Governance delegates

Early Access release. See Enable self-service features.

If your org has the Access Governance - Delegates feature enabled, you and users can assign another user as a delegate to complete governance tasks on their behalf temporarily or permanently. Governance tasks include access certification campaign review items and access request approvals, questions, and tasks. For Access Requests, a delegate can complete governance tasks for requests managed by both conditions and request types.

Benefits

  • Reduce the time spent manually reassigning governance tasks when the primary stakeholder is unavailable.

  • Ensure that governance processes don't stall when reviewers and approvers are unavailable or tasks need to be rerouted to a different stakeholder for a long period.

When you or a user specify a delegate, the delegate is notified by email. You (super admin) can specify a delegate for a user from their profile page in the Admin Console. Users can specify delegates for themselves from the Access Certifications or Okta Access Requests app on their dashboard. The delegate assignment applies to governance tasks for both Access Certifications and Access Requests.

Any new campaign reviews and access request tasks are automatically assigned to the delegate. The delegate also receives notifications for new access request tasks and access certification campaign reviews that the admins have set up. Existing campaign reviews and access request tasks remain unchanged. Requesters and other users who can view a request can also see that a task has been assigned to a delegate.

Governance tasks are assigned only to the original reviewer or original approver's delegate. For example, the original reviewer assigns their manager as a delegate and the manager assigns the director as a delegate. In this example, the governance tasks assigned to the original reviewer are still delegated to the manager. Admins or request assignees must manually reassign these governance tasks.

For request types, if one of the team members has a delegate assigned, Okta doesn't assign the team member as the request assignee when a request associated with the request type comes in. If the team that owns a request type only has one member who has a delegate assigned, Okta leaves the request associated with the request type unassigned.

As a super, access certifications, or access requests admin, you also have visibility into tasks assigned to delegates:

  • Access Certifications: The Reviewer is Delegate filter shows which review items are assigned to delegates for an active or closed campaign as well as completed reviews in an active campaign. When you use this filter, the results also include review items assigned to Group and Group Owner as reviewer if one or more reviewers in the group has a delegate assigned. The Review details panel also displays this information. For campaigns with the reviewer type as Group or Group Owner, the Review details panel for a review item also indicates which users are delegates.

    The Past Campaign Details and Past Campaign Summary reports have a Reviewer delegated filter and columns for Reviewer ID, Original Reviewer, Original Reviewer Email, and Original Reviewer ID.

  • Access Requests: In the Access Requests app, the request details page displays users and their delegates.

  • System Log: The governance.principal.settings.update System Log event helps you track changes to delegates and meet your audit requirements.
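One way to review delegate changes in an exported System Log, as an added example that is not Okta's own code. The sample events are constructed, and the assumption is that the user whose settings changed is listed under the event's target field; the function names are hypothetical.

```python
import json

EVENT_TYPE = "governance.principal.settings.update"  # event name given on this page

# Constructed sample events, not real log output. Only generic System Log fields
# are used; that the affected user is listed under "target" is an assumption.
SAMPLE_EVENTS = json.loads("""[
 {"eventType": "governance.principal.settings.update", "published": "2024-05-02T09:14:00Z",
  "actor": {"id": "u1", "alternateId": "alice@example.com"},
  "target": [{"id": "u1", "type": "User", "alternateId": "alice@example.com"}],
  "outcome": {"result": "SUCCESS"}},
 {"eventType": "user.session.start", "published": "2024-05-02T09:20:00Z",
  "actor": {"id": "u2", "alternateId": "bob@example.com"},
  "target": [], "outcome": {"result": "SUCCESS"}},
 {"eventType": "governance.principal.settings.update", "published": "2024-05-01T17:40:00Z",
  "actor": {"id": "u9", "alternateId": "admin@example.com"},
  "target": [{"id": "u2", "type": "User", "alternateId": "bob@example.com"}],
  "outcome": {"result": "SUCCESS"}},
 {"eventType": "governance.principal.settings.update", "published": "2024-05-03T08:05:00Z",
  "actor": {"id": "u3", "alternateId": "carol@example.com"},
  "target": [{"id": "u4", "type": "User", "alternateId": "dave@example.com"}],
  "outcome": {"result": "FAILURE"}}
]""")


def delegate_setting_changes(events):
    """Return one record per delegate-settings event, oldest first."""
    changes = []
    for ev in events:
        if ev.get("eventType") != EVENT_TYPE:
            continue
        actor = ev.get("actor") or {}
        users = [t for t in ev.get("target") or [] if t.get("type") == "User"]
        user = users[0] if users else {}
        changes.append({
            "when": ev.get("published") or "",
            "actor": actor.get("alternateId"),
            "principal": user.get("alternateId"),
            # True when the affected user made the change themselves.
            "self_service": bool(user) and user.get("id") == actor.get("id"),
            "result": (ev.get("outcome") or {}).get("result"),
        })
    return sorted(changes, key=lambda c: c["when"])


def needs_review(changes):
    """Successful changes made by someone other than the affected user."""
    return [c for c in changes if c["result"] == "SUCCESS" and not c["self_service"]]
```

Changes returned by `needs_review` are the ones to match against an expected admin action, since from that point new reviews and approvals for that user go to the delegate.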