Review access
Early Access release. See Enable self-service features.
Understand the steps reviewers take to review user access in a security access review.
Reviewers are users assigned a security access review who are responsible for making a decision on another user's access to resources. Reviewers receive an email notification when a security access review is assigned to them. Okta also grants them access to the Okta Security Access Reviews app on their End-User Dashboard. They can review and make decisions about a user's current access from the app.
Reviewers can't reassign the review to another user.
Reviewers can revoke the user's access to the resource itself, its specific entitlements, and the groups that assign access to the resource to mitigate identified risks at the resource level. While a review is still active, reviewers can restore user access to the resource even if it was revoked earlier as a part of the same review. Reviewers can also close the review.
For Okta Admin Console as a resource, reviewers can only take actions to revoke or restore access to the admin role bundle or group that grants access. They can't revoke or restore access to the Okta Admin Console itself.
Best practices for reviewers
- Add a business justification to provide context on the decision, whether that's to approve or revoke access. This note is visible to you, the super or security access review admin, and other reviewers.
- Generate the AI summary for org-specific insights and context for the review.
  The AI-generated summary is available in reviews only if the Access Certifications - AI summary for Security Access Reviews feature is enabled for the org. This is also an Early Access feature.
- Security access reviews automatically close after seven days.
Start this task
1. On the End-User Dashboard, reviewers click Okta Security Access Reviews.
2. On the Security Access reviews page, they go to the Open tab.
3. Click View for a review item.
4. Read the information in the User details and Last login info sections.
5. View the list of resources for the user and their review priority.
6. Expand a resource to view more details and anomalies categorized by severity of impact.
7. Optional. Click Generate summary to get an AI-generated summary of org-specific contextual information about the user, resource, and usual assignment methods.
8. Go to the Entitlements tab (if available) to review the entitlements assigned to the user.
9. Go to the Groups tab (if available) to review the groups that grant access to the resource.
10. Open the Actions menu for the resource and click Revoke access. The remediation process begins immediately. Reviewers can also click Restore to restore access from this menu while the security access review is active.
    Take granular remediation actions from the Actions menu associated with each resource, such as entitlements and groups. This gives control over the level of access that the user should retain.
11. Repeat steps 5 - 10 for other resources in the security access review.
12. In the Add a comment field, enter a business justification for the review decision or other relevant information.
13. Optional. Scroll to the top of the page and open the Actions menu for the security access review. Click Close to end the review.
Related topics
Understand prioritization for security access reviews