As an admin, you can decide what happens when a reviewer approves or revokes a user’s access to a resource and also what happens when a reviewer doesn’t complete a review. You can also customize the remediation using Okta Workflows. Note that if an app or a group was assigned to the user through group rules or group membership, you may have to remediate manually.
- Select a reviewer action on the Remediation pane
- Customize remediation
- Handle remediation manually
While creating or modifying a campaign, on the Remediation pane, you can select one of the following remediation options for a reviewer action:
| Reviewer action | Available options |
| --- | --- |
| Approve access | The default remediation is set to Don’t take any action. |
Customize remediation using Okta Workflows
Okta Workflows enables you to automate otherwise manual remediation tasks such as:
- Trigger a ticket to your ITSM, such as ServiceNow, to manually deprovision accounts from your application.
- Delay remediation events for a certain number of days or until the campaign has closed.
- Send custom notifications to users who have had their access removed, so they are aware and can request access again if they think it should be restored.
You can use all access certification decisions as events to build custom workflows. See Access Certification Decision Submitted in the Okta Connector.
For more information on configuring Okta Workflows, see Build Flows.
Handle remediation manually
If you have set Remove user from the resource as a remediation option, you may see the remediation status as Manual Remediation Required when:
- The user was assigned to an application through a group.
- The user was added to a group through group rules.
- The user is a member of an app-sourced group.
Considerations for manual remediation
- Before removing a user from a group, check the assignments that the user gets from a group. Apps, admin roles, sign-on policies, and other privileges are often assigned through groups. Removing a user from a group will revoke all assignments that the user gets through that group.
- Check if a user has multiple group memberships that could assign them to an application. To remove access, you must remove the user from all groups through which they get access to an application.
- Check how an app-sourced group is used in the source application before removing it to ensure there aren’t any unintended consequences.
Remediate access by taking the following recommended actions:
Okta-sourced group membership
Remove the user from the Okta-sourced group using Workflows.
App-sourced group membership (for example, an AD group)
Remove the user from the app-sourced group. For example, remove the user from the group in AD.
Remove the user from the group and add the user as an exception to the group rule.
Remove the user from the app-sourced group. For example, remove the user from the group in AD.
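The considerations and recommended actions above can be combined into a check that runs before any manual removal. The following Python code is an added example, not Okta code or Okta API output: the group names, the `source`, `via_rule` and `grants` fields and both function names are hypothetical, and the data is constructed. It lists every group through which the user gets the reviewed resource, the recommended action for each, and which other assignments would be revoked as a side effect.

```python
# Constructed sample data with hypothetical names; not Okta API output.
GROUPS = {
    "Sales":       {"source": "okta", "grants": {"app:CRM", "app:Expenses"}},
    "AD-Finance":  {"source": "app",  "grants": {"app:Expenses", "role:ReportAdmin"}},
    "Contractors": {"source": "okta", "grants": {"app:Expenses", "policy:VPN-SignOn"}},
    "Everyone-HQ": {"source": "okta", "grants": {"app:Wiki", "app:CRM"}},
}
# The reviewed user's memberships; via_rule marks membership added by a group rule.
MEMBERSHIPS = [
    {"group": "Sales", "via_rule": False},
    {"group": "AD-Finance", "via_rule": False},
    {"group": "Contractors", "via_rule": True},
    {"group": "Everyone-HQ", "via_rule": False},
]

def recommended_action(source, via_rule):
    """Map a membership to the recommended action listed on this page."""
    if via_rule:  # assumption: rule-based membership is checked first
        return "remove from group and add user as an exception to the group rule"
    if source == "app":
        return "remove from the group in the source application (for example, AD)"
    return "remove from the Okta-sourced group using Workflows"

def plan_manual_remediation(target, memberships, groups):
    """List every group that grants `target`, the action, and collateral loss."""
    granting = [m for m in memberships if target in groups[m["group"]]["grants"]]
    granting_names = {m["group"] for m in granting}
    # Assignments the user keeps through groups that are not being removed.
    retained = set()
    for m in memberships:
        if m["group"] not in granting_names:
            retained |= groups[m["group"]]["grants"]
    plan = []
    for m in granting:
        g = groups[m["group"]]
        plan.append({
            "group": m["group"],
            "action": recommended_action(g["source"], m["via_rule"]),
            # Other assignments revoked as a side effect of leaving this group.
            "also_revoked": sorted(g["grants"] - {target} - retained),
        })
    return plan

if __name__ == "__main__":
    for step in plan_manual_remediation("app:Expenses", MEMBERSHIPS, GROUPS):
        print(step)
```

A non-empty `also_revoked` list marks a removal that needs review before it is carried out, because the user would lose an app, role or policy that the campaign did not cover.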