Access Reviews: Okta Admin Roles
How to review administrative privileges assigned to Okta Users.
Last updated
How to review administrative privileges assigned to Okta Users.
Last updated
This document describes how to create an Access Reviews configuration you can use to periodically review and certify Okta User to Okta Role relationships in your organization, focusing on built-in Admin Roles.
In Okta, Admin Roles enable admin-level access permissions for authorized personnel to perform critical functions in the Okta environment such as managing users, apps, and system settings. Routinely reviewing and certifying which users are assigned to these roles can help maintain the least privileges for identity provider administration.
In the Veza graph, the "Okta Role" entity type includes both standard Admin Roles and custom roles. The reviewer interface can show additional metadata such as whether a role is built-in, and the role risk score if Activity Monitoring is enabled.
You will need:
An Okta integration enabled in Veza.
The Veza admin or operator role, required to create configurations and start access reviews.
Open the configuration builder:
1.1. Log in to Veza and go to Access Reviews > Configurations.
1.2. Click New Configuration to open the review builder.
1.3. Give the configuration a name and description to communicate the purpose of the Access Review to other reviewers and operators.
Use the Review Scope section of the configuration builder to search for related Okta Users and Okta Roles:
2.1. For the Source Entity Type, search for Okta User and click to select it.
2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Okta Role.
Add an Attribute Filter to only include built-in Admin Roles.
3.1. Click Add Filter Group and
3.2. Choose Okta Role as the entity type to filter.
3.3. Use the dropdowns to create a filter: "Custom" “Equals" “False".
Add a Relationship to show when a user’s access to a role is provided by membership in a group:
4.1. Under Advanced Options, toggle the Relationship option.
4.2. Use the menu to choose Okta Group as the intermediate entity type.
Create a new review:
5.1. Click Save to open the configuration details page to create a new review.
5.2. From the Configuration Details, click New Review.
5.3. Click Create to make the review available without publishing it.
The reviewer interface shows a unique row for each Okta User to Okta Role assignment, pre-filtered to only show built-in roles.
Review each row to ensure the access is appropriate. Approve or reject the access, check for roles that are unnecessary or incorrect, and sign off on your decisions once final.
Column customization: Focus on the most important details by showing or hiding columns. For this review, you might want to:
Disable the Permissions columns, since these will always be empty.
Enable the Intermediate Role Name column to show the group granting access to a role.
Hover over a row and click the Details icon to open the sidebar. Add columns or use the details sidebar to see more attributes such as the role type.
Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.
Make decisions final by clicking Sign-off at the top right.
Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.
