on your org's eligibility. Contact your account executive or customer success manager.

Export steps

Super admins and access request admins can now export list of steps and the requests they're associated with. A step is any item that you can add to a request type, such as questions, tasks (approval, action, or custom), and timer setting. See Export data from Access Requests.

Sync entitlements

You can now manually sync entitlements to Okta for provisioning-enabled apps to refresh a user's entitlements. See Sync entitlements from provisioning-enabled apps.

Release 2024.03.2

Features and enhancements

Submit requests for another user

Users can now request access to a resource on behalf of another user from the Access Requests web app if both, the request creator and the person they're creating the request for, are in the Request Type's audience. Request approvers and assignees also have visibility if a user made a request on behalf of another user. See Create requests.

Fixes

  • Admins couldn't change the end date of a campaign if it was the last one in a recurring campaign series. (OKTA-709708)

Release 2024.03.0

Features and enhancements

Removed request list filters

The following filters are no longer supported on the All Requests page of the Okta Access Requests web app and console:

  • Task assignee
  • Task status
  • Field assignee
  • Field value

All existing lists that use these filters will be deleted.

Fixes

  • Some review items weren't listed in closed Access Certifications campaigns or in the Campaign Details report. (OKTA-701322)

  • Apps weren't unassigned upon user account deactivation. (OKTA-666296)

  • User campaigns included groups assigned by group rules in the review even if the campaign creator selected the Only include individually assigned groups checkbox. (OKTA-682664)

Release 2024.02.1

Fixes

  • Sometimes the Okta Expression Language in the User Scope field cleared when admins edited it. (OKTA-694122)

Release 2024.02.0

Features and enhancements

Govern Okta admin roles with Access Certifications

Super admins can use this feature to review users' admin role assignments using Access Certifications campaigns. Prevent accumulation of elevated levels of access and improve the security of your org with this feature. See Campaigns.

Govern Okta admin roles with Access Certifications is an Early Access feature. See Enable self-service features.

New options to define user scope

When creating or editing a rule for entitlement policy, you now have two ways of defining user scope. The Use basic conditions option helps you define user scope without using Okta Expression Language. The Use Okta Expression Language (advanced) option helps you define a more customized user scope with Okta Expression Language. See Create an entitlement policy.

Invalidate user sessions

The Access Requests console now invalidates a user's session if the user's session is used from a different IP address than the IP address it was created from. Contact Support if you want to opt out of IP session binding enforcement within Access Requests.

Updated list of unsupported first-party apps

The list of first-party apps that can't be requested using Access Requests now includes the following:

  • Okta Access Certifications Reviews

  • Okta Entitlement Management

  • Okta Access Requests Admin

  • Okta Privileged Access

  • Okta Account Service SSO

Release 2024.01.2

Fixes

  • The Campaign Summary report incorrectly listed some campaign reviews twice. (OKTA-682639)

  • Recurring campaigns weren't listed in the Past Campaign Summary and Past Campaign Details reports if you modified their end dates. (OKTA-686465)

Release 2024.01.0

Features and enhancements

Team privacy default setting

When you create teams, the Request Privacy option is now on by default. See Create an Access Requests team.

Entitlement Management

Entitlement Management offers you a simple and powerful way to ensure that users in an org have the right permissions for each resource. With Entitlement Management, you can create, store, and manage your application entitlements in Okta. Assign entitlements using a policy or individually from the Admin Console.

The feature is integrated with Access Requests and Access Certifications to help you manage and monitor users' access to resources. You can also manage their level of access within these resources and how the access was granted from the Admin Console. Use Entitlement Management to help meet your audit and compliance requirements for professional standards like SOC2, SOX, and others. See Entitlement Management.

Release: 2023.12.2

Fixes

Access Certifications
  • Apps weren't unassigned from a user when their account was deactivated. (OKTA-666296)

  • When reviewing a campaign, the Application last accessed date in the Review details panel didn't match the Last Login Date in the Current Assignments report. (OKTA-670107)

Release: 2023.12.0

Features and enhancements

Entitlement Management
  • Entitlement Management

    Entitlement Management offers you a simple and powerful way to ensure that users in an org have the right permissions for each resource. With Entitlement Management, you can create, store, and manage your application entitlements in Okta. Assign entitlements using a policy or individually from the Admin Console.

    The feature is integrated with Access Requests and Access Certifications to help you manage and monitor users' access to resources. You can also manage their level of access within these resources and how the access was granted from the Admin Console. Use Entitlement Management to help meet your audit and compliance requirements for professional standards like SOC2, SOX, and others. See Entitlement Management.

Release: 2023.11.1

Features and enhancements

Access Requests
  • Teams setting removed

    On the Access Requests Teams page, the Invite Only setting is removed. Previously, users could change the setting to False. Now Access Requests teams are always invite-only.

Release: 2023.11.0

Features and enhancements

Access Certifications

Release: 2023.10.2

Fixes

Access Certifications
  • Admins couldn't preview reviewers if the first-level reviewer was set as Manager for User campaigns with user scope defined as Individual users and resource scope defined as All Apps. (OKTA-656407)

Release: 2023.10.1

Fixes

Access Requests
  • Request assignees couldn't run a delegated flow manually if any information was missing from the task. See Manage tasks.

Release: 2023.10.0

Features and enhancements

Access Certifications
  • Campaign violation warnings

    A warning message now appears instead of a campaign launch failure when an admin launches a campaign that includes invalid or missing resources.

  • Admin experience enhancements

    Campaigns now end when all reviewers in the campaign complete their reviews. See Campaigns.

    The following options now are available when creating or modifying a campaign:

    • Users: Only include active Okta users in this campaign: This option is only available for resource campaigns that include groups as resources. See Understand Disable self-review

    • Reviewers:

      1. Require justification: This option makes it mandatory for reviewers to enter a justification for their decision to approve or revoke a user's access to a resource.

      2. Disable bulk edit: This option prevents reviewers from selecting multiple reviews to approve or revoke. Reviewers can still reassign multiple reviews to another user.

    See Understand Disable self-review.

Fixes

Access Certifications
  • When an admin used the Okta Expression Language to scope users to the dateValue profile attribute on a campaign, an warning appeared if the attribute was set to less than or equal to three days from the current date. (OKTA-645299)

Release: 2023.09.0

Features and enhancements

Access Requests
  • Changes to the request UI

    The UI for requests in the Access Requests web app has been updated to improve the user experience for approvers and request assignees:

    • Request details such as the request type, team, assignee, and tags are now located on the center panel instead of the right panel.

    • Actions and Activity tabs have been added to the center panel.

      • The Actions tab contains Tasks and Questions sections. See Manage tasks.

      • The Activity tab contains a log of changes or events for the request.

    • The chat has been decoupled from Activity and is now located on the right panel.

  • Sync Okta groups and apps automatically

    Now applications and groups on the Resources tab sync automatically with Okta. You don't need to click Update now before using the app or group that you recently created in Okta.

