Configure policies for Govern Okta admin roles apps

Early Access release. See Enable self-service features.

The Govern Okta admin roles feature includes the following apps.

  • Okta Access Requests: This app is automatically assigned to super admins. It controls which super admins can be assigned to a request. You can assign it to approvers if you want to assign them tasks, and to end users if you want them to see the Request admin role button. This is the only app visible on the Okta dashboard.

  • Okta Access Requests OAuth: This app is automatically assigned to super admins. It's only used for running workflows in a request. You don't need to assign it to any users.

  • Okta Access Requests Admin: This app is automatically assigned to super admins. You can assign it to any admins who need to manage Access Request Conditions.

  • Okta Access Requests Resource Catalog: This app is automatically assigned to all users. Nothing is made available by default, and no app management is required.

  • Okta Access Certifications: This app is automatically assigned to existing and new super admins. It provides access to the Access Certifications section of the Admin Console.

Existing super admins get these apps automatically when you enable the feature. If you add super admins later, you need to manually assign the apps to them.

Configure policies for your apps

Okta Access Requests Admin app

  1. Use the following System Log query to check if your authentication policies for the Okta Access Requests Admin app match the policies for the Okta Admin Console app.

    target.displayName eq "Okta Access Requests Admin" and outcome.result eq "DENY"

  2. If the events for the policy are being denied when you use the Govern Okta admin roles feature, clone the authentication policy of your Okta Admin Console app.

  3. In the cloned policy, set the Prompt for authentication condition to When an Okta global session doesn't exist.

  4. Assign the cloned policy to your Okta Access Requests Admin app. You can also require MFA to access this app. See Enable MFA for the Admin Console.

Okta Access Requests Resource catalog app

  1. Clone the authentication policy of your Okta Dashboard app.
  2. In the cloned policy, set the Prompt for authentication condition to When an Okta global session doesn't exist.

  3. Assign the cloned policy to your Okta Access Requests Resource Catalog app.

Related topics

Get started

Access Requests for admin roles

Access Certifications for admin roles