User Access Reviews in Okta Identity Governance

This article explores the new user campaign (User Access Review) feature in Okta Identity Governance (OIG) Access Certifications.


The ability to build and run access certification campaigns against resources in Okta (groups and applications) has been in Okta Identity Governance (OIG) since it was released. In June, User Campaigns was added to address User Access Review requirements.

Whereas the resource campaigns are focussed on who has access to a set of resources, the user campaign is focussed on what access (groups and/or resources) a user has. Resource campaigns are more useful to service owners or those concerned with compliance. User campaigns are more useful to managers who need to keep track of what access their people have.

The mechanisms and interfaces for user campaigns are the same as for resource campaigns, so this is an evolution of OIG Access Certifications (as will be Entitlement Campaigns when the Entitlements features are rolled out). This means no new training for reviewers, and the same management mechanisms used today will also work for user campaigns.

There is also a video walkthrough of this on the Okta YouTube channel.

In this article we will walk through creating and running a User Campaign.

Setting Up a User Campaign

The setup steps are similar to a resource campaign, with the wizard-like UI walking through the general setup, user selection, resource selection, reviewer selection and remediation action steps. The following sections will highlight the differences (assuming you’re familiar with setting up Access Certification Campaigns).

You begin by selecting User Campaign from the pulldown under the Create Campaign button (shown above).

General Set Up

The General page is the same as for every campaign – name and description, and execution start and duration.

Users Selection

The Users page is new for this campaign type. This is the page where you specify the users that will be the subject of this campaign.

You can select to specify groups of users (all users in one or more groups), a specific user or use some Okta Expression Language (OEL) to determine the user(s).

The second field will change depending on the selection of the first. For example, selecting Individual users will change the second field to Select users.

If you select to use OEL you will get a text field for the expression language plus links to samples and the documentation (as you would with a resources campaign).

This might be useful if you want to select a set of users based on a User Profile attribute, like review access to all users in a department or office location.

Resources Step

With the user(s) selected, you need to define what Resources to include. You can select all apps and groups, all apps or all groups.

There are four checkboxes you can select or not:

  • Only include individually assigned apps – you can either see all apps for the user (i.e. assigned directly or via a group assignment) or only those assigned directly
  • Only include individually assigned groups – you can see all group memberships (i.e. manually assigned or assigned automatically through a group rule) or only those assigned manually
  • Exclude specific apps from the campaign – list those to exclude
  • Exclude specific groups from the campaign – list those to exclude

By default you will see everything, but some campaigns may need selection of some of these options.
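The effect of these options on what a reviewer actually sees can be modelled as below. This is an added illustration, not Okta code or the Okta API; the class names, field names and sample assignments are constructed for the example. It also returns the assignments that fall outside the campaign, since anything filtered out by the "individually assigned" or exclusion options is not certified by this review.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    user: str
    kind: str       # "app" or "group"
    resource: str
    source: str     # "direct" = individually/manually assigned,
                    # "inherited" = via group assignment or group rule

@dataclass(frozen=True)
class ResourceScope:
    include: str = "all"                 # "all", "apps" or "groups"
    only_individual_apps: bool = False
    only_individual_groups: bool = False
    excluded_apps: frozenset = frozenset()
    excluded_groups: frozenset = frozenset()

def in_scope(a: Assignment, s: ResourceScope) -> bool:
    """True if this assignment becomes a review item under the given options."""
    if s.include != "all" and s.include != a.kind + "s":
        return False
    if a.kind == "app":
        only_individual, excluded = s.only_individual_apps, s.excluded_apps
    else:
        only_individual, excluded = s.only_individual_groups, s.excluded_groups
    if a.resource in excluded:
        return False
    return a.source == "direct" or not only_individual

def split_review_items(assignments, scope):
    """Return (reviewed, not_reviewed) so the uncertified access is visible."""
    reviewed = [a for a in assignments if in_scope(a, scope)]
    skipped = [a for a in assignments if not in_scope(a, scope)]
    return reviewed, skipped

# Constructed sample data for one user.
SAMPLE = [
    Assignment("alice", "app", "Salesforce", "direct"),
    Assignment("alice", "app", "GitHub", "inherited"),
    Assignment("alice", "app", "Payroll", "direct"),
    Assignment("alice", "group", "Engineering", "inherited"),
    Assignment("alice", "group", "Prod-Admins", "direct"),
]

if __name__ == "__main__":
    narrow = ResourceScope(only_individual_apps=True, only_individual_groups=True,
                           excluded_groups=frozenset({"Prod-Admins"}))
    for label, scope in (("default", ResourceScope()), ("narrowed", narrow)):
        reviewed, skipped = split_review_items(SAMPLE, scope)
        print(label, "reviewed:", [a.resource for a in reviewed],
              "not reviewed:", [a.resource for a in skipped])
```

With the narrowed scope, the inherited app, the rule-based group and the excluded group all drop out of the review, so that access needs to be covered by another campaign if it must be certified.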

Reviewer Step

The Reviewer page is the same as for any other campaign. You can specify multiple levels of reviewer and also when notifications are sent.

Some options, like Group Owner, aren’t available as they don’t apply to user campaigns.

Remediation Step

The Remediation page and options are the same as for any other campaign.

Even though the campaign is presenting resource assignments by user, the outcome is the same – users retain or lose the assignment based on the reviewer selecting Approve or Revoke when reviewing, and these options control what occurs.

Running a User Campaign

Running the campaign is exactly the same as with a resource campaign – it is launched then reviewers review access until the campaign finishes.

Launching the Campaign

With the user campaign defined, it will launch on schedule or can be manually launched immediately.

The administrator can see details of the campaign – a summary at the top and the review details (items) at the bottom.

The reviewers will get notification of the campaign being launched.

Campaign Review

The reviewer, such as the user’s manager, will see the new campaign in their list of open campaigns.

Opening the campaign they will see the summary information and the list of items to be reviewed. This is the same as for any resource campaign.

As with the resource campaigns the reviewer can see the details of a specific user-resource assignment by clicking on the row.

The reviewer would run through all the assigned items and Approve, Revoke or Reassign as they would for a resource campaign.

Monitoring, Managing and Reporting

As with resource campaigns, the progress can be monitored in the Admin Console, review events will be sent to the Okta System Log (and can trigger automation in Workflows), and the campaign information will be available in the Access Certification Campaigns reports.


Adding user campaigns to Okta Identity Governance Access Requests for User Access Review requirements represents an evolution not revolution. The concepts and user interface are the same, just with a focus on users rather than resources. It represents a significant improvement in functionality with little incremental change to those using it.
