This article introduces the new Resource Collections feature in Okta Identity Governance, looking at how collections are defined, requested and reviewed.
Introduction
Okta has introduced a new feature in Okta Identity Governance (OIG) called Resource Collections (sometimes referred to as just Collections).
They are a way to define a role that spans different entitlements across different applications. Prior to collections, you would need discrete Entitlement Bundles for each application. Let’s say you had a media role that required access to Salesforce, Google and some Physical Building locations, and each had discrete entitlements needed for that role. Before, you would need to create a bundle for each of Salesforce, Google and the Physical Access app. With Resource Collections you can create a single collection (role) that can be requested.
In this article we will look at the new feature, how to define the collections and how to use them. The article assumes some familiarity with OIG, access requests and access certification.
Note that this feature is in Early Access at the time of writing. There is some additional functionality planned for this feature soon after it becomes Generally Available (GA), so what you see in your environment may be slightly different to what’s in this article, depending on when you view it.
Creating a Resource Collection
As the new feature is in early access, you need to enable it via the Settings > Features menu item. This is for customers that have the OIG product.

The need to enable it will go away when the feature becomes Generally Available.
Once enabled, you will see a new menu item under Identity Governance called Resource Collections.
Creating a new collection is straightforward – click the button, give it a name and a description.

Then you assign Resources to it, where resources are apps and their entitlements.

The new collection is now ready to use. An administrator can manually assign users, or an Access Request condition can be created for it.
Requesting Access to a Resource Collection
This new feature leverages the new Access Request conditions mechanism in OIG. This is the same mechanism that is used for application entitlement bundles and groups associated with applications.
An Access Request consists of a Condition associated with the resource, and the Condition calls a Sequence for the flexible flow portion of the access request. For application-specific access, the Condition is tied to the application. For resource collections, the Condition is tied to the collection.
Additional articles on Access Request Conditions include:
- New Features for the Access Request Conditions and Resource Catalog in Okta Identity Governance
- Managing Access in Okta Privileged Access with the new OIG Resource Catalog
Creating an Access Request
A condition can be created under the Access requests tab for the collection.

The condition and its associated sequence are managed in exactly the same way as a condition associated with an application.

In this example, there is a single condition for everyone, with the Single Approval – Manager sequence. Let’s walk through a user example.
Requesting Access
A user selects the Request Access button on their Okta Dashboard to see what they can request access to. In this case they see the new collection “Marketing – Media”.

Selecting this shows the apps in the collection and requires a Business Justification to be supplied.

When the request is submitted, an access request is raised and the reviewer (in this case the user’s manager) gets an email to tell them there is a request to review. They open the request to see the details of the collection being requested.

They can use the Details tab to see the apps covered by the request.

When it is approved and the user returns to their Dashboard, they will see the apps associated with the collection.

An administrator can view the entitlements associated with each app for the user in the Admin Console.

The administrator can also see all of the users assigned to the collection under the Assignments tab for the collection.

The administrator can manually assign users. They can also edit the expiration of the access or unassign a user from the collection.
Recertifying a Resource Collection
In the Early Access release, you can run Resource Campaigns that will highlight when an entitlement has been granted via a collection. The following shows a campaign run across the apps and entitlements covered by the collection.

Selecting a user and entitlement row will show if it was assigned via a collection.

As a collection could represent a complex mix of apps and entitlements, any Revoke action on a review will be flagged for manual remediation.

Expect the access certification capabilities for collections to be enhanced post GA.
Conclusion
The new resource collections feature allows definition of cross-application roles within Okta Identity Governance. It builds on the Entitlements Management, Resource Catalog and Access Request features introduced into OIG last year, to provide a more comprehensive approach to governing access through the request and review processes.
