Okta has recently released a delegate feature in Okta Identity Governance. This feature allows all governance activity, such as reviewing access requests or access certifications, to be handed over to another Okta user (optionally for a set period). This article introduces the new feature.
Introduction
We all need to go on leave or take time off. So what happens to the work we have to do when we’re away? We delegate it to someone else. Okta has recently released a Delegate feature in Okta Identity Governance (OIG) so that governance-related functions, such as reviewing an access request or an access certification campaign, can be reassigned to someone else in Okta.
This is an Early Access feature that can be enabled in the Features menu in the Okta Admin Console for OIG customers.

Setting a Delegation
As an Administrator
An administrator sets up a delegation for a user through the Admin Console by opening the user’s profile and selecting the new Delegate tab.

A user can only have one delegate assignment at a time; if none is set, the tab shows “No delegates assigned”.
Clicking the Assign a delegate button lets you choose the delegate, add a note that goes out in the email to the delegate, and optionally set a start and end date and time.

Once it’s set, you will see it under the Delegate tab.

The delegate will get an email with the details.

Delegations can also be modified or deleted through the same Delegate tab.
As a User
A user with access to the Access Certification tile on their dashboard can open it, click the pulldown menu under their name, and select the Delegate option.

Similarly, the Access Request tile, when opened, has the same pulldown menu with the Delegate option.

Both paths open the Delegate function in the Dashboard, where a delegate can be assigned just as in the administrator case above.

Now that we’ve seen how to set a delegation, let’s look at how it appears to the delegate.
Access Requests as the Delegate
For the Access Request scenario, I set an approval step to a user who has delegated their OIG functions to another user. When a requester looks at the approval step, they see that the approver is the delegate, not the original approver, with the original approver shown in brackets (here it shows “You” because, for the sake of the screenshot, the user raising the request was also the user set to approve it).

When the delegate goes into the Access Requests app they will see the new request.

When they drill into the request, they will see the approval step set to themselves with the original approver shown in brackets.

You see similar messages for the newer Conditions and Sequences as you do for the older Request Types (shown above).
Access Certification as the Delegate
For Access Certifications, I defined a simple campaign and set the reviewer to myself.

When the campaign launched, you can see that all the reviewers are now set to the delegate.

When that delegate goes into Access Certifications, they see the campaign and users for them to review.

Reviewing a campaign is the same process whether it is done by the original reviewer or by the delegate.
Delegate APIs
The APIs to see and manage delegates (aka delegate appointments) are spread across the OIG API documentation, so they are summarised below.
Set a Delegate Appointment
There is a Principal Settings API with an Update the principal settings endpoint that is used to set a delegate appointment:
/governance/api/v1/principal-settings/{targetPrincipalId}
From the example, passing the following body into the endpoint

will result in a delegate appointment.

List all Delegate Appointments
There is a Delegates API with a List all delegate appointments endpoint to view all current delegate appointments:
/governance/api/v1/delegates
This will return a list of all delegations.

Manage Personal Delegate Appointments
There is an End user My Settings API with three endpoints:
- Retrieve the settings – lists the delegate appointment for the user calling the API,
- Update the settings – changes the delegate appointment for the user calling the API, and
- List the eligible delegate users – returns the list of users that this user could delegate to.
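Because a delegate appointment moves approval and review authority to another person, the List all delegate appointments endpoint above is the natural place to run a periodic review. The following is an added example, not Okta’s code: it fetches that endpoint and flags appointments a governance team would usually want to look at (open-ended appointments, appointments past their end date, unusually long ones, self-delegation, and delegates who have in turn delegated their own approvals). The response envelope, the per-appointment field names (principalId, delegateId, startDate, endDate, note), the 30-day threshold and the SSWS API-token header are all assumptions made for this example, as is the sample data; check them against the OIG API reference for your tenant before relying on the output.

```python
"""Review Okta Identity Governance delegate appointments for risky settings.

Added example, not Okta's code. Labelled assumptions:
- GET /governance/api/v1/delegates is the endpoint named in the article; the
  response shape handled below (a bare list or {"data": [...]}) is assumed.
- Each appointment is a dict with the hypothetical keys principalId,
  delegateId, startDate, endDate (ISO 8601, endDate absent when the
  delegation is open-ended) and note.
- Authentication uses an Okta API token in an "SSWS" Authorization header.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

MAX_DELEGATION_DAYS = 30  # example policy threshold, not an Okta default


def fetch_delegate_appointments(org_url, api_token):
    """Call the List all delegate appointments endpoint (requires network)."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/governance/api/v1/delegates",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    # Assumed envelope: either a bare list or an object with a "data" list.
    return body["data"] if isinstance(body, dict) else body


def _parse(ts):
    """Parse an ISO 8601 timestamp (a trailing 'Z' is accepted); None stays None."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_delegations(appointments, now=None, max_days=MAX_DELEGATION_DAYS):
    """Return (principalId, reason) findings for appointments worth reviewing.

    `now` may be a timezone-aware datetime, an ISO 8601 string, or None (UTC now).
    """
    now = _parse(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    findings = []
    # Users who currently have a delegate of their own.
    delegators = {a["principalId"] for a in appointments}
    for a in appointments:
        principal, delegate = a["principalId"], a["delegateId"]
        start, end = _parse(a.get("startDate")), _parse(a.get("endDate"))
        if end is None:
            # The article notes the end date is optional; open-ended hand-overs
            # are the ones most likely to outlive the absence they covered.
            findings.append((principal, "open-ended delegation (no endDate)"))
        elif end < now:
            findings.append((principal, "expired appointment still listed"))
        elif start is not None and (end - start) > timedelta(days=max_days):
            findings.append((principal, f"delegation longer than {max_days} days"))
        if delegate == principal:
            findings.append((principal, "self-delegation"))
        elif delegate in delegators:
            # The delegate has handed their own approvals to someone else; the
            # article does not say how a second hop is treated, so flag it for review.
            findings.append((principal,
                             f"delegate {delegate} has delegated their own approvals; review the chain"))
    return findings


# Constructed sample data in the assumed shape, not real Okta output.
SAMPLE_APPOINTMENTS = [
    {"principalId": "00u_alice", "delegateId": "00u_bob",
     "startDate": "2024-06-01T00:00:00Z", "endDate": "2024-06-14T00:00:00Z", "note": "PTO"},
    {"principalId": "00u_carol", "delegateId": "00u_dave",
     "startDate": "2024-06-01T00:00:00Z", "note": "covering"},  # no endDate
    {"principalId": "00u_bob", "delegateId": "00u_erin",
     "startDate": "2024-06-01T00:00:00Z", "endDate": "2024-09-01T00:00:00Z"},
]
FIXED_NOW = "2024-06-05T00:00:00Z"  # pinned so the sample run is repeatable


def audit_sample():
    """Run the audit over the constructed sample at the pinned time."""
    return audit_delegations(SAMPLE_APPOINTMENTS, now=FIXED_NOW)


if __name__ == "__main__":
    # Replace audit_sample() with audit_delegations(fetch_delegate_appointments(
    #     "https://example.okta.com", "<api token>")) to review a live tenant.
    for who, why in audit_sample():
        print(f"{who}: {why}")
```

The audit is deliberately separated from the HTTP call so the same logic can run inside a Workflows flow (fed from a Custom API Action card) or from a scheduled script, and so that findings can be asserted on in tests without a tenant.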
Use of APIs in Workflows
Currently there are no corresponding action cards in the Okta Connector in Workflows. You need to run these API endpoints using the Custom API Action card.
Conclusion
The ability to delegate governance functions in OIG, such as access request and access certification reviews, has been a longtime ask for OIG customers. This feature is now in Early Access and this article has provided a brief overview of how to set up and use delegations.

IAMSE