Assign app integrations

This table describes how users and groups are granted access to app integrations. The specific requirements of your organization determine which method is most suitable. Users can also be assigned roles and permissions as long as the external application to which they are assigned has the equivalent functionality within Okta.

User type	Description
Individual users	For an organization with few users, apps can be directly assigned to the user. You can assign the app integration to the user or the user to the app integration. See Assign an app integration to a user or Assign applications to users. If users are already assigned to an app integration before provisioning is enabled for that app integration, those users are not automatically provisioned. See Provision unprovisioned users. When the app integration is assigned, Okta updates the user’s attributes in the downstream application. See Automatically update user attributes
User groups originating from an external source, such as an application or directory	You can assign the app integration to an application group. See Assign an app integration to a group. This is useful for an organization with user groups that are managed in HR-management applications such as Workday, or an external directory service. You can also turn an individual app integration assignment into a group assignment. For example, if a "Marketing" group is formed after several new people have been hired, the existing users can be brought into the group assignment. Then the administrator no longer needs to manage the access and profile attributes for individual users. See Convert an individual assignment to a group assignment.
Users from Okta, apps, and directories	If there are users sourced from various locations, such as Universal Directory, external applications, or external directories, it may be best to assign all these user stores to a single Okta group and then grant that group the access rights to the desired app integration. A best practice scenario for importing users is based on an Okta user group and a rule. Set up an Okta user group and give access to the desired app integration to that group. When an external application's user group is imported into Okta, the assignment of users from the imported application's user group into the Okta user group is controlled by rules. As the members of that group are automatically assigned to the Okta user group, then the members inherit the access of the Okta user group. See About group rules.