Use case: Change time- and context-based identity entitlement
Change entitlements or take actions based on specific time or user contexts.
Problem: Limit user access to specific time periods, provide temporary access, delay entitlements by a specific amount of time, define a maximum lifespan for yet-to-be-activated new users, and ensuring retention of access for terminated users.
Solution: Either on a lifecycle event hook or a polling schedule, read Okta user information to determine whether specific actions based on time or another user context need to take place. Note: Okta's Automations feature also enables scheduled actions.
Applications: Okta, Salesforce, and Office 365 Admin. For the full list of Workflows connectors, see Connectors.
For a detailed tutorial to implement this flow, see Tutorial: Time-based actions.
Sample Flow 1
Sample Flow 2
Guidelines and limitations
- Workflows is not intended for full imports or synchronization from upstream systems, and you should not design a Flow with the intention of filtering a large set of users in memory. This Workflows use case is not a replacement for native directory or other HR integrations.
- Workflows has a working memory limit of 100MB. Workflows that exceed that limitation will fail and produce an error message. You will typically hit this limit when reading a large batch of unfiltered data from Okta or another source and process it in the same Flow.
- To avoid reaching the memory limit:
- Use a filter parameter or search parameter.
- Batch records that you've read, and remove users from the query after they've been processed.
- Batch the records that you've read, and manage the API cursor manually.
Workflows system-wide limits also apply. See Learn about Workflows limits.