Requesting Roles Through OIG Access Requests

IGA, OIG, OIG Access Requests 5 Minutes

This article looks at how Okta Identity Governance (OIG) can be used to provide a role-request feature in Access Requests. The example used is roles for Salesforce.

Role Request for Salesforce

Article contents:

What Roles?

If you’re familiar with the Okta Identity Cloud data model, you will know there are users, groups and applications but no roles (other than roles to administer Okta itself). But groups can be used to “group” users for different functions, such as applying authentication policy and application entitlements. Many customer deployments treat groups as roles for the latter – groups assigning users to applications may be tied to a job function.

In addition to this coarse-grained assignment, many applications in Okta support fine-grained entitlements. For example when looking at Salesforce.com, users or groups can be assigned to specific SFDC roles and licenses. It makes sense (even “best practice”) to assign groups to these applications and set these fine-grained entitlements at the group level, and then manage user membership to the groups rather than assigning individuals to applications. This strengthens the model of groups as roles – providing both coarse- and fine-grained entitlements. See https://iamse.blog/2022/03/22/fine-grained-entitlement-reporting-with-workflows/ for more discussion on managing fine-grained entitlements in Okta.

The following figure shows the relationships discussed above.

An Example – Salesforce.com and Some Role Groups

Let’s look at an example of this. I’ve created four groups in Okta to represent roles against Salesforce.com.

Role Groups in Okta

These are assigned to the Salesforce.com application.

Role Groups assigned to Salesforce.com

If you drill into the group-level assignments you see that a specific Salesforce.com role has been assigned to the Okta group.

Role Group assignment to Salesforce.com Role

Thus the Okta groups represent roles, and also assign a fine-grained permission (in this case a role) in Salesforce.com.

How do we expose these to be requested in Okta Identity Governance (OIG) Access Requests? Let’s have a look at two ways – a group request and a label-based request. Note that the approaches shown below are based on the current Limited Early Access code and features may be added to OIG Access Requests in the future that may mean different approaches can be used.

Requesting The Role Groups Directly

A key driver for Access Requests is to keep it as simple as possible for end users. If you have a simple and well-understood naming standard applied to your groups, you could just expose them in an Access Request flow as they are.

We will use the groups and group assigments above.

Using Configuration Items for a List of Groups

The first thing needed is a Configuration item with the groups you want to expose.

Configuration Items (for SFDC)

This list contains the four groups.

Groups in Configuration Item

Access Request Flow For The Group List

Next we can build a workflow to assign the user to the role. It will prompt for the group and a justification, get manager approval and then assign the user to the group.

The following figure shows the entire workflow – we will drill into the detail of each step below.

Actions to Add User to Group

The first step, Role, is a simple Dropdown question using the Configuration Item from above.

Role Selection (Question) step

It’s important that the Role is a required field as the flow will fail if nothing is selected. The Dropdown is assigned to the Configuration item SFDC-Role-Groups from above. The logic assumes a single role is selected (there is no logic in the example flow to support multiple selections).

The Justification and Manager Approval steps are straightforward.

The last steps (Assign User to XYZ) are basically a case statement, with a single step for each role group that could be chosen in the Role question. Let’s look at one of them (they are all the same)

This step uses the standard [Okta] Add user to group action. When enabling the Run automatically checkbox, the required fields (email and group) are exposed. The email address is that of the requester (the user to be assigned to the group). To get the group, we need to select 1. A configuration list item, then 2. the Groups object (the full list of Okta groups), and finally 3. the actual group to be assigned.

The image above shows the logic applied to the step. It will only run if the Manager has approved the request and the role selected by the user matches the group name for this step.

Logic for Step

As the second condition is based on the role value from the question, and that is tied to the Configuration item with the list of groups, so you can only select a value from that Configuration list for this condition.

Running the Access Request Workflow

Let’s see this in action. The user initiates the Access Request workflow.

User Selects a Role Group

There request flows and is approved.

Worklflow Runs

The user is added to the group in Okta.

User in SFDC Group in Okta

This proves the workflow works as intended.

Requesting The Role Groups via a Label

The previous example shows the user being presented a list of role groups, where the group names follow a standard making them easily understood. But what if the Okta group names assigned to the application don’t make sense to the end user? You can use the same approach, but instead of presenting a list of group names, you can present a list of labels.

I will summarise below, rather than going into the detail as above.

Configuration Item for Role Labels

For this example, I have duplicated the above Configuration item and changed the group names to labels.

Configuration Item List for Role Labels

This will be used in the Access Request workflow.

Access Request Workflow for the Role Label List

The flow is basically the same as the previous one, except using in the new SFDC-Role-Labels Configuration Item list, and different Logic for the conditional steps.

Access Request Workflow for Role Labels

The Role dropdown question is using the new Configuration item – SFDC-Role-Labels, and the conditional logic in the Assign to XYZ steps check for each of the SFDC-Role-Labels values.

Running the Access Request Workflow

The end user experience is fundamentally the same but they see a list of role labels.

Selecting Roles in Access Request

The rest of the workflow proceeds as above.

Conclusion

This article has discussed how Okta groups can represent roles, and be used for both coarse-grained (application-level) and fine-grained (application attribute-level) entitlement assignment. It has shown two examples of using OIG Access Request Configuration item lists and workflows with conditional logic to present lists of roles (by group name or role label) and have the right role be assigned to the user.

Published by David Edwards (IAmDavid)

I have been working in Identity Management for a quarter of a century, spending 22 years working on various IAM products at IBM and now three years at Okta. Over that time I have worked across pre- and post-sales, including stints in services, fly-in support and technical enablement. I have covered access management, single signon (desktop, web and federated), identity governance and administration (IGA), directories and directory integration, and privileged access management (PAM). I'm one of the few identity practitioners with experience with mainframes and legacy on-premise systems like SAP. And I love to write!

Published

2 thoughts on “Requesting Roles Through OIG Access Requests

  1. Hi, How can user request for a change of role? Ex: User has Role ‘xxx’ via the Group ‘Group xxx’. Now he wants to change the role to ‘YYY’. This request is approved by Manager. Will Okta automatically remove the user from ‘Group xxx’ and add to the new ‘Group YYY’?

    Reply

    1. Any change of role would be built into the Access Request flows (Request Types). Okta UD does not have the concept of “can only have N out of M groups”.

      Reply

Leave a Reply