This article provides answers to frequently asked questions about Realms for Workforce Management.
Table of Contents
What are Realms?
What are the benefits of Realms?
What challenges can be solved with Realms?
How does Realms compare to the other deployment models available today?
What key capabilities and use cases are available with Realms?
Can users exist in multiple Realms?
Can Realm Admins administer multiple Realms?
Can Realm Admins be granted the ability to manage apps or groups?
Is Okta offering any APIs for user management with this solution?
Are there any Known Limits and Limitations?
Is there a Workflow Connector for Realms?
What are Realms?
Realms are a new construct in Universal Directory that provides a way to model distinct user populations within a single org. Today, customers who need to create and manage distinct, mutually exclusive user segments often turn to multiple Okta orgs. Realms offers additional flexibility and choice to customers looking to manage complex or siloed user identities. Realms is being introduced for two main use cases: Workforce Identity Management and Secure Partner Access.
What are the benefits of Realms?
- Flexibility in deployment models: Flexibility to choose how to architect an org leveraging Realms, multiple orgs, or both.
- Making Okta more secure and easy to adopt for the World’s Largest Organizations (WLOs): When using multiple orgs to manage separate user populations, there is a risk of sign-on policies falling out of sync across the orgs. With Realms, Okta helps improve security for customers by allowing them to create sign-on policies for distinct user populations within a single org, making it easier to adopt Okta.
- Accelerate M&A Agility: Rapidly onboard users from acquisitions into an org to provide quick access to applications and delegate management of those users to the acquisition admins without over-privileging them.
What challenges can be solved with Realms?
Realms can help accelerate growth and business outcomes by implementing efficient identity management and robust security within an org while sharing resources.
- Directory Management: Eliminate identity fragmentation by consolidating distinct user populations into a single unified view.
- Optimize IT operations with Delegated Administration: Streamline global IT admin tasks by delegating administration of daily user management related actions, allowing global IT admins to focus on IT strategy and infrastructure.
- Governance: Unlock governance of all user populations in a single org while still having a clear separation between populations.
- Reduce risk: Reduce risk by creating global policies for distinct user populations within a single org and configuring access to resources based on limited scopes of users. Avoid over-privileged admins who have unnecessary permissions or visibility.
How does Realms compare to the other deployment models available today?
Realms provides customers with yet another option in how they architect their organization.
- Multi-Org: Populations are kept in separate tenants with no overlap. This is most valuable in addressing multiple sets of data residency requirements or scoping apps, groups, and policies to distinct groupings or segments.
- Hub & Spoke: Many populations are organized in Spokes, accessing shared apps in the Hub.
- Group/Group rules in a Single Tenant: All user populations are in the same org and are managed with groups/group rules. It’s important to note that groups are not mutually exclusive, which can sometimes lead to user leakage.
- NEW! Realms for Workforce Management: User populations exist in the same org and are segmented into distinct, mutually exclusive user populations. Realm Assignments automate the onboarding of users into the correct realm. Realm Admins can be scoped using the Custom Admin Role framework to manage the day-to-day administration of the assigned users. This is most valuable for businesses with distinct user populations, like brands or subsidiaries, and delegated brand- or subsidiary-level admins.
What key capabilities and use cases are available with Realms?
With Realms GA (for OIG SKUs only), Okta offers the following capabilities:
| Capability (Job to be done) | Description | Benefit(s) / Why it matters |
|---|---|---|
| Model unique populations of users within a single org | Using Okta Realms, users can be segmented into mutually exclusive populations within a single org. | Provide secure boundaries between segments of users to safeguard user data and securely delegate management of subsets of the workforce without the need for duplicating users or policies in distinct orgs. |
| Automate Realm designation during user onboarding and creation | Using Realm Assignment, during user creation, a user can automatically be added to the correct Realm without any admin intervention. | Increase agility for user onboarding. Users can originate from many other solution offerings in the market (including directories, HR sources, other IdPs). Realm Assignment automates the onboarding process, putting users into the right Realm on creation based on profile attributes. |
| Delegate user management actions | With the Custom Admin Role Framework, “Realm Admins” can be granted permissions like password resets, user creation, and application/group assignment within the scope of a Realm’s user population. | Enable IT teams to scale and reduce the administrative burden on central IT admin teams. Central IT teams can delegate daily help desk tasks to local admins for a specific subset of the user population. This minimizes what the admin has access to and prevents over-privileged admins from taking action on a wide scope of users in an org. |
| Automate Realm management | Leveraging Workflows, admins can create, read, update, and delete Realms and automate user creation and movement between Realms. | Workflows provide a way to automate and facilitate repetitive Realm and user actions, freeing up IT teams and bolstering security by eliminating manual tasks. |
| Balance centralized governance and delegated administration | Using Expression Language: | With siloed orgs used to solve for delegated administration, customers are not able to holistically run campaigns across their entire organization. Their governance strategy can become piecemeal, and they have to endure a laborious, manual, time-consuming, and repetitive process to collate a holistic governance picture to present to leadership. Realms allows governance to be applied across multiple user populations within a single org. |
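As an added illustration (not Okta's code or API), the following Python toy models the two mechanisms in the table above: priority-ordered Realm Assignments that place each user in exactly one realm based on profile attributes, and a Realm Admin whose actions are scoped to the users of the realms granted to them. The rule shape, priority semantics, default realm, realm names and user profiles are all assumptions constructed for the example.

```python
"""Toy model of realm assignment and realm-scoped admin checks.
Added example, not Okta's code or API; rule shape, realm names and
user profiles are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

DEFAULT_REALM = "default"      # assumption: users no rule matches land here
MAX_ASSIGNMENTS = 500          # scale limit quoted in the FAQ

@dataclass(order=True)
class Assignment:
    priority: int              # assumption: lower value is evaluated first
    realm: str = field(compare=False)
    # predicate over the user's profile attributes (e.g. organization)
    matches: Callable[[Dict[str, str]], bool] = field(compare=False)

def assign_realm(profile: Dict[str, str], rules: List[Assignment]) -> str:
    """Return the single realm for a user: first matching rule wins, so a
    user who satisfies several rules still ends up in exactly one realm."""
    if len(rules) > MAX_ASSIGNMENTS:
        raise ValueError("too many realm assignments")
    for rule in sorted(rules):
        if rule.matches(profile):
            return rule.realm
    return DEFAULT_REALM

def admin_may_manage(admin_realms: Set[str], user_realm: str) -> bool:
    """A Realm Admin may act only on users inside the realms granted to them."""
    return user_realm in admin_realms

# constructed sample rules and users
RULES = [
    Assignment(10, "acme-subsidiary", lambda p: p.get("organization") == "Acme"),
    Assignment(20, "contractors", lambda p: p.get("userType") == "contractor"),
]
USERS = {
    "alice": {"organization": "Acme", "userType": "contractor"},   # matches both
    "bob": {"organization": "Globex", "userType": "contractor"},
    "carol": {"organization": "Globex", "userType": "employee"},   # matches none
}

def realm_map(users=USERS, rules=RULES) -> Dict[str, str]:
    """Assign every sample user to its one realm."""
    return {name: assign_realm(profile, rules) for name, profile in users.items()}

if __name__ == "__main__":
    for name, realm in realm_map().items():
        print(name, "->", realm)
```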
Can users exist in multiple Realms?
No. An end user can exist in only one Realm.
Can Realm Admins administer multiple Realms?
Yes, one Realm Admin can manage multiple Realms.
Can Realm Admins be granted the ability to manage apps or groups?
Yes. The target use case is for Realm Admins to be able to add new users into a Realm, move users between groups, and assign apps to users. That being said, Realms leverages the flexible Custom Admin Role framework. A Realm Admin can be assigned permissions to manage groups or apps in addition to users within a Realm.
Is Okta offering any APIs for user management with this solution?
Yes. Okta is building out functionality with public APIs. For more information, refer to the Realms API and Realm Assignments API docs.
Are there any Known Limits and Limitations?
In GA, Realms is focused on users. The following are the noted limitations with regard to objects, scale limits, permissions, policies, and governance.
- Object Segmentation
- The only object that has a direct relationship with realms is the user object.
- Groups, Applications, Servers, and Devices cannot be scoped to a particular Realm. These are all available at the org level.
- Group Rules cannot be defined with the scope of users in a Realm.
- IDPs cannot belong to a realm. They are at the org level.
- Scale Limits
- A single profile source can point to only 10 realms.
- 5000 Realm limit.
- 500 Realm Assignment limit.
- Permissions
- Creation and Management of Realms can only be delegated to Custom Admins who have access to all Realms.
- Policies
- Only Authentication Policy rules can be scoped to users in a realm via Expression Language.
- Global Session Policies cannot be scoped to users in a realm.
- Governance
- Certifications and Entitlements can be scoped to Realms only via Expression Language.
- Request Audiences cannot be scoped to a specific Realm.
Is there a Workflow Connector for Realms?
Yes. The Okta Realms feature allows Okta admins to partition a set of users within the Okta Universal Directory and manage them separately. This enables you to delegate the administration of users and groups to external collaborators or business units. For more information, refer to the Okta Realms Connectors docs.
