Campaign wizard fields

Configure your requirements in the wizard.

Sign in as a super admin if you want to create or manage a campaign to govern Okta admin roles.

The Govern Okta admin roles feature is in Early Access. If you're subscribed to Okta Identity Governance, it's generally available.

General settings

Enter values for the following fields:

Campaign name

Enter a name for the campaign. Ideally, choose a name that your reviewers will understand.

Description

Describe the purpose of the campaign.

Start date

Select a start date for the campaign.

Start time

Select a start time and the time zone for the campaign.

Duration

Select the duration for which the campaign should run.

Campaigns with multilevel reviewers require a duration of seven days or more.

Recurring campaign considerations

As a super admin or an access certifications admin, you can set up a recurrence schedule so that a campaign runs periodically instead of being recreated by hand each cycle. Keep the following constraints in mind when you configure a recurring campaign:

  • In recurring campaign series, the duration of each campaign must be less than the interval between campaigns.

  • In the Repeats Every dropdown menu, the prepopulated options depend on the campaign's duration and on the recurrence frequency type (days, weeks, months, or years).

For each recurrence frequency type, the allowed duration (in days) and recurrence interval are:

No recurrence

  Duration: 1 to 90 days.
  Recurrence interval: N/A.

Days

  Duration: 1 to 90 days, and less than the recurrence interval.
  Recurrence interval: 1 to 182 days.

Weeks

  Duration: 1 to 90 days, and less than the recurrence interval.
  Recurrence interval: 1 to 26 weeks.

Months

  Duration: 1 to 90 days, and less than the recurrence interval.
  Recurrence interval: 1 to 24 months.

  You can select either of these options from the dropdown menu:

    • Monthly on [day of month]

    • Monthly on [day of week] of [week number]

  The bracketed values are populated automatically from the Start date.

  If you set a campaign to repeat Monthly on [day of week] of Week 5, and the month ends before that day, the campaign begins on that day of week four instead.

  If a month doesn't have the specified day, the last day of the month is used as the campaign's start date. For example, a campaign set to recur on the 30th of every month begins on February 28th or February 29th.

Years

  Duration: 1 to 90 days, and less than the recurrence interval.
  Recurrence interval: 1 or 2 years.

When you increase a running campaign's duration, you can extend it to at most 90 days, or to the day before the next campaign in the series begins, whichever comes first.

For example, in a recurring series where one campaign ends on the 15th and the next begins on the 28th, you can extend the first campaign to end no later than the 27th. If the recurrence interval is more than 90 days, the 90-day cap applies: you can only extend the campaign until its total duration is 90 days.
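The recurrence rules above are easy to get wrong when a schedule is prepared in a script or a ticket rather than typed into the wizard, and a mistake only surfaces on the start date. The following Python is an added example, not Okta's code, that encodes the rules from this section as a pre-flight check: the 1 to 90 day duration (7 or more with multilevel reviewers), the interval range per frequency type, the requirement that the duration be less than the interval, the last-day-of-month and Week 5 fallbacks, and the cap on extending a running campaign. `Recurrence`, `next_start`, `validate` and `max_extended_duration` are the example's own names; the last-day fallback for a February 29 start on a yearly schedule is an assumption, because the page only documents the monthly case.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_DURATION_DAYS = 90
MULTILEVEL_MIN_DURATION_DAYS = 7
# Allowed recurrence interval per frequency type, in that type's own unit.
INTERVAL_LIMITS = {"days": 182, "weeks": 26, "months": 24, "years": 2}


@dataclass(frozen=True)
class Recurrence:
    frequency: str                    # "none", "days", "weeks", "months" or "years"
    interval: int = 0                 # in units of `frequency`; unused for "none"
    monthly_by_weekday: bool = False  # "Monthly on [day of week] of [week number]"


def _clamp_day(year: int, month: int, day: int) -> date:
    """Use the month's last day when `day` doesn't exist in that month
    (a campaign on the 30th begins on Feb 28 or Feb 29)."""
    return date(year, month, min(day, calendar.monthrange(year, month)[1]))


def _shift_month(start: date, months: int) -> tuple[int, int]:
    """(year, month) of `start` moved forward by `months`."""
    year, month0 = divmod(start.year * 12 + start.month - 1 + months, 12)
    return year, month0 + 1


def _nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th occurrence of `weekday` (Mon=0) in the month. A Week 5 that the
    month doesn't reach falls back to that weekday in Week 4."""
    first = date(year, month, 1)
    day = 1 + (weekday - first.weekday()) % 7 + (n - 1) * 7
    if day > calendar.monthrange(year, month)[1]:
        day -= 7
    return date(year, month, day)


def next_start(start: date, rec: Recurrence) -> Optional[date]:
    """Start date of the next campaign in the series (None if not recurring)."""
    if rec.frequency == "none":
        return None
    if rec.frequency == "days":
        return start + timedelta(days=rec.interval)
    if rec.frequency == "weeks":
        return start + timedelta(weeks=rec.interval)
    if rec.frequency == "months":
        year, month = _shift_month(start, rec.interval)
        if rec.monthly_by_weekday:
            week_number = (start.day - 1) // 7 + 1   # populated from the start date
            return _nth_weekday(year, month, start.weekday(), week_number)
        return _clamp_day(year, month, start.day)
    if rec.frequency == "years":
        # Assumption: a Feb 29 start uses the same last-day fallback as monthly.
        return _clamp_day(start.year + rec.interval, start.month, start.day)
    raise ValueError(f"unknown frequency type: {rec.frequency}")


def validate(start: date, duration_days: int, rec: Recurrence,
             multilevel: bool = False) -> list[str]:
    """Rule violations for the schedule; an empty list means it's valid."""
    errors: list[str] = []
    if not 1 <= duration_days <= MAX_DURATION_DAYS:
        errors.append(f"duration must be 1..{MAX_DURATION_DAYS} days")
    if multilevel and duration_days < MULTILEVEL_MIN_DURATION_DAYS:
        errors.append("multilevel reviewers require a duration of 7 days or more")
    if rec.frequency == "none":
        return errors
    limit = INTERVAL_LIMITS.get(rec.frequency)
    if limit is None:
        return errors + [f"unknown frequency type: {rec.frequency}"]
    if not 1 <= rec.interval <= limit:
        return errors + [f"{rec.frequency} interval must be 1..{limit}"]
    gap = (next_start(start, rec) - start).days
    if duration_days >= gap:
        errors.append(f"duration ({duration_days}d) must be less than the interval "
                      f"between campaigns ({gap}d)")
    return errors


def max_extended_duration(start: date, rec: Recurrence) -> int:
    """Longest duration a running campaign can be extended to: 90 days, or one
    day before the next campaign in the series begins, whichever is sooner."""
    following = next_start(start, rec)
    if following is None:
        return MAX_DURATION_DAYS
    return min(MAX_DURATION_DAYS, (following - start).days - 1)
```

Run `validate` on a schedule before submitting it and `max_extended_duration` before editing a running campaign's end date. With a start date of January 1 and a 27-day interval, the next campaign begins on the 28th and the limit comes out at 26 days, ending on the 27th, which matches the example above; a 120-day interval hits the 90-day cap instead.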

Resource campaign settings

Resource campaigns show which users have access to a resource (such as an app or a group) and their associated entitlements (including standard and custom admin roles). They help you meet audit and compliance requirements for standards and regulations such as SOC 2 and SOX. Run resource campaigns regularly to ensure that access to sensitive resources stays limited.

You can configure multiple settings for a resource campaign. You can select up to 50 resources and review who has access to them. You can include all users assigned to the resource or define a specific user set with Okta Expression Language. If the Govern Okta admin roles feature is enabled, existing admin role assignments are represented as key-value pairs: the entitlement and the resource (the Admin Console).

The number of review items in a campaign can't exceed 100,000. To manage large campaigns, split reviews into multiple campaigns.

Resource settings

Type

Application

  1. Select one or more apps.
    • To review entitlements, select up to 10 apps highlighted in blue.
    • To govern admin roles, search for and select the Okta Admin Console. If you select it, you can't add any other apps.
  2. Turn on the Review entitlements toggle.
  3. For each app, choose whether to review All entitlements and bundles or Specific entitlements and bundles. If you specify an entitlement, you can also select the checkbox to retrieve every bundle that contains that entitlement value.
  4. Click Add to include other bundles or entitlements.

Group

Select one or more groups.

Don't select Group if you want to include entitlements in the campaign. The Review entitlements toggle isn't available if you select Group.

User settings

All users assigned to the resource

Select this option to include every user who is assigned to the resources you selected earlier.

Specify user scope

Select this option to restrict the user scope to a specific set of users in your org.

  1. Enter a valid Okta Expression Language (EL) expression to specify the user scope. The expression must evaluate to true for a user to be included in the campaign and to false to exclude them.

  2. Recommended. Preview the scope: enter a user's name in the preview field and click Preview. A message tells you whether that user is part of the campaign.

    If you preview a user who isn't assigned to a resource in the campaign, the preview reports that they aren't part of the campaign, even if the EL expression includes them.

If you have the Realms feature enabled, use this option to restrict the campaign to users from a specific realm.

See Define user scope.

Only include active Okta users in this campaign

Select this option to include only users who have one of the following statuses in Okta:

  • Provisioned

  • Active

  • Password Reset (or Recovery)

  • Password Expired

  • Locked Out

Exclude users from the campaign

Select this option and enter the names of the users to exclude from the campaign.

User campaign settings

User campaigns define the user scope of the campaign so that you can review all resources assigned to those users. They help ensure that users don't accumulate elevated access over time, for example after a department, role, or project change.

You can select specific users or groups and review the resources and associated entitlements assigned to them. You can also configure the campaign so that reviewers only review users' individually assigned resources and not group-assigned resources, because the latter are governed by group membership and group rules.

You can exclude a maximum of 50 apps or groups, or a combination of both. A campaign must contain from 1 through 100,000 review items. To better manage large campaigns, split the reviews across multiple campaigns.

User settings

Select users or groups

Individual users

Select one or more users. You can select a maximum of 100 individual users.

Specific groups

Select one or more groups. You can select a maximum of five groups.

Custom (Okta Expression Language)

Enter an Okta Expression Language expression that selects the users or groups meeting specific criteria. The expression must evaluate to true for a user to be included in the campaign and to false to exclude them.

If you have the Realms feature enabled, use this option to restrict the user scope of the campaign to a specific realm.

See Define user scope.

Resource settings

Resource scope

All apps and groups assigned to users in scope

Select this option to include all apps and groups assigned to users you selected earlier.

All apps assigned to users in scope

Select this option to include all apps assigned to users you selected earlier.

All groups assigned to users in scope

Select this option to include all groups assigned to users you selected earlier.

Don't select All groups if you want to include entitlements in the campaign or govern admin roles. The Only include individually assigned entitlements option isn't available if you select All groups.

Include options

Only include individually assigned apps

Select this checkbox to restrict the resource scope to apps that were assigned to users individually.

Apps assigned through a group aren't included. Use this option to reduce redundant reviews when a campaign reviews both the apps and the groups assigned to a user, since the group membership that grants the app access is reviewed anyway.

Only include individually assigned groups

Select this checkbox to restrict the resource scope to groups that users were added to individually.

Groups assigned by a group rule aren't included. This option is helpful when you're confident about the memberships assigned by group rules and only want to review groups that were assigned outside of those rules.

Only include individually assigned entitlements

Select this checkbox to exclude entitlements that were assigned by an entitlement policy, or to exclude admin roles that were assigned through group assignments.

To review entitlements for an app in a campaign, ensure that Governance Engine is enabled for the app and that you've created entitlements. See Get started with Entitlement Management.

Exclude options

Exclude specific apps from the campaign

Select this checkbox and identify the apps to exclude from the campaign.

Exclude specific groups from the campaign

Select this checkbox and identify the groups to exclude from the campaign.

Reviewer settings

Reviewer type

The campaign won't launch if any reviewer included in the campaign is deactivated or deleted at the time the campaign is scheduled to begin. Check reviewer status before the start date, especially for scheduled and recurring campaigns that were configured well in advance.

User

Enter the name of the reviewer who should review access certifications for all users in the campaign. This reviewer is responsible for all review items.

Manager

  1. Assign review items to the manager listed in each user's Okta profile.
  2. In the Fallback reviewer field, specify a user who is responsible for reviewing all review items that can't be assigned to a manager.
  3. Recommended. Click the Preview reviewer link, enter a user's name, and click Preview to see their assigned reviewer.

The review is assigned to the Fallback reviewer if the user's Okta profile doesn't list a manager.

Group

Assign review items to all members of a specific user group.

Only one group member needs to review and act on a review item. If a group member approves or revokes access for a review item, the item is marked as completed for all reviewers.

The dropdown menu only displays groups that have between one and 10 members. If the group later grows beyond 10 members, review items are assigned to 10 randomly selected members of the group.

Group owner

  1. Assign review items to the owners listed in each group's Okta profile.
  2. In the Fallback reviewer field, specify a user who is responsible for reviewing all review items that can't be assigned to a group owner.
  3. Recommended. Click the Preview reviewer link, enter a user's name, and click Preview to see their assigned reviewer.

If a group has more than 10 owners, review items are assigned to 10 randomly selected owners.

The Group owner option is available and effective only if the following conditions are true:

  • You selected one or more groups as resources on the Resource pane.
  • Each group's owners are either all individual people or all groups. A single group can't have a combination of people and groups as owners.

Custom

  1. Enter a valid Okta Expression Language expression that specifies the reviewer.
  2. In the Fallback reviewer field, specify a user who is responsible for reviewing all review items that the expression doesn't resolve.
  3. Recommended. Click the Preview reviewer link, enter a user's name, and click Preview to see their assigned reviewer.

The expression should return the Okta user ID or username of the user to assign as the reviewer. If the expression doesn't return a value for a user, the Fallback reviewer is assigned for that user.

If you have the Realms feature enabled, use this option to limit the campaign reviewers to a specific realm.

See Define dynamic reviewers.

Disable self-review

This option lets you allow or disallow self-reviews per campaign, depending on the criticality or sensitivity of the resources included. It's enabled by default for campaigns that review access to admin roles. When self-reviews are disabled, you can't approve, revoke, or reassign your own review item.

If the Disable self-review checkbox is selected and the user under review and their assigned reviewer are the same person, Okta assigns the review item to a different reviewer at campaign launch, depending on the reviewer type:

  • Manager, Group owner, or Custom: Okta assigns the review item to the fallback reviewer. If the fallback reviewer is deactivated, doesn't exist in Okta, or is the reviewer for their own review item, Okta assigns the review to the person who created the campaign.

    If the group has two or more owners as reviewers, Okta assigns the review item to the other group owners who aren't the user.

  • User: Okta assigns the review item to the person who created the campaign.

  • Group: Okta assigns the review item to the other members of the group who aren't the user. If the group has only one member and that person is also the user under review, Okta assigns the review to the person who created the campaign.

The campaign fails to launch if Okta falls back to the person who created the campaign and either of the following conditions is met:

  • The user who created the campaign doesn't exist in Okta.

  • The user who created the campaign is the reviewer for their own review item.
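The reassignment rules above amount to a small decision procedure, and a campaign that ends up in the final condition fails to launch on its start date, which for a scheduled or recurring campaign may be weeks after it was configured. The following Python is an added example, not Okta's code, that implements the procedure as a pre-flight check you can run against your own list of users and their would-be reviewers. `User`, `LaunchError`, `resolve_reviewer` and `preflight` are the example's own names; treating a deactivated assigned reviewer as a launch failure follows the rule at the top of Reviewer settings, and trying a group's other owners before the fallback reviewer is an assumption about ordering that the page doesn't spell out.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class User:
    id: str
    active: bool = True   # False models a deactivated Okta user


class LaunchError(Exception):
    """The campaign would fail to launch under the rules on this page."""


def _creator_or_fail(subject: User, creator: Optional[User]) -> list[User]:
    # Last resort: the campaign creator, unless they don't exist in Okta or
    # would be reviewing their own access.
    if creator is None or creator.id == subject.id:
        raise LaunchError(f"no valid reviewer for {subject.id}: campaign fails to launch")
    return [creator]


def _fallback_or_creator(subject: User, fallback: Optional[User],
                         creator: Optional[User]) -> list[User]:
    # Fallback reviewer, unless deactivated, missing, or the subject themselves.
    if fallback is not None and fallback.active and fallback.id != subject.id:
        return [fallback]
    return _creator_or_fail(subject, creator)


def resolve_reviewer(reviewer_type: str, subject: User, creator: Optional[User],
                     assigned: Optional[User] = None, fallback: Optional[User] = None,
                     members: Sequence[User] = ()) -> list[User]:
    """Reviewer(s) who receive `subject`'s review item when self-review is disabled.

    `assigned` is the reviewer the campaign would otherwise pick: the named
    user, the manager from the profile, or the custom expression's result
    (None when no manager is listed or the expression returns nothing).
    `members` holds the group's members (Group) or owners (Group owner).
    """
    if reviewer_type == "user":
        if assigned is None or not assigned.active:
            raise LaunchError("named reviewer is missing or deactivated")
        if assigned.id == subject.id:
            return _creator_or_fail(subject, creator)
        return [assigned]

    if reviewer_type in ("manager", "custom"):
        if assigned is not None and not assigned.active:
            raise LaunchError(f"reviewer {assigned.id} is deactivated")
        if assigned is not None and assigned.id != subject.id:
            return [assigned]
        return _fallback_or_creator(subject, fallback, creator)

    if reviewer_type in ("group", "group_owner"):
        inactive = [m.id for m in members if not m.active]
        if inactive:
            raise LaunchError(f"deactivated reviewers: {inactive}")
        others = [m for m in members if m.id != subject.id]
        if others:
            return others          # the other members or owners take the item
        if reviewer_type == "group_owner":
            return _fallback_or_creator(subject, fallback, creator)
        return _creator_or_fail(subject, creator)   # single-member group

    raise ValueError(f"unknown reviewer type: {reviewer_type}")


def preflight(reviewer_type: str, items: Sequence[tuple[User, Optional[User]]],
              creator: Optional[User], fallback: Optional[User] = None,
              members: Sequence[User] = ()) -> dict[str, list[str]]:
    """Resolve every (subject, assigned reviewer) pair before the start date.
    Returns {subject id: [reviewer ids]}; raises LaunchError on the first item
    the campaign couldn't assign, which is what would stop the launch."""
    return {
        subject.id: [r.id for r in resolve_reviewer(reviewer_type, subject, creator,
                                                    assigned, fallback, members)]
        for subject, assigned in items
    }
```

The case that bites in practice is the campaign creator: if the person who configured an admin-role campaign is also in scope and is the only possible fallback, `preflight` raises before the start date rather than letting the launch fail silently. Choosing a fallback reviewer who is never in scope of the campaign avoids the problem entirely.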

Additional level settings

  • Select which first-level reviewer decisions go to the second-level reviewer:

    • Only approved decisions: The second-level reviewer is the final reviewer for approved decisions only. They can decide on the first-level reviewer's approvals but not on their revocations; the first-level reviewer remains the final reviewer for revoked decisions.

    • Both approved and revoked decisions: The second-level reviewer is the final reviewer for both approved and revoked decisions and can decide on every decision the first-level reviewer made.

  • Use the slider to set when second-level reviews begin. This number of days must be less than the campaign's duration. Second-level reviews begin when first-level reviews end, and any first-level reviews still pending at that point are flagged as overdue.

Notifications

Reviews assigned

Reviewers receive an email notification when review items are assigned to them at campaign launch and when a review item is reassigned. As an admin, you can customize the email that reviewers receive at campaign launch. See Customize an email template.

Reminder for pending reviews

Reviewers who have pending review items receive email reminders before the campaign closes. You can send reminders at the campaign's midpoint, on the day the campaign ends, or a few days before the campaign ends.

For campaigns with multilevel reviews, both first-level and second-level reviewers get these reminders.

As an admin, select this option if you also want to receive a reminder email before the campaign's scheduled end date.

Overdue reminders for first-level reviewers

First-level reviewers who have pending review items receive an email notification every day after the first-level reviews end, until the campaign ends.

This option is only available for campaigns with multilevel reviews.

Campaign ended

Reviewers receive an email notification when the campaign closes. As an admin, you're automatically subscribed to email notifications when a campaign you created launches or ends. You also receive an email with a link to the campaign's page when a campaign fails to launch.

Additional settings

  • Require justification: Select this option to require reviewers to enter a justification for their decision to approve or revoke a user's access to a resource. This option is enabled by default for campaigns that review access to admin roles.

  • Disable bulk decisions: Select this option to prevent reviewers from selecting multiple reviews to approve or revoke at once. Reviewers can still reassign multiple reviews to another user, and must enter a justification for the reassignment (even if the Require justification checkbox isn't selected). This option is enabled by default for campaigns that review access to admin roles.

Remediation settings

Remediation settings determine what happens when a reviewer approves or revokes a user's access to a resource, or doesn't complete a review. You can also customize remediation with Okta Workflows. If a user's app or group assignment comes through group rules or group membership, you must remediate the review manually.

Select a reviewer action

While creating or editing a campaign, you can select one of the following remediation options for each reviewer action:

Approve access

  • Don't take any action (the default remediation)

Revoke access

  • Don't take any action
  • Remove user from the resource

Doesn't respond

  • Don't take any action
  • Remove user from the resource

For campaigns with a single level of review, remediation begins immediately after the reviewer approves or revokes a user's access.

For campaigns with multilevel reviews, review items are sent to the second-level reviewer only after the first-level reviewer has approved or revoked them. If the first-level reviewer doesn't respond before the campaign ends, your remediation configuration for Doesn't respond takes effect.

Which first-level decisions you send to the second-level reviewer determines who is the final reviewer for each item, and therefore which remediation applies:

  • Only approved decisions: The second-level reviewer is the final reviewer for approved items, and your remediation configuration applies to their decisions. If they don't respond before the campaign ends, your remediation configuration for Doesn't respond takes effect. For items that the first-level reviewer revoked, the first-level reviewer is the final reviewer, and your remediation configuration for Revoke access applies to those items.

  • Both approved and revoked decisions: The second-level reviewer is the final reviewer for all approved and revoked items, and your remediation configuration applies to their decisions. If they don't respond before the campaign ends, your remediation configuration for Doesn't respond takes effect.

Customize remediation using Okta Workflows

Okta Workflows lets you automate the following remediation tasks:

  • Create a ticket in your IT service management (ITSM) tool, such as ServiceNow, so that accounts are deprovisioned from the application manually.

  • Delay remediation events by a few days or until the campaign has closed.

  • Send custom notifications to users whose access was removed, so they're aware and can request access again if needed.

You can use every access certification decision as an event to build custom workflows. See Access Certification Decision Submitted in the Okta Connector.

For more information on configuring Okta Workflows, see Build Flows.

Handle remediation manually

If you set Remove user from the resource as a remediation option, the remediation status may show Manual Remediation Required in the following situations:

  • The user was assigned to an application through a group.

  • The user was added to a group through group rules.

  • The user is a member of an app-sourced group.

Considerations for manual remediation

  • Before removing a user from a group, check everything the user gets from that group. Apps, admin roles, sign-on policies, and other privileges are often assigned through groups, and removing a user from a group revokes every assignment that came through it.

  • Check whether the user has multiple group memberships that each grant the app. To remove access, you must remove the user from every group that gives them access to the app.

  • Before removing an app-sourced group, check how it's used in the source app.

Remediate access by taking the following recommended actions:

Application assigned through Okta-sourced group membership

  Remove the user from the Okta-sourced group using Workflows.

Application assigned through app-sourced group membership (for example, an Active Directory (AD) group)

  Remove the user from the app-sourced group.

Okta-sourced group assigned through group rules

  Remove the user from the group and add them as an exception to the group rule.

App-sourced group assigned through imports

  Remove the user from the app-sourced group.

Related topics

Modify a scheduled campaign

Modify campaign's end date