OIG Access Requests – Where Do I Assign Teams?

A common concern from a new Okta Identity Governance (OIG) Access Requests deployment is “I can’t see the Application or Group list when building a Request Type”. The most common cause is the assignment of Teams.

Teams are the access control mechanism built into OIG Access Requests. They control who can create and own Request Types (flows), who can see and use configuration lists (like app lists), and who can be used as approvers and other participants within flows.

An earlier article, OIG Access Requests – Understanding User Grouping, looked at Teams and how they can be used in flows. This article looks at the three common areas that are missed when creating and using teams in Access Requests: Team membership, Teams assigned to the Okta connection, and Teams assigned to the configuration lists.

Ensure Your Team Has the Right Members

A common issue with a new Access Requests instance is that the default team (“IT”) does not have the current administrator assigned. When first accessing Access Requests as an administrator, go to Teams and check that the IT team has you assigned. For any new Team, check that the relevant administrators are assigned. Administrators who are not assigned to the Team will not see the Request Types they create: they can create one, but the new Request Type does not show up in the UI for them.

In the above example the new Team, Plant Managers, has a new admin, Monty Burns, assigned.

Ensure the Team is Assigned to the Okta Connection

For a Request Type to be able to make calls into Okta (e.g. Add User to Group) the Team must be assigned to the Okta connection in OIG Access Requests.

To check/update Team assignment, go into Settings and edit the Okta Connection.

Make sure all relevant Teams, including any new ones, are assigned.

If you add a new Team, you need to make sure it is assigned here.

Ensure the Team is Assigned to Any Configuration Lists

Finally, if you want to be able to access any of the Configuration items (like the standard Applications or Groups lists, or the sublists or custom lists you build), the relevant Team must be assigned to the list.

To check/update Team assignment, select the vertical dots icon beside the relevant list.

Then select Edit list.

Then select the check box for the Team to add it to the list.

You should now have visibility into the relevant lists when creating or editing the Request Type.
