Access Certification Campaign

arxsec-site / library/workflows/access-certification/README.md

Automates quarterly access certification campaigns by identifying stale access in Okta, creating ServiceNow review tickets, and notifying managers via Slack.

Maturity: L4+ (Governed and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

What It Does

  1. Pulls all users and group memberships from Okta
  2. Identifies stale access: users with no login in 60+ days, excessive group memberships, or orphaned accounts
  3. Creates ServiceNow review tickets for each manager with their team's access summary
  4. Sends Slack notifications to managers requesting review and approval
  5. After manager approval/denial, executes access revocation in Okta (HITL gated)

Time Saved

Before: 2 days per quarter — IAM team manually pulls Okta reports, cross-references with HR data, emails managers, tracks responses in spreadsheets.

After: 2 hours — automated identification and distribution. IAM team reviews the summary and approves revocations.

Connectors

| Connector | Operations | Risk |
|-----------|-----------|------|
| Okta | users:read, groups:read, groups:write | HIGH |
| ServiceNow | incidents:create | MEDIUM |
| Slack | messages:send | LOW |

Overall Risk: HIGH — Okta groups:write can revoke access. Requires HITL approval.

ARX Governance

  • HITL Gate: Enabled — all Okta write operations (group removal) require IAM team approval
  • Risk Threshold: 80 — operations above this score trigger HITL review
  • Approval Channel: #iam-approvals
  • Audit Trail: Every user reviewed, access flagged, and revocation executed is logged
  • Schedule: Weekly on Mondays at 8 AM (0 8 * * 1)
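The stale-access rules from What It Does (steps 2, 3 and 5) and the HITL gate described in the governance list above, as an added worked example that is not the workflow's own code from the arxsec-site repository. It runs entirely on constructed sample records shaped like Okta user objects (the `status`, `lastLogin`, `created` and `profile.managerId` field names are assumptions), a constructed group-membership map and an assumed approval-record shape; it makes no Okta, ServiceNow or Slack calls, and the revocation plan it produces is what the gated `groups:write` step would consume.

```python
"""Stale-access findings, per-manager summaries and a HITL-gated revocation plan.
Added example, not the arxsec-site workflow's own code: every record below is a
constructed sample shaped like an Okta user object (status, lastLogin, created and
profile.managerId are assumed field names), as are the group map and approvals.
"""
from datetime import datetime, timedelta, timezone

# Constructed "run time": a Monday at 08:00 UTC, matching the weekly schedule.
NOW = datetime(2025, 4, 7, 8, 0, tzinfo=timezone.utc)


def mk_user(uid, status, created, last_login, email, manager):
    """Build one Okta-shaped user record (assumed field names)."""
    return {"id": uid, "status": status, "created": created, "lastLogin": last_login,
            "profile": {"email": email, "managerId": manager}}

# Constructed sample users (no real accounts).
USERS = [
    mk_user("u1", "ACTIVE", "2022-03-01T00:00:00Z", "2025-04-01T09:12:00Z", "alice@example.com", "m1"),
    mk_user("u2", "ACTIVE", "2021-07-15T00:00:00Z", "2024-12-20T17:40:00Z", "bob@example.com", "m1"),
    mk_user("u3", "ACTIVE", "2023-06-01T00:00:00Z", None, "svc-legacy@example.com", None),
    mk_user("u4", "DEPROVISIONED", "2020-01-10T00:00:00Z", "2025-03-30T08:00:00Z", "carol@example.com", "m2"),
    mk_user("u5", "ACTIVE", "2025-04-02T00:00:00Z", None, "dave@example.com", "m2"),
    mk_user("u6", "ACTIVE", "2019-09-09T00:00:00Z", "2025-01-10T12:00:00Z", "erin@example.com", "m2"),
]
# Constructed group memberships: user id -> group names.
GROUPS = {
    "u1": ["eng", "vpn"],
    "u2": ["eng", "vpn", "prod-admin", "billing", "hr-readonly", "sec-tools"],
    "u3": ["prod-admin"],
    "u4": ["eng"],
    "u5": ["eng"],
    "u6": ["vpn"],
}
# Constructed manager decisions, as collected from the review tickets / Slack prompts.
APPROVALS = [
    {"user_id": "u2", "decision": "revoke", "groups": ["prod-admin", "billing"], "approver": "iam-lead"},
    {"user_id": "u6", "decision": "keep", "approver": "m2"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_access(users, groups, now=NOW, stale_days=60, max_groups=5):
    """Step 2: flag inactive logins, excessive group counts and orphaned accounts."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for user in users:
        if user["status"] != "ACTIVE":
            continue  # nothing to certify for deprovisioned/suspended accounts
        reasons = []
        # A never-logged-in account counts as stale only once it is older than the
        # threshold, so a brand-new user (u5) is not flagged on its first Monday.
        last_activity = parse_ts(user.get("lastLogin")) or parse_ts(user.get("created"))
        if last_activity is None or last_activity < cutoff:
            reasons.append(f"no login in {stale_days}+ days")
        member_of = groups.get(user["id"], [])
        if len(member_of) > max_groups:
            reasons.append(f"{len(member_of)} groups, limit {max_groups}")
        if not user["profile"].get("managerId"):
            reasons.append("orphaned: no manager on record")
        if reasons:
            findings.append({"user_id": user["id"], "email": user["profile"]["email"],
                             "manager_id": user["profile"].get("managerId"),
                             "groups": list(member_of), "reasons": reasons})
    return findings


def summaries_by_manager(findings):
    """Step 3: one summary per manager; orphans land in an 'unassigned' bucket for IAM."""
    by_manager = {}
    for finding in findings:
        by_manager.setdefault(finding["manager_id"] or "unassigned", []).append(finding)
    return by_manager


def plan_revocations(findings, approvals):
    """Step 5 HITL gate: only an explicit 'revoke' decision yields a groups:write action."""
    decisions = {a["user_id"]: a for a in approvals}
    plan = {"actions": [], "pending": [], "kept": []}
    for finding in findings:
        decision = decisions.get(finding["user_id"])
        if decision is None:
            plan["pending"].append(finding["user_id"])  # no decision yet: do nothing
        elif decision["decision"] == "revoke":
            for group in decision.get("groups", finding["groups"]):
                plan["actions"].append({"op": "groups:write", "user_id": finding["user_id"],
                                        "remove_group": group, "approver": decision["approver"]})
        else:
            plan["kept"].append(finding["user_id"])  # manager chose to keep the access
    return plan


def run_campaign(users=USERS, groups=GROUPS, approvals=APPROVALS):
    """Run the three stages over the sample data and return every intermediate result."""
    findings = find_stale_access(users, groups)
    return {"findings": findings, "by_manager": summaries_by_manager(findings),
            "plan": plan_revocations(findings, approvals)}
```

Calling `run_campaign()` on the sample data flags u2 (stale login and six groups), u3 (stale and orphaned) and u6 (stale); the deprovisioned u4 is skipped, and u5, created five days before the run, is left alone. The plan then carries two removals for u2 under the IAM lead's approval, keeps u6 as its manager decided, and leaves u3 pending because nobody has decided yet; the two thresholds are the parameters listed under Customization below.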

Setup

Prerequisites

```bash
pip install arx
```

Environment Variables

```bash
export OKTA_DOMAIN="your-org.okta.com"
export OKTA_API_TOKEN="your-okta-api-token"
export SERVICENOW_INSTANCE="your-org.service-now.com"
export SERVICENOW_USERNAME="svc-arx"
export SERVICENOW_PASSWORD="your-servicenow-password"
export SLACK_BOT_TOKEN="xoxb-your-slack-bot-token"
```

Run

```bash
# One-time execution
arx run workflow.py

# Register on schedule
arx register --config arx.yaml
```

Customization

  • Adjust stale access threshold (default: 60 days with no login)
  • Configure maximum group membership threshold
  • Modify manager notification templates
  • Change the approval workflow and required approvers