Release: 2023.08.2

Fixes

Access Certifications
  • When editing a scheduled resource campaign, admins received an error and couldn't save their changes if a resource included in the campaign was deleted from Okta. (OKTA-637849)

Release: 2023.08.0

Features and enhancements

Access Certifications
  • Disable self-review

    Admins now have the ability to disable self-review for campaigns while defining campaign reviewers. This option provides you the flexibility to allow or disallow self-reviews for each campaign. See Understand Disable self-review.

  • User campaigns are now available in Production environments

    User campaigns provide you with a comprehensive view of users' access to resources. They help you tackle elevated access challenges that arise when users' relationship with the organization changes due to events such as role, department, or project change. You can configure these campaigns to only include individually assigned resources, thereby reducing the need for reviewers to review group-assigned resources governed by group membership and rules. See Campaigns.

Access Requests
  • Past Access Requests report improvements

    The Past Access Requests report now displays requests that were approved automatically. In addition, you can also filter the report using Auto approved as a value for the Decision filter.

  • Contextual information for requests

    The contextual data for actions is now available to Access requests administrators and to all members of the team that owns the request type but is unavailable to requesters. In addition, the link to Okta Workflows console is included as contextual data for the Run a workflow action.

Fixes

Access Certifications
  • The Past Campaign Details report didn't always display the reviewer's name. (OKTA-630255)

Access Requests
  • Approvers didn't receive Slack notifications when they or a request assignee completed a task assigned to them.

Release: 2023.07.2

Fixes

Access Certifications
  • The Past Campaign Details report didn't always display the reviewer's name. (OKTA-630255)

Access Requests
  • Approvers didn't receive Slack notifications when they or a request assignee completed a task assigned to them.

Release: 2023.07.1

Fixes

Access Certifications
  • Scheduled campaigns failed to launch if the reviewer type was User's manager and a user's manager was deleted from Okta. (OKTA-628087)

  • While previewing users, admins received an incorrect error message if the Okta Expression Language expression couldn't find the referenced object. (OKTA-628105)

  • Admins couldn't view a campaign's details if they specified a group that should be excluded from the User campaign and then deleted the group in Okta. (OKTA-629574)

Release: 2023.07.0

Features and enhancements

Access Certifications
  • Review details panel enhancement

    When reviewing items, the group description is now visible to reviewers (if one exists for the group). This helps reviewers make an informed decision to approve or deny user's access to the group.

  • User campaigns is now available in Preview environments

    User campaigns provide you with a comprehensive view of users' access to resources. They help you tackle elevated access challenges that arise when users' relationship with the organization changes due to events such as role, department, or project change. You can configure these campaigns to only include individually assigned resources, thereby reducing the need for reviewers to review group-assigned resources governed by group membership and rules. See Campaigns.

Access Requests
  • Okta Workflows actions for Access Requests

    Adding a Run a workflow action task in a Request Type allows requests to run a delegated flow automatically. This feature lets you use your existing Workflows connectors and flows in Access Requests to further automate requests. See Before you begin.

  • Removed ability to change the requester

    Admins and request assignees can no longer change the requester after the request is submitted. They can either reject the tasks for the request or ask the requester to cancel the request.

Release: 2023.06.2

Features and enhancements

Access Requests
  • Just-in-time assignments

    When Request Types have conditional logic for tasks and questions, users are now assigned tasks and questions only after the prerequisite dependencies are fulfilled. This reduces confusion for users because they're only assigned tasks or questions that they can take action on.

Fixes

Access Certifications
  • When reassigning review items, reviewers were unable to search for the new reviewer using their first and last name. (OKTA-443831)

  • The resource's assignment date was checked at the time of remediation, which slowed the remediation process. (OKTA-582449)

  • You could only have either a user or a group as the Group owner reviewer type. (OKTA-587264)

Access Requests
  • Admins and team members could view and click the Edit draft button for Requests Types that they didn't own.

Release: 2023.06.1

Features and enhancements

Access Requests
  • New operator for Request Type

    The includes operator provides more flexibility in the conditional logic that references a Dropdown input type. This is useful when configuring Request Types that reference multiple resources.

  • Cancel requests

    Requesters now have the flexibility to cancel a request if a team member or approver hasn't taken any action on it. They can only cancel the request from the Access Requests web app. Access Requests cancels a request if the user's access to the Access Requests web app is revoked or their status in Okta changes to suspended or deactivated. This feature improves productivity for team members and approver by reducing the incorrect requests that they need to manage.

  • New System Log event for canceled requests

    The System Log now records an access.request.cancel event when a request is canceled.

Fixes

Identity Governance
  • Okta Workflows failed to invoke some Access Certifications and Access Requests API endpoints. (OKTA-618561)

Release: 2023.06.0

Features and enhancements

Access Certifications
  • Multilevel Reviews is now available in Production environments

    Use this feature to set up two levels of approval within a single campaign. You can select which review items go to the second level. You can also view the information for closed multilevel review campaigns from the Past Campaign Details and Past Campaign Summary reports.

    This feature allows you to collect decisions from different sets of relevant stakeholders to ensure accurate decisions are made for your users' access to resources. See Create resource campaigns.

  • API support for features

    Recurring campaigns, Additional reviewer type options, Multilevel reviews, and User campaigns features are now supported by APIs.

Access Requests
  • Supported file types

    You can now upload and download all file types in the Access Requests web app chat. When you download a file from the chat, the original name and file type are retained.

Fixes

Access Requests
  • The new name of the team was reflected only after you refreshed the team's page.

  • The conditional logic for new approval tasks defaulted to is completed instead of is approved.

Release: 2023.05.3

Features and enhancements

Access Certifications
  • User campaigns

    User campaigns provide you with a comprehensive review of users' access to resources. They help you tackle elevated access challenges that arise when users' relationship with the organization changes due to events such as, role, department, or project change. You can configure these campaigns to only include individually assigned resources, thereby reducing the need for reviewers to review group-assigned resources governed by group membership and rules. See Campaigns.

    Note: User campaigns is an Early Access feature. To learn how to enable it, see Enable self-service features.

Fixes

Access Certifications
  • Campaigns on the Active, Scheduled, and Closed tabs weren't sorted in the default order of the most recent campaign first. (OKTA-607347)

  • The Past Campaign Details report didn't display the reviewer name. (OKTA-613193)

  • Reviewers were unable to take any action on their pending review items if the user who created the campaign was deleted from Okta. (OKTA-613929)

Access Requests
  • Approvers didn't receive email notifications about their open tasks if they weren't a team member or request assignee, if they'd previously viewed the request, or if the request had interdependent tasks. (OKTA-608756)

  • When users requested access, the response dropdown menus associated with questions didn't render properly in the Access Requests web app. (OKTA-613362)

Release: 2023.05.1

Fixes

Access Certifications
  • Some campaign pages were rendered blank if you edited a campaign after deleting or deactivating a critical resource, such as an excluded user or a reviewer group. (OKTA-594828 and OKTA-604498)

  • Reviewers didn't receive email notifications if a campaign with a high volume of reviewer items had Groups as the reviewer type. (OKTA-608517)

Access Requests
  • When filing a request in the Access Requests console, users couldn't view some Request Type questions.

