Create campaigns

Create campaigns to periodically review your users’ access to applications and groups within Okta. You can schedule campaigns in advance and modify them before they launch.

A campaign becomes active on the start date and is marked as closed on the end date. You can launch a campaign before its start date and end an active campaign before its scheduled end date. After a campaign launches, you can reassign review items or end the campaign. You can’t modify a campaign after it ends.

Best practices

  • Select a campaign name that is self-explanatory. Campaign names are visible to your reviewers. We recommend using unique names that include the month and year.
  • For the campaign description, include information that can help a reviewer understand the purpose of the campaign. For example, if you have set up a campaign to review Salesforce permissions of users, you can add that as the campaign description to provide the context to the reviewers.
  • Ensure that the resource associated with the campaign exists in Okta and isn’t deactivated or deleted.
  • The number of review items in a campaign must be between 1 and 100,000. To better manage large campaigns, we recommend that you split reviews in to multiple campaigns.
  • Don’t rename, modify, or delete the Access Certification Reviewer group. Reviewers are automatically added to this group when review items are assigned to them. Modifying this group in any way can result in reviewers losing access to the campaign and may not be able to complete their reviews. If you accidentally delete the group, contact Okta Support.
  • Ensure that the fallback reviewer you select is active in Okta.
  • Currently, you can only have 500 active campaigns for an org. If you reach that limit, you may have to end some active campaigns before creating new campaigns.

Start this task

Ensure that you’re signed in as a super admin before doing the following steps.

  1. In the Admin Console, go to Identity Governance > Access certifications.
  2. Click + Create campaign. The Create campaign wizard launches.
  3. On the General pane, enter values for the following details:

    Field

    Value

    Campaign nameEnter a name for the campaign. Ideally, enter a name that is easy to understand for your reviewers.
    DescriptionDescribe the purpose of the campaign.
    Start dateSelect a start date for the campaign.

    Start time

    Select a start time and the timezone for the campaign.

    Duration

    Select the duration for which the campaign should run.

    Campaigns begin at 12 am. on the start date and close at 11:59 pm. on the end date in the timezone of the admin who configured the campaign.

  4. If you want the campaign to repeat after a specific interval, select the Make this recurring checkbox. If you only want to set up the single campaign at this time, skip the next two steps.

  5. Enter or select the appropriate values in the Repeats every section to configure the frequency of the recurring campaigns.

  6. In the Recurrence ends section, select either Never or On a specific date option based on your requirements.

  7. Click Next.
  8. On the Resources pane, select the resource type as Applications or Groups.
  9. Select the applications or groups that you want to include the campaign. You can add up to 50 resources in a campaign.
  10. Click Next.
  11. On the Users pane, select All users assigned to the resource or Specify user scope.
    • All users assigned to the resource: Users assigned to at least one of the resources selected are included in the campaign.
    • Specify user scope: Restricts the user scope to a specific set of users. Enter a valid Okta Expression Language (EL) expression to specify the user scope. The expression should result in true to include the user in the campaign or false to exclude from the campaign. See Define user scope.
  12. Recommended. In the Previewer reviewer field, enter a user’s name to check if they’re included in the campaign. Click Preview. You get a message stating whether the user is a part of the campaign or not.

    If you preview a user that isn’t assigned to a resource in the campaign, the preview indicates that they aren't a part of the campaign, even if the EL expression includes them.

  13. To exclude specific users from the campaign, select the Exclude users from the campaign checkbox and enter names of the users who should be excluded from the campaign.
  14. Click Next.
  15. On the Reviewer pane, select Static reviewer or Dynamic reviewer. The reviewers you select here are automatically added to the Access Certification Reviewer group. Don’t rename, modify, or delete the Access Certification Reviewer group. If you accidentally delete the group, contact Okta Support.
    • Static reviewer: Enter the name of the reviewer who should review access certifications of all users in the campaign. This reviewer is responsible for all reviewing all review items.
    • Dynamic reviewer:
      1. Enter a valid Okta EL expression to specify the reviewer. The expression should return the Okta User ID or username of the user who should be assigned as the reviewer. See Define dynamic reviewers.
      2. Recommended. In the Preview a user’s reviewer field, enter the name of a user to check who their reviewer is. Click Preview.
      3. In the Fallback reviewer field, enter the name of the user who should act as a reviewer if a reviewer isn’t assigned by the EL expression.

        The campaign won’t launch if the reviewers included in the campaign are in a deactivated or deleted status at the time the campaign is set to begin.

  16. In the Notifications section, select one or more of the following options:

    • Reviews assigned - Reviewers receive an email notification when review items are assigned to them at the time of campaign launch and when a review item gets reassigned.
      As an admin, you can customize the email that the reviewers receive at time of campaign launch. See Customize an email template

    • Reminder for pending reviews (before a campaign closes) - Reviewers who have pending review items receive an email notification a few days before the campaign closes. You can select how many days before the campaign's end date a reminder should be sent.
      As an admin, select this option if you also want to receive a reminder email prior to a campaign’s scheduled end date.

    • Campaign ended - Reviewers receive an email notification when the campaign closes.
      As an admin, you’re auto-subscribed for email notifications when a campaign you created launches or ends. You also get an email notification with a link to the campaign's page when a campaign fails to launch.

  17. Click Next.
  18. On the Remediation pane, select what happens when:
    • The reviewer approves or revokes a user’s access.
    • The reviewer doesn’t respond.
  19. Click Schedule campaign.

You can view the campaign you just created on the Scheduled tab of the Access certification campaigns page. You can modify a scheduled campaign at any time before the campaign becomes active but not after it has become active or has closed. See Modify a scheduled campaign and End an active campaign.

As an admin, you can reassign review items to a different reviewer even when the campaign is active.

After you schedule a campaign, it becomes active on the scheduled start date. Your reviewers can access the review items assigned to them from the Okta Access Certification Reviews app tile on their dashboard. They can approve, revoke, or reassign the review items.

If a scheduled campaign fails to launch, you’re notified by email. To view errors, you can do any of the following steps:

  • Click the View Campaign button from the email notification.
  • Open the campaign from the Closed tab of the Access certification campaigns page.
  • Go to the System Log.

Resolve the errors before you recreate the campaign. You may want to note down the Okta Expression Language expressions for users and reviewers, from the Overview section for recreating the campaign. You can delete a campaign that failed to launch from the Actions menu.

You can also view any active and closed campaigns on the Access certification campaigns page. Recurring campaigns are marked with the Recurring label on the Scheduled tab to indicate that they are a part of a series of recurring campaigns. Closed campaigns are stored for 12-months.

Currently, you can only have 500 active campaigns for an org. You may have to end some active campaigns if you reach that limit.

Related topics

Examples of Okta Expression Language

About remediation

View the progress of an active campaign

Modify a scheduled campaign

End an active campaign