Govern Okta admin roles

Early Access release. See Enable self-service features.

Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.

Govern Okta admin roles streamlines the processes around requesting and approving access to admin roles. It helps you control who has access to your org’s admin roles, the level of access they have, and the access duration. This functionality provides an easy way for users to request time-bound access to admin roles, and for orgs to revoke those roles when they’re no longer needed.

How it works

Before you begin using this functionality, you should familiarize yourself with these concepts:

  • Admin role bundle is a combination of role and resource set. Govern Okta admin roles treats an admin role bundle as a group of entitlements that are associated with the Admin Console.

  • Access Requests allows you to streamline the process of requesting access to an admin role bundle. It provides an easy and secure way for users to submit requests, and automatically sends those requests to approvers for action. Once a request is approved, the user has time-bound access to the requested admin role.

  • Access Certifications helps you create audit campaigns to periodically review, approve, and revoke users’ admin role assignments. This helps avoid the accumulation of elevated or privileged access to a resource.

On the Administrators page, you can create admin role bundles that pair your org’s admin roles with one or more resources. Once you’ve created admin role bundles, you can configure access request conditions for them.

Conditions help you define rules for requesting access to an admin role bundle. They allow you to define who can make requests, the admin role bundle that they can request, and the access duration. You can also use conditions to select an approval sequence for users’ requests. An approval sequence is a series of steps for granting admin role bundles. When a user submits an access request, the approvers in the configured sequence are assigned approval tasks.

After you’ve defined your org’s admin role bundles, conditions, and approval sequences, users can submit access requests directly from the End-User Dashboard. When a request is approved, the user is granted the admin role for a limited time.

Using Access Certifications, you can create audit campaigns to review users with assigned admin role bundles and revoke access where needed. This helps ensure that your org’s critical resources are secured, and that only the right users have access to them.

You can view admin role bundles and their expiration dates in the Admin role assignments report. If you're subscribed to Okta Identity Governance, you can also use the Past Campaign Details report, Past Campaign Summary report, and User entitlements report.


The Govern Okta admin roles feature provides these important security features:

  • Orgs have more control over who can access your org’s admin roles and resources.
  • Time-bound admin access helps ensures that sensitive permissions and resources are protected.
  • Unnecessary standing admin assignments are eliminated.
  • Users can easily request admin access, and orgs can quickly grant and revoke that access.
  • Campaigns allow you to review users' admin role assignments periodically to avoid accumulation of elevated or privileged access.

Govern Okta admin roles may use security controls and sub-processors that are different from those used in other Workforce Identity Cloud subscriptions. For more information, see Okta Trust and Compliance Documentation.


Get started

Access Requests for admin roles

Access Certifications for admin roles