There was a recent change to the reviewer selections for Okta Identity Governance (OIG) Access Certification to allow for more options and to simplify the administrative experience. The feature is currently an Early Access feature (the “Reviewer Assignment” enhancement) that can be turned on in an OIG-enabled Okta org. It will roll into production over time and may have done so by the time you read this.
Let’s start by looking at a summary of changes.
Summary of Changes
Up until recently in Okta Identity Governance (OIG) Access Certification, there have been two types of reviewers – a single static reviewer, or a dynamic reviewer based on evaluating Okta Expression Language to derive a single reviewer at campaign launch time. A common scenario was to use the expression user.profile.managerId to determine the reviewee’s manager from their Okta profile.
The set of reviewer types has been expanded. The reviewer screen for an application review campaign now has the following options:
There are two new options – User’s manager and Group. The first removes the need to enter Okta Expression Language to derive the user’s manager. This was a usability change (you could still enter the expression for the manager). The remaining options are the same as using the expression.
The second will use a group defined in Okta, where the group members are the reviewers. This latter option opens up the ability to have multiple reviewers, solving the problem of a reviewer going on leave and having to manually reassign their reviews. We will give an example of this in the next section of the article.
If the campaign is for groups, there is an additional reviewer option:
This is leveraging the new Group Owner Early Access feature added to Okta Universal Directory recently (https://help.okta.com/en-us/Content/Topics/identity-governance/group-owner.htm). The feature supports assigning users and/or groups as owners of a group in Okta. The group owners can be reviewers in access certification campaigns. We will give an example of this in the last section of this article.
A Group of Reviewers
The ability to assign a group of reviewers addresses the issue of a single reviewer being unavailable. It opens up additional use cases, like having a team for reviewing access to specific apps or groups. This section is a walkthrough of what the new feature looks like.
First, let’s create an Okta group for application review.
When building the campaign we select Group as the reviewer type and select the group.
As a side note, the UI has been enhanced to show additional information about the group being assigned (description, members and applications).
When the campaign is created and launched, you will see it is assigned to the group, not individuals.
The campaign administrator can reassign the campaign.
If we look at the reviewer view, it is basically the same as campaign review pages in the past.
They can see all the users and their resources, and can approve or revoke. However, they cannot reassign, because the review is assigned to all the members of the group rather than to one individual.
Group Owner Reviews
The other significant option is to allow Group Owners to be the reviewers for group membership. This is similar to having Role Owners in other IGA products – someone who is responsible for that role and its membership.
Let’s start with assigning some users to a group as owners.
Then, when creating the campaign, we select Group Owner as the reviewer type. You need to specify a Fallback Reviewer in case one or more of the groups being reviewed do not have owners assigned.
When you preview the owner, you will see a message about a limit on the number of owner reviewers.
As a best practice, you should consider the number of owners for your groups – a large number of owners may mean you have a loose governance model over your groups.
When the campaign is created and launched, you see the group owner selection.
The reviewers will see basically the same review screen as before.
As before, a campaign admin can reassign a review item, but the individual reviewer cannot as it has potentially been assigned to multiple reviewers.
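Before choosing Group Owner as the reviewer type, it is worth checking which in-scope groups have no owners (their items fall to the Fallback Reviewer) and which have so many owners that the owner-reviewer limit or a loose governance model becomes a concern. The following audit is an added example, not Okta's own code: it assumes that the Group Owners endpoint `GET /api/v1/groups/{groupId}/owners` returns owner objects carrying `id`, `type` (`USER` or `GROUP`) and `displayName`, and the `max_owners` threshold is an assumed parameter, since the page mentions a limit but not its value. The sample data is constructed so the audit runs offline.

```python
# Added example (not Okta's code). Assumes GET /api/v1/groups/{groupId}/owners
# returns a list of owner objects with 'id', 'type' ('USER' or 'GROUP') and
# 'displayName'; max_owners is an assumed threshold, the page gives no value.
import json
import urllib.request

# Constructed sample data shaped like the owners endpoint's response, so the
# audit can run offline: groupId -> list of owners.
SAMPLE_OWNERS = {
    "00g-finance-app-users": [
        {"id": "00u1", "type": "USER", "displayName": "Alice Finance"}],
    "00g-legacy-reporting": [],  # nobody owns this group
    "00g-engineering-all": [
        {"id": f"00u{n}", "type": "USER", "displayName": f"Eng Lead {n}"}
        for n in range(2, 9)
    ] + [{"id": "00gx", "type": "GROUP", "displayName": "Platform Leads"}],
}


def fetch_owners(org_url, api_token, group_ids):
    """Pull owners for each group from the (assumed) Group Owners endpoint."""
    result = {}
    for gid in group_ids:
        req = urllib.request.Request(
            f"{org_url}/api/v1/groups/{gid}/owners",
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            result[gid] = json.load(resp)
    return result


def audit_group_owners(owners_by_group, max_owners=5):
    """Classify in-scope groups before picking Group Owner as reviewer type.

    'fallback': no owners, so the item is routed to the campaign's Fallback
                Reviewer (which must therefore be configured);
    'too_many': more than max_owners; a GROUP-typed owner expands to its
                members, so it counts as at least one reviewer, often more;
    'ok':       everything else.
    """
    report = {"fallback": [], "too_many": [], "ok": []}
    for gid, owners in owners_by_group.items():
        if not owners:
            report["fallback"].append(gid)
        elif len(owners) > max_owners:
            report["too_many"].append(gid)
        else:
            report["ok"].append(gid)
    return report
```

Run `audit_group_owners(fetch_owners(org_url, token, group_ids))` against the groups the campaign will cover; any group listed under `fallback` is a reason the Fallback Reviewer must be set, and anything under `too_many` is worth a look before launch.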
This enhancement is another of the continuous, incremental improvements to the product. The new reviewer options are:
- User’s manager – removing the need to use Okta Expression Language to derive the user’s manager as reviewer,
- Group – specify a group of users to review, where they all get the notice but only one needs to review, and
- Group Owner – leveraging the Group Owner feature on groups in Okta as reviewers, again supporting multiple reviewers.
The enhancement addresses both the administrator experience (reducing the need for expression language in many cases) and flexibility, through support for multiple reviewers.