Create resource campaign

Create a campaign to review resources and user access, ensuring least-privileged access in Okta Identity Governance.

Options

Field Definition Type Required

Schedule Type

Defines whether the campaign runs a single time or repeats on a defined schedule.

  • Once: The campaign runs one time only.

  • Recurring: The campaign runs repeatedly based on a recurrence schedule.

 Dropdown TRUE

Resources

Specifies which resource types are reviewed for the selected users.

  • Application

  • Group

Dropdown TRUE

Review Entitlements

Specifies whether to include entitlements for the app. This field is only applicable if Resources is Application.

  • Yes

  • No

If this field is enabled, all entitlements and entitlements bundles for that app are reviewed. This behavior simplifies campaign configuration by ensuring all app entitlements are reviewed without requiring extra setup.

Dropdown TRUE

Scope

Specifies how principals (users) included in the campaign are selected.

  • Users: Explicit list of individual users.

  • Custom: Users matched by a custom search or filter expression.

 Dropdown TRUE

Exclude Users

Choose whether specific users should be excluded from the campaign even if they otherwise match the user scope.

  • Yes

  • No

Dropdown TRUE

First Level Reviewer

Defines who performs the initial review of access items in the campaign.

  • User: Assigns the review to a specific individual user. All review items are routed to the selected user.

  • Group: Assigns the review to all members of a specified group. Any group member can complete the review.

  • Group Owner: Assigns the review to the owners of the group associated with the access being reviewed. This option is available only if the resource selected is Group.

  • Custom: A reviewer scope expression is used to dynamically determine the reviewer based on user, resource, or entitlement attributes.

  • Manager: Assigns the review to the manager of the user whose access is being reviewed, based on the user's manager relationship in Okta. The Manager option can exist only on one level of review. If it's already selected as a First Level Reviewer and the campaign has multi-level reviewers, Manager isn't eligible on the Second Level Reviewer list.

 Dropdown TRUE

Add Another Level

Choose whether a second-level (escalation or approval) review stage is enabled.

  • Yes: Enables a second-level reviewer.

  • No: Campaign has a single review level.

 Dropdown TRUE

Second Level Reviewer

Defines the reviewer responsible for second-level review decisions when multi-level review is enabled.

  • User: Assigns the review to a specific individual user. All review items are routed to the selected user for decision.

  • Group: Assigns the review to all members of a specified group. Any group member can complete the review.

  • Group Owner: Assigns the review to the owners of the group associated with the access being reviewed. This option is available only if the resource selected is Group.

  • Custom: A reviewer scope expression is used to dynamically determine the reviewer based on user, resource, or entitlement attributes.

  • Manager: Assigns the review to the manager of the user whose access is being reviewed, based on the user's manager relationship in Okta. The Manager option can exist only on one level of review. If it's already selected as a First Level Reviewer and the campaign has multilevel reviewers, Manager isn't eligible on the Second Level Reviewer List.

 Dropdown TRUE

Input

Field Definition Type Required

Campaign

Name

The name of the campaign.

Text TRUE

Description

A description of the campaign.

Text FALSE

Tier

The minimum required SKU to manage the campaign.

  • Basic

  • Premium

Dropdown FALSE

Create Auditor Package

The reporting properties for processing post-completed campaigns. If true, a post-campaign reporting package is created. The default value is NO.

  • Yes

  • No

Dropdown TRUE

Schedule Settings

Start Date

The date on which the campaign is supposed to start.

Date & Time TRUE

Time Zone

The time zone, in IANA format, for the start date of the campaign.

Dropdown TRUE

Duration In Days

The duration (in days) that the campaign is active. The duration can't exceed 90 days, and must be a minimum of 7 days if the campaign is reviewed in multi-level.

Number TRUE

Recurrence Settings

Interval

The interval of the recurrence.

  • When the interval is Days, the maximum value is 99.

  • When the interval is Weeks, the maximum value is 26.

  • When the interval is Months, the maximum value is 24.

  • When the interval is Years, the maximum value is 2.

Interval values that conflict with the duration of the campaign result in an invalid request. For example, setting a duration of 21 days and an interval of every two weeks results in an invalid request.

Number TRUE

Interval type

The type of the interval.

  • Days

  • Weeks

  • Months

  • Years

Dropdown TRUE

Ends

The date on which the resource campaign ends.

Date & Time FALSE

Repeat on Type

Specifies the day of the month to repeat the campaign. Applicable only if the Interval Type is Months.

  • Same Day as Start Date: Repeat the campaign on the same calendar day as that start date. For example, if the start date is the 5th of the current month, then the campaign repeats on the 5th day of the matching month.

  • Same Weekday as Start Date: Repeat the campaign on the same day of the week as the start date. For example, if the start date is on a Thursday, then the campaign repeats on the Thursday of the matching week.

  • Last Weekday as Start Date: Repeat the campaign on the last day of the week in the start date. For example, if the start date is Thursday and it's the last week of the month, then the campaign repeats on Thursday of the matching last week.

 Dropdown FALSE

Principal Scope Settings

Include Only Active Users

If true, only active Okta users are included in the campaign.

True/False FALSE

Custom Search Criteria

Include a custom search in the Okta Expression Language to include users in the campaign.

Text FALSE

Exclude Users

ID

The list of Okta users excluded from access certification or the campaign. Up to 50 users can be excluded.

