IGA (Incl. LCM)

This page highlights the articles on this blog that relate to Okta’s Identity Governance and Administration (IGA) products, Lifecycle Management (LCM), Workflows (where they relate to IGA) and Identity Governance (OIG).

IGA Overview

The term Identity Governance and Administration (IGA) was coined by (or made popular by) Gartner to highlight how the traditional IAM domains of Identity Management and Identity Governance were coming together with vendors covering aspects of both. Traditionally Identity Management covers capabilities around granting accounts access to systems, such as lifecycle management, HR integration, role- and request-based access entitlement, and provisioning (adapters, connectors etc.). Identity Governance is more focussed on the controls and visibility around who has access to what, and includes access request processes, access certification, role engineering and review, and reporting.

Okta Identity Governance covers the full spectrum of Identity Governance and Administration (IGA)

Okta has had Lifecycle Management capabilities for some time, including access request functionality, group rules to drive role-based access entitlements, target system integration for provisioning (via OIN integrations and SCIM), and workflows for process extension and automation. The Okta IGA product, Okta Identity Governance has just been released in Limited Early Access (Mar 2022) and covers access requests, access certification and identity reporting.

There are category-specific child pages. See the Pages navigation in the sidebar.


IGA Posts

The Okta IGA-related articles on this site are listed below.

New Reviewer Options in OIG Access Certification

There was a recent change to the reviewer selections for Okta Identity Governance (OIG) Access Certification to allow for more options and to simplify the administrative experience. The feature is currently an Early Access feature (the “Reviewer Assignment” enhancement) that can be turned on in an OIG-enabled Okta org. It will roll into production over…

Okta Identity Governance and/or Service Now – Architectural Patterns

Most organisations have some ITSM or service request tool, and ServiceNow is the most common. So it’s understandable that any conversation about Okta Identity Governance, particularly access requests, will involve comparison with ServiceNow or integration patterns for both products. How do you approach an access request solution? Which product is going to meet your needs…

Risk-Based Application Certification in OIG

If you were at Oktane22, or have listened to the Oktane22 roadmap sessions, you will know risk and use of risk signals is a key focus for Okta going forward. This includes leveraging risk in Okta Identity Governance (OIG), to help make access requests and access certification more effective. But can you leverage risk today?…

Logging a ServiceNow Request via Workflows from OIG Access Requests

A common ask for Okta Identity Governance is to be able to log at ticket in a service desk tool, like ServiceNow, for manual provisioning activities after following an approval process in Access Requests. This article explores one approach to this using OIG Access Request events in the Okta System Log, Event Hooks and Okta…

OIG Access Requests – Public or Private?

If you have looked at Okta Identity Governance Access Requests, you will know that a request will contain the history of the activity, such as the questions asked and answered, approval steps performed and actions taken. Did you know that a request, with all this information, can be Public or Private? Did you know that…

OIG – Triggering Workflows From Access Certification Reviews

Okta Identity Governance (OIG) provides an access certification component for reviewing users and their access. When reviewing access, a reviewer (such as a users manager) can approve or revoke the access (or reassign). With the revoke action, the access certification campaign can be configured to automatically remove access or do nothing (i.e. leave the access…

OIG Access Requests – Clearing “Stuck” Requests

When working with Okta Identity Governance (OIG) Access Requests, you may find a request in a “stuck” state, where you can’t complete a step or the request doesn’t automatically close when done. Perhaps you’re testing a new Request Type and missed a step or have something misconfigured when you tested it. As an administrator you…

Reassigning Managers for an Access Certification Campaign

A common requirement for Identity Governance and Administration (IGA) controls is for reassignment when a reviewer, like a manager, goes on leave. Okta Identity Governance (OIG) currently supports manual reassignment of access certification reviews by an administrator or by the reviewer themselves. But what about automatic reassignment based on a change to the user profile,…

OIG – Certification for External System Entitlements

A common ask for Okta Identity Governance (OIG) is to be able to do access certification on external application data. Currently OIG can only run campaigns on objects (group memberships and application assignments) in the Okta Universal Directory (UD). Importing of external system entitlements is on the product roadmap. But with some understanding of the…

OIG Access Requests – Where Do I Assign Teams?