Release: 2023.05.0

Features and enhancements

Access Certifications
  • Multilevel Reviews is now available in Preview environments

    Use this feature to set up two levels of approval within a single campaign. You can select which review items go to the second level. You can also view the information for closed multilevel review campaigns from the Past Campaign Details and Past Campaign Summary reports.

    This feature allows you to collect decisions from different sets of relevant stakeholders to ensure accurate decisions are made for your users' access to resources. See Create resource campaigns.

Fixes

Access Certifications
  • Reviewers received some email notifications with incorrect campaign due date timestamps. (OKTA-602462)

Release: 2023.04.3

Fixes

Access Requests
  • Some users didn't receive email notifications for pending approval requests. (OKTA-604594)

Release: 2023.04.2

Fixes

Access Requests
  • When a Request Type with multiple tasks was used for submitting requests, users received multiple duplicate messages and errors. (OKTA-591260)

  • Access request admins who had a custom user type were unable to perform certain tasks in Access Requests. (OKTA-599130)

  • Requests weren't marked as Done automatically when the questions and tasks were completed. (OKTA-602191)

Release: 2023.03.3

Features and enhancements

Access Certifications
  • Multilevel Reviews

    Use this feature to set up two levels of approval within a single campaign. You can select which review items go to the second level. You can also view the information for closed multilevel review campaigns from the Past Campaign Details and Past Campaign Summary reports.

    This feature allows you to collect decisions from different sets of relevant stakeholders to ensure accurate decisions are made for your users' access to resources. See Create resource campaigns.

    Note: Multilevel Reviews is an Early Access feature for orgs with Identity Governance enabled. Use the Early Access Feature Manager as described in Enable self-service features to enable the feature.

Access Requests
  • Improved UI for Settings page

    The SettingsIntegrations page in the Access Request console has been updated to improve clarity and enhance user experience. Your integrations are now grouped by their integration type.

Release: 2023.03.2

Features and enhancements

Access Requests
  • Impact of team deletion

    When you delete a team, all Request Types and associated requests are also deleted from the Access Requests console. You can no longer view the deleted requests in the Access Requests console. You can only view them from the Past Access Requests report.

Fixes

Identity Governance
  • An error occurred when importing group owners for AD groups if queries exceeded a maximum number of entities. (OKTA-540040)

Access Requests
  • Some customers were unable to edit or save Request Types.

  • When users were assigned the access requests administrator role through group assignments, they were unable to perform admin-specific tasks. (OKTA-581692)

Release: 2023.03.1

Features and enhancements

Access Requests
  • Settings page update

    The Settings page user interface has been updated to improve user experience and the following tabs have been added:

    • Resources

    • Configuration lists

    • Pushed groups

    The following terms have also been updated to improve clarity and reduce confusion:

    • Resource lists synced directly from an integration are called Resources.

    • Sublists and admin-defined configuration lists are called Configuration lists.

    See Access Requests and Create a configuration list.

Fixes

Access Requests
  • Some group owners didn't receive an email notification when they were assigned an approval task in a Request Type.

Release: 2023.03.0

Features and enhancements

Identity Governance
  • Group owner functionality for Universal Directory available in Production environments

    Admins can now view and manage the owners of a group in Okta Universal Directory. A group can have a maximum of 10 owners. This feature allows you to manage resource owners centrally when the resource ownership changes, and reduces the need to update your configurations manually. See Group ownership.

  • Import group owner information from AD available in Production environments

    Admins can now import the group ownership information from AD to Okta Directory using full or incremental imports. The group owner is extracted from a managedBy attribute in AD user profile.

    This feature reduces the need to manually define group owners for AD-sourced groups that have been imported to Okta. See Import group owner from Active Directory.

Access Certifications

  • Additional reviewer type options available in Preview environments

    While creating or editing an Access Certification campaign, now you can select one of the following options from the Select reviewer type dropdown menu.

    • A specific user

    • User's manager

    • Group

    • Group owner
    • Define using Okta Expression Language

    This feature allows you to select a Group and Group owner as reviewer types. As a result, you can take the following actions:

    • Assign reviews to multiple users at the same time to make review decisions when you have multiple application owners or a reviewer might be out of office.

    • Leverage the same Okta group that you use in Access Requests in Access Certifications as well. This also minimizes the need to manually update reviewers in campaigns when the reviewers change.

    See Create resource campaigns.

Access Requests
  • Group owner approvals for Access Requests

    Now you can assign group owners as task assignees or approvers in a Request Type. This feature allows you to create a single Request Type instead of multiple Request Types when you need to reference groups with different group owners as approvers. See Create a request type and Group ownership.

Release: 2023.02.1

Features and enhancements

Access Requests
  • Change to new Request Types

    For new Request Types, you can no longer select an integration's source list as a Configuration items value for questions and conditional logic. While it's not recommended, you can still use source lists for tasks in a Request Type.

    Existing Request Types that use source lists are unaffected with this change because the system creates reusable sublists for them.

Fixes

Access Requests
  • You could configure a Request Type to use applications and groups that weren't available for your team.

Release: 2023.02.0

Features and enhancements

Identity Governance
  • Group owner functionality for Universal Directory available in Preview environments

    Admins can now view and manage the owners of a group in Okta Universal Directory. A group can have a maximum of 10 owners. This feature allows you to manage resource owners centrally when the resource ownership changes, and reduces the need to update your configurations manually. See Group ownership.

  • Import group owner information from AD available in Preview environments

    Admins can now import the group ownership information from AD to Okta Directory using full or incremental imports. The group owner is extracted from a managedBy attribute in AD user profile.

    This feature reduces the need to manually define group owners for AD-sourced groups that have been imported to Okta. See Import group owner from Active Directory.

Access Certifications

  • UI enhancements

    For active campaigns, the Review details view is now available as a panel next to the review item. As well, the Reviewer and status details section has been updated and split into Reviewer details and Certification details sections. See View the progress of an active campaign.

Release: 2023.01.2

Fixes

Access Requests
  • Some requests didn't resolve automatically when access was granted to two apps or groups at the same time.

  • Some task approvers couldn't take action from the email notification because the email didn't contain the Open Tasks section.

  • Sometimes second-level approvers didn't receive a Slack notification when a request was assigned to them.

Release: 2023.01.1

Features and enhancements

Access Requests
  • Remove Request Action menu

    Admins can no longer manually overwrite the original request using the Request Action menu in the header panel.