List of Text FALSE

Resource Settings

Application ID

The list of apps to review, up to a maximum of 20.

List of Text TRUE

Group ID

The list of groups to review, up to a maximum of 250.

 List of Text TRUE

1st Level Reviewer

Reviewer ID

The unique identifier of the reviewer.

Text TRUE

Self Review Enabled

If true, users can review their own review items.

True/False FALSE

Reviewer Group ID

The unique identifier of the reviewer group.

All members of the group are reviewers for the campaign. If the group contains only one member, then that member is assigned as the reviewer for all reviews, and the reviewer type is set to User for those reviews. When the campaign launches, if the group has more than 10 members, 10 members from the group are randomly set as reviewers for the campaign.

Text TRUE

Reviewer Scope Expression

The expression to derive a reviewer for the campaign.

This is typically used when the manager is the reviewer. For the Manager reviewer type, the reviewer scope expression is fixed at user.profile.managerId.

Text TRUE

FallBack Reviewer ID

The unique identifier of the fallback reviewer. A fallback reviewer is assigned if the Reviewer Scope Expression doesn't identify any reviewers, or reviewers aren't identified through resource owners.

Text TRUE

On Day

The day when second-level reviews start.

For the first level, this value is always 0 since the first level starts when the campaign starts. For the second level, enter a value that's greater than 0. This indicates the day when the reviews move to the second level.

Number TRUE

2nd Level Reviewer

Reviewer ID

The unique identifier of the reviewer.

Text TRUE

Self Review Enabled

If true, users can review their own review items.

True/False FALSE

Reviewer Group ID

The unique identifier of the reviewer group.

All members of the group are reviewers for the campaign. If the group contains only one member, then that member is assigned as the reviewer for all reviews, and the reviewer type is set to User for those reviews. When the campaign launches, if the group has more than 10 members, 10 members from the group are randomly set as reviewers for the campaign.

Text TRUE

Reviewer Scope Expression

The expression to derive a reviewer for the campaign.

This is typically used when the manager is the reviewer. For the Manager reviewer type, the reviewer scope expression is fixed at user.profile.managerId.

Text TRUE

FallBack Reviewer ID

The unique identifier of the fallback reviewer. A fallback reviewer is assigned if the Reviewer Scope Expression doesn't identify any reviewers, or reviewers aren't identified through resource owners.

Text TRUE

On Day

The day when second-level reviews start.

For the first level, this value is always 0 since the first level starts when the campaign starts. For the second level, enter a value that's greater than 0. This indicates the day when the reviews move to the second level.

Number TRUE

When

The condition for reviews to move from the first to the second-level reviewer.

  • Lower Level Approves: Only approved reviews from the lower-level move to this level.

  • Lower Level Approves or Rejects: Both approved and revoked reviews from the lower-level move to this level.

 Dropdown FALSE

Reviewer Settings

Justification Required

If true, a justification is required when review items are approved or revoked. This property must be true for user-centric campaigns that have the Okta Admin Console as one of the resources.

True/False FALSE

Reassignment Enabled

If true, reassignment is enabled for reviewers.

True/False FALSE

Bulk Decision Enabled

If true, bulk actions are enabled for approving or revoking review items.

True/False FALSE

Notify Reviewer

Period End

If true, a notification is sent to the reviewer when a given reviewer level period is about to end. This property is only applicable for multi-level campaigns.

True/False FALSE

During Midpoint Of Review

If true, a notification is sent to the reviewer during the midpoint of the review process.

True/False FALSE

When Overdue

If true, a notification is sent to the reviewer when reviews are overdue.

True/False FALSE

When Review Assigned

If true, a notification is sent to the reviewer when actionable reviews are assigned.

True/False FALSE

At Campaign End

If true, a notification is sent to the reviewers when the campaign ends.

True/False FALSE

Closing Reminders In Seconds

Specifies, in seconds, the time a reminder is sent to reviewers before the campaign closes. You can send up to three notifications.

For example, the array [86400, 172800, 604800] sends reminder notifications at 7 days, 2 days, and 1 day before the campaign closes. By default, reminders are sent 2 days and 1 day before the campaign closes.

List of Numbers FALSE

Remediation Settings

Remove Access

If true, the user has their access revoked as long as they aren't assigned to a group.

True/False TRUE

Remove Access on No Response

If true, the user's access is revoked when the campaign ends as long as they aren't assigned to a group.

True/False TRUE

Automatic Group Remediation

Remove From All Groups

If true, the user's access to all groups that can assign the user to the apps are removed during remediation. Only app assignments through groups can be automatically remediated.

You can specify either to remove from all Groups or a specific group using the Group ID.

True/False FALSE

Group ID

The groups to be automatically remediated.

List of Text FALSE

Output

Field Definition Type

Campaign

ID

The unique identifier of the resource campaign created.

Text

Name

The name of the resource campaign created.

Text

Description

A description of the resource campaign created.

Text

Created

The date and time when the resource campaign was created.

Date & Time

Created By

The unique identifier of the Okta user who created the resource campaign.

Text

Last Updated

The date and time when the resource campaign was last updated.

Date & Time

Last Updated By

The unique identifier of the Okta user who last updated the resource campaign.

Text

Status

The status of the resource campaign created.

  • Active

  • Completed

  • Deleted

  • Error

  • Launching

  • Scheduled

Text

Raw Output

The raw object response for the resource campaign created.

Object