Scope reviews appropriately
As you think about access reviews, focus on risk mitigation: exclude from your reviews systems that don't expose access to sensitive assets. For example, your read-only SaaS apps may not need to be audited. To keep audits clean and access control transparent, include only the users and groups that require review. For example, if you include Okta apps in your access reviews, don't use Okta groups to manage visibility to resources, since those groups will then be unnecessarily included in the review. Instead, use Opal groups to manage visibility, and audit Okta apps for actual access. Your needs may vary based on your compliance requirements. For example, privacy compliance requirements may require a review of who can read customer data, while this is not a concern for SOX regulation for public companies.
Use access rules to optimize the review process
You may need to review all users who have access to a resource, but in larger environments this can be costly, and the review criteria may be identical across many users who have valid reasons to hold standing access. To optimize the review process, you can use Opal access rules to manage access to resources rather than granting direct access. Consult the access rule's conditions first to ensure it properly gates users by attributes. In the subsequent access review, you'll only need to review the single rule, rather than each user with direct access.
Tag resources
To keep scopes narrowly focused and easily collect resources, tag resources and groups, e.g., Audit:UAR, then set the review's scope to include items with a given tag. To automate this approach, use Terraform or the REST API to manage tags. You can also ingest tags from group attributes in Okta.
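As an added illustration (not Opal's own code or API), the following Python models the scoping decisions above over constructed sample data: keep only tagged resources that expose sensitive assets, and collapse every user granted through one access rule into a single review item. The resource names, user names, rule name and the Resource/Grant shapes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Resource:
    name: str
    sensitive: bool            # does it expose access to sensitive assets?
    tags: frozenset = frozenset()

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    via_rule: Optional[str] = None   # access rule granting it, or None for direct access

# Constructed sample inventory (hypothetical names, not from any real tenant)
RESOURCES = [
    Resource("prod-db", sensitive=True, tags=frozenset({"Audit:UAR"})),
    Resource("analytics-ro", sensitive=False, tags=frozenset({"Audit:UAR"})),  # read-only, no sensitive data
    Resource("wiki", sensitive=False),                                          # not tagged at all
]
GRANTS = [
    Grant("alice", "prod-db", via_rule="eng-oncall"),
    Grant("bob", "prod-db", via_rule="eng-oncall"),
    Grant("dave", "prod-db", via_rule="eng-oncall"),
    Grant("carol", "prod-db"),            # standing direct access: must be reviewed individually
    Grant("alice", "analytics-ro"),
    Grant("erin", "wiki"),
]

def in_scope_resources(resources: Iterable[Resource], tag: str = "Audit:UAR") -> List[str]:
    """Resources selected for review: carry the scoping tag and expose sensitive assets."""
    return sorted(r.name for r in resources if tag in r.tags and r.sensitive)

def review_items(resources: Iterable[Resource], grants: Iterable[Grant],
                 tag: str = "Audit:UAR") -> List[Tuple[str, str, str]]:
    """Items a reviewer must decide on: one per direct grant, one per access rule."""
    scope = set(in_scope_resources(resources, tag))
    items = set()
    for g in grants:
        if g.resource not in scope:
            continue                      # out of scope: untagged or not sensitive
        if g.via_rule:
            items.add(("rule", g.via_rule, g.resource))   # many users, one rule to review
        else:
            items.add(("user", g.user, g.resource))
    return sorted(items)

if __name__ == "__main__":
    print(in_scope_resources(RESOURCES))   # ['prod-db']
    for item in review_items(RESOURCES, GRANTS):
        print(item)                        # 4 prod-db grants collapse to 2 review items
```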
Import non-Opal resources as CSVs
If Opal doesn't provide a native integration for a resource you want to review, you can:
- Create a custom Push-only app without a webhook configured.
- In the app, import your resource from a CSV.
- Include the resource in your access review.