This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.

This guide helps you set up your Okta device so that you can enable the Reset Credentials auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.

Scope and Limitations

When choosing this auto remediation, remember the following:

• While an account is temporarily disabled, the user will not be able to reset their password; they will be forced to change their password as soon as the account is re-enabled.

Prerequisites

1. You must have admin access in Workbench, as auto remediations are enabled at the organization level.
2. Make sure all end-user accounts have MFA enabled to allow the auto remediation to run properly.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

1. Configure Auto Reset Credentials for Okta
   • Option 1: Edit the Permissions of the User that Created the Existing API Token
   • Option 2: Generate a New API Token and Update Workbench
2. Update Your Context
3. Return to the Main Setup Guide

Step 1: Configure Auto Reset Credentials for Okta

This procedure applies to a regular Okta installation in Workbench. If you have questions or need assistance, contact support.

The Okta API token uses the Read-only admin permission and Expel's Auto Reset Credential feature requires the Group admin permission. In Okta, API tokens have the same permissions as the user who creates them and if user permissions change, the API token permissions also change. As a result, you have the following options:

• Option 1: Edit the existing user to add the Group admin role. This existing user should be the same one you used to configure an API key in Okta Workforce Identity Cloud setup for Workbench.
• Option 2: Generate a new separate API token with the required permissions level.

Option 1: Edit the Permissions of the User that Created the Existing API Token

1. Identify the Read-only admin account used to create the API token.
2. Log into the Okta console from an account that has Super administrator privileges and add the permissions of the Group admin to the existing user for Expel.

Option 2: Generate a New API Token and Update Workbench

1. Generate a new API token in Okta using an account with Report administrator and Group administrator privileges. For instructions, follow Step 2 of the Okta Workforce Identity Cloud Setup for Workbench guide, replacing "Read-only Administrator" with "Report Administrator" and "Group Administrator" privileges.
2. Log in to Workbench.
3. Navigate to Organization Settings > Security Devices.
4. Find Okta in the security device list.
5. In the Okta row, select the down arrow, and select Edit.
6. Replace the API Token with the newly generated token.
   
7. Select Save.

Step 2: Update Your Context

If you do not want to specify any credentials for a "do not reset" or "always reset" list, and instead wish for Expel to automatically reset all identified credentials, skip to Step 3.

Working with your engagement manager, prepare to create an allow or deny list by adding credentials as context for your environment. You will then be able to select those credentials as "Never reset" or "Always reset" assets when you enable the auto remediation in Workbench.

Note

If our SOC identifies credentials that must be reset and you have created either an allow ("Always reset") or deny ("Never reset") list in Workbench, any credentials falling outside of those parameters are assigned to you as actions rather than being reset automatically.

Step 3: Return to the Main Setup Guide

Your Okta device is now ready for the Reset Credentials Auto Remediation. You should now do one of the following:

• If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
• If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.