Access Certifications
As an organization, it's important to periodically identify and review users who have access to your critical resources. This ensures that only users who need a resource have access to it and avoids the accumulation of elevated or privileged access to a resource.
Use Access Certifications to create audit campaigns to review your users' access to resources periodically and approve or revoke access automatically when required. In each campaign, you can specify the following items:
- The start date and duration of the campaign.
- The resources (apps or groups) that you want to include in the review.
- The users or teams that you want to include in the campaign.
- The reviewers who must review the access for each user and resource.
You can also view previously closed campaigns and generate reports.
The Access Certifications process helps your company meet the following requirements:
- Secure critical resources by reducing risk of inappropriate access to these resources.
- Pass industry audits by being able to verify access and provide evidence to auditors that only the right users have access to the right resources.
- Reduce license costs related to license sprawl from temporary projects or users changing teams within an organization.
- Use existing Okta configurations and app integrations to easily create campaigns and automate removal in third-party apps.
Known issues and limits
- The campaign launch fails if the resources or reviewers included in the campaign are in a deactivated or deleted status at the start time of the campaign. You receive an email notification containing a list of errors when a campaign fails to launch. You can also check the Closed tab of the Access certification campaigns page or the Events table in the System Log for more information on the error.
- Automated access revocation is limited to resources (groups or applications) that were individually assigned to a user. You need to remediate manually in other situations wherein a user was assigned access to a resource through group membership or group rules. See Understand remediation for more information on identifying these cases and how to manually resolve them.
The following limits are applicable for your org:
Limit type | Limit | Maximum |
---|---|---|
General | Active campaigns in an org | 500 |
General | Review items in a campaign | 1 to 100,000. To better manage large campaigns, split reviews into multiple campaigns. |
Resource campaigns | Resources included in a campaign | 50 |
Resource campaigns | Apps reviewing entitlements | 10 |
User campaigns | Individual users | 100 |
User campaigns | User groups | 5 |
User campaigns | Excluded resources | 50. You can exclude a maximum of 50 apps or groups, or a combination of both. |
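
The known issues and limits above can be checked before a resource campaign is scheduled. The following pre-flight planner is an added example, not Okta code and not a call to any Okta API: the `Resource` record, the `"individual"`/`"group"` labels, and the assumption that one user/resource pair is one review item are all hypothetical.

```python
from dataclasses import dataclass, field

# Limits taken from the table on this page.
MAX_RESOURCES = 50          # resources included in a campaign
MAX_REVIEW_ITEMS = 100_000  # review items in a campaign

@dataclass
class Resource:
    """Hypothetical planning record, not an Okta API object."""
    name: str
    status: str = "ACTIVE"                           # or "DEACTIVATED" / "DELETED"
    assignments: list = field(default_factory=list)  # (user, "individual" | "group")

def preflight(resources, reviewers, max_resources=MAX_RESOURCES, max_items=MAX_REVIEW_ITEMS):
    """Return (errors, campaigns, manual) for a planned resource campaign.

    errors:    conditions that would make the launch fail
    campaigns: lists of resource names, each within the per-campaign limits
    manual:    (user, resource) pairs that automated revocation cannot remove
    """
    errors = [f"resource {r.name} is {r.status}" for r in resources if r.status != "ACTIVE"]
    errors += [f"reviewer {n} is {s}" for n, s in reviewers.items() if s != "ACTIVE"]
    campaigns, batch, items = [], [], 0
    for r in resources:
        if r.status != "ACTIVE" or not r.assignments:
            continue  # nothing reviewable; a campaign needs at least 1 review item
        n = len(r.assignments)  # assumption: one review item per user/resource pair
        if n > max_items:
            errors.append(f"resource {r.name} alone has {n} review items")
            continue
        # Start a new campaign when either per-campaign limit would be exceeded.
        if batch and (len(batch) == max_resources or items + n > max_items):
            campaigns.append(batch)
            batch, items = [], 0
        batch.append(r.name)
        items += n
    if batch:
        campaigns.append(batch)
    # Access granted through a group needs manual remediation after a revoke decision.
    manual = [(u, r.name) for r in resources if r.status == "ACTIVE"
              for u, how in r.assignments if how == "group"]
    return errors, campaigns, manual

def sample_plan():
    """Constructed sample: 60 groups, one deactivated app, one deactivated reviewer."""
    res = [Resource(f"group-{i}", assignments=[("alice", "individual"), ("bob", "group")])
           for i in range(60)]
    res.append(Resource("legacy-app", status="DEACTIVATED"))
    return res, {"carol": "ACTIVE", "dave": "DEACTIVATED"}
```

Running `preflight(*sample_plan())` reports the two launch blockers, splits the 60 groups into campaigns of 50 and 10, and lists the 60 group-derived assignments that need manual remediation.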