Release: 2023.01.0

Features and enhancements

Access Certifications
  • UI enhancements

    For Access Certifications campaigns, the user, group, and app dropdown menus now display an icon next to each selection. In addition, the group dropdown menu now displays the number of assigned users and apps, and the app dropdown menu now displays the app status and the app ID.

    Since a user, group, or an app name isn't always unique, this enhancement provides more context to you for the resources you select. As well, these enhancements allow you to configure campaigns for the correct users, groups, and apps.

  • Additional reviewer type options available in Preview environment

    While creating or editing an Access Certification campaign, now you can select one of the following options from the Select reviewer type dropdown menu.

    • A specific user

    • User's manager

    • Group

    • Group owner
    • Define using Okta Expression Language

    This feature allows you to select a Group and Group owner as reviewer types. As a result, you can take the following actions:

    • Assign reviews to multiple users at the same time to make review decisions when you have multiple application owners or a reviewer might be out of office.

    • Leverage the same Okta group that you use in Access Requests in Access Certifications as well. This also minimizes the need to manually update reviewers in campaigns when the reviewers change.

    See Create resource campaigns.

Access Requests
  • View user's email address

    When adding users to a team, you can now view a user's email address in addition to their name in the Add team members dialog. This allows you to pick the correct user when you have multiple users with the same name.

Release: 2022.12.3

Fixes

Access Certifications When reviewers clicked View Assigned Reviews from an email notification and signed in to Okta, they were redirected to their End-User Dashboard instead of the campaign review page. (OKTA-560171)

Release: 2022.12.2

Features and enhancements

Access Certifications
  • Campaign violation warnings

    A warning message now appears instead of a campaign launch failure when an admin launches a campaign that includes invalid or missing resources.

  • Admin experience enhancements

    Campaigns now end when all reviewers in the campaign complete their reviews. See Campaigns.

    The following options now are available when creating or modifying a campaign:

    • Users: Only include active Okta users in this campaign: This option is only available for resource campaigns that include groups as resources. See Understand Disable self-review

    • Reviewers:

      1. Require justification: This option makes it mandatory for reviewers to enter a justification for their decision to approve or revoke a user's access to a resource.

      2. Disable bulk edit: This option prevents reviewers from selecting multiple reviews to approve or revoke. Reviewers can still reassign multiple reviews to another user.

    See Understand Disable self-review.

Fixes

Access Certifications
  • When an admin used the Okta Expression Language to scope users to the dateValue profile attribute on a campaign, an warning appeared if the attribute was set to less than or equal to three days from the current date. (OKTA-645299)

Release: 2023.09.0

Features and enhancements

Access Requests
  • Changes to the request UI

    The UI for requests in the Access Requests web app has been updated to improve the user experience for approvers and request assignees:

    • Request details such as the request type, team, assignee, and tags are now located on the center panel instead of the right panel.

    • Actions and Activity tabs have been added to the center panel.

      • The Actions tab contains Tasks and Questions sections. See Manage tasks.

      • The Activity tab contains a log of changes or events for the request.

    • The chat has been decoupled from Activity and is now located on the right panel.

  • Sync Okta groups and apps automatically

    Now applications and groups on the Resources tab sync automatically with Okta. You don't need to click Update now before using the app or group that you recently created in Okta.

Release: 2023.08.2

Fixes

Access Certifications
  • When editing a scheduled resource campaign, admins received an error and couldn't save their changes if a resource included in the campaign was deleted from Okta. (OKTA-637849)

Release: 2023.08.0

Features and enhancements

Access Certifications
  • Disable self-review

    Admins now have the ability to disable self-review for campaigns while defining campaign reviewers. This option provides you the flexibility to allow or disallow self-reviews for each campaign. See Understand Disable self-review.

  • User campaigns are now available in Production environments

    User campaigns provide you with a comprehensive view of users' access to resources. They help you tackle elevated access challenges that arise when users' relationship with the organization changes due to events such as role, department, or project change. You can configure these campaigns to only include individually assigned resources, thereby reducing the need for reviewers to review group-assigned resources governed by group membership and rules. See Campaigns.

Access Requests
  • Past Access Requests report improvements

    The Past Access Requests report now displays requests that were approved automatically. In addition, you can also filter the report using Auto approved as a value for the Decision filter.

  • Contextual information for requests

    The contextual data for actions is now available to Access requests administrators and to all members of the team that owns the request type but is unavailable to requesters. In addition, the link to Okta Workflows console is included as contextual data for the Run a workflow action.

Fixes

Access Certifications
  • The Past Campaign Details report didn't always display the reviewer's name. (OKTA-630255)

Access Requests
  • Approvers didn't receive Slack notifications when they or a request assignee completed a task assigned to them.

Release: 2023.07.2

Fixes

Access Certifications
  • The Past Campaign Details report didn't always display the reviewer's name. (OKTA-630255)

Access Requests
  • Approvers didn't receive Slack notifications when they or a request assignee completed a task assigned to them.

Release: 2023.07.1

Fixes

Access Certifications
  • Scheduled campaigns failed to launch if the reviewer type was User's manager and a user's manager was deleted from Okta. (OKTA-628087)

  • While previewing users, admins received an incorrect error message if the Okta Expression Language expression couldn't find the referenced object. (OKTA-628105)

  • Admins couldn't view a campaign's details if they specified a group that should be excluded from the User campaign and then deleted the group in Okta. (OKTA-629574)

Release: 2023.07.0

Features and enhancements

Access Certifications
  • Review details panel enhancement

    When reviewing items, the group description is now visible to reviewers (if one exists for the group). This helps reviewers make an informed decision to approve or deny user's access to the group.

  • User campaigns is now available in Preview environments

    User campaigns provide you with a comprehensive view of users' access to resources. They help you tackle elevated access challenges that arise when users' relationship with the organization changes due to events such as role, department, or project change. You can configure these campaigns to only include individually assigned resources, thereby reducing the need for reviewers to review group-assigned resources governed by group membership and rules. See Campaigns.

Access Requests
  • Okta Workflows actions for Access Requests

    Adding a Run a workflow action task in a Request Type allows requests to run a delegated flow automatically. This feature lets you use your existing Workflows connectors and flows in Access Requests to further automate requests. See Before you begin.

  • Removed ability to change the requester

    Admins and request assignees can no longer change the requester after the request is submitted. They can either reject the tasks for the request or ask the requester to cancel the request.

Release: 2023.06.2

Features and enhancements

Access Requests
  • Just-in-time assignments

    When Request Types have conditional logic for tasks and questions, users are now assigned tasks and questions only after the prerequisite dependencies are fulfilled. This reduces confusion for users because they're only assigned tasks or questions that they can take action on.

Fixes

Access Certifications
  • When reassigning review items, reviewers were unable to search for the new reviewer using their first and last name. (OKTA-443831)

  • The resource's assignment date was checked at the time of remediation, which slowed the remediation process. (OKTA-582449)

  • You could only have either a user or a group as the Group owner reviewer type. (OKTA-587264)

Access Requests
  • Admins and team members could view and click the Edit draft button for Requests Types that they didn't own.

