Attribute-level Mastering (ALM) is a powerful feature of Okta Provisioning. For general information about provisioning, see Provisioning and Deprovisioning Overview. For details about profile mastering, see Profile Masters.
A profile master is an application (a directory service like Active Directory or an HR management software such as Workday) that can act as the "source of truth" for user identities. Currently, if more than one profile master exists on the Profile Masters page, they can be prioritized so that end users can be mastered by different systems, based on their assignments. At any given time, there can only be one profile master that masters a user's entire profile. However, ALM delivers finer grain control over how profiles are mastered by letting you specify different profile masters for individual attributes.
For example, an Okta user may have most of their profile attributes, like first name, last name and department, mastered by an HR system like Workday. With attribute-level mastery, their phone number and email address attributes could be mastered by Active Directory. Furthermore, their personal email address or preferred display name could be mastered inside Okta, and managed by an Okta admin or the end user themselves.
Note: Profile mastering only applies to Okta user profiles, not app user profiles.
Setting up ALM
Using the ALM feature requires that (1) profile mastering is enabled, (2) you have chosen a profile master from the list under Profile master priority on the Profile Editor page, and (3) any desired mappings are specified through UD mapping.
The first step in setting up ALM is to enable profile mastering. Use of ALM assumes that more than one profile master is set on the Profile Masters page. In order for these profile-mastered apps to appear on the Profile Editor under Profile master priority, as shown below, profile mastering must be enabled for those apps.
Enable Profile Mastering for Active Directory
- From the Administrative Dashboard, go to the Directory drop-down menu.
- From the drop-down menu, choose Directory integrations.
- Click the Active Directory instance.
- Choose the Settings tab.
- Scroll down to Provisioning Features > Profile Master.
- Check the Enable button.
Enable Profile Mastering for Other Profile Mastering Apps
- From the Administrative Dashboard, go to the Applications drop-down menu.
- From the drop-down menu, choose Applications.
- Choose the app from the list of applications.
- From the <app> page, choose the Provisioning tab.
- From the left-side Settings panel, choose To Okta.
- Scroll down to Profile & Lifecycle Mastering and click the Allow <app> to master Okta users check box.
Establish Profile Masters by attribute
The second step of setting up ALM is to establish mastery by attribute. If your profile master(s) have been successfully enabled, they appear as a list under User > Profile master priority. When you scroll down to Attributes > Master priority (in the right-side column), the default state is Inherit from profile master, which retains the profile master set for the entire profile. To change the priority, you have the following options:
- Inherit from profile master: Picks up the default profile master for the entire profile, as shown in the Profile master priority field.
- Inherit from Okta: Picks up this particular attribute value from Okta. This attribute value can be edited in three ways: via the user's Profile tab, the Okta API or, if appropriate for end-user modification, by the end user.
- Override profile master: Overrides the default profile master. Click the Add Master drop-down menu to choose another available profile master.
To change the priority:
- From the Directory drop-down menu, choose Profile Editor.
- From the Profile Editor page, select the source you wish to edit, then click Profile in the Actions column.
- From the left-side column (Base or Custom), choose an attribute. An example might be Last name. Click the Information icon in the right-hand column.
- From the Master priority drop-down list, you can choose to either Inherit from profile master, Inherit from Okta, or Override profile master.
Note: The Override profile master option lets you delete a master here if you don't want it available for a particular attribute; this does not disable the app as a master in general. Do this by clicking the X beside the app name.
See below for an example scenario of how this might work with Workday and Active Directory as two profile masters.
Example Profile Master Set

| Setting | Value |
|---|---|
| Default master for the entire profile | Workday, Active Directory |
| Attribute master (alternative master for a particular attribute) | Mobile phone: Active Directory |

Result for this set: the 3rd attribute (mobile phone) is mastered by Active Directory; all other attributes are mastered by Workday.
Mapping the Attribute on the Profile Mappings Page
The third, optional step of setting up ALM is to map the attribute through UD. If no mappings are set up, the attribute has a null value.
After you have chosen an attribute to change and set the Master priority to Override profile master, for example, the attribute must be mapped. To map the attribute, do the following:
- From the Profile Editor page, click the Profile Mappings tab.
- Choose the app instance of the profile master you wish to map.
- Click the Edit Mappings button.
- From the list of attributes on the left, find the attribute (such as Last name) you have chosen to change. Note: ALM only maps from a profile-mastered app to Okta; it is not bidirectional.
- Click the Save Mappings button to save your choices.
If you have selected an attribute that has no mapping from the primary profile master, the attribute has a null value. A value is not pulled from any other master apps in the priority list.
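As an added illustration of the rules this page states (this is example code written for this page, not Okta's own code or API), the following Python models how a user's attribute values resolve from the profile master priority list, the per-attribute Master priority setting (Inherit from profile master, Inherit from Okta, or Override profile master), and whether the chosen master has a UD mapping for the attribute. The masters, attribute values and settings are constructed for the example and mirror the Workday / Active Directory scenario above; the `department` override to Active Directory is deliberately left unmapped to show the null result, and the model never falls back to another master in the priority list when the chosen master has no mapping.

```python
# Constructed sample data modelling the scenario on this page.
# Profile master priority, highest first, as set under Profile master priority.
MASTER_PRIORITY = ["Workday", "Active Directory"]

# Attribute values each profile master would push to Okta for one user via its
# UD mapping. A missing key means "this master has no mapping for that attribute".
MASTER_VALUES = {
    "Workday": {
        "firstName": "Ada",
        "lastName": "Lovelace",
        "department": "Engineering",
        "email": "ada@example.com",
    },
    "Active Directory": {
        "firstName": "Ada",
        "lastName": "Lovelace",
        "email": "ada.lovelace@corp.example",
        "mobilePhone": "+1-555-0100",
    },
}

# Values held inside Okta itself (edited by an admin, via the API, or by the end user).
OKTA_VALUES = {"secondEmail": "ada@personal.example", "displayName": "Ada L."}

# Per-attribute Master priority setting from the Profile Editor.
# Any attribute not listed uses the default, Inherit from profile master.
INHERIT, INHERIT_OKTA, OVERRIDE = "inherit", "inherit_okta", "override"
ATTRIBUTE_MASTER = {
    "mobilePhone": (OVERRIDE, "Active Directory"),
    "secondEmail": (INHERIT_OKTA, None),
    "displayName": (INHERIT_OKTA, None),
    # Overridden to Active Directory, which has no mapping for it (see resolve()).
    "department": (OVERRIDE, "Active Directory"),
}


def default_master(assigned_masters, priority=MASTER_PRIORITY):
    """Return the single master for the user's whole profile: the highest-priority
    master the user is assigned to, or None if the user is assigned to none."""
    for master in priority:
        if master in assigned_masters:
            return master
    return None


def resolve(attribute, assigned_masters):
    """Resolve one attribute value according to the three Master priority options.
    Returns None when the chosen master has no mapping for the attribute: the value
    is not pulled from any other master in the priority list."""
    setting, override_master = ATTRIBUTE_MASTER.get(attribute, (INHERIT, None))
    if setting == INHERIT_OKTA:
        return OKTA_VALUES.get(attribute)
    source = override_master if setting == OVERRIDE else default_master(assigned_masters)
    if source is None:
        return None
    return MASTER_VALUES.get(source, {}).get(attribute)


def resolve_profile(assigned_masters):
    """Resolve every attribute known to any master or to Okta, returning a dict
    that shows which value (if any) each attribute ends up with."""
    attributes = set(OKTA_VALUES)
    for values in MASTER_VALUES.values():
        attributes.update(values)
    return {name: resolve(name, assigned_masters) for name in sorted(attributes)}


if __name__ == "__main__":
    for name, value in resolve_profile(["Workday", "Active Directory"]).items():
        print(f"{name:12} -> {value!r}")
```

Running the block prints the resolved profile for a user assigned to both masters: `email` comes from Workday (the default master), `mobilePhone` from Active Directory (the override), `secondEmail` and `displayName` from Okta, and `department` is `None` because the overriding master has no mapping for it. Checking the output of such a model against the Profile Editor settings is a quick way to confirm which system is actually authoritative for each attribute before relying on it downstream.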
Allowing End-User Edit Permissions
There are some attributes that can be mastered inside Okta and then managed by an Okta admin or by the end users themselves. Although end users cannot change their primary attributes (such as first name, last name, or primary email), you may want to allow them to add or change attributes like personal email address or preferred display name. These attributes then appear as editable fields on their Settings > Account page.
To allow end-user editing of certain attributes, do the following:
- From the Directory drop-down menu, choose Profile Editor.
- From the Profile Editor page, on the left-side panel under Filters, select a profile type to narrow the list of apps.
- Find the app source you wish to edit, then click the Profile button under the Actions column on the right-side column.
- Under Attributes, from the left-side column (Base or Custom), choose an attribute, then click the Information icon in the right-hand column.
- From the User permission drop-down menu you can choose one of the following options:
  - Hide: Hides the attribute field from the end-user list.
  - Read Only: Does not allow the field to be edited.
  - Read-Write: Allows the end user to change or add information in the attribute field.
- From the Master priority drop-down list, choose Inherit from Okta.
- Once completed, click the Save Attribute button.