Access Certifications for admin roles
Early Access release. See Enable self-service features.
Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.
It's important for organizations to periodically identify and review users, such as admins, who have access to critical resources. Use Access Certifications to create campaigns that periodically review your users' admin role assignments, so that elevated or privileged access doesn't accumulate.
As a super admin, you can create and run resource campaigns periodically to govern Okta admin roles and ensure that your users have the right level of access.
A resource campaign displays all users who have access to a resource.
You can select a resource, such as Okta Admin Console. Next, select all users assigned to it or define a specific set of users using the Okta Expression Language. You can also exclude certain users from the campaign.
Specify campaign reviewers who are responsible for reviewing users' admin role assignments. You can also have multiple rounds of approval. Next, define what remediation actions are taken when a reviewer approves or denies a user's access.
To learn more about Access Certifications, see Access Certifications and Campaigns.
You can view admin role bundles and their expiration dates in the Admin role assignments report. If you're subscribed to Okta Identity Governance, you can also use the Past Campaign Details report, Past Campaign Summary report, and User entitlements report.