A common concern from a new Okta Identity Governance (OIG) Access Requests deployment is “I can’t see the Application or Group list when building a Request Type”. The most common cause is the assignment of Teams. Teams are the access control mechanism built into OIG Access Requests. They control who can create and own Request…

Enable Provisioning with OAuth for Salesforce.com

A while back Okta changed the provisioning credentials for salesforce.com from the old username and password+token approach to using OAuth. Whilst the new approach was added to the Okta help documentation (https://help.okta.com/oie/en-us/Content/Topics/Provisioning/Salesforce/sfdc-configure-provisioning-REST.htm), the need for the documents to cover both the old and new can lead to some confusion. A customer hit a snag and…

OIG Access Requests – Understanding User Grouping

Understanding user grouping mechanisms in the Okta Identity Governance (OIG) Access Requests mechanism is important to building and running access request flows. It can be confusing and this article aims to address the confusion. Note that OIG Access Requests is the old atSpoke product. The term “Okta” in this article refers to the Okta Identity…

Certifying Access for Disconnected Application in Okta

The beauty with Okta is that there are over 500 applications in the Okta Integration Network that enables Admins to automate the user lifecycle. For these apps, Okta Identity Governance enables immediate remediation based on access reviews. There are still many applications that don’t and won’t support this, which creates a challenge when it comes…

OIG Access Requests – Using the New Timer Feature

This article explores the new Timer feature in Okta Identity Governance (OIG) Access Requests. It provides an overview of the new function and how it could be used for a long-term (days or weeks) access request and a short-term (hours) privileged access request. This article assumes a familiarity with the OIG Access Requests workflows. For…

Historical Reporting of OIG Access Requests

A common request asked is how to look at past access request events. Currently you can see the results of the requests in the Okta System Log and also in the Okta Identity Governance (OIG) Access Requests admin console. This article will explore these. Article contents: This is still an early release product, so expect…

Designing OIG Access Requests for Ease of Use

Access Requests are designed to be used by all people in an organisation. So making the interface and information presented be more user friendly should be a goal of any deployment. In this article we look at what information is presented to end-users by Okta Identity Governance (OIG) Access Requests and how you can use…

OIG Access Requests – Requesting Access in Slack

A key benefit of Okta Identity Governance is the ability to interface with access request flows via chat tools such as Slack and Microsoft Teams. This article provides a summary of the different ways users can request access in Slack and how to monitor the progress of a request in Slack. Article contents: Overview of…

Integrating ServiceNow with OIG Access Requests

One of the standard integration points with Okta Identity Governance (OIG) Access Requests is to log a ticket of an access request in an ITSM tool like ServiceNow. This article explores the integration between OIG Access Requests and ServiceNow. Article contents: Overview of Integration The primary focus of the Okta Identity Governance (OIG) Access Requests…

OIG Access Requests – What Else Can You Do?

The Okta Identity Governance (OIG) Access Requests module is built for requesting (and reviewing/approving) access to applications or groups in Okta. However, the module can do a lot more with the actions provided for the Okta integration. This article explores these and gives some examples of how they can be used. Article contents: Please note…

Requesting Roles Through OIG Access Requests

This article looks at how Okta Identity Governance (OIG) can be used to provide a role-request feature in Access Requests. The example used is roles for Salesforce. Article contents: What Roles? If you’re familiar with the Okta Identity Cloud data model, you will know there are users, groups and applications but no roles (other than…

Inactive Application Account Reporting with Okta Workflows

I was recently asked about reporting, and possibly recertification, of inactive accounts in Okta. We can run reports in Okta on Okta profile states to find inactive users. We also have an Okta Workflows template to find and report on Okta users who haven’t accessed Okta in a period of time. But what about application…

Loading…

Something went wrong. Please refresh the page and/or try again.