Campaigns help ensure that your users have the right level of access to resources like apps (and associated entitlements) and groups.

In addition, if you've enabled the Realms feature, you can restrict the campaign to include users from a specific realm using Okta Expression Language.

  • Resource campaigns

    This campaign type displays all users who have access to a resource.

    You can select a resource, such as an app or group, and review who has access to it and the associated entitlements and bundles. You can select all users assigned to the resource or define a specific set of users using the Okta Expression Language. You can also exclude certain users from the campaign. Run resource campaigns regularly to ensure that access to sensitive resources is limited.

    If you enabled the Govern Okta admin roles feature, use this campaign to review user admin role assignments.

    Resource campaigns are useful for meeting your audit and compliance requirements.

  • User campaigns

    This campaign type displays all resources that a user has access to.

    You can select a specific user or user group and review their assigned resources. Most privileged access is either requested by the user or it's individually assigned to them. Often reviewers don't need to review access to resources granted through group membership or group rules. User campaigns allow you to set up a campaign where reviewers only need to review access to users’ individually assigned resources and entitlements.

    User campaigns allow you to manage a user’s access to resources efficiently, especially when the user’s relationship with your organization changes due to events such as a role, department, or project change.

    Run user campaigns frequently to ensure that users have the least privileged access.

    Users' admin role assignments aren't included for review in a user campaign.

You can schedule campaigns in advance, make them recur at specific intervals, and modify them before they launch.

A campaign becomes active on the start date and is marked as closed on the end date or when all reviewers in the campaign complete their reviews, whichever happens first. You can launch a campaign before its start date and end an active campaign before its scheduled end date. However, after a campaign launches, you can only reassign review items or end the campaign. You can’t modify a campaign after it ends.

You can view active, scheduled, and closed campaigns from the Access certification campaigns page. Recurring campaigns are marked with the Recurring label on the Scheduled tab to indicate that they’re a part of a series of recurring campaigns. Closed campaigns are stored for 12 months.

After you schedule a campaign, it becomes active on the scheduled start date.

If a scheduled campaign fails to launch, you receive an email notification. To view errors, you can do any of the following steps:

  • Click View Campaign from the email notification.
  • Open the campaign from the Closed tab of the Access certification campaigns page.
  • Go to the System Log.

Resolve the errors before you recreate the campaign. You may want to note down the Okta Expression Language expressions for users and reviewers from the Overview section before recreating the campaign. You can delete a campaign that failed to launch from the Actions menu.

Campaign reviewers can access the review items assigned to them from the Okta Access Certification Reviews app tile on their dashboard. They can approve, revoke, or reassign the review items.

If you, as the campaign creator, have included entitlements in the campaign, then reviewers can also see the entitlements or bundle associated with the resource and how the entitlement or bundle was assigned to the user for a review item. They can review access to entitlements and bundles in a similar manner as they review a user’s access to apps and groups. They can revoke an entitlement or bundle as individual units, but they can’t revoke a specific entitlement that’s a part of a bundle assigned to the user. Reviewers must manually remediate any entitlements that were assigned to a user by a policy rule.

You can run campaigns to review entitlements for an app only if Governance Engine is enabled for the app. See Enable Governance Engine and Considerations and limits.
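The user campaign scoping and revoke rules described above, modeled as an added example that is not Okta's code or API. The `Grant` fields, the sample data, and the choice to treat policy-rule grants as not individually assigned are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str                 # app or group
    kind: str                     # "resource", "entitlement" or "bundle"
    name: str = ""                # entitlement or bundle name
    source: str = "individual"    # or "group", "group_rule", "policy_rule"
    contains: tuple = ()          # entitlements carried by a bundle

# Constructed sample data; field names are hypothetical, not an Okta schema.
GRANTS = [
    Grant("alice", "Payroll", "resource"),
    Grant("alice", "Payroll", "entitlement", "Approve payments"),
    Grant("alice", "Payroll", "bundle", "Finance analyst",
          contains=("View reports", "Edit ledger")),
    Grant("alice", "Wiki", "resource", source="group"),
    Grant("alice", "Intranet", "resource", source="group_rule"),
    Grant("alice", "CRM", "entitlement", "Export data", source="policy_rule"),
    Grant("bob", "Payroll", "resource"),
]

def review_items(grants, user, individual_only=True):
    """Review items for a user campaign on `user`.

    With individual_only, only individually assigned access is kept, so
    access inherited through groups or rules stays out of the review.
    Excluding policy-rule grants here is an assumption of this model.
    """
    return [g for g in grants
            if g.user == user
            and (not individual_only or g.source == "individual")]

def revoke_outcome(grant, only=None):
    """Result of a revoke decision; `only` names one entitlement in a bundle."""
    if only is not None:
        if grant.kind == "bundle" and only in grant.contains:
            return "rejected: a bundle is revoked as a unit"
        raise ValueError(f"{only!r} is not part of {grant.name!r}")
    if grant.kind == "entitlement" and grant.source == "policy_rule":
        return "manual remediation required"
    return "revoked as a unit"
```

Running `review_items` with `individual_only=False` shows how much extra reviewer work the inherited grants would add to the same campaign.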

Governance for admin roles

Early Access release. See Enable self-service features.

Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.

After you enable the Govern Okta admin roles feature, you can review a user’s admin assignments using a resource campaign. Access Certifications treats admin assignments as entitlements associated with the Okta Admin Console. Specifically, it treats the admin role and resource set within a user’s admin assignment as a key-value pair for an entitlement.

Only super admins can govern admin roles. After you enable the feature, you may have to wait a few hours before you can run a resource campaign to review admin roles.

Related topics

Create campaigns

Govern Okta admin roles