Release: 2023.06.1

Features and enhancements

Access Requests
  • New operator for Request Type

    The includes operator provides more flexibility in the conditional logic that references a Dropdown input type. This is useful when configuring Request Types that reference multiple resources.

  • Cancel requests

    Requesters now have the flexibility to cancel a request if a team member or approver hasn't taken any action on it. They can only cancel the request from the Access Requests web app. Access Requests cancels a request if the user's access to the Access Requests web app is revoked or their status in Okta changes to suspended or deactivated. This feature improves productivity for team members and approver by reducing the incorrect requests that they need to manage.

  • New System Log event for canceled requests

    The System Log now records an access.request.cancel event when a request is canceled.

Fixes

Identity Governance
  • Okta Workflows failed to invoke some Access Certifications and Access Requests API endpoints. (OKTA-618561)

Release: 2023.06.0

Features and enhancements

Access Certifications
  • Multilevel Reviews is now available in Production environments

    Use this feature to set up two levels of approval within a single campaign. You can select which review items go to the second level. You can also view the information for closed multilevel review campaigns from the Past Campaign Details and Past Campaign Summary reports.

    This feature allows you to collect decisions from different sets of relevant stakeholders to ensure accurate decisions are made for your users' access to resources. See Create resource campaigns.

  • API support for features

    Recurring campaigns, Additional reviewer type options, Multilevel reviews, and User campaigns features are now supported by APIs.

Access Requests
  • Supported file types

    You can now upload and download all file types in the Access Requests web app chat. When you download a file from the chat, the original name and file type are retained.

Fixes

Access Requests
  • The new name of the team was reflected only after you refreshed the team's page.

  • The conditional logic for new approval tasks defaulted to is completed instead of is approved.

Release: 2023.05.3

Features and enhancements

Access Certifications
  • User campaigns

    User campaigns provide you with a comprehensive review of users' access to resources. They help you tackle elevated access challenges that arise when users' relationship with the organization changes due to events such as, role, department, or project change. You can configure these campaigns to only include individually assigned resources, thereby reducing the need for reviewers to review group-assigned resources governed by group membership and rules. See Campaigns.

    Note: User campaigns is an Early Access feature. To learn how to enable it, see Enable self-service features.

Fixes

Access Certifications
  • Campaigns on the Active, Scheduled, and Closed tabs weren't sorted in the default order of the most recent campaign first. (OKTA-607347)

  • The Past Campaign Details report didn't display the reviewer name. (OKTA-613193)

  • Reviewers were unable to take any action on their pending review items if the user who created the campaign was deleted from Okta. (OKTA-613929)

Access Requests
  • Approvers didn't receive email notifications about their open tasks if they weren't a team member or request assignee, if they'd previously viewed the request, or if the request had interdependent tasks. (OKTA-608756)

  • When users requested access, the response dropdown menus associated with questions didn't render properly in the Access Requests web app. (OKTA-613362)

Release: 2023.05.1

Fixes

Access Certifications
  • Some campaign pages were rendered blank if you edited a campaign after deleting or deactivating a critical resource, such as an excluded user or a reviewer group. (OKTA-594828 and OKTA-604498)

  • Reviewers didn't receive email notifications if a campaign with a high volume of reviewer items had Groups as the reviewer type. (OKTA-608517)

Access Requests
  • When filing a request in the Access Requests console, users couldn't view some Request Type questions.

Release: 2023.05.0

Features and enhancements

Access Certifications
  • Multilevel Reviews is now available in Preview environments

    Use this feature to set up two levels of approval within a single campaign. You can select which review items go to the second level. You can also view the information for closed multilevel review campaigns from the Past Campaign Details and Past Campaign Summary reports.

    This feature allows you to collect decisions from different sets of relevant stakeholders to ensure accurate decisions are made for your users' access to resources. See Create resource campaigns.

Fixes

Access Certifications
  • Reviewers received some email notifications with incorrect campaign due date timestamps. (OKTA-602462)

Release: 2023.04.3

Fixes

Access Requests
  • Some users didn't receive email notifications for pending approval requests. (OKTA-604594)

Release: 2023.04.2

Fixes

Access Requests
  • When a Request Type with multiple tasks was used for submitting requests, users received multiple duplicate messages and errors. (OKTA-591260)

  • Access request admins who had a custom user type were unable to perform certain tasks in Access Requests. (OKTA-599130)

  • Requests weren't marked as Done automatically when the questions and tasks were completed. (OKTA-602191)

Release: 2023.03.3

Features and enhancements

Access Certifications
  • Multilevel Reviews

    Use this feature to set up two levels of approval within a single campaign. You can select which review items go to the second level. You can also view the information for closed multilevel review campaigns from the Past Campaign Details and Past Campaign Summary reports.

    This feature allows you to collect decisions from different sets of relevant stakeholders to ensure accurate decisions are made for your users' access to resources. See Create resource campaigns.

    Note: Multilevel Reviews is an Early Access feature for orgs with Identity Governance enabled. Use the Early Access Feature Manager as described in Enable self-service features to enable the feature.

Access Requests
  • Improved UI for Settings page

    The SettingsIntegrations page in the Access Request console has been updated to improve clarity and enhance user experience. Your integrations are now grouped by their integration type.

Release: 2023.03.2

Features and enhancements

Access Requests
  • Impact of team deletion

    When you delete a team, all Request Types and associated requests are also deleted from the Access Requests console. You can no longer view the deleted requests in the Access Requests console. You can only view them from the Past Access Requests report.

Fixes

Identity Governance
  • An error occurred when importing group owners for AD groups if queries exceeded a maximum number of entities. (OKTA-540040)

Access Requests
  • Some customers were unable to edit or save Request Types.

  • When users were assigned the access requests administrator role through group assignments, they were unable to perform admin-specific tasks. (OKTA-581692)

Release: 2023.03.1

Features and enhancements

Access Requests
  • Settings page update

    The Settings page user interface has been updated to improve user experience and the following tabs have been added:

    • Resources

    • Configuration lists

    • Pushed groups

    The following terms have also been updated to improve clarity and reduce confusion:

    • Resource lists synced directly from an integration are called Resources.

    • Sublists and admin-defined configuration lists are called Configuration lists.

    See Access Requests and Create a configuration list.

Fixes

Access Requests
  • Some group owners didn't receive an email notification when they were assigned an approval task in a Request Type.

Release: 2023.03.0

Features and enhancements

Identity Governance
  • Group owner functionality for Universal Directory available in Production environments

    Admins can now view and manage the owners of a group in Okta Universal Directory. A group can have a maximum of 10 owners. This feature allows you to manage resource owners centrally when the resource ownership changes, and reduces the need to update your configurations manually. See Group ownership.

