This page highlights the articles on this blog that relate to Okta’s Identity Governance and Administration (IGA) products, Lifecycle Management (LCM), Workflows (where they relate to IGA) and Identity Governance (OIG).
IGA Overview
The term Identity Governance and Administration (IGA) was coined by (or made popular by) Gartner to highlight how the traditional IAM domains of Identity Management and Identity Governance were coming together with vendors covering aspects of both. Traditionally Identity Management covers capabilities around granting accounts access to systems, such as lifecycle management, HR integration, role- and request-based access entitlement, and provisioning (adapters, connectors etc.). Identity Governance is more focussed on the controls and visibility around who has access to what, and includes access request processes, access certification, role engineering and review, and reporting.
Okta has had Lifecycle Management capabilities for some time, including access request functionality, group rules to drive role-based access entitlements, target system integration for provisioning (via OIN integrations and SCIM), and workflows for process extension and automation. The Okta IGA product, Okta Identity Governance has just been released in Limited Early Access (Mar 2022) and covers access requests, access certification and identity reporting.
There are category-specific child pages. See the Pages navigation in the sidebar.
IGA Posts
The Okta IGA-related articles on this site are listed below.
OIG Assets in the Okta Community
Those following this blog will know we post a lot of technical assets on the Okta products from a technical specialist perspective, such as the how-to’s that aren’t obvious from product documentation or cross-product solutions to address specific use cases. But did you know there are some community assets published by Okta in addition to…
OIG Access Requests – Can I Attach a File?
A common requirement for access requests is adding a file to support the request. It may not be obvious, but Okta Identity Governance has the means to attach a file to a request. Let’s explore this and show an example. How to Attach a File in the Access Requests Portal A file can be attached…
OIG Access Requests – Posting Questions Based on Earlier Selections
My colleague, Rajesh Kumar, showed me something today that fell into the “wow, I didn’t even think of using the product this way” category. It involves using logic in Access Request flows (Request Types) in Okta Identity Governance to prompt for additional information based on earlier selections. Let’s look at how the user experiences it,…
OIG Access Requests and Workflows – Checking SoD In An Access Request
This article looks at a new approach you could use to perform Separation of Duties (SoD) checking from Okta Access Requests using Okta Workflows. It shows two approaches you could take to get SoD analysis into the request a soon as it’s raised so that the reviewer has the information at hand before approving the…
OIG Access Requests – Posting Additional Information into a Request
This article looks at a recent addition to the Okta Identity Governance (OIG) Access Request API that allows updating of in-flight access requests and can be used to add additional data to help reviewers review requests. Note that the OIG APIs are still in beta but can be used against preview and production Okta orgs.…
User Access Reviews in Okta Identity Governance
This article explores the new user campaign (User Access Review) feature in Okta Identity Governance (OIG) Access Certifications. Introduction The ability to build and run access certification campaigns against resources in Okta (groups and applications) has been in Okta Identity Governance (OIG) since it was released. In June User Campaigns was added to address User…
OIG Access Requests – Calling an Okta Workflow from Within a Request Type
For some time there has been the ability to trigger a workflow in Okta Workflows from a request flow in Okta Access Requests via events written to the Okta System Log. Events were created for a request being initiated and being closed. But this approach has some limitations, such as a lot of processing within…
Understanding AWS IAM and Integrating with Okta and Workflows
I’ve been looking into application entitlements and the Amazon Web Services (AWS) users, groups and entitlements has perplexed me for some time. I’ve had the opportunity to explore it, try to understand it and build some integration between Okta Workforce Identity Cloud (via Okta Workflows). This post is a summary of my findings. AWS and…
OIG Access Requests – Who is the Request Assignee?
As is often the case, product documentation tells you how to turn on or configure a function but often doesn’t provide the context of that function. I found this yesterday when exploring something with a customer in Okta Identity Governance (OIG) Access Requests. What is the Request Assignee you can assign to some of the…
OIG Access Requests – Can an Approver Supply Information for a Request?
Recently someone asked if Okta Identity Governance (OIG) Access Requests could be setup so a manager could supply additional information for the request. Their use case, the requester wants access to an application but they don’t know the role they need, so the manager would select the role at the approval stage. Short answer -…
Did You Know the Machine Learning in OIG Access Requests Extends to the WebUI?
