Assign app integrations

This table describes how users and groups are granted access to app integrations. The specific requirements of your organization determine which method is most suitable. Users can also be assigned roles and permissions as long as the external application to which they are assigned has the equivalent functionality within Okta.

User type

Description

Individual users
User groups originating from an external source, such as an application or directory
  • You can assign the app integration to an application group. See Assign an app integration to a group.
  • This is useful for an organization with user groups that are managed in HR-management applications such as Workday, or an external directory service.
  • You can also turn an individual app integration assignment into a group assignment. For example, if a "Marketing" group is formed after several new people have been hired, the existing users can be brought into the group assignment. Then the administrator no longer needs to manage the access and profile attributes for individual users. See Convert an individual assignment to a group assignment.
Users from Okta, apps, and directories
  • If there are users sourced from various locations, such as Universal Directory, external applications, or external directories, it may be best to assign all these user stores to a single Okta group and then grant that group the access rights to the desired app integration.
  • A best practice scenario for importing users is based on an Okta user group and a rule. Set up an Okta user group and give access to the desired app integration to that group. When an external application's user group is imported into Okta, the assignment of users from the imported application's user group into the Okta user group is controlled by rules. As the members of that group are automatically assigned to the Okta user group, then the members inherit the access of the Okta user group. See About group rules.