About user management

When you add a user in Okta, you are creating a user account, or user profile, for the user in the Universal Directory. Universal Directory enables you to store an unlimited number of users and attributes from applications and sources like AD or HR systems. Any type of attribute is supported, including linked objects, sensitive attributes, and predefined lists. All of it is accessible by all apps in our OIN catalog, over LDAP, or via API. Universal Directory is the user store for all Okta users.

User accounts often originate in a third-party app. (App is an abbreviation of application: essentially, a web-based site that is used to perform any number of specific tasks and that requires end users to authenticate by signing in.) During provisioning, if an existing app user account matches an Okta user account, then the Okta account and app account are matched and linked.

The method used to manage (master) users is determined by how user data is added to Okta. Three methods are available to create user profiles: manually, importing from a directory or application, or importing from a CSV file.

Manually create user profiles

Users manually created in Okta are mastered by Okta, and Okta is the single source of truth for these users. Their user data is managed, or "mastered", in Okta, and Okta is the most current source for that data.

For example, if you integrate with Salesforce for provisioning, users created in Okta are pushed to Salesforce, but are managed in Okta. Updates and terminations made in Okta are reflected in Salesforce (and any other integrated, third-party application that’s part of the process). This downstream connection lets you have a single source of truth, where any changes made in Okta are reflected in Salesforce. As the single source of truth, Okta manages employee and contractor access to applications.

Okta pushes user information to the integrated, third-party application, which results in the creation of a user account within the application.

When user account information is updated in Okta, this information is pushed to the integrated, third-party app where the application user account is also updated.

Import user profiles from a directory service or app

User data can be imported into Okta from:

Users created in a directory service or integrated, third-party application are pushed to Okta and new AppUser objects are created, for matching against existing Okta user accounts, or creating new Okta user accounts.

Profile Mastering is a more sophisticated process for importing user data and makes an application or a directory the source of truth for user attribute information. Profile Mastering defines the flow and maintenance of user-object attributes and their lifecycle state. When a user profile is mastered from a directory or application, the Okta user profile’s attributes and lifecycle state are derived exclusively from that resource. An Okta user mastered by an application or directory has an Okta profile, but the profile cannot be edited in Okta and all user information is derived exclusively from the application or directory. If the user profile in the application or directory is disabled, the linked Okta user profile moves to the Deactivated lifecycle state on the next import.
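The following added example (not Okta's own code) shows how an administrator might check that externally mastered profiles agree with their source between imports. It assumes user records shaped like Okta Users API objects (status, profile.login, credentials.provider.type, with DEPROVISIONED as the API name for the Deactivated state) and a hypothetical source export that maps each login to an enabled flag; all sample data is constructed.

```python
# Added example: reconcile a mastering source against Okta user objects.
# Assumptions: Okta records follow the Users API shape; the source export
# format (login -> enabled flag) and matching on login are hypothetical.

# Every lifecycle state other than Deactivated (DEPROVISIONED in the API).
NOT_DEACTIVATED = {"STAGED", "PROVISIONED", "ACTIVE", "RECOVERY",
                   "LOCKED_OUT", "PASSWORD_EXPIRED", "SUSPENDED"}

def find_lifecycle_drift(okta_users, source_enabled):
    """Return sorted (login, finding) pairs for externally mastered users
    whose Okta lifecycle state disagrees with the mastering source."""
    findings = []
    for user in okta_users:
        if user["credentials"]["provider"]["type"] == "OKTA":
            continue  # Okta-mastered: Okta itself is the source of truth
        login = user["profile"]["login"].lower()
        status = user["status"]
        if login not in source_enabled:
            if status in NOT_DEACTIVATED:
                findings.append((login, "no_source_record"))
        elif not source_enabled[login] and status in NOT_DEACTIVATED:
            # Disabled at the source, but no import has yet moved the
            # linked Okta profile to the Deactivated state.
            findings.append((login, "disabled_in_source_still_active"))
        elif source_enabled[login] and status == "DEPROVISIONED":
            findings.append((login, "enabled_in_source_but_deactivated"))
    return sorted(findings)

def _user(login, status, provider):
    return {"status": status, "profile": {"login": login},
            "credentials": {"provider": {"type": provider}}}

# Constructed sample data (not real accounts).
SAMPLE_OKTA_USERS = [
    _user("alice@example.com", "ACTIVE", "ACTIVE_DIRECTORY"),
    _user("bob@example.com", "ACTIVE", "ACTIVE_DIRECTORY"),
    _user("carol@example.com", "DEPROVISIONED", "ACTIVE_DIRECTORY"),
    _user("dave@example.com", "ACTIVE", "OKTA"),
    _user("erin@example.com", "SUSPENDED", "LDAP"),
    _user("frank@example.com", "DEPROVISIONED", "LDAP"),
]
SAMPLE_SOURCE = {"alice@example.com": True, "bob@example.com": False,
                 "carol@example.com": False, "frank@example.com": True}

if __name__ == "__main__":
    for login, finding in find_lifecycle_drift(SAMPLE_OKTA_USERS, SAMPLE_SOURCE):
        print(f"{finding:36}{login}")
```

A "disabled_in_source_still_active" finding marks an account that stays usable in Okta until the next import runs, which is the window to watch when import schedules are infrequent.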

You can use the Import User Schema feature, or Schema Discovery (the ability to import additional attributes to Okta), to import additional user attributes from apps such as Salesforce.

Use one of the following integration strategies to import user data:

Import users from a CSV file

Users are imported from a CSV file and managed in Okta. Any user profile changes are pushed to integrated, third-party applications.

User lifecycle changes such as a position change, app license expiration, or employment termination trigger certain provisioning functions that change the user's lifecycle state.