If you’ve seen a demonstration of Okta Identity Governance (OIG) Access Requests, you have probably seen the machine learning (AI) capability when requesting access in Slack or Microsoft Teams. You ask for access to something, and the AI will try to determine the best request type to present. It learns over time, so that terms…
New Reviewer Options in OIG Access Certification
There was a recent change to the reviewer selections for Okta Identity Governance (OIG) Access Certification to allow for more options and to simplify the administrative experience. The feature is currently an Early Access feature (the “Reviewer Assignment” enhancement) that can be turned on in an OIG-enabled Okta org. It will roll into production over…
Okta Identity Governance and/or Service Now – Architectural Patterns
Most organisations have some ITSM or service request tool, and ServiceNow is the most common. So it’s understandable that any conversation about Okta Identity Governance, particularly access requests, will involve comparison with ServiceNow or integration patterns for both products. How do you approach an access request solution? Which product is going to meet your needs…
Risk-Based Application Certification in OIG
If you were at Oktane22, or have listened to the Oktane22 roadmap sessions, you will know risk and use of risk signals is a key focus for Okta going forward. This includes leveraging risk in Okta Identity Governance (OIG), to help make access requests and access certification more effective. But can you leverage risk today?…
Logging a ServiceNow Request via Workflows from OIG Access Requests
A common ask for Okta Identity Governance is to be able to log at ticket in a service desk tool, like ServiceNow, for manual provisioning activities after following an approval process in Access Requests. This article explores one approach to this using OIG Access Request events in the Okta System Log, Event Hooks and Okta…
OIG Access Requests – Cancelling a Timer
If you’re familiar with the timer feature in Okta Identity Governance (OIG) Access Requests, you may have wondered if you can cancel a running timer and if so, how? Let’s show how it can be done. If you’re not familiar with the timer feature, have a read of this article: https://iamse.blog/2022/07/27/oig-access-requests-using-the-new-timer-feature/. A timer is used…
OIG Access Requests – Public or Private?
If you have looked at Okta Identity Governance Access Requests, you will know that a request will contain the history of the activity, such as the questions asked and answered, approval steps performed and actions taken. Did you know that a request, with all this information, can be Public or Private? Did you know that…
OIG – Triggering Workflows From Access Certification Reviews
Okta Identity Governance (OIG) provides an access certification component for reviewing users and their access. When reviewing access, a reviewer (such as a users manager) can approve or revoke the access (or reassign). With the revoke action, the access certification campaign can be configured to automatically remove access or do nothing (i.e. leave the access…
OIG Access Requests – Clearing “Stuck” Requests
When working with Okta Identity Governance (OIG) Access Requests, you may find a request in a “stuck” state, where you can’t complete a step or the request doesn’t automatically close when done. Perhaps you’re testing a new Request Type and missed a step or have something misconfigured when you tested it. As an administrator you…
Reassigning Managers for an Access Certification Campaign
A common requirement for Identity Governance and Administration (IGA) controls is for reassignment when a reviewer, like a manager, goes on leave. Okta Identity Governance (OIG) currently supports manual reassignment of access certification reviews by an administrator or by the reviewer themselves. But what about automatic reassignment based on a change to the user profile,…
Access Certification – Helping Reviewers Decide whether to Approve or Revoke Access
The user interface, and general user experience, has been a challenge with Identity Governance and Administration (IGA) products for many years. Unlike many IT products, IGA solutions are used by all business users and need an easy to use and understand interface. This is particularly so with Access Certifications – business owners (like managers or…
OIG – Certification for External System Entitlements
A common ask for Okta Identity Governance (OIG) is to be able to do access certification on external application data. Currently OIG can only run campaigns on objects (group memberships and application assignments) in the Okta Universal Directory (UD). Importing of external system entitlements is on the product roadmap. But with some understanding of the…
OIG Access Requests – Where Do I Assign Teams?
A common concern from a new Okta Identity Governance (OIG) Access Requests deployment is “I can’t see the Application or Group list when building a Request Type”. The most common cause is the assignment of Teams. Teams are the access control mechanism built into OIG Access Requests. They control who can create and own Request…
Enable Provisioning with OAuth for Salesforce.com
A while back Okta changed the provisioning credentials for salesforce.com from the old username and password+token approach to using OAuth. Whilst the new approach was added to the Okta help documentation (https://help.okta.com/oie/en-us/Content/Topics/Provisioning/Salesforce/sfdc-configure-provisioning-REST.htm), the need for the documents to cover both the old and new can lead to some confusion. A customer hit a snag and…
OIG Access Requests – Understanding User Grouping
Understanding user grouping mechanisms in the Okta Identity Governance (OIG) Access Requests mechanism is important to building and running access request flows. It can be confusing and this article aims to address the confusion. Note that OIG Access Requests is the old atSpoke product. The term “Okta” in this article refers to the Okta Identity…
Loading…
Something went wrong. Please refresh the page and/or try again.