OIG Access Requests – Where Do I Assign Teams?

IGA, OIG, OIG Access Requests 2 Minutes

A common concern from a new Okta Identity Governance (OIG) Access Requests deployment is “I can’t see the Application or Group list when building a Request Type”. The most common cause is the assignment of Teams.

Teams are the access control mechanism built into OIG Access Requests. They control who can create and own Request Types (flows), who can see and use configuration lists (like app lists), and who can be used as approvers and other participants within flows.

An earlier article, OIG Access Requests – Understanding User Grouping, looked at Teams and how they can be used in flows. This article looks at the three common areas that are missed when creating and using teams in Access Requests: Team membership, Teams assigned to the Okta connection, and Teams assigned to the configuration lists.

Ensure Your Team Has the Right Members

A common issue with a new Access Request instance is that the default team (“IT”) does not have the current administrator assigned. When first accessing Access Requests as an administrator, you should go to Teams and check the IT team has you assigned. For any new Team, you should check that the relevant administrators are assigned. If you don’t have administrators assigned they will not see any Request Types they create (they can create, but the new Request Type does not show up in the UI for them).

In the above example the new Team, Plant Managers, has a new admin, Monty Burns, assigned.

Ensure the Team is Assigned to the Okta Connection

For a Request Type to be able to make calls into Okta (e.g. Add User to Group) the Team must be assigned to the Okta connection in OIG Access Requests.

To check/update Team assignment, go into Settings and edit the Okta Connection.

Make sure all relevant Teams, including any new ones, are assigned.

If you add a new Team, you need to make sure they are assigned here.

Ensure the Team is Assigned to Any Configuration Lists

Finally, if you want to be able to access any of the Configuration items (like the standard Applications or Groups lists, or the sublists or custom lists you build), the relevant Team must be assigned to the list.

To check/update Team assignment, select the vertical dots icon beside the relevant list.

Then select Edit list.

Then select the check box to add to the list.

You should now have visibility into the relevant lists when creating or editing the Request Type.

Published by David Edwards (IAmDavid)

I have been working in Identity Management for a quarter of a century, spending 22 years working on various IAM products at IBM and now three years at Okta. Over that time I have worked across pre- and post-sales, including stints in services, fly-in support and technical enablement. I have covered access management, single signon (desktop, web and federated), identity governance and administration (IGA), directories and directory integration, and privileged access management (PAM). I'm one of the few identity practitioners with experience with mainframes and legacy on-premise systems like SAP. And I love to write!

Published

One thought on “OIG Access Requests – Where Do I Assign Teams?

  1. Pingback: OIG Access Requests – Who is the Request Assignee? – IAMSE

Leave a Reply