About import safeguards

Import safeguards help prevent an unusual number of app unassignments during user import. An import safeguard is the maximum percentage of app users in an org that can be unassigned while allowing the import to proceed.

You can apply an import safeguard at the app level, the org level, or both. An app level import safeguard applies a safeguard limit to individual apps in your org. An org level import safeguard applies to all users assigned to all apps in your org. A minimum of 100 app assignments are required to activate an org level import safeguard.

For example, an org with 10 apps and 100 users assigned to each app, for a total of 1,000 app users:

  • Org Level Safeguard – Applied against the total app user population of 1,000 app users. When set at 20 percent, any import that would unassign more than 200 app users is paused.
  • App Level Safeguard – Applied against the population of users assigned to any given app (100 users, in this example). If set at 50 percent, any import that would unassign more than 50 users from a given app is paused.

App level and org level safeguards are enabled by default and set at 20 percent. Safeguards are not triggered when an import job changes a property that a group rule uses to assign a user to group membership. An import safeguard is activated by a specified percentage of unassignments. Deactivated users are included in the unassignment calculation, regardless of lifecycle state that you set when importing.

If both the app level and org level safeguards are set, the user import is stopped when the first app or org level safeguard limit is reached. The app level safeguard takes priority when the app level and org level limits are the same. Individual app level settings apply to all apps in the org. For example, if you modify the import safeguard setting in one app from 20 percent to 15 percent, the new setting applies to all apps. The app level import safeguard setting defines the unassignment threshold for a single app (with more than 100 users) and the org level import safeguard setting applies to all unassignments in an org.

This image is an example of the warning that is generated for an app level import safeguard.

If the app unassignment was expected and intentional, click Resume All Imports to resume the import. You can view the event in the system log and adjust the threshold of allowed app unassignments.

If the app unassignment was not expected and the number of unassignments was not intentional, click Cancel the Affected Import and Resume Other Imports to stop mports from the app and resume other imports. View the event in the system logs and contact Okta customer support if you cannot determine the cause of the issue.