Overview
In this guide, you will learn how to remove a user from groups when the user is deactivated.
This guide helps you get started with Workflows. Okta support does not assist with custom flow construction using this guide, as it falls outside the scope of standard support. You may need to adjust the flow(s) to meet your needs. For questions, attend community office hours or post on the community forum.
Solution
User groups
When a user is deactivated, you want to remove the user from all groups. In the screenshot below, user Olivia Green is a member of four groups. The Everyone group is a default group from which a user cannot be removed. You will add logic to check for the Everyone group and skip removing the user from it.
User groups
List user groups flow
The first flow is List User Groups:
List user groups flow
In this flow:
- The flow is triggered when a user is deactivated (Okta – User Deactivated card).
- The Okta – Get Users Groups card finds all user groups and streams the list to a helper flow (Remove User from Group_Helper flow).
- In addition to the group list, the User ID field is passed to the helper flow (in the Streaming section). The User ID is needed when removing a user from a group.
Next, you are going to look at the helper flow.
Remove User from Group helper flow
This is the helper flow:
Remove user from group flow
In this flow:
- The first Helper Flow card sets up inputs for the helper flow.
- The Record (type object) field is an item from the list.
- If you inspect the JSON object for an item (below), it has the fields ID (text), Profile (object), and Profile.Name (text).
- Because you need these fields in the flow, they are exposed under the Record object.
- The State (object) field allows the passing of any additional data to the flow. In this flow, you are passing the User ID field.
- The Record (type object) field is an item from the list.
- The Continue If card adds logic not to remove the user from the Everyone group. It works like the if/else condition.
- If the group Name (value a) is not equal to Everyone (value b), then continue the flow.
- Else (the otherwise section) halt the flow (a message is also created).
- The Remove User from Group card removes the user (User ID) from this group (Group ID).
A JSON snippet passed to the helper flow:
{
"Profile": {
"Name": "No-code Automation",
"Description": "A group with awesome people"
},
"Last Updated": "2022-07-01T14:10:24.000Z",
"ID": "00g16ym8ayy6wKBvS0h8",
...
}
After you run the flow, Olivia Green is removed from all groups except the Everyone group:
User groups after deactivating the user
A solution using the List – For Each card
In the first example, you processed the records using the streaming option. Another solution is to use the List—For Each card. With this option, you can process only up to 200 records.
The List User Groups flow looks like this:
List user groups flow using the List – For Each card
The Remove User from Group helper flow looks like this:
Remove user from group helper flow when using List – For Each card
A solution using the List – Filter card
In the two examples above, you added logic to check for the Everyone group and skip removing the user from it.
Another solution is to remove the Everyone group from the list and then pass the list to a helper flow. With this approach, the helper flow will only remove the user from a group.
This is how the List User Groups flow looks:
Using the List – Filter card to remove the Everyone group
In this solution, the List – Filter card removes the Everyone group item from the list. In the helper flow, you only remove the user from the group.
NOTE: This solution only works when using the List—For Each card option. You cannot modify the list when using the streaming option.
The helper flow has no if/else logic; it only removes a user from a group:
Helper flow removes a user from a group
