Okta Lifecycle Management (OLC) provides the means to automate license deprovisioning based on static data such as the user’s role, team, or location. However, OLC has no inherent ability to automate based on employee-level app usage data, such as that provided by Productiv.
Productiv created the Okta user access management connector to allow customers whose instance of Okta Enterprise includes the required SKUs, and who also have SCIM set up, to remove both access and licenses via Okta.
The connector creates Productiv deprovisioning workflows that remove Okta access via the Okta APIs, based on the user’s application usage history. If you have set up Okta SCIM to automatically manage application users based on their Okta access, you can reclaim those users’ licenses at the same time.
Note: If your instance of Okta Enterprise does not include the required SKUs, Productiv can still remove access.
Okta user access management workflow
Okta access is set by either assigning an individual user to an application, or assigning a user to a group that has access to that application. When the user is deprovisioned, the workflow is slightly different, depending on how they were originally assigned.
(1) Users are assigned the application individually
When users are directly assigned to an application, Productiv removes the user’s access from the application using Okta APIs.
(2) Users are assigned as a member of a group
(a) All of the groups that grant access to the application only grant access to that single application
When users are assigned to an application via groups and those groups only manage access to that single application, Productiv removes the user from their respective groups using the Okta APIs. If there are multiple such groups with access to that single application, the user is removed from all of them.
(b) Any of the groups that grant access to the application grant access to multiple applications
When a user is assigned to an application via a group and that group manages access to multiple applications, Productiv does not remove the user from that group. Instead, Productiv first updates the user to be directly associated with the application (by changing the access type from “group” to “administrator”) and then removes the user’s access to the application via the Okta APIs.
(c) The user is a member of more than one group that has access to the application
The configuration where users are assigned to an application via multiple groups, and some of those groups manage access to multiple applications while others manage access to that application only, is treated the same as case (b) above. Users are not removed from any groups; Productiv simply removes their access via the Okta APIs.
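To make the three cases concrete, here is an added example (not Productiv’s connector code) that encodes the decision rules above as a planner over an in-memory stand-in for the Okta tenant. The tenant model, group and user names, and the action names are constructed for the example; the Okta API routes named in the comments are the public Apps and Groups API endpoints as I understand them, not taken from this article. The planner returns the ordered actions first, so an operator can review what would change before anything is applied.

```python
"""Planner for the Okta access-removal cases (1), (2a), (2b) and (2c).

Constructed example: an in-memory Okta tenant model plus a planner that turns
the rules in the article into an ordered list of API actions.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    """Constructed in-memory model of the relevant Okta state."""
    # (app_id, user_id) -> assignment scope, "USER" (individual) or "GROUP"
    assignments: dict = field(default_factory=dict)
    group_members: dict = field(default_factory=dict)  # group_id -> {user_id}
    group_apps: dict = field(default_factory=dict)     # group_id -> {app_id} the group grants


def groups_granting(tenant, user_id, app_id):
    """Groups the user belongs to that assign app_id (sorted for stable plans)."""
    return sorted(
        g for g, apps in tenant.group_apps.items()
        if app_id in apps and user_id in tenant.group_members.get(g, set())
    )


def plan_removal(tenant, user_id, app_id):
    """Return the ordered actions that remove the user's Okta access to app_id.

    Action tuples map to Okta API calls (assumed routes, not from the article):
      ("unassign_app_user", app, user)     -> DELETE /api/v1/apps/{app}/users/{user}
      ("remove_group_member", group, user) -> DELETE /api/v1/groups/{group}/users/{user}
      ("convert_to_direct", app, user)     -> PUT /api/v1/apps/{app}/users/{user}, scope USER
    """
    actions = []
    via_groups = groups_granting(tenant, user_id, app_id)
    direct = tenant.assignments.get((app_id, user_id)) == "USER"

    if not via_groups:
        # Case (1): individually assigned -> unassign the app user directly.
        if direct:
            actions.append(("unassign_app_user", app_id, user_id))
        return actions

    single_purpose = all(tenant.group_apps[g] == {app_id} for g in via_groups)
    if single_purpose:
        # Case (2a): every granting group manages only this app -> leave those groups.
        for g in via_groups:
            actions.append(("remove_group_member", g, user_id))
        if direct:  # assumption: a leftover individual assignment is removed as in (1)
            actions.append(("unassign_app_user", app_id, user_id))
    else:
        # Cases (2b)/(2c): some group also grants other apps -> keep group
        # membership intact, convert to an individual assignment, then unassign.
        actions.append(("convert_to_direct", app_id, user_id))
        actions.append(("unassign_app_user", app_id, user_id))
    return actions


def apply_actions(tenant, actions):
    """Apply planned actions to the in-memory tenant (stand-in for the API calls)."""
    for kind, target, user_id in actions:
        if kind == "unassign_app_user":
            tenant.assignments.pop((target, user_id), None)
        elif kind == "convert_to_direct":
            tenant.assignments[(target, user_id)] = "USER"
        elif kind == "remove_group_member":
            tenant.group_members[target].discard(user_id)
            # Okta derives GROUP-scoped assignments from membership: drop them
            # for apps the user no longer reaches through any group.
            for app_id in tenant.group_apps[target]:
                if (tenant.assignments.get((app_id, user_id)) == "GROUP"
                        and not groups_granting(tenant, user_id, app_id)):
                    tenant.assignments.pop((app_id, user_id))
    return tenant


def has_access(tenant, user_id, app_id):
    """A user has Okta access to an app iff an assignment record exists."""
    return (app_id, user_id) in tenant.assignments


def build_sample_tenant():
    """Constructed sample data covering the four cases in the article."""
    return Tenant(
        assignments={
            ("appA", "u1"): "USER",                       # case (1)
            ("appB", "u2"): "GROUP",                      # case (2a)
            ("appB", "u3"): "GROUP", ("appC", "u3"): "GROUP",  # case (2b)
            ("appB", "u4"): "GROUP", ("appC", "u4"): "GROUP",  # case (2c)
        },
        group_members={"g1": {"u2"}, "g2": {"u2"}, "g3": {"u3", "u4"}, "g4": {"u4"}},
        group_apps={"g1": {"appB"}, "g2": {"appB"}, "g3": {"appB", "appC"}, "g4": {"appB"}},
    )


if __name__ == "__main__":
    tenant = build_sample_tenant()
    for user, app in [("u1", "appA"), ("u2", "appB"), ("u3", "appB"), ("u4", "appB")]:
        plan = plan_removal(tenant, user, app)
        print(user, app, plan)
        apply_actions(tenant, plan)
        print("  access after:", has_access(tenant, user, app))
```

The model deliberately treats a converted ("USER"-scoped) assignment as independent of group membership, which is what cases (2b) and (2c) rely on: the group stays intact for its other applications, and only the now-individual assignment is removed.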
Preparing for setup
The Okta user access management connector provides Productiv with write permissions to modify application assignments and group memberships, which are required to manage user access as described in the previous section.
Note: The Okta Lifecycle Management and Okta Advanced Lifecycle Management SKUs are required for Okta deprovisioning. If you are unsure whether your instance of Okta Enterprise includes those SKUs, consult your system administrator.
It takes around 30 minutes after the Okta user access management connector is set up for SSO access removal via Okta to become available. After that, once the deprovisioning workflow of an Okta Integration Network (OIN) app is edited, or a new workflow is created, the Access Management tab of any OIN app includes a new action method: Remove SSO access via Okta.
Creating and running a deprovisioning workflow with the Remove SSO access via Okta action method enables you to remove a matched user’s Okta access to the application. All other aspects of rule creation remain the same.