About user lifecycle state changes
As part of Okta Lifecycle Management (LCM), Okta provisioning is instrumental in the onboarding, transitioning, support, and deprovisioning of employees and external users in an organization. The flow of a user's identity throughout the different lifecycle stages is known as a user’s lifecycle state change. Events that trigger a lifecycle state change put into action a process that ensures access to resources stay compliant with business and security policies.
The following are events that trigger user lifecycle changes.
Employee is hired
When an employee is hired, human resources (HR) needs to create an account for that user. Depending on the organization, it is then up to a combination of HR, information technology (IT), and the employee supervisors to grant access to all of the apps and accounts they need to perform their job, as well as to introduce and enforce the organization's security requirements. With the proliferation of cloud apps, IT organizations may have to manage user accounts in numerous administrator consoles for each appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in.. This can be quite difficult, if not unmanageable. Okta provisioning reduces IT overhead and helps to automate user management.
Employee is promoted, changes roles, or adopts or drops various software tools
For these scenarios, user access requirements change. Organizations may restructure or acquire new businesses, bringing along new employees. They can also require temporary or permanent app access for contractors and partners.
Employee leaves an organization
As employees leave an organization, a process can be initiated by various departments to deactivate users. The user account needs to be deactivated. Deprovisioning deactivates the user account from the Okta Universal DirectoryUniversal Directory enables you to store an unlimited amount of users and attributes from applications and sources like AD or HR systems. Any type of attributes are supported including linked-objects, sensitive attributes, and pre-defines lists. All of it accessible by all apps in our OIN catalog, over LDAP or via API.. Deprovisioning ensures that persons who are no longer in your organization do not have access to sensitive applications and data.
You can deprovision users in Okta or from an external user store, such as AD or a CRM app, such as Salesforce. Typically, user deactivation is triggered from an external user store and it flows into Okta. In any case, deactivated users are automatically deprovisioned from supported apps. Admins receive an email describing any apps that require them to manually deprovision from users.
When a user is removed from the group that was providing him access to certain apps, the user is deprovisioned from these apps. As a member of a new group, the user inherits access to the apps belonging to the group.
App removed from user
For a particular reason, a user no longer needs an app or the app is no longer available to the user (such as an expired license). In this case, deprovisioning is important for compliance reasons and to help you maintain an accurate usage count for your applications.