  • Import group owner information from AD available in Production environments

    Admins can now import the group ownership information from AD to Okta Directory using full or incremental imports. The group owner is extracted from a managedBy attribute in AD user profile.

    This feature reduces the need to manually define group owners for AD-sourced groups that have been imported to Okta. See Import group owner from Active Directory.

Access Certifications

  • Additional reviewer type options available in Preview environments

    While creating or editing an Access Certification campaign, now you can select one of the following options from the Select reviewer type dropdown menu.

    • A specific user

    • User's manager

    • Group

    • Group owner
    • Define using Okta Expression Language

    This feature allows you to select a Group and Group owner as reviewer types. As a result, you can take the following actions:

    • Assign reviews to multiple users at the same time to make review decisions when you have multiple application owners or a reviewer might be out of office.

    • Leverage the same Okta group that you use in Access Requests in Access Certifications as well. This also minimizes the need to manually update reviewers in campaigns when the reviewers change.

    See Create resource campaigns.

Access Requests
  • Group owner approvals for Access Requests

    Now you can assign group owners as task assignees or approvers in a Request Type. This feature allows you to create a single Request Type instead of multiple Request Types when you need to reference groups with different group owners as approvers. See Create a request type and Group ownership.

Release: 2023.02.1

Features and enhancements

Access Requests
  • Change to new Request Types

    For new Request Types, you can no longer select an integration's source list as a Configuration items value for questions and conditional logic. While it's not recommended, you can still use source lists for tasks in a Request Type.

    Existing Request Types that use source lists are unaffected with this change because the system creates reusable sublists for them.

Fixes

Access Requests
  • You could configure a Request Type to use applications and groups that weren't available for your team.

Release: 2023.02.0

Features and enhancements

Identity Governance
  • Group owner functionality for Universal Directory available in Preview environments

    Admins can now view and manage the owners of a group in Okta Universal Directory. A group can have a maximum of 10 owners. This feature allows you to manage resource owners centrally when the resource ownership changes, and reduces the need to update your configurations manually. See Group ownership.

  • Import group owner information from AD available in Preview environments

    Admins can now import the group ownership information from AD to Okta Directory using full or incremental imports. The group owner is extracted from a managedBy attribute in AD user profile.

    This feature reduces the need to manually define group owners for AD-sourced groups that have been imported to Okta. See Import group owner from Active Directory.

Access Certifications

  • UI enhancements

    For active campaigns, the Review details view is now available as a panel next to the review item. As well, the Reviewer and status details section has been updated and split into Reviewer details and Certification details sections. See View the progress of an active campaign.

Release: 2023.01.2

Fixes

Access Requests
  • Some requests didn't resolve automatically when access was granted to two apps or groups at the same time.

  • Some task approvers couldn't take action from the email notification because the email didn't contain the Open Tasks section.

  • Sometimes second-level approvers didn't receive a Slack notification when a request was assigned to them.

Release: 2023.01.1

Features and enhancements

Access Requests
  • Remove Request Action menu

    Admins can no longer manually overwrite the original request using the Request Action menu in the header panel.

Release: 2023.01.0

Features and enhancements

Access Certifications
  • UI enhancements

    For Access Certifications campaigns, the user, group, and app dropdown menus now display an icon next to each selection. In addition, the group dropdown menu now displays the number of assigned users and apps, and the app dropdown menu now displays the app status and the app ID.

    Since a user, group, or an app name isn't always unique, this enhancement provides more context to you for the resources you select. As well, these enhancements allow you to configure campaigns for the correct users, groups, and apps.

  • Additional reviewer type options available in Preview environment

    While creating or editing an Access Certification campaign, now you can select one of the following options from the Select reviewer type dropdown menu.

    • A specific user

    • User's manager

    • Group

    • Group owner
    • Define using Okta Expression Language

    This feature allows you to select a Group and Group owner as reviewer types. As a result, you can take the following actions:

    • Assign reviews to multiple users at the same time to make review decisions when you have multiple application owners or a reviewer might be out of office.

    • Leverage the same Okta group that you use in Access Requests in Access Certifications as well. This also minimizes the need to manually update reviewers in campaigns when the reviewers change.

    See Create resource campaigns.

Access Requests
  • View user's email address

    When adding users to a team, you can now view a user's email address in addition to their name in the Add team members dialog. This allows you to pick the correct user when you have multiple users with the same name.

Release: 2022.12.3

Fixes

Access Certifications When reviewers clicked View Assigned Reviews from an email notification and signed in to Okta, they were redirected to their End-User Dashboard instead of the campaign review page. (OKTA-560171)

Release: 2022.12.2

Features and enhancements

Access Requests Updates to request requirements
  • Requests submitted using email or the Access Requests Console must include a Request Type. This is to enable a smoother request approval flow. See Create requests.

  • Only team members can edit requests associated with that team. This also applies to super administrators and access requests administrators.

  • Team members can't remove a team or assignee from a request. They can only update the assignee.

Fixes

Access Certifications While approving or revoking access, reviewers had to click the textbox multiple times to enter a business justification. (OKTA-535909)

Release: 2022.12.1

Fixes

Access Requests When a Jira ticket was created automatically for a team, its issue type was set to the first issue type configured in the Jira integration. (OKTA-554537)

Release: 2022.12.0

Access Certifications

Features

  • Additional reviewer type options

    While creating or editing an Access Certification campaign, now you can select one of the following options from the Select reviewer type dropdown menu.

    • A specific user

    • User's manager

    • Group

    • Group owner
    • Define using Okta Expression Language

    This feature allows you to select a Group and Group owner as reviewer types. As a result, you can take the following actions:

    • Assign reviews to multiple users at the same time to make review decisions when you have multiple application owners or a reviewer might be out of office.

    • Leverage the same Okta group that you use in Access Requests in Access Certifications as well. This also minimizes the need to manually update reviewers in campaigns when the reviewers change.

    See Create resource campaigns.

    This is an Early Access feature for orgs with Identity Governance enabled. Use the Early Access Feature Manager as described in Enable self-service features to enable the feature.

Fixes

  • The message There are no more pending reviews for this campaign was displayed when you searched for a user or reviewer's pending review items in an active campaign. (OKTA-549609)

Access Requests

Enhancements

  • Improvements to Access Requests

    • When you sign in after your session expires, you are now taken to the last page that you visited instead of being taken to your requests Inbox.

    • When you click the email action link without signing in, you're now asked to sign in instead of displaying an error.

    • Date fields are now localized properly even when you can't edit the field.

Release: 2022.11.1

Deployment date: Nov 30, 2022

Identity Governance

Access Requests

Enhancements

  • Update to request requirements

    Requests submitted using Slack or Microsoft Teams must include a request type. This is to enable a smoother request approval flow.

  • Add Task button removed

    Approvers can't add custom tasks to a request.

  • Remove ability to archive items

    You can no longer archive items from configuration lists and sublists. However, you can now delete items from the sublists.

