Setting up Attribute Level Mastering
Attribute-level Mastering (ALM) is a powerful feature of Okta Provisioning. Customers who previously purchased Enterprise Plus Edition also have access to ALM. For general information about provisioning, see Provisioning and Deprovisioning Overview. For details about profile mastering, see Profile Masters.
A profile master is an application (a directory service like Active Directory or an HR management software such as Workday) that can act as the "source of truth" for user identities. Currently, if more than one profile master exists on the Profile Masters page, they can be prioritized so that end users can be mastered by different systems, based on their assignments. At any given time, there can only be one profile master that masters a user's entire profile. However, ALM delivers finer-grained control over how profiles are mastered by letting you specify different profile masters for individual attributes.
For example, an Okta user may have most of their profile attributes, such as first name, last name, and department, mastered by an HR system like Workday. With attribute-level mastery, their phone number and email address attributes could be mastered by Active Directory. Furthermore, their personal email address or preferred display name could be mastered inside Okta, and managed by an Okta admin or the end user themselves.
Note: Profile mastering only applies to Okta user profiles, not app user profiles.
Setting up ALM
Using the ALM feature requires that (1) profile mastering is enabled, (2) you have chosen a profile master from the list under Profile master priority on the Profile Editor page, and (3) any desired mappings are specified through UD mapping.
The first step in setting up ALM is to enable profile mastering. Use of ALM assumes that more than one profile master is set on the Profile Masters page. In order for these profile-mastered apps to appear on the Profile Editor under Profile master priority, as shown below, profile mastering must be enabled for those apps.
Enabling Profile Mastering for Active Directory
Enabling Profile Mastering for Other Profile Mastering Apps
Establishing Profile Masters by Attribute
The second step of setting up ALM is to establish mastery by attribute. If your profile masters have been successfully enabled, they appear as a list under User > Profile master priority. When you scroll down to Attributes > Master priority (in the right-side column), the default state is Inherit from profile master, which retains the profile master set for the entire profile. To change the priority, you have the following options:
To change the priority:
Note: The Override profile master option allows you to delete a master here if you don't want it available to a particular attribute. This does not generally disable the app as a master. Do this by clicking the X beside the app name.
See below for an example scenario of how this might work with Workday and Active Directory as two profile masters.
Mapping the Attribute on the Profile Mappings Page
The third, optional step of setting up ALM is to map the attribute through UD. If no mappings are set up, the attribute has a null value.
After you have chosen an attribute to change and set the Master priority to Override profile master, for example, the attribute must be mapped. To map the attribute, do the following:
If you have selected an attribute that has no mapping from the primary profile master, the attribute has a null value. A value is not pulled from any other master apps in the priority list.
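The null-value rule above is easy to miss when reviewing a configuration, so here is an added example (a simplified model written for this page, not Okta code or the Okta API) that resolves each attribute's master and value and lists the attributes that end up null. All function names, attribute names and sample data are hypothetical, and it assumes the "primary" master is the first one in the priority list that the user is assigned to.

```python
# Added illustration: a simplified model of the rules described on this page,
# not Okta code or the Okta API. All names and data here are hypothetical.
INHERIT = "inherit"    # "Inherit from profile master" (the default)
OVERRIDE = "override"  # "Override profile master"


def effective_master(priority, assigned):
    """First master in priority order that the user is assigned to (assumption)."""
    return next((m for m in priority if m in assigned), None)


def resolve_profile(attributes, profile_priority, attr_settings, mappings,
                    source_values, assigned):
    """Return {attribute: (master, value)} for one Okta user profile.
    attr_settings: {attr: (mode, override_priority_list)}
    mappings: {master: {okta_attr: source_attr}}; source_values: {master: {...}}
    """
    resolved = {}
    for attr in attributes:
        mode, override = attr_settings.get(attr, (INHERIT, []))
        priority = override if mode == OVERRIDE else profile_priority
        master = effective_master(priority, assigned)
        source_attr = mappings.get(master, {}).get(attr)
        # No mapping from the primary master means null; lower-priority
        # masters in the list are never consulted for a value.
        value = source_values.get(master, {}).get(source_attr) if source_attr else None
        resolved[attr] = (master, value)
    return resolved


def unmapped_attributes(resolved):
    """Attributes that resolve to null, worth reviewing before rollout."""
    return sorted(a for a, (_, v) in resolved.items() if v is None)


# Constructed sample data: Workday and Active Directory as two profile masters.
PROFILE_PRIORITY = ["Workday", "Active Directory"]
AD_FIRST = (OVERRIDE, ["Active Directory", "Workday"])
ATTR_SETTINGS = {"mobilePhone": AD_FIRST, "email": AD_FIRST}
MAPPINGS = {
    "Workday": {"firstName": "first_name", "department": "dept", "email": "work_email"},
    "Active Directory": {"mobilePhone": "mobile"},  # no email mapping from AD
}
SOURCE_VALUES = {
    "Workday": {"first_name": "Ana", "dept": "Finance", "work_email": "ana@example.com"},
    "Active Directory": {"mobile": "+1 555 0100", "mail": "ana@corp.example.com"},
}
```

In this constructed data, email is overridden to Active Directory but has no mapping from it, so it resolves to null even though Workday has a mapped value.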
Allowing End-User Edit Permissions
Some attributes can be mastered inside Okta, then managed by an Okta admin or their end users. Although end users cannot change their primary attributes (such as first name, last name, or primary email), you may want to allow them to add or change attributes like personal email address or preferred display name. These attributes would appear as editable fields on their Settings > Account page.
To allow end-user editing of certain attributes, do the following: