The Access Certifications capability has been a core part of Okta Identity Governance (OIG) since its inception. However, in the first update for this year (2025.01.0), Preconfigured Access Certification Campaigns were added to OIG. This article explores the new feature.
Overview
Building access certification campaigns is very straightforward. The wizard-like flow walks you through the steps to define the resources and users, the reviewers, how the campaign is to run and how to respond to a revoke action. It has been extended over the years with additional functionality, such as multiple levels of review, entitlements and UARs.
So what’s new? Some of the options for specific use cases have been “templatized” to make them easier to create and run.
When exploring Access Certifications under the Identity Governance menu item in the Okta Administration Console, you may notice a new tab called Preconfigured campaigns.

There are currently two preconfigured campaigns: Discover inactive users, and Okta administrator review. We will explore each of these.
Discover inactive users
This campaign will “identify and manage users who have been inactive for more than 90 days in the top five apps with the most inactive users”. It is not looking at all apps for all users, just the big hitters. The example above shows the top five apps with the most inactive users in my test system.
When the Create campaign button is used, the campaign details are pre-filled. You are not walked through the creation steps, but you can go back and modify them.

Okta has done some background work to determine the top five apps with the most inactive users in your Org. You have no control over this selection, although you can change the app list in the campaign; OIG has simply determined the biggest ones.
There is a Predefined user scope to restrict the users to “No recent activity” within the last 90 days.

This is a standard option for Access Certification campaigns. You could apply this scope to any resource campaign.
The campaign is assigned by default to the administrator who built it. It also takes no remediation action on a revoke, or on no response at campaign end.
As with any other campaign, you can Schedule and (optionally) Launch it. It appears in the reviewer's list of Open campaigns.

The campaign will show all users, with the standard options to Approve, Revoke and Reassign.

Clicking a user reveals the slide-out panel with the details of the user and resource (in this case the app).

The reviewer can see details about when the user was assigned to the app, last access date and application usage to help them decide if they need to retain access.
Okta administrator review
The Okta administrator review campaign will “ensure users have the correct admin roles and identify users who may no longer need admin access based on activity.” This is a powerful tool to help reduce the administrative privileges in Okta (see also Reduce Risk Through Governance for Okta Administrators).
This type of campaign has been available since the Govern Admin Roles feature was released in Okta (see A Look at the new Govern Admin Roles feature); this update has made it a template for easier use.

The Resources scope is looking at the Admin Console app and the entitlements (i.e. Admin Roles) associated with it.

The Users scope is all users assigned to the selected resources (i.e. the Admin Console app). As with the other preconfigured campaign, it is assigned to the administrator creating it (but they will be automatically excluded) and there are no remediation actions taken.
The review shows all admins (except the requester) and the Admin Roles they have.

Selecting a user produces the slide-out window with more details.

You can see the specific entitlement (Admin Role) but also the other active entitlements for the user in one place. This provides a simple view of what that admin can access and the reviewer can decide what (if any) they should retain.
Bonus Integration
In addition to being able to create campaigns off the two templates, the Inactive Users capability is integrated with the applications view.

In the above example, when looking at the AWS IAM Identity Center application, there is a widget showing the number of inactive users for the last 90 days, with a button to create a campaign off it. The campaign will be scoped to only the selected app.

Conclusion
The new Preconfigured campaigns feature provides templates to simplify the creation of campaigns. The two campaigns provided as templates, Discover inactive users and Okta administrator review, can also be created manually (although the first would require knowing which apps have the most inactive users).
The new feature has made it easier to generate these campaigns, which may mean organisations run them more often and use them to reduce the number of inactive users and users with unnecessary admin access, leading to a more secure environment.
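Building the Discover inactive users campaign manually means working out which apps have the most inactive users. The sketch below is an added example, not Okta's code or its selection logic: it ranks apps from a constructed list of assignments using the 90-day threshold and top-five limit quoted above. The record layout, the placeholder app names and the treatment of never-used assignments as inactive are assumptions.

```python
from datetime import date, timedelta

INACTIVITY_DAYS = 90       # "inactive for more than 90 days"
TOP_N = 5                  # "top five apps with the most inactive users"
TODAY = date(2025, 2, 1)   # constructed "as of" date for the sample


def days_ago(days):
    """Sample-data helper: the date `days` before TODAY, or None for never used."""
    return None if days is None else TODAY - timedelta(days=days)


# Constructed sample: (app, user, last access date). The layout is an assumption,
# not an Okta export format; only the first app name appears in the article.
SAMPLE_ASSIGNMENTS = [
    ("AWS IAM Identity Center", "alice", days_ago(200)),
    ("AWS IAM Identity Center", "bob", days_ago(None)),
    ("AWS IAM Identity Center", "carol", days_ago(91)),
    ("App B", "alice", days_ago(10)),
    ("App B", "dave", days_ago(120)),
    ("App B", "erin", days_ago(400)),
    ("App C", "bob", days_ago(90)),    # exactly 90 days is not "more than 90"
    ("App C", "frank", days_ago(95)),
    ("App D", "gina", days_ago(300)),
    ("App E", "hank", days_ago(None)),
    ("App F", "ivan", days_ago(150)),
    ("App G", "judy", days_ago(5)),
]


def is_inactive(last_access, today, days=INACTIVITY_DAYS):
    """True when last access is older than the cutoff.
    Assumption: an assignment that was never used counts as inactive."""
    return last_access is None or last_access < today - timedelta(days=days)


def top_inactive_apps(assignments, today, top_n=TOP_N):
    """Return [(app, sorted inactive users)], most inactive first, ties by app name."""
    by_app = {}
    for app, user, last_access in assignments:
        if is_inactive(last_access, today):
            by_app.setdefault(app, set()).add(user)
    ranked = sorted(by_app.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(app, sorted(users)) for app, users in ranked[:top_n]]


if __name__ == "__main__":
    for app, users in top_inactive_apps(SAMPLE_ASSIGNMENTS, TODAY):
        print(f"{app}: {len(users)} inactive -> {', '.join(users)}")
```

The resulting app list is what you would select as the resources of a manually built campaign, combined with the “No recent activity” user scope.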