Fixes

  • After syncing a configuration list, items archived from a sublist didn't stay in the archive.

Release: 2022.11.0

Deployment date: Nov 3, 2022

Identity Governance

Access Requests

Enhancements

  • New System Log events for access requests
    A new System Log event appears when an access request is created and also when it is resolved.


  • Autopopulate groups
    Based on the requester's responses in the Teams and Request Type fields in a request, a group is automatically populated using AI prediction models. This is only applicable if the following conditions are met:

    • The question in a Request Type has Dropdown as the input type.
    • The selected Dropdown option is associated with an Okta resource list that contains groups only.

Reports

Enhancements

  • New column for the Past Campaign Details report
    The CSV export of the Past Campaign Details report now contains a reviewItem.revoked column. The column contains a time stamp for when a user's access to a resource was revoked. This functionality provides visibility into the remediation time frame of a campaign and helps you meet audit requirements.

Release: 2022.10.2

Deployment date: Oct 26, 2022

Identity Governance

Access Requests

Enhancements

  • Enhancements for Jira and ServiceNow integrations
    If you have integrated Jira or ServiceNow with Access Requests, you can now create sublists for these integrations. This allows you to control the options available to users when processing requests. See Create a configuration list.

Release: 2022.10.0

Deployment date: Oct 5, 2022

Identity Governance

Access Certifications

Production features

The following features are now generally available on Production environments.

  • Access certifications administrator role

  • Recurring campaigns

Enhancements

  • Enhancements to the Review Details pane

    In the Resource details section of the Review details pane, reviewers can now see when an application was assigned to the user and when the user's access to an application or group was last reviewed. This provides historical context for the resource being reviewed across campaigns.

Access Requests

Production features

The following features are now generally available on Production environments.

  • Access requests administrator role

Enhancements

  • Deprecate some actions for Okta integration

    For the Okta integration in the Access Requests console, the following actions are now deprecated for new Requests and Request Types:

    • Reset user password

    • Unlock user

    • Activate user

    • Deactivate user

    • Suspend user

    • Unsuspend user

    • List enrolled MFA for user

    • Reset all user MFA

    • Clear all user sessions

  • Security enhancement for email

    As an increased security measure, now you must be signed in to Access Requests to approve, deny, and complete a task for a request using the action link in email notification. In addition, these action links in the emails from before October 3, 2022, will no longer work even if you're signed in.

Fixes

  • Admins couldn't disable the Create issue toggle when they attempted to edit the Jira connection.

  • The Jira resource list option wasn't available on the SettingsConfiguration page of the Access Requests console. Consequently, the Jira projects option wasn't available in the list of configuration options when admins attempted to automate Jira issue creation.

Reports

Production features

The following features are now generally available on Production environments.

  • Past Access Requests report

Release: 2022.09.3

Deployment date: Sep 28, 2022

Identity Governance

Access Certifications

Fixes

  • Users received email notifications for Access Certifications campaigns on both their primary and secondary email addresses. (OKTA-530589)

Release: 2022.09.1

Deployment date: Sep 14, 2022

Identity Governance

Access Certifications

Fixes

  • Campaigns launched successfully even when the user scope was defined using Okta Expression Language and no users met the expression criteria. (OKTA-518924)

  • The wrong campaign opened occasionally when admins attempted to edit a scheduled campaign immediately after editing another scheduled campaign. (OKTA-527511)

Access Requests

Enhancements

  • Prevent changes after submitting requests
    • Now requesters can't modify the questions after they submit a Request Type.

    • Only request assignees can update answers after submission.

    • Admins can only assign requests to members of team, which owns the Request Type.

  • Disable Request Types and notify admins

    A Request Type is disabled in the following scenarios:

    • When you remove an item from a list that is associated with an active Request Type.

    • When you delete a team that is associated with a Request Type.

    Admins now receive an email notification when the Request Type is disabled to make the required modifications. See Modify a list.

Release: 2022.09.0

Deployment date: Aug 31, 2022

Identity Governance

Features

  • Group owner functionality for Universal Directory

    Admins can now view and manage the owners of the group in Okta Universal Directory. A group can have a maximum of 10 owners. See Group ownership.

    With this feature, you can use Okta Expression Language expressions to specify group owners as reviewers for an Access Certifications campaign. This allows you to centrally manage reviewers for a resource associated with a campaign without updating the campaign configuration when the resource ownership changes. See Define dynamic reviewers.

    This is a self-service early access feature for Okta Identity Governance customers. To enable it, use the Early Access Feature Manager as described in Enable self-service features.

  • Import group owner information from AD

    Admins can now import the group ownership information from AD to Okta Directory using full or incremental imports. The group owner is extracted from a managedBy attribute in AD user profile. Note that AD can have only one owner for a group, either a group or a user, so the imported group can also have only one owner. See Import group owner from Active Directory.

    This is a self-service early access feature for Okta Identity Governance customers. To enable it, use the Early Access Feature Manager as described in Enable self-service features.

Access Certifications

Features

  • Automatically assign the Access Certifications app

    When you assign the access certifications administrator role to a user or group, they're automatically assigned to the Access Certifications app. This is available to orgs with the access certifications administrator role enabled. See Access certifications administrators.

Preview features

The following features are now generally available on Preview environments.

  • Access certifications administrator role

  • Recurring campaigns

Fixes

  • OKTA-525684

    When reviewers bulk approved or revoked review items that had different groups associated with them, System.DebugContext.DebugData in System Log events displayed the first group for all items.

Access Requests

Features

  • Automatically assign the Request Access app

    When you assign the access requests administrator role to a user or group, they're automatically assigned to the Request Access app. This is available to orgs with the access requests administrator role enabled. See Access requests administrators.

Preview features

The following features are now generally available on Preview environments.

  • Access requests administrator role

Reports

Enhancements

  • UI text update

    For the Past Access Requests report, the column header and filter labels have been changed from Requester Name to Requester and Approver Name to Approver.

Preview features

The following features are now generally available on Preview environments.

  • Past Access Requests report

Release: 2022.08.0

Deployment date: Aug 03, 2022

Identity Governance

Okta Identity Governance is now generally available on Production environments.

Access Certifications

Features

  • Access certifications admin role

    You can now assign the access certifications standard admin role to your users instead of the super admin role. An access certifications admin can create and manage campaigns for Okta resources, such as users, groups, and applications. This role helps you control the level of access a user needs to perform their tasks. See Access certifications administrators.

    This is an early access feature. To enable it for your org, contact Okta Support.

  • Recurring campaigns
    You can now set up a recurrence schedule for campaigns to allow them to run periodically. This helps you save time and increases productivity. You now have the flexibility to set up a specific start time when you create a campaign instead of having it launch at midnight by default. See Create resource campaigns.

    This is a self-service early access feature. To enable it, use the Early Access Feature Manager as described in Enable self-service features.

Production features

The following features are now generally available on Production environments.

