Create campaigns

Create campaigns to periodically review your users' access to resources and associated entitlements (including standard and custom admin roles).

Best practices

  • If you enabled Govern Okta admin roles, you can use a resource campaign to review user admin role assignments.

    Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.

  • Select a campaign name that is self-explanatory. Campaign names are visible to your reviewers.
  • For the campaign description, include information that can help a reviewer understand the purpose of the campaign. For example, if you have set up a campaign to review Salesforce permissions of users, you can add that as the campaign description to provide the context to the reviewers.
  • Ensure that the resource associated with the campaign exists in Okta and isn’t deactivated or deleted.
  • Keep Known issues and limits in mind.
  • See Recurring campaign considerations.
  • Ensure that the fallback reviewer that you select is active in Okta.
  • Ensure that the managerId user attribute is set as the Okta username or email address of the user's manager to use the Manager reviewer type. Otherwise, the campaign fails to identify the manager and the review gets assigned to the fallback reviewer.
  • To review entitlements for an app in a campaign, ensure that you have Governance Engine enabled for the app and you've created entitlements. See Get started with Entitlement Management.
  • To use the Group Owner reviewer type, ensure that you have group owners configured in Okta. See Configure Okta group owners.

  • While defining reviewers, select the Disable self-review checkbox to ensure that users don’t review and approve their own access to critical resources.

  • For campaigns with multilevel reviews, keep the following considerations in mind:

    • You can set up two levels of review in a single campaign.

    • Review items are sent to the second-level reviewer only after the first-level reviewer approves or revokes them. It’s important for the first-level reviewers to take decisions on review items on time to avoid blocking the campaign’s progress.

    • The second-level reviewer can view the first-level reviewer’s decision and the justification for a review item.

    • The final reviewer varies depending on the campaign’s configuration.

    • The remediation options that you configure for a campaign are applicable to the decisions made by the final reviewer. See Remediation settings.

Before you begin

  • Ensure that you’re signed in as a super admin or an access certifications admin.

  • If you're creating a campaign to govern admin roles, ensure that you're signed in as a super admin and have the feature enabled. Also, read the considerations listed in the Create a campaign for governing admin roles topic.

  • If you want to restrict the campaign to include users from a specific realm using Okta Expression Language, ensure that you have the Realms feature enabled.

Start this task

  1. In the Admin Console, go to Identity GovernanceAccess Certifications.
  2. Click Create campaign.

  3. Select a campaign type from the Create campaign dropdown menu.

    • Resource campaign: Resource campaigns focus on setting the resource scope for your campaign so that you can review all users who have access to those resources. This campaign type helps you review access to sensitive resources and helps you meet compliance requirements. Use this campaign type if you want to specifically review user’s admin role assignments.

    • User campaign: User campaigns focus on defining the user scope for your campaign so that you can do a comprehensive review of all resources assigned to those users. This campaign type helps you review users’ access to resources when specific events happen, such as a department, role, or project change.

      User's admin roles assignments aren't included for review in a user campaign.

  4. Configure your requirements in the wizard. The configuration for Users and Resources pages varies depending on your campaign type.

    Resource campaigns

    1. General settings

    2. Resource settings

    3. User settings

    4. Reviewer settings

    5. Remediation settings

    User campaigns

    1. General settings

    2. User settings

    3. Resource settings

    4. Reviewer settings

    5. Remediation settings

  5. Optional. Add or change the campaign's contextual information to help your reviewers. See Customizable reviewer context.

  6. Click Schedule campaign.

Related topics

Campaign wizard fields

Examples of Okta Expression Language

View the progress of an active campaign

Modify a scheduled campaign

Modify campaign's end date