A user was initially provisioned to Okta Privileged Access (OPA) or Advanced Server Access (ASA) with a default naming convention.
Later, it is decided that a different naming convention is desired for some users (for example, prefixing the username with "admin_"). All the Okta-side configuration to map the usernames as desired is completed, such that new users who are provisioned to OPA/ASA for the first time are created with the desired naming scheme in OPA/ASA.
However, the previously provisioned users do not have their usernames updated. Deprovisioning them and then reprovisioning them does not help either.
- Okta Privileged Access (OPA)
- Advanced Server Access (ASA)
- Okta Classic Engine
- Okta Identity Engine (OIE)
While several attributes within an OPA/ASA user's profile, such as the unixUserName and windowsUserName, can be updated, the Username itself is immutable.
When a user is deprovisioned from OPA/ASA, they are marked as deleted in the backend database. When the user is reprovisioned, the same user record in the backend database is marked as active and retains the original username.
To update the OPA/ASA username, Engineering must first delete the user from the backend. This is an involved process that can take some time.
- Deprovision the user from OPA/ASA such that the Okta user is no longer assigned to the application, and the user is shown as "Deleted" in the OPA/ASA Dashboard.
- Open a case with Support to request OPA/ASA user deletion. Please provide a screenshot showing the user(s) in "Deleted" status in the OPA/ASA Dashboard and confirm the name of the relevant OPA/ASA Team and associated Okta tenant URL.
- Support will then engage Engineering to request user deletion from the backend. Depending on the engineering workload, this may take some time to complete, during which time the user will be unable to use OPA/ASA.
- Once the deletion is completed, reprovision the user to OPA/ASA with the desired username mapping.
