When an Okta Access Request is configured to add/remove a user from a group or application with a multi-select dropdown, and more than one item is selected, the action will fail with the following in the request activity history:

Group Action:

Failed to run task: Add User to Group (The user group couldn’t be found in your Okta instance.)

Application Action:

Failed to run task: Add User to Application (The app instance couldn’t be found in your Okta instance.)

• Okta Identity Governance (OIG)
• Access Request (Request Types)
• Okta Classic Engine
• Okta Identity Engine (OIE)

Access Request group and application actions will only allow for one input, as there is no logic for multiple group or application inputs at this time.

The following 3 options for a solution would be to:

• Option 1: Disable the Multi-Select option and alter the design of the request or requests.
• Option 2: Continue to use the Multi-Select option.
  • Use multiple action cards and build out logic paths for each possible combination. 
    • Example: Have a separate Action for each possible Group, and statically set the Group to be added to in the Details and Logic tab.
      • This image shows getting added to a group called "Group 1", and the Action would have to be repeated for each possible group.

• Option 3: Continue to use the Multi-Select option (Alternate).
  • Pass the multi-select value along with the requester email into the "Run a Workflow" action. The Workflow design/flow would then parse the string and add the user to each group/application.

NOTE: Using this option may affect reporting, such as the Past Access Requests report, as Access Requests does not have visibility into the assignments being completed by Workflows.

Related References

• Okta Access Request - Create an Access Request type
• Okta Workflows - See Delegated flows and Build a delegated flow.
• Okta Workflows Actions in Access Requests is an Early Access Feature. To learn how to enable it, see Manage Early Access and Beta features.