Okta Workflow for Access Certifications – Slack Notifications

Introduction

Today, ensuring the security and compliance of user access rights is a top priority for organizations worldwide. As an advocate for streamlined processes and effective communication, I am excited to share with you a custom-built Okta Workflow that sends Access Certifications campaign notifications: campaign launch notices, weekly campaign reminders to reviewers who have yet to finalize their campaign reviews, and campaign re-assignment notices for a smoother transition.

The robust technical capabilities of this workflow include triggering from Okta campaign event hooks, handling API pagination, processing volumes of data, and building and sending Slack blocks for notifications. The workflow assumes a typical campaign lasting 28 days to send all the different notifications via Slack.

In addition to Okta’s native campaign email notifications, the integration of Slack notifications serves as a vital complement to ensure prompt and effective communication throughout the Access Certification campaign process. Unlike emails, which can often get lost in cluttered inboxes or overlooked amidst a sea of messages, Slack notifications provide a direct and immediate channel for engagement.

Teams also rely heavily on platforms like Slack for real-time communication and collaboration, so delivering notifications directly to reviewers within their familiar workspace ensures heightened visibility and engagement. Reviewers are more likely to respond promptly and take action when notifications are seamlessly integrated into their daily collaborative platforms, eliminating the risk of missed deadlines or overlooked tasks.

By embracing a multi-channel approach with Slack notifications, organizations can enhance the efficiency and effectiveness of their Access Certification campaign processes, fostering a culture of accountability and responsiveness across the board.

Pre-requisites

If you intend to build this workflow, the following are the pre-requisites:

  1. Create 2 Okta event hooks, one for campaign launch and one for campaign decision.
  2. Create a custom Slack application, or use Okta's off-the-shelf Slack application for Okta Workflows. If you use a custom application, the following scopes are required: channels:manage, chat:write, groups:write, im:write, mpim:write, users:read, users:read.email. All of these scopes can be added to the Slack bot, and you can use the Slack bot token to create a custom connection in Okta Workflows.

Design

Since this is a very complex workflow, let's review the components of this 3-part workflow with a visual representation.

As depicted above, let's walk through this workflow's 3 components:

Campaign Launch Slack Notification Workflow

  1. A campaign is launched in the Okta tenant, and the event hook triggers the Okta workflow with the event details containing the campaignId.
  2. Okta Workflows makes a GET API call to the Okta tenant to get additional campaign details, using the campaignId received in the event hook.
  3. Okta Workflows processes the response from the GET API call, parses the campaign details, and writes campaignId, campaignName, campaignStartDate and campaignEndDate to a Campaign Details Workflow Table.
  4. Next, using the campaignId, Okta Workflows makes another GET API call to the Okta tenant requesting the list of reviewers assigned to the campaign. Build this workflow to handle pagination for these Okta API calls.
  5. From the list of reviewers, the workflow produces a list of unique reviewers assigned to the campaign and writes them to a temporary Okta Workflow table.
  6. Next, reading this temporary table of unique assigned reviewers, Okta Workflows builds the Slack Blocks and makes a postMessage Slack POST API call to notify each assigned reviewer about the campaign launch and assignment (if the message is delivered with response 200 OK, delete all entries from the unique assigned reviewers temporary table).

Campaign Reminder Slack Notification Workflow

  1. This is a scheduled workflow that runs once a day. Whenever it runs, it gets the current date and time.
  2. Next, it queries the Campaign Details Workflow Table, created during campaign launch, for all campaigns that are still active relative to the current date and time. It also deletes the table entries for campaigns that have ended.
  3. Next, it calculates the difference in days between the current dateTime and campaignStartDate.
  4. Based on the outcome of step 3, it continues only if the difference is 7, 14, 21 or 25 days; otherwise it stops.
  5. Next, using the campaignId (queried from the workflow table in step 2), Okta Workflows makes a GET API call to the Okta tenant requesting the list of reviewers assigned to the campaign with a filter "UNREVIEWED" (this workflow also handles pagination for Okta API calls).
  6. From the list of unreviewed reviewers, it produces a list of unique unreviewed reviewers assigned to the campaign and writes them to a temporary Okta Workflow table.
  7. Next, reading this temporary table of unique unreviewed reviewers, Okta Workflows builds the Slack Blocks and makes a postMessage Slack POST API call to send the respective campaign reminder for the 7th, 14th, 21st or 25th day (if the message is delivered with response 200 OK, delete all entries from the unreviewed reviewers temporary table).
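The date logic of steps 2 to 4, written out as an added Python example (not part of the original workflow, which is built from Okta Workflows cards). The table rows and campaign IDs are constructed sample data, and the function names are hypothetical. It counts days between UTC calendar dates so that a scheduled run firing a few seconds early does not skip a reminder day.

```python
from datetime import datetime, timezone

# Reminder days come from step 4; field names follow the Campaign Details table.
REMINDER_DAYS = {7: "7th", 14: "14th", 21: "21st", 25: "25th"}

def parse_utc(ts):
    """Parse an ISO-8601 timestamp (trailing 'Z' allowed) into aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def plan_daily_run(table, now):
    """Return (reminders, ended_ids) for one scheduled run at `now` (aware).

    Days are counted between UTC calendar dates, not elapsed 24-hour blocks.
    With an elapsed-time count, a run at 08:59:55 for a campaign started at
    09:00:00 sees 6 days on day 7, and the next run may already see 8.
    """
    today = now.astimezone(timezone.utc).date()
    reminders, ended = [], []
    for row in table:
        if now >= parse_utc(row["campaignEndDate"]):
            ended.append(row["campaignId"])  # step 2: purge finished campaigns
            continue
        days = (today - parse_utc(row["campaignStartDate"]).date()).days
        if days in REMINDER_DAYS:  # step 4: any other day means no reminder
            reminders.append((row["campaignId"], REMINDER_DAYS[days]))
    return reminders, ended

# Constructed sample rows: one running 28-day campaign, one already ended.
TABLE = [
    {"campaignId": "campaign-A", "campaignStartDate": "2024-03-01T09:00:00Z",
     "campaignEndDate": "2024-03-29T09:00:00Z"},
    {"campaignId": "campaign-B", "campaignStartDate": "2024-02-01T09:00:00Z",
     "campaignEndDate": "2024-02-29T09:00:00Z"},
]

if __name__ == "__main__":
    run_time = datetime(2024, 3, 8, 8, 59, 55, tzinfo=timezone.utc)  # 5 s early
    print(plan_daily_run(TABLE, run_time))
```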

Campaign ReAssignment Slack Notification Workflow

  1. A campaign decision event is sent to this Okta workflow. Decision events include approve, deny and re-assignment events.
  2. The Okta workflow continues only for re-assignment events; otherwise it stops.
  3. For a campaign with a re-assignment, query the campaign details from Okta with a GET API call using the campaignId.
  4. Process the data from the event (step 1) and the GET API call (step 3) to get the re-assignee, re-assigner, campaign name and campaign end date.
  5. Using the details processed in step 4, send a Slack notification to the re-assignee about the re-assignment, including the campaign details.

Areas of Attention

If you build this workflow, the following are the areas of attention, or things to consider:

  1. Handle pagination. When you GET a list of reviewers of a campaign from Okta's API, the API only returns 200 reviewers per page.
  2. To send a Slack notification, you need the user's Slack channel ID. The way I approached this is:
     • GET the user's Slack userID from the user's email (firstName.lastName@example.com) using the users.lookupByEmail API
     • With the userID, open a conversation with the user using the conversations.open API, which returns the channelId of the conversation with the user
     • Then use the returned channelId to send notifications via the chat.postMessage API
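Both points above as one added Python example (not the author's workflow, which uses Okta Workflows cards): reviewers are collected across pages and de-duplicated, then each is messaged through the three Slack methods. Slack's Web API reports most failures as HTTP 200 with `"ok": false`, so delivery is judged on the `ok` field and failed reviewers are returned rather than cleared. `fetch_page`, the `slack` callable, the `reviewerEmail` field and all sample data are hypothetical or constructed.

```python
def unique_reviewers(fetch_page):
    """fetch_page(cursor) -> (items, next_cursor) is a hypothetical pager."""
    seen, cursor = {}, None
    while True:
        items, cursor = fetch_page(cursor)
        for item in items:
            seen.setdefault(item["reviewerEmail"].lower())  # assumed field name
        if cursor is None:
            return list(seen)  # dicts keep first-seen order

def _call(slack, method, **params):
    """Slack reports most failures as HTTP 200 with ok=false, so check 'ok'."""
    reply = slack(method, **params)
    if not reply.get("ok"):
        raise RuntimeError(f"{method}: {reply.get('error', 'unknown_error')}")
    return reply

def notify(emails, slack, text):
    """DM each reviewer; return (delivered, failed) so failures stay queued."""
    delivered, failed = [], {}
    for email in emails:
        try:
            user = _call(slack, "users.lookupByEmail", email=email)
            dm = _call(slack, "conversations.open", users=user["user"]["id"])
            _call(slack, "chat.postMessage", channel=dm["channel"]["id"], text=text)
            delivered.append(email)
        except RuntimeError as exc:
            failed[email] = str(exc)
    return delivered, failed

# Constructed sample data: two API pages with a duplicate, and a stub Slack.
PAGES = {None: ([{"reviewerEmail": "ana@example.com"},
                 {"reviewerEmail": "Bo@example.com"}], "page2"),
         "page2": ([{"reviewerEmail": "ana@example.com"},
                    {"reviewerEmail": "cy@example.com"}], None)}
SLACK_USERS = {"ana@example.com": "U01", "bo@example.com": "U02"}

def stub_slack(method, **params):
    if method == "users.lookupByEmail":
        uid = SLACK_USERS.get(params["email"])
        return ({"ok": True, "user": {"id": uid}} if uid
                else {"ok": False, "error": "users_not_found"})
    if method == "conversations.open":
        return {"ok": True, "channel": {"id": "D" + params["users"][1:]}}
    return {"ok": True}  # chat.postMessage

def run_demo():
    emails = unique_reviewers(lambda cursor: PAGES[cursor])
    return emails, notify(emails, stub_slack, "Access review reminder")
```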

Conclusion

In conclusion, this integration of Okta workflow with Slack for sending campaign notifications exemplifies efficiency, collaboration, and user-friendliness in user access management.

By leveraging Slack as a real-time communication platform, our workflow ensures that notifications reach reviewers promptly and effectively, fostering a culture of responsiveness and accountability within the organization. Reviewers can seamlessly engage with notifications within their familiar Slack environment, streamlining the review process and enhancing overall efficiency.

Moreover, the collaborative nature of Slack enhances teamwork and communication among reviewers and campaign admins, enabling them to discuss and resolve access review issues efficiently. This collaborative approach not only accelerates decision-making but also improves the quality of review outcomes.

Furthermore, the user-friendly interface of Slack makes it intuitive for reviewers to interact with notifications and take necessary actions, reducing the learning curve and ensuring widespread adoption across the organization.

It’s worth noting that while I have demonstrated this integration with Slack, the framework developed can easily be adapted to integrate with other enterprise collaboration tools. This flexibility ensures that organizations can leverage their preferred collaboration platforms while still benefiting from the same efficiency and user-friendliness.

In essence, our approach not only streamlines Access Certification campaign management but also empowers organizations to embrace collaboration and user-centricity in their access review processes, ultimately driving improved security and compliance outcomes.
