Background information

To better grasp Okta Provisioning, it's helpful to understand user management in Okta and how apps are configured and users are assigned to them.

User management

The Okta Provisioning workflow begins with user management. When you add a user to Okta, you are creating a user account, or user profile, for the user in the Universal Directory. This directory is the user store for all Okta users.

User accounts often originate in a third-party app. During provisioning, if an account already exists in the app that matches the one in Okta, then the Okta account and app account are matched and linked.

Users are managed (mastered) based on the method used to add them to Okta. The following are the possible methods:

Events impacting a user's lifecycle trigger certain provisioning functions that can change the user's lifecycle state (see Okta Provisioning functions). These can include such events as an employee position change, app license expiration, and employment termination (see Triggering events and user identity flow).

Triggering events and user identity flow

As part of Okta Lifecycle Management (LCM), Okta Provisioning is instrumental in the onboarding, transitioning, support, and off-boarding (deprovisioning) of employees and external users in an organization. The flow of a user's identity throughout the different lifecycle stages is known as a user's lifecycle state change. Events that trigger a lifecycle change put into action a process that ensures access to resources stays compliant with business and security policies.

The following are events that would trigger a user lifecycle change.

  • Employee is hired

    When an employee is hired, HR needs to create an account for that user. Depending on the organization, it is then up to a combination of HR, IT, and the employee supervisors to grant access to all of the apps and accounts they will need, as well as to introduce and enforce the organization's security requirements. With the proliferation of cloud apps, IT organizations may have to manage user accounts in numerous administrator consoles for each app. This can be quite difficult, if not unmanageable. Okta Provisioning reduces IT overhead and helps to automate user management.

  • Employee is promoted, changes roles, or adopts or drops various software tools

    For these scenarios, user access requirements change. Organizations may restructure or acquire new businesses, bringing along new employees. They can also require temporary or permanent app access for contractors and partners.

  • Employee left an organization

    As employees leave an organization, a process can be initiated by various departments to deactivate users. The user account needs to be deactivated. Deprovisioning deactivates the user account from the Okta Universal Directory. Deprovisioning ensures that persons who are no longer in your organization do not have access to sensitive applications and data.

    You can deprovision users in Okta or from an external user store such as AD, or from a CRM app such as Salesforce. Typically, user deactivation is triggered from an external user store and it flows into Okta. In any case, deactivated users are automatically deprovisioned from supported apps. Admins receive an email describing any apps from which they must manually deprovision users.

  • Employee changed groups

    When a user is removed from the group that was providing him access to certain apps, the user is deprovisioned from these apps. As a member of a new group, the user inherits access to the apps belonging to the group.

  • App removed from user

    For a particular reason, a user no longer needs an app or the app is no longer available to the user (such as an expired license). In this case, deprovisioning is important for compliance reasons and to help you maintain an accurate usage count for your applications.
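
The lifecycle events above all come down to one check: does each live app account still match what the directory says the user should have? The following added example (not Okta code, and not using the Okta API) models that reconciliation over constructed data; the `User` fields, status labels, group names and app names are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    login: str
    status: str  # "ACTIVE" or "DEACTIVATED": constructed labels, not Okta API values
    groups: set = field(default_factory=set)
    direct_apps: set = field(default_factory=set)

def expected_apps(user, group_apps):
    """Apps a user should hold: none once deactivated, else direct plus group-inherited."""
    if user.status != "ACTIVE":
        return set()
    inherited = set().union(*(group_apps.get(g, set()) for g in user.groups))
    return user.direct_apps | inherited

def reconcile(users, group_apps, app_accounts):
    """Diff expected access against live app accounts (app name -> set of logins).
    Returns (to_deprovision, to_provision), each a sorted list of (login, app)."""
    by_login = {u.login: u for u in users}
    to_deprovision, to_provision = [], []
    for app, logins in app_accounts.items():
        for login in logins:
            user = by_login.get(login)
            # An account with no directory owner is stale by definition.
            if user is None or app not in expected_apps(user, group_apps):
                to_deprovision.append((login, app))
    for user in users:
        for app in expected_apps(user, group_apps):
            if user.login not in app_accounts.get(app, set()):
                to_provision.append((user.login, app))
    return sorted(to_deprovision), sorted(to_provision)

# Constructed sample data, one case per lifecycle event in the list above.
GROUP_APPS = {"sales": {"crm"}, "engineering": {"git", "ci"}}
USERS = [
    User("ana", "ACTIVE", {"engineering"}),          # changed groups: sales -> engineering
    User("bo", "DEACTIVATED", {"sales"}, {"wiki"}),  # left the organization
    User("cy", "ACTIVE", {"sales"}),                 # wiki removed from user
]
APP_ACCOUNTS = {
    "crm": {"ana", "bo", "cy"},
    "git": {"ana"},
    "ci": set(),
    "wiki": {"bo", "cy", "dee"},  # "dee" has no directory entry
}

STALE, MISSING = reconcile(USERS, GROUP_APPS, APP_ACCOUNTS)
print("deprovision:", STALE, "provision:", MISSING)
```

The stale list is the set of accounts that automatic deprovisioning should already have removed; anything left in it for an app without provisioning support corresponds to the manual deprovisioning the admin email asks for.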

App configuration

In order to manage user lifecycle between Okta and an app, provisioning for an app must be enabled.

User app assignment

Below are the scenarios in which a user can be given access to an app. Based on your organization, a particular scenario may fit your needs better than another.

  • Individual user or users

    • For an organization having one or a few members, it may be best to directly assign the app to the user.
    • You can assign the desired app to the user or the user to the desired app (see Assign and unassign apps to users).
  • Users originating from an external source, such as an application

    • For an organization having user groups well organized in an HR-management app such as Workday or a directory service such as AD or LDAP
    • You can assign the application group to the desired app or the desired app to the application group.
  • Users best served by an Okta group and rules

    • If there are users across various locations such as Okta, apps, and directories, it may be best to assign all these user stores to an Okta group with access rights to the desired app.
    • This scenario is based on an Okta user group and a rule. Assigning app access to an Okta user group is a best practice for granting app access to users imported from an app group. When an app group is imported into Okta, the members of that group will be assigned to the Okta user group, and thus the members will inherit the app access of the Okta user group. The assignment of users from the imported app group into the Okta user group is controlled by rules.


Users can also be assigned roles and permissions as long as the integrated, third-party application to which they are assigned has functionality within Okta.

See also

The Applications Page

What's next?

Now that you have some background information, let's learn more about Okta Provisioning.