# Access Reviews: Okta App Assignments ### Overview In Okta, users can be granted access to applications either directly or by group assignment. When assigned to an application, users can log in using their Okta credentials. This document describes how to create a new configuration you can use to routinely inspect which Okta users are assigned to what apps, on an ad-hoc or scheduled basis. ### Before you start You will need: * An [Okta](/4yItIzMvkpAvMVFAamTf/integrations/integrations/okta.md) integration configured in Veza. * A user account with the Veza admin or operator [role](/4yItIzMvkpAvMVFAamTf/administration/administration/users/roles.md), required to create configurations and start access reviews. ### Create a review configuration 1. Create a new access review configuration: 1.1. Log in to Veza and go to **Access Reviews** > **Configurations**. 1.2. Click **New Review Configuration**. 1.3. Give the configuration a name and optionally a description. 2. Define the scope of the access review: Use the **Query** section of the configuration builder to search for related Okta users and Okta apps. Then, enable the option to show details about any related Okta groups. 2.1. For the **Source Entity Type**, search for **Okta User** and select it. 2.2. For the **Destination Entity Type**, click to open the menu and scroll down to search for **Okta App**. 3. Add a filter to hide inactive users (optional): Filter the results to only include apps and users that are active. 3.1. Under **Query** > **Filters**, click **Add Filter Group**. 3.2. For the **Entity Type**, choose **Okta User**. 3.3. For the **Attribute Field**, expand the menu and choose **Is Active**. 3.4. For the **Operator**, choose **Equals**. 3.5. Choose **True** as the **Attribute Value**. 3.6. Click **Save** to enable the filter. 4. Add a filter to hide inactive applications (optional): 4.1. Click **Add Filter Group** to add a filter on the destination entity type. 4.2. Choose **Okta App** as the entity type. 4.3. Choose **Status** as the attribute to filter. For operator, choose **Equals**. As the value, type in **ACTIVE**. 4.4. Save the filter. 5. Add a **Relationship**: Choose to include details about intermediate Okta Groups for the results. If a user's access to an app involves an Okta Group, The review interface will have extra columns with information about that group. 5.1. Expand **Advanced Options** and select **Relationship**. 5.2. In the dropdown menu, choose **Okta Group**. 6. Create a new review: 6.1. Click **Save** to open the configuration details page to create a new review. 6.2. From the **Review Configuration Details**, click **New Review**. 6.3. Click **Create** to make the review available without publishing it. 7. From the configuration details, in the **Active Reviews** section, click the review name or click **Open** next to the one you just created. ### Review Access: Okta User to Okta Application The reviewer interface shows a unique row for each Okta User to Okta App assignment. Inspect each row to approve or reject the access. {% hint style="success" %} Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click **Columns** above the table of rows. Scroll or type to search for an attribute to show or hide: 1. Add a column to show information about any intermediate groups. Find the **Intermediate** section, and choose **Name** or another attribute. 2. Show **Risk Scores** for Okta users. Enable this column to show the user's relative level of risk, based on how many [queries with a risk level](/4yItIzMvkpAvMVFAamTf/features/insights/risks.md#how-risk-scoring-works) the user appears in the results of. 3. Search for **User “IdP Unique ID”** and deselect it, unless this is needed to differentiate between users with the same name. {% endhint %} ![Access review: Okta User to Okta Application.](/files/a5afeFY74D4PWEbegYGZ) For more information about a row, however over a row and click the **Details** icon to open the sidebar. 1. Click the **Approve ✅** or **Reject ❌** icon for each row to make an initial decision. 2. Make decisions final by clicking **Sign-off** at the top right. 3. Finish the review by deciding and signing off on all rows. After all rows have a decision, click **Complete Review** on the top right. ### See also * [Access Reviewer's Guide](/4yItIzMvkpAvMVFAamTf/features/access-reviews/access-reviewer-guide.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/access-reviews/scenarios/okta-applications.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.