  • View known entitlements

  • Campaign history

Access Requests

Features

  • Access Requests admin role

    Orgs can assign the Access Requests standard admin role to users instead of the super admin role. This role allows a user to view all Okta users and groups, manage app permissions and assignments within Access Requests, and act as an admin within the Access Requests Console. Using this role helps orgs to better control which actions are available to users. See Access requests administrators.

    This is an early access feature. To enable it, contact Okta Support.

  • Export data feature
    The Export feature allows Access Requests admins can export data from the Access Requests Console. Exports can define how Request Types are organized, log which data is available in a configuration list, or list the specific actions taken for individual requests. This data helps orgs retain a clear record of the information available to Access Requests and how requests are processed. See Export data from Access Requests.
  • Time-Bound tasks
    Time-Bound tasks allow orgs to control the flow and timing of actions within a request. These tasks are available when a team creates a Request Type, and can schedule follow-up actions on a specific date, or after a specific duration of time. These tasks allow teams to better schedule how the system processes requests. See Create a request type.

Enhancements

Access Requests Workflows are now called Request Types.

Reports

Features

  • New Identity Governance report
    To aid with compliance and audits, the Past Access Requests report provides information on users that have requested access to org resources, and details related to the outcome of the request. See Past Access Requests report.
    This is a self-service early access feature. To enable it, see Enable self-service features.

Release: 2022.07.0

Deployment date: Jul 07, 2022

Identity Governance

Okta Identity Governance is a SaaS-delivered, converged, and intuitive Identity and Access management platform. Use it to simplify and manage your identity and access lifecycles across multiple systems and improve the overall security of your company.

Use Okta Identity Governance solutions, such as Access Certifications, Access Requests, and Reports to:

  • Efficiently create, protect, and audit access to critical resources.
  • Improve your company's security.
  • Increase employee productivity.
  • Improve IT efficiency by automating tasks to reduce the time taken and errors associated with manual data entry and provisioning tasks.

Access Certifications

Use Access Certifications to periodically create reviews of your users' access to applications or groups in Okta. Reviewers can approve or revoke access or reassign the review item to another user directly in the Okta Admin Console. Once the reviewer makes a decision, the remediation of a user's access begins automatically. This ensures that only users who need a resource have access to it and there is no accumulation of elevated or privileged access to a resource.

See Access Certifications.

Features

  • View known entitlements feature

    The View known entitlements self-service feature identifies the groups, licenses, permissions, and roles assigned to specific users within an Access Certification campaign. Currently this feature only syncs data from a limited number of apps: AWS, Box, Netsuite, Office 365, and Salesforce. See Review campaigns.

  • Campaign history

    For each review item, admins and reviewers can now see a history for that item, which includes details about the assignment, business justification for reassignment, details of the assigned reviewer, and the final decision of the reviewer. This information is available on the Review details pane of a review item.

Enhancements

  • Remediation actions for unreviewed users

    When an Access Certification campaign ends early, the End Campaign dialog allows admins to specify if an action is performed on unreviewed users. See Modify campaign's end date .

Access Requests

Use Access Requests to automate the process of requesting access to applications and resources. Access Requests delivers a streamlined and frictionless approach that automatically routes user requests to one or more reviewers for action.

See Access Requests

Reports

Use Access Certifications Campaigns reports, such as, Campaign Details and Campaign Summaries to obtain information on previously completed campaigns. You can also export the reports from Okta.

See Identity Governance Reports.

Date: June 15, 2022

Access Certifications

  • Improved visibility into campaign launch errors

    You can now view campaigns that failed the pre-launch check or failed to launch on the Closed tab of the Access Certification campaigns page and in the System Log. Select and open the campaign to view reasons for failure. This helps you identify and fix errors in the campaign.

  • OKTA-467193

    Some of the buttons in the Create campaigns dialog were confusing and didn't function as expected. The buttons have been renamed for clarity.

    1. When you create a campaign, the Exit button is now labeled Cancel.
    2. When you edit a scheduled campaign:
      • The Next button is now labeled Save and continue.
      • The Schedule campaign button is now labeled Update campaign.

  • OKTA-508375

    Uncertified review items were marked as Reassigned instead of Not certified on the Closed tab of the Access certification campaigns page.

Date: June 8, 2022

Access Certifications

  • Visibility into campaign launch failures in System Log

    When a campaign fails to launch or doesn't pass the pre-launch check, the System Log now displays the reason for failure. This helps you identify and correct the issue.

Date: May 4, 2022

Access Certifications

  • Email notification for campaign launch errors

    Admins now get an email notification with a link to the campaign's page when the following errors occur at launch:

    • The number of review items is more than 10,000.

    • The fallback reviewer has been deactivated or deleted in Okta.

    • The resource (application or group) associated with the campaign has been deleted in Okta.

    • The campaign doesn't have any review items.

    Use the link in the email notification to view errors. You can also get a head start on recreating the campaign by copying your campaign configuration, including the Okta Expression Language expressions for users and reviewers, from the Overview section. This functionality provides visibility in to campaigns that fails to launch. It also helps you identify and troubleshoot errors.

Date: March 30, 2022

Access Requests

  • Some orgs encountered issues while syncing Okta groups to Access Requests.

Date: March 23, 2022

Access Certifications

  • Third-party apps as a resource

    Admins can only include third-party apps as a resource when creating or modifying an Access Certifications campaign. This prevents reviewers from accidentally revoking an admin's access to the following first party apps:

    • Okta Workflows
    • Okta Admin Console
    • Okta Browser Plugin
    • Okta Admin Dashboard
    • Okta Access Certification
    • Okta Access Certification Reviews

Date: March 2, 2022

Identity Governance

Okta Identity Governance is a SaaS-delivered, converged, and intuitive Identity and Access management platform. Use it to simplify and manage your identity and access lifecycles across multiple systems and improve the overall security of your company.

Use Okta Identity Governance solutions, such as Access Certifications, Access Requests, and Reports to:

  • Efficiently create, protect, and audit access to critical resources.
  • Improve your company's security.
  • Increase employee productivity.
  • Improve IT efficiency by automating tasks to reduce the time taken and errors associated with manual data entry and provisioning tasks.

Access Certifications

Use Access Certifications to periodically create reviews of your users' access to applications or groups in Okta. Reviewers can approve or revoke access or reassign the review item to another user directly in the Okta Admin Console. Once the reviewer makes a decision, the remediation of a user's access begins automatically. This ensures that only users who need a resource have access to it and there is no accumulation of elevated or privileged access to a resource.

See Access Certifications.

Access Requests

Use Access Requests to automate the process of requesting access to applications and resources. Access Requests delivers a streamlined and frictionless approach that automatically routes user requests to one or more reviewers for action.

See Access Requests

Reports

Use Access Certifications Campaigns reports, such as, Campaign Details and Campaign Summaries to obtain information on previously completed campaigns. You can also export the reports from Okta.

See Identity Governance Reports.