Use case: Change time- and context-based identity entitlement

Change entitlements or take actions based on specific time or user contexts.

Summary of Use Case

Problem: Limit user access to specific time periods, provide temporary access, delay entitlements by a specific amount of time, define a maximum lifespan for yet-to-be-activated new users, and ensure retention of access for terminated users.

Solution: Either on a lifecycle event hook or a polling schedule, read Okta user information to determine whether specific actions based on time or another user context need to take place. Note: Okta's Automations feature also enables scheduled actions.

Applications: Okta, Salesforce, and Office 365 Admin. See Workflows' full list of available connectors.


For a detailed tutorial to implement this flow, see Time-Based Actions.

Sample Flow Summary Diagram 1

Sample Flow Summary Diagram 2

Guidelines and limitations

  • Workflows is not intended for full imports or synchronization from upstream systems, and you should not design a Flow with the intention of filtering a large set of users in memory. This Workflows use case is not a replacement for native directory or other HR integrations.
  • Workflows has a working memory limit of 100MB. Workflows that exceed that limitation will fail and produce an error message. You will typically hit this limit when reading a large batch of unfiltered data from Okta or another source and processing it in the same Flow.
  • To avoid reaching the memory limit:
    • Use a filter parameter or search parameter.
    • Batch records that you've read, and remove users from the query after they've been processed.
    • Batch the records that you've read, and manage the API cursor manually.
  • Workflows system-wide limits also apply. See Learn about Workflows Limits.
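
The filter-and-cursor pattern from the guidelines above, shown at the API level as an added example (not Okta's or this page's own code): a search expression selects only users still STAGED past a maximum lifespan, and the loop follows the `after` cursor from the Link header so that only one page is held in memory at a time. The function names, the `example.okta.com` host, and the sample user IDs are constructed, and `fake_fetch_page` stands in for a real call to the Okta Users API.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

def stale_staged_search(now, max_age_days):
    """Server-side filter: users still STAGED after the allowed lifespan."""
    cutoff = (now - timedelta(days=max_age_days)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return f'status eq "STAGED" and created lt "{cutoff}"'

def next_cursor(link_header):
    """Return the 'after' cursor from the rel="next" link, or None on the last page."""
    for url, rel in re.findall(r'<([^>]+)>;\s*rel="([^"]+)"', link_header or ""):
        if rel == "next":
            return parse_qs(urlparse(url).query).get("after", [None])[0]
    return None

def process_in_batches(fetch_page, handle_user, search, limit=2):
    """fetch_page(search, limit, after) -> (users, link_header); one page in memory."""
    after, handled = None, 0
    while True:
        users, link = fetch_page(search, limit, after)
        for user in users:
            handle_user(user)  # e.g. deactivate or flag for review
            handled += 1
        after = next_cursor(link)
        if after is None:
            return handled

# Constructed sample data; a real fetch_page would send search/limit/after to the API.
SAMPLE_IDS = ["00u1", "00u2", "00u3", "00u4", "00u5"]

def fake_fetch_page(search, limit, after):
    """Offline stand-in: ignores `search` (the server applies it) and pages by ID."""
    start = SAMPLE_IDS.index(after) + 1 if after else 0
    page = SAMPLE_IDS[start:start + limit]
    link = f'<https://example.okta.com/api/v1/users?limit={limit}>; rel="self"'
    if start + limit < len(SAMPLE_IDS):
        link += f', <https://example.okta.com/api/v1/users?after={page[-1]}&limit={limit}>; rel="next"'
    return [{"id": i, "status": "STAGED"} for i in page], link

def run_demo():
    now = datetime(2024, 6, 30, tzinfo=timezone.utc)
    search = stale_staged_search(now, max_age_days=30)
    expired = []
    count = process_in_batches(fake_fetch_page, lambda u: expired.append(u["id"]), search)
    return search, count, expired

if __name__ == "__main__":
    print(run_demo())
```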