Create campaigns to review admin roles
Early Access release. See Enable self-service features.
Create preconfigured, resource, or user campaigns to help ensure that your users have the right level of access. You must be a super admin who's assigned to the Okta Access Certifications app to create and manage campaigns that govern admin roles. The app provides access to the Access Certifications section of the Admin Console.
Preconfigured campaigns
You can create the Okta administrator review campaign using the steps listed in Create preconfigured campaigns.
If you aren't subscribed to Okta Identity Governance, the Discover inactive users campaign is also available with limited functionality. Keep in mind that this campaign doesn't review users' admin role assignments.
Resource and user campaigns
Use the steps listed in Create resource campaigns or Create user campaigns, but keep these considerations in mind:
- User campaigns are available for governing admin roles only if you're subscribed to Okta Identity Governance.
- For resource campaigns, make the following selections on the Resources page:
  - Select Applications as the resource type and Okta Admin Console as the app. The Review entitlements checkbox is selected by default.
  - Select Specific entitlements and bundles.
  - Select Entitlements to certify admin roles assigned directly from the Admin Console. Alternatively, select Bundles to certify admin roles that were assigned using access request conditions.
- For user campaigns, make the following selections on the Resources page:
  - Select the Resource scope as All apps or All apps and groups.
  - Select Include Okta admin roles to include the user's admin role assignments.
- For both resource and user campaigns, the following checkboxes are selected by default on the Reviewers page. You can't clear the selections.
  - Disable self-review: Reviewers can't approve or revoke their own access to resources.
  - Require business justification: Reviewers must provide a reason for their decision to approve or revoke user access to a resource.
  - Disable reassignments: Reviewers can't reassign review items to another user. However, as a super admin, you can still reassign review items to another reviewer after the campaign is active.
- If your own admin assignments are reviewed in a campaign, ensure that you aren't a reviewer for that campaign. This is to avoid errors at the time of campaign launch.
- Select reviewers carefully for campaigns that govern admin roles. Regardless of whether a reviewer is an admin or not, they can approve or revoke access for review items assigned to them. They can do this even if the user whose access they're reviewing is an admin. The remediation happens immediately.