Access Reviews: Okta Group Membership

How to conduct access reviews for Okta User to Okta Group assignments.

Overview

In Okta, users are typically assigned to groups, which usually correspond to a business role. Applications can be assigned to groups, Groups are then assigned to applications enabling teams of users within the same Group to access the same set of applications.

This document describes how to create a new configuration you can use to review which Okta Users are assigned to Okta Groups in your organization.

Before you start

You will need:

  • An Okta integration enabled in Veza.

  • The Veza admin or operator role, required to create configurations and start access reviews.

Create a review configuration

  1. Create a new access review configuration:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Configuration.

    1.3. Give the configuration a name and optionally a description.

  2. Define the scope of the access review: Use the Review Scope section of the configuration builder to search for related Okta users and Okta groups.

    2.1. For the Source Entity Type, search for Okta User and select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Okta Group.

  3. Create a new review:

    3.1. Click Save to open the configuration details page to create a new review.

    3.2. From the Review Configuration Details, click New Review.

    3.3. Click Create to make the review available without publishing it.

  4. From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.

Review access: Okta User to Okta Group

The reviewer interface shows a unique row for each Okta User to Okta group assignment. Inspect each row to approve or reject the access.

Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click Columns above the table of rows. Scroll or type to search for an attribute to show or hide:

  1. Show Risk Scores. Enable this column to show the total percentage of resources each user can access, but has unutilized permissions on.

  2. Search for User “IdP Unique ID” and deselect it, unless this is needed to differentiate between users with the same name.

Hover over a row and click the Details icon to open the sidebar. Use the details sidebar or add columns to see more attributes such as the group type, created date, and description. You can also add or remove columns to show or hide additional details about a user and group.

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.

See also

Last updated