About the lifecycle of a provisioned user
As part of Okta Lifecycle Management (LCM), provisioning helps organizations automate the IT processes associated with an individual joining, moving within, or leaving their organization. This flow of a user's identity through different stages is known as a user’s lifecycle state change.
Events that trigger a lifecycle state change - such as an employee position change, termination, or the expiration of an external application license - initiate processes to ensure that access to resources remains compliant with business and security policies.
The following diagram outlines how the different events during a typical employee's tenure at an organization trigger user lifecycle changes:
Employee is hired
When an employee is hired, human resources (HR) needs to create an account for that user. Depending on the organization, it is then up to a combination of HR, information technology (IT), and supervisors to grant access to all of the applications and accounts the employee needs to perform their job, as well as to introduce and enforce the organization's security requirements. With the growing usage of cloud-based applications, IT organizations may need to manage user accounts in numerous administrator consoles for each application.
In a provisioned environment, the new user account is created in your organization's user store and, based on roles and profile needs, the profile information flows down through your Okta app integrations out to all the external applications to create the accounts that the new user needs to have access. Users can be imported from an external application or directory service, or can be manually created in Okta
Employee is promoted, changes roles, or requires different software tools
In these scenarios, user access requirements change. Organizations may restructure or acquire new businesses, bringing along new employees. They can also require temporary or permanent access to app integrations for contractors and partners.
In your provisioned environment, the existing user account is updated in the source of truth to reflect the new changes. The updates are sent through Okta out to the external applications, changing access levels, adding or removing group membership, or even synchronizing passwords. This keeps the user profile in the external application in sync with the Okta user profile.
Application removed from an employee
This scenario arises if, for any particular reason, a user no longer needs an external application or the application is no longer available to the user (such as an expired license). The user account is updated and the access to just that application is removed. Deprovisioning access to that external application is important for compliance reasons and to help you maintain an accurate usage count for your applications.
Employee changes groups
When a user is removed from a group that was providing him access to certain app integrations, the user is automatically deprovisioned from those app integrations. When added as a member of a group, the user inherits access to the app integrations that have been granted to the group.
Employee leaves an organization
When an employee leaves an organization, the responsible department (usually HR) initiates the automatic process to fully deprovision the user. Deprovisioning ensures that persons who are no longer in your organization do not have access to sensitive applications and data.
You can deprovision users directly in Okta or from an external user store, such as Active Directory or Salesforce.
During the deprovisioning process, the user account is deactivated in the Okta Universal Directory, access to Okta app integrations is removed, and their accounts are automatically deactivated in external applications. If manual deprovisioning of the user account for any application is required, admins receive a notice in their dashboard.
Employee returns to an organization
If the employee returns to the organization at a later date (for example, after a return from leave), reactivating the user in Okta Universal Directory reactivates the user's accounts in the external applications.