Create campaigns

Create campaigns to periodically review your users' access to resources.

Best practices

  • Select a campaign name that is self-explanatory. Campaign names are visible to your reviewers.
  • For the campaign description, include information that can help a reviewer understand the purpose of the campaign. For example, if you have set up a campaign to review Salesforce permissions of users, you can add that as the campaign description to provide the context to the reviewers.
  • Ensure that the resource associated with the campaign exists in Okta and isn’t deactivated or deleted.
  • Don’t rename, modify, or delete the Access Certification Reviewer group. Reviewers are automatically added to this group when review items are assigned to them. Modifying this group in any way can result in reviewers losing access to the campaign and may not be able to complete their reviews. If you accidentally delete the group, contact Okta Support.
  • Keep Known issues and limits in mind.
  • See Recurring campaign considerations.
  • Ensure that the fallback reviewer that you select is active in Okta.
  • Ensure that the managerId user attribute is set as the Okta username or email address of the user's manager to use the Manager reviewer type. Otherwise, the campaign fails to identify the manager and the review gets assigned to the fallback reviewer.

  • To use the Group Owner reviewer type, ensure that you have group owners configured in Okta. See Configure Okta group owners.

  • While defining reviewers, select the Disable self-review checkbox to ensure that users don’t review and approve their own access to critical resources.

  • For campaigns with multilevel reviews, keep the following considerations in mind:

    • You can set up two levels of review in a single campaign.

    • Review items are sent to the second-level reviewer only after the first-level reviewer approves or revokes them. It’s important for the first-level reviewers to take decisions on review items on time to avoid blocking the campaign’s progress.

    • The second-level reviewer can view the first-level reviewer’s decision and the justification for a review item.

    • The final reviewer varies depending on the campaign’s configuration.

    • The remediation options that you configure for a campaign are applicable to the decisions made by the final reviewer. See Remediation settings.

Start this task

Ensure that you’re signed in as a super admin or an access certifications admin before doing the following steps.

  1. In the Admin Console, go toIdentity GovernanceAccess Certifications.

  2. Click Create campaign.

  3. Select a campaign type from the Create campaign dropdown menu.

    • Resource campaign: Resource campaigns focus on setting the resource scope for your campaign so that you can review all users who have access to those resources. This campaign type helps you review access to sensitive resources and helps you meet compliance requirements.

    • User campaign: User campaigns focus on defining the user scope for your campaign so that you can do a comprehensive review of all resources assigned to those users. This campaign type helps you review users’ access to resources when specific events happen, such as department, role, or project change.

  4. Configure your requirements in the wizard. The configuration for Users and Resources pages varies depending on your campaign type.

    Resource campaigns

    1. General settings

    2. Resource settings

    3. User settings User settings

    4. Reviewer settings

    5. Remediation settings

    User campaigns

    1. General settings

    2. User settings

    3. Resource settings

    4. Reviewer settings

    5. Remediation settings

  5. Click Schedule campaign.

Related topics

Campaign settings

Examples of Okta Expression Language

View the progress of an active campaign

Modify a scheduled campaign

End an active campaign