The Impact of Deactivating a User that Authored a Workflow or Created a Connection in Okta Workflows
Okta Classic Engine
Okta Identity Engine
Workflows
Overview

When an Okta administrator or end-user account is used to create a workflow or authorize an Okta connection in Okta Workflows, if the account owner departs and their account is deactivated or deleted, there may be an impact on Okta Workflows that requires corrective action.

 

This article discusses the impact of deactivating or deleting the Okta user account that originally authored a workflow or authorized an Okta connection, and, if applicable, the corrective action required. It also discusses the impact of deactivating accounts used to authorize connections to third-party systems.

Applies To
  • Okta Workflows
  • Okta Workflows Connections
Solution

What is the design-time impact of deactivating the user who originally authored a workflow?

  • Workflows created by the deactivated user will remain active and can still be viewed and edited by users with the Super Administrator or Workflows Administrator role, as described in the Roles and permissions section of the Workflows Role-based access control documentation. 
  • When viewing the list of flows in a folder from the Workflows console, the AUTHOR column will reflect the name of the original author. It does not get updated based on the user who last saved the flow.

What is the runtime impact of deactivating the user that originally authored a workflow?

  • Running and new flow executions are not impacted when the author's account is deactivated or deleted, because flows do not run under the context of the original author.

Can the original author of a workflow be modified?

  • No, the original author who created a workflow cannot be changed; however, it is possible to:
    • Export and import the flow. The author of the imported flow will be set to the logged-on user.
    • Duplicate the flow. The author of the duplicated flow will be set to the logged-on user.

What is the impact of deactivating the user who authorized connections for any of the Okta connectors?

  • If the account that was used to authorize any of the Okta connections in Workflows is deactivated, the user session will be cleared and the access tokens revoked. The connection is then no longer authorized, and any Okta action cards that use the connection will no longer work. The connection, including Okta, Okta Devices, Okta Realms and Okta ITP connections, must be re-authorized using a Super Admin account. NOTE: There is a requirement to authorize these connections using a Super Admin account, which is documented for each specific connector:

How to determine which account last authorized a connection?

What is the impact of deactivating/deleting the account used to authorize connections to third-party systems?

  • If the account used to authorize third-party connectors is deactivated or deleted in the third-party system, the connection may need to be re-authorized, depending on the type of authorization required by the connector. Re-authorize it using an active account that has the required permissions as specified in the Okta Workflows Connectors documentation for each specific connector.

What is the recommended practice for authorizing connections in Okta Workflows?

  • User accounts that will get deactivated or deleted when the account owner departs the company should not be used to authorize connections in Okta Workflows. It is recommended that service accounts, with the required permissions as documented for each connector, be used to authorize all connections in Okta Workflows.
  • Maintain a list of connections with connection-specific configuration settings and credentials in a secure location. This is particularly important when using the Okta API Connector so there is a record of which Auth Type was used to authorize the connection.
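
An added example, not from the Okta article or Okta's own tooling: a pre-offboarding check that runs over the connection list recommended above and flags which connections are affected when accounts are deactivated. The CSV layout, field names, accounts and connection names are constructed for illustration, and no Okta API is called.

```python
# Added example: audit a locally maintained connection inventory before offboarding.
# The inventory format and all field names are assumptions, not an Okta export format.
import csv
import io

# Connector names the article lists as requiring Super Admin re-authorization.
OKTA_CONNECTORS = {"Okta", "Okta Devices", "Okta Realms", "Okta ITP"}

# Constructed sample inventory (hypothetical accounts and connection names).
SAMPLE_INVENTORY = """connection,connector,authorized_by,account_type
Prod Okta,Okta,alice@example.com,user
Device Sync,Okta Devices,svc-workflows@example.com,service
Slack Alerts,Slack,bob@example.com,user
HR Feed,Workday,svc-hr@example.com,service
Realm Admin,Okta Realms,bob@example.com,user
"""


def audit(inventory_csv, deactivated):
    """Return (connection, finding) pairs for connections needing attention.

    deactivated: logins that are deactivated or deleted, or scheduled to be.
    """
    gone = {login.lower() for login in deactivated}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["connection"].strip()
        connector = row["connector"].strip()
        owner = row["authorized_by"].strip().lower()
        if owner in gone and connector in OKTA_CONNECTORS:
            # Tokens are revoked on deactivation, so action cards stop working.
            findings.append((name, "REAUTHORIZE: use a Super Admin account"))
        elif owner in gone:
            # Third-party outcome depends on the connector's authorization type.
            findings.append((name, "CHECK: may need an active authorizing account"))
        elif row["account_type"].strip().lower() != "service":
            # Still working, but tied to a person who may leave.
            findings.append((name, "AT RISK: move to a service account"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY, {"bob@example.com"}):
        print(f"{name}: {finding}")
```
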
