Review campaigns
Use Access Certifications campaigns to periodically review users' access to resources. During a campaign, a campaign creator determines the users, resources, and reviewers that are part of the campaign.
If a reviewer is assigned one or more items in a campaign, they're granted access to the Okta Access Certification Reviews application in their End-User Dashboard. They can review and make decisions about a user's current access in the app.
Reviewers use the Okta Access Certification Reviews app to approve or revoke a user's access, or reassign the review item to another user if needed. Their decisions on review items are final and can't be changed.
When the campaign has self-reviews disabled, admins can't approve, revoke, or reassign their own review item.
Best practices for reviewers
- If you or reviewers are reviewing user access to admin roles, see Review access to admin roles instead.
- Verify decisions before making them. When reviewers submit a decision for a review item, it's final and can't be changed.
- Add a business justification to provide context on the decision, whether that is to approve or revoke access. This note is visible to you, the campaign creator, and the reviewers. The justification also becomes visible to any user who gets reassigned the review item.
- Reviewers can reassign a review item to another person if they think someone else is better suited to review a user's access. Reassigning a review item doesn't extend the campaign's end date. The new reviewer must approve or revoke access before the campaign ends. See Reassign review items.
- For campaigns with multilevel reviews, keep the following considerations in mind:
  - Some review items are sent to second-level reviewers.
  - The second-level reviewer can make a decision only after the first-level reviewer approves or revokes a review item. It's important for first-level reviewers to finish their reviews on time to avoid blocking the campaign's progress.
  - The second-level reviewer can view the first-level reviewer's decision and the justification for a review item.
  - The final reviewer varies depending on the campaign's configuration.
  - Remediation occurs only for the decisions of the final reviewer. See Understand Disable self-review.
Start this task
- On the End-User Dashboard, reviewers click Okta Access Certification Reviews.
- On the My reviews page, they go to the Open tab, and select the access certification campaign that they want to begin reviewing.
- Optional. They select a review item to view more details about the user and resource they're reviewing, and the user's resource usage.
  The Review details pane includes the following sections. Reviewers can sort, filter, or hide columns in this pane if you enabled the Customizable Reviewer Context feature.
  - User Details: Information pulled directly from the user's profile in Okta.
  - Resource Details: This section contains the following information:
    - The app or group that they're reviewing.
    - When the user last accessed the app and any previous reviews related to access. After they complete a review, as a super or access certifications admin, you can also review the decision and business justification they entered.
    - When the user's access to the app or group was last reviewed.
    - When the app was assigned to the user.
    - The entitlements that the user has for the resources.
  - History: This section contains useful information such as details about the initial assignment, business justification for the reassignment, details of the assigned reviewer, and the reviewers' decision.
- Optional. They can click Reassign to reassign a review item to another person. They can follow steps 3 - 6 listed in the Reassign review items topic.
- Reviewers click Approve or Revoke. They provide a business justification for their decision. When they approve or revoke access, the remediation process begins immediately.
- They click Submit.
If the campaign creator has allowed selecting multiple review items simultaneously, reviewers can also select multiple review items and approve or revoke access or reassign the reviews for the selected items. They can only take one action at a time, and the business justification that they enter applies to the selected review items. Reviewers can always reassign multiple review items to another user, but they must provide a justification for the reassignment.
Reviewers can also monitor their review metrics using the counts on the campaign page. In addition, they can reference the items that they've already reviewed from the Closed tab of the campaign's page. On the Closed tab, they can filter their reviews using various options or search for a specific user.