Hello. It is my understanding that Okta does not currently support nested groups (or groups in groups, or hierarchical groups). I am curious to find out what challenges and problems this would cause if one wants to move off an existing on-prem enterprise AD which may have nested groups, to using the Okta Universal Directory. Has anybody had experience with this?
As you mentioned, many directory systems and applications support the concept of nested groups (or groups in groups). For example, a directory might contain a parent group named Sales, which itself might contain two child groups: East Coast Sales and West Coast Sales. Each of those groups can have members (users or groups).
Okta does not preserve nested hierarchies. In other words, Okta does not list a parent group, its direct users, and member groups. Instead, if Okta finds nested groups in a directory, Okta will recursively search all nested groups for users and list them under a single parent group in Okta. As an example, consider an AD structure that contains a parent group named Sales. Sales has two child groups (East Coast Sales and West Coast Sales), each of which contains users. Okta finds all users in Sales, East Coast Sales, and West Coast Sales – and lists them under a parent group named Sales. Okta will also import the child groups: East Coast Sales and West Coast Sales and their users, including those in nested child groups.
One challenge you might encounter is that your application that's connected to AD might need info about the hierachy (West Coast Sales is a part of Sales). Since Okta effectively flattens groups, the notion of hierachy disappears. A potential solution is to recode your app to accomodate a simpler, flatter structure. This may be difficult or impossible to do, depending on the app and on how much control you have over it.