IAmDavid

New Access Certification Auditor Reporting Package in OIG

Written by

iamdavid

in

,

on

Okta has just released a new Early Access feature for Okta Identity Governance Access Certifications – the Auditor Reporting Package. This new feature significantly expands the usefulness of OIG Access Certification campaign reporting.

Introduction

When Okta Identity Governance (OIG) was released with Access Requests and Access Certification, there was reporting included. It was available under the Reports menu on the Okta Admin Console. For access certification there were two reports, a Past Campaign Summary (listing a summary of all closed reports) and Past Campaign Details (details, including all the review line items, for a specific report).

There reports supported extensive filtering and export to CSV. However customer feedback was that it wasn’t enough to address auditors needs (often there was a lot of back-and-forth between the Okta admins and the auditors to get the data needed) and timeliness of report availability could be improved.

To respond to these concerns, Okta has developed the Access Certifications – Auditor Reporting Package. It has more data fields, more granular reports and improved timeliness.

Enabling the Feature – Globally and in Campaigns

This new feature is currently in self-service Early Access. This means it needs to be enabled under the Settings > Feature menu items in the Okta Admin Console.

This will enable the feature across OIG. However it needs to be enabled for any access certification campaign you want it to apply to.

Note that this means the campaign will contribute to the new reporting package. It will not affect it appearing in the standard access certification reports.

The New Reporting Interface

The reporting in the new feature is now part of the Identity Governance > Access Certifications part of the Admin Console.

Finding the Reports

When you go into Access Certifications you will see a new tab called Reporting.

Selecting this will show all campaigns that have the Create auditor reporting package checkbox selected.

Report Status

The reporting view has a table with the campaigns, listing the name, id, start and end dates, report status and a column of Generate reports buttons.

The Report status shows where the campaign is in its lifecycle and the reporting status:

  • Campaign created with the auditor reporting checkbox selected
  • Campaign launched
  • PENDING CAMPAIGN CLOSE status – campaign is still open
  • Campaign closed
  • Complete manual remediation
  • PENDING REPORT GENERATION status – waiting for “Generate reports” to be clicked
  • PENDING MANUAL REMEDIATION status – waiting for “Generate reports” to be clicked + confirm manual remediation completed
  • GENERATING REPORTS status – reports being generated, one or more may be available
  • READY FOR DOWNLOAD status – all reports are ready for download

As with the standard campaign reports, you cannot generate/download reports whilst the campaign is running, only when it has completed (i.e. reached the end date or was manually ended).

There is a background process that needs to run to generate reports, and this can only occur once the campaign has ended (showing one of the PENDING status’).

Generating reports

You click the Generate reports button to start the background (asynchronous) generation process.

A popup dialog box will remind you of the constraints around the generation process.

Downloading reports

When you expand the campaign (down arrow) you will see there are five different reports, each with a Download button. When a specific report is available it’s Download button is enabled.

The reports are based on different phases of a campaign:

  1. Campaign scope. To confirm complete campaign scope. Allows auditors to determine what was being certified.
  2. Resource access – Campaign launch. To capture application access at start of campaign. Allows auditors to confirm is what was being certified (1) match application access (2).
  3. Resource access – Campaign complete. To verify campaign decisions (users approved/revoked). Allows auditors to determine what decisions were made – especially who was revoked.
  4. Campaign actions. To verify application access (post remediation). Allows auditors to determine if the individuals/access marked for removal actually get removed. It is comparing the pre-campaign access (2) to post campaign access (3).
  5. Resource access changes – Campaign launch to campaign complete. To verify access changes between launch and campaign close by looking at syslog entries. Allows auditors to account for any discrepancies in reports.

Clicking the Download button will download the specific report to your local machine as a CSV file.

Conclusion

Whilst there has been access certification reporting available in OIG since the product was released, customers wanted more. This new feature is geared towards the auditors. It’s not meant as a tool for managing in-flight campaigns, but rather a means to provide more targeted information for preparing for audits in a more timely manner.