**Push new users**

Users created in Okta are also created in FleetDM.
Here are some important things to note:
- To generate the FleetDM Full Name, either the First Name or the Last Name is required.
- The email must match the username.
- When you create users, use an Okta Identity Governance-enabled instance to manage global roles.
- Providing a role parameter isn't required when assigning a new user in Okta, even in instances where Okta Identity Governance is enabled.
- New users created in Okta who aren't explicitly assigned entitlements are automatically given the Observer global role.
**Push profile updates**

Updates made to the user profile through Okta are pushed to FleetDM.
Here are some important things to note:
- To generate the FleetDM Full Name, either the First Name or the Last Name is required.
- The email must match the username.
- Only the First Name and Last Name can be updated.
- Joining a group replaces the user's global role with the role assigned to that fleet or group.
- When a user is removed from all groups or fleets, they're assigned the global Observer role. A user must have either a global role or a fleet-specific role.
**Push user deactivation**

Disabling a user in Okta triggers an immediate deletion of the user in FleetDM.
**Import new users**

Users created in FleetDM are imported into Okta.
Here are some important things to note:
- During import, user attributes and organization data are preserved.
- If a user is assigned to a fleet, only global roles are visible in user provisioning; fleet-specific roles aren't.
- Because FleetDM uses a single name attribute, the Okta First Name (FN) and Last Name (LN) fields are merged into a single Full Name field in FleetDM during synchronization.
- If FN or LN is missing, it's replaced with First Name Undefined (FNU) or Last Name Undefined (LNU). Users without an email can't be imported.
- FleetDM fleets or groups with Unicode characters or empty titles can't be imported.
**Import profile updates**

Updates made to a user's profile in FleetDM are downloaded and applied to the profile fields in Okta.

**Push password updates**

Changes to the user's password in Okta are pushed to FleetDM.
The password must be at least 12 characters. It must contain at least one uppercase or lowercase letter, one number, and one special character.
**Entitlement Management**

You can manage app entitlements for FleetDM in Okta.
If the app supports Okta Identity Governance, you need to enable it to manage entitlements.
Here are some important things to note:
- When assigning entitlements in an Okta Identity Governance-enabled instance, select and assign appropriate global roles to users. For details on role-based access, see the Fleet documentation.
- The following global roles are available:
  - Observer
  - Observer Plus
  - Technician
  - Maintainer
  - Admin
  - GitOps
- A user can have either a global role or fleet-specific roles in FleetDM, not both.
- Assigning a global role to a user removes them from all fleets within FleetDM. This removal is a local change in FleetDM and isn't automatically communicated to Okta.
- To keep the two systems in sync, perform an Import Users action in the Okta instance immediately afterwards, before making further modifications.
- In an Okta Identity Governance-supported app, assigning a role to a new user isn't mandatory. However, if roles are assigned, they must be global roles.
- For fleet- or group-specific access, use Okta Push Groups to assign the Observer role, which is the least-privilege role in a fleet. Any additional fleet-specific roles are managed directly within the FleetDM UI.
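The provisioning rules described above (Full Name merging, email/username match, the password policy, and the either-global-or-fleet role rule) as an added Python illustration; this is not Okta's or Fleet's code, and the literal `FNU`/`LNU` placeholder strings, the profile dict keys and the access-state dict shape are assumptions.

```python
# Global roles exactly as the integration lists them.
GLOBAL_ROLES = ("Observer", "Observer Plus", "Technician", "Maintainer", "Admin", "GitOps")
DEFAULT_GLOBAL_ROLE = "Observer"
# Assumed string form of the "First/Last Name Undefined" placeholders.
FNU, LNU = "FNU", "LNU"


def full_name(first, last):
    """Merge Okta First Name / Last Name into the single FleetDM Full Name.
    At least one part is required; a missing part gets its placeholder."""
    first, last = (first or "").strip(), (last or "").strip()
    if not first and not last:
        raise ValueError("either First Name or Last Name is required")
    return f"{first or FNU} {last or LNU}"


def password_meets_policy(pw):
    """12+ characters with at least one letter, one digit and one special character."""
    return (len(pw) >= 12 and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def validate_push(user):
    """Pre-flight a constructed Okta profile dict; an empty list means it can be pushed."""
    problems = []
    try:
        full_name(user.get("firstName"), user.get("lastName"))
    except ValueError as exc:
        problems.append(str(exc))
    if user.get("email", "").strip() != user.get("login", "").strip():
        problems.append("email must match the username")
    if "password" in user and not password_meets_policy(user["password"]):
        problems.append("password does not meet the FleetDM policy")
    return problems


# Access state (assumed shape): {"global": role or None, "fleets": {fleet_name: role}}.
def assign_global_role(access, role):
    """A global role removes the user from every fleet. That removal happens in
    FleetDM only, so the caller should run Import Users in Okta afterwards."""
    if role not in GLOBAL_ROLES:
        raise ValueError(f"unknown global role {role!r}")
    return {"global": role, "fleets": {}}


def join_fleet(access, fleet, role="Observer"):
    """A pushed group overrides the global role with the fleet's role (Observer by default)."""
    return {"global": None, "fleets": {**access["fleets"], fleet: role}}


def leave_fleet(access, fleet):
    """Leaving the last fleet falls back to the global Observer role."""
    fleets = {k: v for k, v in access["fleets"].items() if k != fleet}
    return {"global": None if fleets else DEFAULT_GLOBAL_ROLE, "fleets": fleets}
```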
**Push groups**

You can push groups and their members to integrated apps. See Manage Group Push.
Here are some important things to note: