Change time- and context-based identity entitlement

Change entitlements or take actions based on specific time or user contexts.

Summary

Problem: Limit user access to specific time periods, provide temporary access, delay entitlements by a specific amount of time, define a maximum lifespan for yet-to-be-activated new users, and ensuring retention of access for terminated users.

Solution: Either on a lifecycle event hook or a polling schedule, read Okta user information to determine whether specific actions based on time or another user context need to take place.

Applications: Okta, Salesforce, and Office 365 Admin. For the full list of Workflows connectors, see Connectors.

Tutorial

For a detailed tutorial to implement this flow, see Tutorial: Time-based actions.

Sample Flow 1

Sample Flow 2

Guidelines and limitations

• Workflows is not intended for full imports or synchronization from upstream systems, and you should not design a Flow with the intention of filtering a large set of users in memory. This Workflows use case is not a replacement for native directory or other HR integrations.
• Workflows has a working memory limit of 100MB. Workflows that exceed that limitation will fail and produce an error message. You will typically hit this limit when reading a large batch of unfiltered data from Okta or another source and process it in the same Flow.
• To avoid reaching the memory limit:
  • Use a filter parameter or search parameter.
  • Batch records that you've read, and remove users from the query after they've been processed.
  • Batch the records that you've read, and manage the API cursor manually.

• Workflows system-wide limits also apply. See Learn about Workflows best practices and limits.