Access Certification – Helping Reviewers Decide whether to Approve or Revoke Access

The user interface, and the general user experience, has been a challenge for Identity Governance and Administration (IGA) products for many years. Unlike many IT products, IGA solutions are used by all business users and need an interface that is easy to use and understand. This is particularly true of Access Certifications: business owners (such as managers or application owners) need a painless experience when reviewing access. Access Certifications are a necessary evil, but they are rarely the most important thing business owners have to think about.

When designing and building Okta Identity Governance (OIG), a key focus has been the user experience. For access reviews, this means presenting only the information that matters to help reviewers decide whether access should be retained or removed. This article looks at the Okta Identity Governance access review page and how that information is presented.

Note that some of the content presented here may be from the oktapreview environment and may not be in production yet.

Review Summary View

The main (summary) view of a campaign shows all access reviews assigned to a reviewer. If the reviewer is a manager, they see every user assigned to the resource (group(s) or application(s)) who reports to them.

This page is designed to act as a "to do" list for the reviewer. It contains a summary of their reviews and a list of all pending reviews. The pending reviews section shows the User, their Email, the Resource name (label) and the available Actions (Approve, Revoke and Reassign). This table view is deliberately uncluttered.

Additional information is available in a slide-out window, the Review details view. To open it, click on the review you are interested in. In the example above, we can see a single user assigned to the resource OIG Salesforce.com. Clicking that row causes the slide-out window to appear.

Review Details View

The Review details section has three areas: User Details, Resource Details and History.

The User details section pulls attribute values from the (Okta) user profile, such as status, title, department and manager.

The Resource details information varies by resource type. For Groups, you currently only see the group name. For Applications, you will see the label (name) and the application itself, when it was last accessed (if it is an SSO app), when it was last reviewed and when it was assigned. This information can be very useful for determining whether a user should retain access.

For specific apps, such as Salesforce.com and Microsoft Office 365, entitlement information is also shown if any is assigned. This may be roles, licenses or other entitlements. The following shows two examples.

Finally, the History section shows the certification history for this user on this resource. This is also very useful when deciding whether to approve or revoke the access.
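The Resource details and History sections above list the signals a reviewer weighs: user status, last access (SSO apps only), last review, assignment date, entitlements and prior decisions. The following is an added example, not Okta's code or API, that turns those signals into plain-language hints a reviewer might want highlighted; the field names, thresholds and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class ReviewItem:
    """One pending review, mirroring the fields the review details view shows (assumed names)."""
    user_status: str                       # e.g. ACTIVE, SUSPENDED, DEPROVISIONED
    resource_type: str                     # GROUP or APPLICATION
    is_sso_app: bool = False               # last-accessed is only meaningful for SSO apps
    last_accessed: Optional[date] = None
    last_reviewed: Optional[date] = None
    assigned: Optional[date] = None
    entitlements: List[str] = field(default_factory=list)   # roles/licenses on the app
    history: List[str] = field(default_factory=list)        # prior campaign decisions


def review_hints(item: ReviewItem, today: date, stale_days: int = 90) -> List[str]:
    """Return hints that argue for a closer look before approving; empty means nothing unusual."""
    hints: List[str] = []
    if item.user_status != "ACTIVE":
        hints.append(f"user status is {item.user_status}")
    if item.resource_type == "APPLICATION" and item.is_sso_app:
        # Only SSO apps record sign-ins, so silence on a non-SSO app is not a signal.
        if item.last_accessed is None:
            hints.append("no recorded sign-in to this app")
        elif (today - item.last_accessed).days > stale_days:
            hints.append(f"last sign-in {(today - item.last_accessed).days} days ago")
    if item.last_reviewed is None:
        hints.append("never certified before")
    if "REVOKED" in item.history:
        hints.append("access was revoked in a previous campaign")
    if item.entitlements:
        hints.append("carries entitlements: " + ", ".join(item.entitlements))
    return hints


# Constructed sample: a suspended user with a stale Salesforce login and a past revocation.
SAMPLE_ITEM = ReviewItem(
    user_status="SUSPENDED", resource_type="APPLICATION", is_sso_app=True,
    last_accessed=date(2023, 6, 1), last_reviewed=date(2023, 9, 1),
    assigned=date(2022, 1, 1), entitlements=["Sales User"],
    history=["APPROVED", "REVOKED"],
)

if __name__ == "__main__":
    for hint in review_hints(SAMPLE_ITEM, date(2024, 1, 1)):
        print("-", hint)
```

A reviewer still makes the decision; the hints only surface the facts the page says are worth looking at.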

The information presented to help reviewers is expected to grow over time.

This article has shown how information is presented to reviewers to help them make their review decision, whilst keeping the interface clean and easy to use.
