Review access to admin roles
Early Access release. See Enable self-service features.
Use Access Certifications campaigns to determine the users whose admin roles access need to be reviewed, who should review the access, and the remediation action that happens when a reviewer approves or denies access.
Users are granted access to the Okta Access Certification Reviews app in their dashboard if they have one or more review items assigned to them in a campaign. Reviewers can use the app to view review items that need their decision for a campaign and then approve or revoke a user's access.
Self-reviews are disabled by default for campaigns that govern admin roles. This means that admins can't approve, revoke, or reassign their own review item.
Best practices
-
Reviewers should verify their decisions before making them. When reviewers submit a decision for a review item, it's final and can't be changed.
-
When reviewers add a business justification to provide context on their decision, the note is visible to themselves, super admins, and the campaign creator.
-
For campaigns with multilevel reviews, keep the following considerations in mind:
-
Some review items are sent to second-level reviewers.
-
The second-level reviewer can take a decision only after the first-level reviewer approves or revokes a review item. It's important for the first-level reviewers to finish the reviews on time to avoid blocking the campaign's progress.
-
The second-level reviewer can view the first-level reviewer's decision and the justification for a review item.
-
The final reviewer varies depending on the campaign's configuration.
-
Remediation occurs only for the decisions of the final reviewer. See Understand remediation.
-
-
Considerations for reassigning review items:
-
Only super admins can reassign a review item for a campaign that reviews users' access to admin roles.
-
Reassigning a review item doesn't extend the campaign's end date. The new reviewer must approve or revoke access before the campaign ends.
-
The reviewer who you reassigned the review item to can view the justification you provided for reassigning the review item.
-
Start this task
-
On their End-User Dashboard, reviewers click Okta Access Certification Reviews.
-
On the My reviews page, they go to the Open tab, and select the access certification campaign that they want to begin reviewing.
-
They select a review item to view more details about the user and the resource, and the user's resource usage.
The Review details pane includes the following sections:
-
User Details: Information that's pulled directly from the user's profile in Okta.
-
Resource Details: This section contains the following information:
-
The application that's being reviewed.
-
When the user last accessed the application and any previous reviews related to access. After a reviewer completes a review, you (super admins) can also see their decision and business justification and the remediation that occurred.
-
When the user's access to the application was last reviewed.
-
When the application was assigned to the user.
-
The entitlements that the user has for the resources.
-
-
History: This section contains useful information such as details about the initial assignment, business justification for the reassignment, details of the assigned reviewer, and the reviewers' decision.
-
-
They click Approve or Revoke and provide a business justification for their decision. When they approve or revoke access, the remediation process begins immediately.
Reviewers (who aren't super admins) can't reassign a review item to another user.
-
They click Submit.
Reviewers can monitor their review metrics using the counts on the campaign page. In addition, they can reference the items that they've already reviewed from the Closed tab of the campaign's page. On the Closed tab, they can filter by Resource and Decision, and search by a specific user.