Access Reviews: Okta App Assignments

Reviewing Okta User to Application assignments with Veza.

Overview

In Okta, users can be granted access to applications either directly or by group assignment. When assigned to an application, users can log in using their Okta credentials.

This document describes how to create a new configuration you can use to routinely inspect which Okta users are assigned to what apps, on an ad-hoc or scheduled basis.

Before you start

You will need:

  • An Okta integration configured in Veza.

  • A user account with the Veza admin or operator role, required to create configurations and start access reviews.

Create a review configuration

  1. Create a new access review configuration:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Review Configuration.

    1.3. Give the configuration a name and optionally a description.

  2. Define the scope of the access review:

    Use the Query section of the configuration builder to search for related Okta users and Okta apps. Then, enable the option to show details about any related Okta groups.

    2.1. For the Source Entity Type, search for Okta User and select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Okta App.

  3. Add a filter to hide inactive users (optional):

    Filter the results to only include apps and users that are active.

    3.1. Under Query > Filters, click Add Filter Group.

    3.2. For the Entity Type, choose Okta User.

    3.3. For the Attribute Field, expand the menu and choose Is Active.

    3.4. For the Operator, choose Equals.

    3.5. Choose True as the Attribute Value.

    3.6. Click Save to enable the filter.

  4. Add a filter to hide inactive applications (optional):

    4.1. Click Add Filter Group to add a filter on the destination entity type.

    4.2. Choose Okta App as the entity type.

    4.3. Choose Status as the attribute to filter. For operator, choose Equals. As the value, type in ACTIVE.

    4.4. Save the filter.

  5. Add a Relationship:

    Choose to include details about intermediate Okta Groups for the results. If a user's access to an app involves an Okta Group, The review interface will have extra columns with information about that group.

    5.1. Expand Advanced Options and select Relationship.

    5.2. In the dropdown menu, choose Okta Group.

  6. Create a new review:

    6.1. Click Save to open the configuration details page to create a new review.

    6.2. From the Review Configuration Details, click New Review.

    6.3. Click Create to make the review available without publishing it.

  7. From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.

Review Access: Okta User to Okta Application

The reviewer interface shows a unique row for each Okta User to Okta App assignment. Inspect each row to approve or reject the access.

Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click Columns above the table of rows. Scroll or type to search for an attribute to show or hide:

  1. Add a column to show information about any intermediate groups. Find the Intermediate section, and choose Name or another attribute.

  2. Show Risk Scores for Okta users. Enable this column to show the user's relative level of risk, based on how many queries with a risk level the user appears in the results of.

  3. Search for User “IdP Unique ID” and deselect it, unless this is needed to differentiate between users with the same name.

For more information about a row, however over a row and click the Details icon to open the sidebar.

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on all rows. After all rows have a decision, click Complete Review on the top right.

See also

Last updated