Access Certifications for admin roles
Early Access release. See Enable self-service features.
Govern Okta admin roles is generally available if you're subscribed to Okta Identity Governance. Otherwise, depending on your org's eligibility, Govern Okta admin roles might not be available. Contact your account executive or customer success manager for more information.
It's important for organizations to periodically identify and review users, such as admins, who have access to their critical resources. Use Access Certifications to create campaigns that periodically review your users' admin role assignments. Running campaigns frequently helps avoid the accumulation of elevated or privileged access.
- Preconfigured campaigns
- Preconfigured campaigns are ready-to-use campaigns. You can launch these campaigns without manual configuration. To help you get started with Access Certifications, Okta presets the campaign settings for two campaigns. Run the Okta administrator review campaign to govern admin roles. The Discover inactive users campaign is also available with limited functionality to review the one app in your org that has the highest number of inactive users.
- Resource campaigns
- A resource campaign displays all users who have access to a resource. You can customize a resource campaign to your requirements by defining resource, user, reviewer, and remediation settings. For example, you can select a resource, such as Okta Admin Console. Next, select all users assigned to it or define a specific set of users using the Okta Expression Language. You can also exclude certain users from the campaign. Then, specify the campaign reviewers who are responsible for reviewing users' admin role assignments and whether the campaign should have multiple rounds of approval. Finally, define what remediation actions are taken when a reviewer approves or denies a user's access.
- User campaigns
- A user campaign displays all resources that a user can access. This campaign type helps you review users' access to resources when specific events happen, such as a department, role, or project change. You can customize a user campaign to your requirements by defining user, resource, reviewer, and remediation settings. For example, after you specify users, set the resource scope to All apps or All apps and groups, and select the Include Okta admin roles checkbox. Next, specify the campaign reviewers who are responsible for reviewing users' admin role assignments and whether the campaign should have multiple rounds of approval. Finally, define what remediation actions are taken when a reviewer approves or denies a user's access.
User campaigns are available for governing admin roles only if you're subscribed to Okta Identity Governance.
You can view admin role bundles and their expiration dates in the Admin role assignments report. You can also use the Past Campaign Details report and Past Campaign Summary report to view campaigns that were launched and whether user access to the resource was retained or revoked. The User entitlements report is also available if you're subscribed to Okta Identity Governance.
To learn more about Access Certifications, see Access Certifications and Campaigns.