Change time- and context-based identity entitlement

Change entitlements or take actions based on specific time or user contexts.


Problem: Limit user access to specific time periods, provide temporary access, delay entitlements by a specific amount of time, define a maximum lifespan for yet-to-be-activated new users, and ensure retention of access for terminated users.

Solution: Either on a lifecycle event hook or a polling schedule, read Okta user information to determine whether specific actions based on time or another user context need to take place.

Okta's Automations feature also enables scheduled actions.

Applications: Okta, Salesforce, and Office 365 Admin. For the full list of Workflows connectors, see Connectors.


For a detailed tutorial to implement this flow, see Tutorial: Time-based actions.

Sample Flow 1

Sample Flow 2

Guidelines and limitations

  • Workflows is not intended for full imports or synchronization from upstream systems, and you should not design a Flow with the intention of filtering a large set of users in memory. This Workflows use case is not a replacement for native directory or other HR integrations.
  • Workflows has a working memory limit of 100 MB. Workflows that exceed that limit will fail and produce an error message. You will typically hit this limit when reading a large batch of unfiltered data from Okta or another source and processing it in the same Flow.
  • To avoid reaching the memory limit:
    • Use a filter parameter or search parameter.
    • Batch records that you've read, and remove users from the query after they've been processed.
    • Batch the records that you've read, and manage the API cursor manually.
  • Workflows system-wide limits also apply. See Learn about Workflows best practices and limits.
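
The time-based decision from the Solution, combined with the manual cursor handling recommended above, sketched in Python as an added example (not Okta's code and not a Workflows flow). The 30-day pending limit, the `accessExpires` profile attribute, the `fetch_page` stand-in for a paged user read, and the sample records are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_PENDING = timedelta(days=30)  # assumed policy: lifespan of a not-yet-activated user

# Constructed records shaped like Okta user objects. "accessExpires" is a
# hypothetical custom profile attribute marking the end of temporary access.
USERS = [
    {"id": "u1", "status": "PROVISIONED", "created": "2024-01-02T08:00:00.000Z", "profile": {}},
    {"id": "u2", "status": "ACTIVE", "created": "2023-06-01T08:00:00.000Z", "profile": {}},
    {"id": "u3", "status": "ACTIVE", "created": "2024-02-10T08:00:00.000Z",
     "profile": {"accessExpires": "2024-03-01T00:00:00.000Z"}},
    {"id": "u4", "status": "STAGED", "created": "2024-03-10T08:00:00.000Z", "profile": {}},
    {"id": "u5", "status": "ACTIVE", "created": "2024-01-15T08:00:00.000Z",
     "profile": {"accessExpires": "2024-06-01T00:00:00.000Z"}},
]

def fetch_page(after, limit):
    """Stand-in for one paged read: returns (records, next_cursor or None)."""
    start = 0 if after is None else after
    end = start + limit
    return USERS[start:end], (end if end < len(USERS) else None)

def parse(ts):
    """Parse a UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def decide(user, now):
    """Return the action a user's time context calls for, or None."""
    expires = user["profile"].get("accessExpires")
    if user["status"] in ("STAGED", "PROVISIONED"):
        if now - parse(user["created"]) > MAX_PENDING:
            return "deactivate"
    elif user["status"] == "ACTIVE" and expires and now >= parse(expires):
        return "revoke_temporary_access"
    return None

def plan_actions(now, limit=2):
    """Walk the cursor by hand so only one page of records is held at a time."""
    actions, cursor = [], None
    while True:
        page, cursor = fetch_page(cursor, limit)
        actions += [(u["id"], a) for u in page if (a := decide(u, now))]
        if cursor is None:
            return actions

if __name__ == "__main__":
    print(plan_actions(datetime(2024, 3, 15, tzinfo=timezone.utc)))
```

Only the user ID and the chosen action survive each page, so working memory stays proportional to the page size rather than to the directory size. A server-side filter or search parameter on the read would shrink the pages further.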