Governance analyzer

Early Access release. See Enable self-service features.

Provide access certification campaign reviewers with insights and recommendations about approving or revoking user access with Governance Analyzer. This helps reviewers make informed decisions about the user's access during campaigns. Governance Analyzer reviews the access management data in your org and analyzes it to provide insights and approve/revoke recommendations to reviewers.

Reviewers often lack the context needed to make confident, consistent decisions about user access. Without data-driven guidance, access reviews can be inconsistent, time-consuming, or prone to careless approvals, which increases organizational security risk.

Governance Analyzer addresses this challenge by surfacing contextual, data-driven insights and recommendations to campaign reviewers. It provides insights and recommendations to reviewers by collecting and analyzing the full suite of access management data that your org generates. This helps your organization better govern resource access, reduce its attack surface, and support compliance with access governance policies.

Currently, Governance Analyzer insights and recommendations are only available for campaign review items that certify access to groups, apps, entitlements, and entitlement bundles as resources.

The Governance Analyzer approve/revoke recommendations and insight data that are provided to reviewers are for informational purposes only. Reviewers should use this information as a supplement to, not a substitute for, their independent judgement and normal review processes. Okta makes no guarantees related to, and disclaims all liability surrounding, your use of the insights and recommendations to inform your certification review decisions.

Insights

An insight is contextual information generated by Governance Analyzer and surfaced to reviewers in the Review details panel of a review item. Insights include separation of duties rule conflicts, usage history, past governance decisions, assignments, and user profile changes.

Governance Analyzer provides insights based on app assignments, group membership, app access, and previous governance decisions. Four primary insights are displayed to the reviewer in addition to a separation of duties insight (if applicable).

  • Separation of duties

    This insight is determined based on the separation of duties rules defined for the app. A yellow warning icon indicates that the user's existing access violates one or more separation of duties rule(s).

  • Usage history

    This insight is determined by the user's last access date, compared to the average last access date of all users in the org. A yellow warning icon can indicate either of the following scenarios:

    • The user's last access date (or the date they were assigned to the app) is more than 90 days ago.

    • The user's last access date is less recent than the average access date.

  • Past governance decisions

    This insight is determined by other governance decisions made for the same user/resource pair.

    A yellow warning icon can indicate either of the following things:

    • The last governance decision for this pair was left unreviewed in the last two campaigns, and those campaigns weren't test campaigns. For example, they weren't opened and then closed immediately afterward.

    • The last governance decision for this user-resource pair was "revoke", but the user still has access to the resource.

    A green checkmark icon can indicate that the last governance decision for this user/resource was approved.

  • Assignment method

    This insight is based on the method used to assign the resource to the user and how the user's resource assignment method compares to that of other users assigned to that resource in the org. A yellow warning icon can indicate that the user was assigned to the resource individually, but most users were assigned by group, entitlement bundle, collection, policy, or import.

    When an entitlement is assigned to a user by entitlement bundle, policy, or collection, Okta always associates a green checkmark icon with the insight, regardless of how the user's entitlement assignment method compares to that of other users in the org.

  • User profile changes

    This insight is determined by changes in a user's division, organization, department, cost center, or user type. This change is compared to the date of their last approval (or the date of their assignment, if there's no approval). A yellow warning icon can indicate that the user's attribute has changed since then. A green checkmark icon can indicate that there hasn't been any change.
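The warning conditions listed above can be reproduced over your own access export, for example to check which review items a campaign should flag. The sketch below is an added illustration, not Okta's code or API: the record layout, field names, the reading of "most users" as more than half, and the handling of test campaigns are all assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta
from statistics import mean

STALE_AFTER = timedelta(days=90)  # threshold stated on this page
BULK = {"group", "entitlement_bundle", "collection", "policy", "import"}
ALWAYS_OK = {"entitlement_bundle", "policy", "collection"}
PROFILE_ATTRS = {"division", "organization", "department", "cost_center", "user_type"}

def usage_warning(last_access, assigned_on, org_last_access, today):
    # Fall back to the assignment date when the user has never accessed the app.
    stale = today - (last_access or assigned_on) > STALE_AFTER
    avg = date.fromordinal(round(mean(d.toordinal() for d in org_last_access)))
    return stale or (last_access is not None and last_access < avg)

def decision_warning(history, has_access):
    # history: oldest-to-newest (decision, is_test) pairs; test campaigns
    # are skipped before looking at the last two (assumption).
    real = [d for d, is_test in history if not is_test]
    return real[-2:] == ["unreviewed"] * 2 or (real[-1:] == ["revoke"] and has_access)

def assignment_warning(method, peer_methods, is_entitlement=False):
    if is_entitlement and method in ALWAYS_OK:
        return False  # the page says these always get the green checkmark
    bulk = sum(m in BULK for m in peer_methods)
    # "most users" is read here as more than half (assumption).
    return method == "individual" and bulk * 2 > len(peer_methods)

def profile_warning(changes, last_approval, assigned_on):
    # changes: (attribute, change_date) pairs; compare against the last
    # approval, or the assignment date when there is no approval.
    since = last_approval or assigned_on
    return any(attr in PROFILE_ATTRS and on > since for attr, on in changes)

def review_flags(item, org, today):
    return {
        "usage_history": usage_warning(item["last_access"], item["assigned_on"],
                                       org["last_access"], today),
        "past_decisions": decision_warning(item["history"], item["has_access"]),
        "assignment_method": assignment_warning(item["method"], org["methods"]),
        "profile_changes": profile_warning(item["changes"], item["last_approval"],
                                           item["assigned_on"]),
    }

# Constructed sample data, not taken from any real org.
TODAY = date(2025, 6, 30)
ORG = {"last_access": [date(2025, 6, 1), date(2025, 6, 20), date(2025, 5, 10)],
       "methods": ["group", "group", "policy", "individual"]}
ITEM = {"last_access": date(2025, 2, 1), "assigned_on": date(2024, 1, 15),
        "has_access": True, "method": "individual", "last_approval": date(2024, 12, 1),
        "history": [("approve", False), ("revoke", False), ("unreviewed", True)],
        "changes": [("department", date(2025, 3, 5))]}
```

Calling `review_flags(ITEM, ORG, TODAY)` on the sample item raises all four warnings: access is older than 90 days, the last non-test decision was a revoke that never took effect, the assignment is individual while most peers are assigned in bulk, and the department changed after the last approval.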

Recommendations

Governance Analyzer recommendations are data-driven, machine learning-based approve or revoke access recommendations for reviewers. Governance Analyzer generates recommendations based on your org data and insights for each review item.

If the user's access has a separation of duties (SoD) rule conflict, Governance Analyzer always recommends that the reviewer revoke the user's access, regardless of other insights. The reviewer should review all the SoD conflicts that exist together to determine which entitlement(s), if any, to review.

To allow Governance Analyzer to generate insights and recommendations and display them to reviewers, complete the steps in Configure Governance Analyzer settings.

Related topics

Configure Governance Analyzer settings