# Access Reviews: Okta Admin Roles

### Overview

This document describes how to create an Access Reviews configuration you can use to periodically review and certify Okta User to Okta Role relationships in your organization, focusing on built-in Admin Roles.

In Okta, Admin Roles grant authorized personnel admin-level permissions to perform critical functions in the Okta environment, such as managing users, apps, and system settings. Routinely reviewing and certifying which users are assigned to these roles helps maintain least privilege for identity provider administration.

In the Veza graph, the "Okta Role" entity type includes both standard Admin Roles and custom roles. The reviewer interface can show additional metadata such as whether a role is built-in, and the role risk score if [Activity Monitoring](/4yItIzMvkpAvMVFAamTf/features/activity-monitoring.md) is enabled.

### Before you start

You will need:

* An [Okta](/4yItIzMvkpAvMVFAamTf/integrations/integrations/okta.md) integration enabled in Veza.
* The Veza admin or operator [role](/4yItIzMvkpAvMVFAamTf/administration/administration/users/roles.md), required to create configurations and start access reviews.

### Configure Access Review: Okta User to Okta Role

1. Open the configuration builder:

   1.1. Log in to Veza and go to **Access Reviews** > **Configurations**.

   1.2. Click **New Configuration** to open the review builder.

   1.3. Give the configuration a name and description to communicate the purpose of the Access Review to other reviewers and operators.
2. Use the **Review Scope** section of the configuration builder to search for related Okta Users and Okta Roles:

   2.1. For the **Source Entity Type**, search for **Okta User** and click to select it.

   2.2. For the **Destination Entity Type**, click to open the menu and scroll down to search for **Okta Role**.
3. Add an **Attribute Filter** to only include built-in Admin Roles.

   3.1. Click **Add Filter Group**.

   3.2. Choose **Okta Role** as the entity type to filter.

   3.3. Use the dropdowns to create a filter: `"Custom" "Equals" "False"`.

   ![Adding a filter on the "Okta Role" entity type.](/files/vzXQsBO2ESDhBKqJO5or)
4. Add a **Relationship** to show when a user’s access to a role is provided by membership in a group:

   4.1. Under Advanced Options, toggle the **Relationship** option.

   4.2. Use the menu to choose **Okta Group** as the intermediate entity type.
5. Create a new review:

   5.1. Click **Save** to open the configuration details page, where you can create a new review.

   5.2. From the **Configuration Details**, click **New Review**.

   5.3. Click **Create** to make the review available without publishing it.
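
To sanity-check the rows a reviewer should expect from this configuration, the following added example (not Veza or Okta code) applies the same scope to a constructed export: it drops custom roles, keeps one row per user and built-in role, and records whether the role is granted directly or through groups. The record layout, field names, and sample users and groups are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data. Field names are assumptions for this example,
# not Veza's or Okta's schema: one record per path from a user to a role.
ASSIGNMENTS = [
    {"user": "alice@example.com", "role": "Super Administrator", "custom": False, "via_group": None},
    {"user": "alice@example.com", "role": "Super Administrator", "custom": False, "via_group": "IT-Admins"},
    {"user": "bob@example.com", "role": "Help Desk Administrator", "custom": False, "via_group": "Support"},
    {"user": "bob@example.com", "role": "Help Desk Administrator", "custom": False, "via_group": "Contractors"},
    {"user": "carol@example.com", "role": "Badge Printer Admin", "custom": True, "via_group": None},
    {"user": "dave@example.com", "role": "Read-Only Administrator", "custom": False, "via_group": None},
]


def build_review_rows(assignments):
    """Return one row per (user, built-in role), listing every path granting it."""
    paths = defaultdict(lambda: {"direct": False, "groups": set()})
    for a in assignments:
        if a["custom"]:  # same scope as the filter "Custom" "Equals" "False"
            continue
        entry = paths[(a["user"], a["role"])]
        if a["via_group"] is None:
            entry["direct"] = True
        else:
            entry["groups"].add(a["via_group"])  # intermediate Okta Group
    return [
        {"user": u, "role": r, "direct": e["direct"], "groups": sorted(e["groups"])}
        for (u, r), e in sorted(paths.items())
    ]


def has_multiple_grant_paths(row):
    """True when removing a single grant would still leave the role in place."""
    return int(row["direct"]) + len(row["groups"]) > 1


if __name__ == "__main__":
    for row in build_review_rows(ASSIGNMENTS):
        via = ", ".join((["direct"] if row["direct"] else []) + row["groups"])
        flag = "  <- multiple grant paths" if has_multiple_grant_paths(row) else ""
        print(f'{row["user"]:20} {row["role"]:26} via {via}{flag}')
```

Rows flagged with multiple grant paths matter when a reviewer rejects access: every listed group membership and any direct assignment must be removed before the user actually loses the role.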

### Review Access: Okta User to Okta Role

The reviewer interface shows a unique row for each Okta User to Okta Role assignment, pre-filtered to only show built-in roles.

Review each row to ensure the access is appropriate. Approve or reject the access, check for roles that are unnecessary or incorrect, and sign off on your decisions once final.

{% hint style="success" %}
**Column customization**: Focus on the most important details by showing or hiding columns. For this review, you might want to:

1. Disable the **Permissions** columns, since these will always be empty.
2. Enable the **Intermediate Role Name** column to show the group granting access to a role.
{% endhint %}

![Reviewing access: Okta users to Okta admin roles.](/files/WOYletypHrmhArQP0eqP)

Hover over a row and click the **Details** icon to open the sidebar. Add columns or use the details sidebar to see more attributes such as the role type.

1. Click the **Approve ✅** or **Reject ❌** icon for each row to make an initial decision.
2. Make decisions final by clicking **Sign-off** at the top right.
3. Finish the review by deciding and signing off on all rows. Once all rows have a decision, click **Complete Review** on the top right.

### See also

* [Access Reviewer's Guide](/4yItIzMvkpAvMVFAamTf/features/access-reviews/access-reviewer-guide.md)
* [Integration Guide: Okta](/4yItIzMvkpAvMVFAamTf/integrations/integrations/okta.md)

