Remediation
You can decide what happens when a reviewer approves or revokes a user's access to a resource, or doesn't complete a review. You can also customize the remediation using Okta Workflows. You must remediate reviews manually if a user's app or group assignment comes through group rules or group membership.
Select a reviewer action
While creating or editing a campaign, you can select one of the following remediation options for a reviewer action:
| Reviewer action | Available options |
|---|---|
| Approve access | The default remediation is Don't take any action. |
| Revoke access | |
| Doesn't respond | |
For multilevel reviews, reviews are sent to the second-level reviewer only after the first-level reviewer has approved or revoked them. If the first-level reviewer doesn’t respond and the campaign ends, your remediation configuration for reviewer Doesn’t respond takes effect.
The first-level reviewer decisions that are sent to the second-level reviewer determine the final reviewer for those items and the subsequent remediation:
Only approved decisions: The second-level reviewer is the final reviewer for the approved reviews. If they don’t respond and the campaign ends, your remediation configuration for reviewer Doesn’t respond takes effect.
For example, you selected that Only approved decisions go to the second-level reviewer. In this case, the second-level reviewer is the final reviewer for all approved review items, but not for the revoked ones. Your remediation configuration applies to the decisions made by the second-level reviewer.
However, for the review items that the first-level reviewer revoked, the first-level reviewer is the final reviewer. Your remediation configuration for Revoke access applies for those reviews.
Both approved and revoked decisions: The second-level reviewer is the final reviewer for all approved and revoked reviews. If the second-level reviewer doesn’t respond and the campaign ends, your remediation configuration for reviewer Doesn’t respond takes effect.
For example, you selected that Both approved and revoked decisions go to the second-level reviewer. In this case, the second-level reviewer is the final reviewer for those review items. Your remediation configuration applies to the decisions made by the second-level reviewer. If they don’t respond, then your remediation configuration for reviewer Doesn’t respond takes effect.
Note: Multilevel Reviews is an Early Access feature for orgs with Identity Governance enabled. Use the Early Access Feature Manager as described in Manage Early Access and Beta features to enable the feature.
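The rules above determine, for each review item, who the final reviewer is and which of your three remediation settings applies. The following added example (not Okta code; the configuration fields, routing constants and decision strings are assumptions chosen to mirror the text, while the option names in the sample come from this page) encodes those rules so you can check a campaign configuration against the outcomes you expect:

```python
"""Resolve the final reviewer and the applicable remediation for a single
review item in a campaign with multilevel reviews.

Added illustration, not Okta's own code. The configuration fields, the
routing constants and the decision strings are assumptions chosen to mirror
the documentation; the remediation option names used in the sample come
from the documentation ("Don't take any action", "Remove user from the
resource").
"""
from dataclasses import dataclass
from typing import Optional

# Which first-level decisions are forwarded to the second-level reviewer
ONLY_APPROVED = "only_approved"            # "Only approved decisions"
BOTH = "both_approved_and_revoked"         # "Both approved and revoked decisions"


@dataclass(frozen=True)
class RemediationConfig:
    approve: str       # remediation chosen for the reviewer action "Approve access"
    revoke: str        # remediation chosen for "Revoke access"
    no_response: str   # remediation chosen for "Doesn't respond"


@dataclass(frozen=True)
class Outcome:
    final_reviewer: str        # "first-level" or "second-level"
    decision: Optional[str]    # "approve", "revoke", or None (no response before campaign end)
    remediation: str


def resolve(config: RemediationConfig, routing: str,
            first: Optional[str], second: Optional[str] = None) -> Outcome:
    """Apply the documented rules. `first`/`second` are the level-one and
    level-two decisions: "approve", "revoke", or None when that reviewer did
    not respond before the campaign ended."""
    if routing not in (ONLY_APPROVED, BOTH):
        raise ValueError(f"unknown routing: {routing}")
    for d in (first, second):
        if d not in ("approve", "revoke", None):
            raise ValueError(f"unknown decision: {d}")
    # A non-responding first-level reviewer: the item never reaches level two.
    if first is None:
        return Outcome("first-level", None, config.no_response)
    forwarded = routing == BOTH or first == "approve"
    if not forwarded:
        # Under "Only approved decisions" a revoke stops at level one; the
        # first-level reviewer is final and the "Revoke access" setting applies.
        return Outcome("first-level", first, config.revoke)
    # The item reached the second-level reviewer, who is final for it.
    if second is None:
        return Outcome("second-level", None, config.no_response)
    remediation = config.approve if second == "approve" else config.revoke
    return Outcome("second-level", second, remediation)


def summarize(config: RemediationConfig, routing: str, items) -> dict:
    """Count which remediation applies across (first, second) decision pairs."""
    counts = {}
    for first, second in items:
        r = resolve(config, routing, first, second).remediation
        counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    cfg = RemediationConfig(approve="Don't take any action",
                            revoke="Remove user from the resource",
                            no_response="Remove user from the resource")
    # The same level-one revoke ends differently under the two routing modes.
    for routing in (ONLY_APPROVED, BOTH):
        print(routing, resolve(cfg, routing, "revoke", "approve"))
```

The interesting case is a level-one revoke that a level-two reviewer would have approved: under Only approved decisions the item never reaches level two, so the Revoke access remediation runs; under Both approved and revoked decisions the second-level approval is final and the Approve access remediation applies instead.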
Customize remediation using Okta Workflows
Okta Workflows enables you to automate the following remediation tasks:
- Trigger a ticket to your IT service management (ITSM), such as ServiceNow, to deprovision accounts from your application manually.
- Delay remediation events by a few days or until the campaign has closed.
- Send custom notifications to users who have had their access removed, so they're aware and can request access again if needed.
You can use all access certification decisions as events to build custom workflows. See Access Certification Decision Submitted in the Okta Connector.
For more information on configuring Okta Workflows, see Build Flows.
Handle remediation manually
If you have set Remove user from the resource as a remediation option, you may see the remediation status as Manual Remediation Required in the following situations:
- The user was assigned to an application through a group.
- The user was added to a group through group rules.
- The user is a member of an app-sourced group.
Considerations for manual remediation
- Before removing a user from a group, check the assignments that the user gets from a group. Apps, admin roles, sign-on policies, and other privileges are often assigned through groups. Removing a user from a group revokes all assignments that the user gets through that group.
- Check if a user has multiple group memberships that could assign them to an app. To remove access, you must remove the user from all groups that give them access to an app.
- Before removing an app-sourced group, check its usage in the source app.
Remediate access by taking the following recommended actions:
| Resource | Assigned through | Recommended action |
|---|---|---|
| Application | Okta-sourced group membership | Remove the user from the Okta-sourced group using Workflows. |
| Application | App-sourced group membership (for example, Active Directory (AD) group) | Remove the user from the app-sourced group. |
| Okta-sourced group | Group rules | Remove the user from the group and add them as an exception to the group rule. |
| App-sourced group | Imports | Remove the user from the app-sourced group. |
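The considerations and the table above amount to a small checklist: find every group that grants the app, note what else each group grants (other apps, admin roles), and pick the action that matches the group's type. The following added example (not Okta code and not an API call; the group model and the directory data are a constructed sample) works through that checklist for a user and an app:

```python
"""Work out which groups give a user access to an app, what else would be
revoked by removing the user from each group, and which documented action
applies to each group.

Added illustration, not Okta code or API calls. The directory below is a
constructed sample; in practice this data would come from your Okta org.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    source: str                           # "okta" (Okta-sourced) or "app" (app-sourced, e.g. an AD group)
    apps: frozenset                       # apps assigned to members through this group
    admin_roles: frozenset = frozenset()  # admin roles granted through this group
    rule_managed: bool = False            # membership populated by an Okta group rule


# Constructed sample data (not real groups or users)
GROUPS = {
    "eng-all": Group("eng-all", "okta", frozenset({"GitHub", "Jira"}), rule_managed=True),
    "github-admins": Group("github-admins", "okta", frozenset({"GitHub"}),
                           admin_roles=frozenset({"Group Admin"})),
    "AD-Finance": Group("AD-Finance", "app", frozenset({"NetSuite"})),
}
MEMBERSHIPS = {
    "alice": {"eng-all", "github-admins", "AD-Finance"},
    "bob": {"AD-Finance"},
}


def groups_granting(user: str, app: str) -> set:
    """Every group the user belongs to that assigns the app. Access is only
    gone once the user is out of all of them."""
    return {g for g in MEMBERSHIPS.get(user, set()) if app in GROUPS[g].apps}


def collateral(group: str, app: str) -> dict:
    """Assignments other than `app` that leaving `group` would also revoke."""
    g = GROUPS[group]
    return {"apps": sorted(g.apps - {app}), "admin_roles": sorted(g.admin_roles)}


def recommended_action(group: str) -> str:
    """Map the group's type to the recommended action from the table."""
    g = GROUPS[group]
    if g.source == "app":
        return "Remove the user from the app-sourced group (check its usage in the source app first)."
    if g.rule_managed:
        return "Remove the user from the group and add them as an exception to the group rule."
    return "Remove the user from the Okta-sourced group."


def remediation_plan(user: str, app: str) -> list:
    """One step per granting group, with the side effects an admin should see
    before acting on the Manual Remediation Required status."""
    return [
        {"group": g, "action": recommended_action(g), "also_revokes": collateral(g, app)}
        for g in sorted(groups_granting(user, app))
    ]


if __name__ == "__main__":
    for step in remediation_plan("alice", "GitHub"):
        print(step)
```

For the sample user, revoking GitHub requires leaving two groups; leaving eng-all also drops Jira and needs a rule exception, and leaving github-admins also removes the Group Admin role. Surfacing those side effects before acting is the point of the first consideration above.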