Understand remediation for security access reviews

Early Access release. See Enable self-service features.

While most remediation happens automatically for security access reviews, there are some scenarios where manual remediation is required:

  • The user was assigned to a group through a policy.

  • The user was assigned to a group through a policy and was also assigned to apps as a result.

  • The user was assigned entitlements through a policy or group rules.

  • The user is a member of an app-sourced group (except for Active Directory (AD) groups).

Considerations for manual remediation

  • Before removing a user from a group or policy, check the assignments that the user has through it. Apps, admin roles, sign-on policies, and other privileges are often assigned through groups or policies. Removing a user from a group revokes all assignments that the user has through that group.

  • Check if a user has multiple group memberships or policy rules that could assign them to an app. To remove access, you must remove the user from all groups or update policy rules that give them access to an app.

  • Before removing an app-sourced group, check its usage in the source app.
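A pre-removal check for the first two considerations above, as an added example that is not part of the original documentation. The users, groups, grants, and data layout are constructed assumptions; in practice you would populate them from an export of your own directory.

```python
# Constructed sample data (assumption): which assignments each group grants.
GROUP_GRANTS = {
    "eng-all": {"app:github", "app:jira"},
    "eng-oncall": {"app:github", "role:helpdesk-admin"},
    "contractors": {"app:jira"},
}
# Constructed sample data (assumption): each user's group memberships.
USER_GROUPS = {
    "avery": {"eng-all", "eng-oncall"},
    "blake": {"eng-all", "contractors"},
}
# Groups whose membership is driven by a policy rule (assumption). Removing
# the user by hand is not enough here; the rule must also exclude them.
POLICY_MANAGED = {"eng-all"}


def access_paths(user, target):
    """Return every group through which the user holds the target assignment."""
    groups = USER_GROUPS.get(user, set())
    return sorted(g for g in groups if target in GROUP_GRANTS.get(g, set()))


def removal_plan(user, target):
    """Plan the revocation of one assignment and report its side effects."""
    paths = access_paths(user, target)
    remaining = USER_GROUPS.get(user, set()) - set(paths)
    # Assignments the user keeps through groups they stay in.
    kept = set().union(*(GROUP_GRANTS.get(g, set()) for g in remaining))
    # Everything else granted by the removed groups is revoked as well.
    granted = set().union(*(GROUP_GRANTS.get(g, set()) for g in paths))
    return {
        "remove_from": paths,
        "update_policy_for": sorted(set(paths) & POLICY_MANAGED),
        "collateral_loss": sorted(granted - kept - {target}),
    }


if __name__ == "__main__":
    for name in sorted(USER_GROUPS):
        print(name, removal_plan(name, "app:github"))
```

For avery, the plan lists both groups that grant the app and flags the admin role and second app that would be revoked along with it; for blake, nothing else is lost because the other app is still granted through a group they remain in.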

Remediate access by taking the following recommended actions:

| Resource | Assignment method | Recommended action |
| --- | --- | --- |
| Group | Okta-sourced group membership through a policy | Remove the user from the group. Also, review and update the policy rules to exclude them to prevent reassignment. |
| App | Okta-sourced group membership through a policy | Remove the user from the group. Also, review and update the policy rules to prevent reassignment. |
| App | App-sourced group membership (except for Active Directory (AD) groups) | Remove the user from the app-sourced group. |
| Entitlement | Policy or group rules | If entitlements were assigned through policy, review and update the policy rules to exclude them to prevent reassignment. If entitlements were assigned through group rules, remove the user from the group and add them as an exception to the group rule. |

Related topics

Understand prioritization for security access reviews