Least privilege for your critical Identity roles: Introducing ‘Govern Okta Admin Roles’

Okta recently introduced the Okta Secure Identity Commitment, outlining our long-term plan to lead the industry in the fight against Identity-based attacks. This commitment is as much a plan of action as it is a recognition of our role in your organization: our customers see Okta and our service as critical infrastructure, with Identity and Access Management (IAM) serving as a crucial foundation and lynchpin for your security.

Among the critical focus areas of that commitment were initiatives to provide market-leading, secure Identity products and services, and to champion customer best practices to help ensure all of you are best protected from Identity-based attacks. That means solving IAM security challenges to keep your organization more secure through a single, tightly unified Identity solution.

We’ve made progress through additional safeguards for our administrators via mandatory MFA policies, and Okta custom admin roles that helped set our customers on the path of establishing least privilege principles. Today, we continue that commitment by introducing a new product capability: Govern Okta Admin Roles.

What is Govern Okta Admin Roles?

We recognize that Identity-based attacks have moved closer to the critical Identity infrastructure organizations rely on for security. Standing access to sensitive administrator privileges in Okta can present a target for malicious actors.

These bad actors often deploy social engineering attacks based on publicly available information, targeting users who are likely to have standing or over-permissioned accounts with administrator privileges. Organizations need a better way to control permissions for systems like Okta without slowing down business and hampering productivity.

Govern Okta Admin Roles builds on custom admin roles by enabling every Workforce Identity Cloud customer to govern administrator access by both privilege and time. IT teams can ensure that only select users can request the right level of admin access in Okta, and can time-bound that access to the task the user is accomplishing. This helps organizations minimize and monitor standing privilege without impacting productivity. Security and risk teams can review any standing administrator access through automated campaigns that give the appropriate reviewers the ability to validate that access and take action. Combining Govern Okta Admin Roles with admin role assignments reporting gives security and IT teams visibility and automated remediation capabilities through the Workforce Identity Cloud.

See Govern Okta Admin Roles in action via this demonstration.

Govern Okta Admin Roles makes this possible by delivering core governance functionality within the Workforce Identity Cloud.

  • Entitlement management: Bundle entitlements across custom and out-of-the-box admin roles. Administrators can create sets of permissions to capture necessary business processes without over-permissioning across administrator actions.
  • Access requests: Provide access to Okta administrator roles via self-service access requests. Administrators can build admin-role-specific flows with multiple approvals and documented justifications.
  • Access certifications: Perform ongoing reviews of existing access to administrator roles. Administrators can create recurring multi-level reviewer campaigns designed to prevent any accumulation of elevated or privileged administrator access.

Learn more about configuration best practices via the Okta Help Center.

How to get Govern Okta Admin Roles

Beginning today, we will gradually roll out Govern Okta Admin Roles in Early Access for Workforce Identity Cloud customers. Should your organization be interested in adopting Govern Okta Admin Roles sooner, please contact your Okta account representative or Customer Success executive. 

If you’re interested in adopting governance for all of your resources and applications beyond Okta administrator roles, learn more about Okta Identity Governance.