u2idq (u2idq) asked a question.
We have special use cases were we store employee data in Workday for vendors and specific contractors. With the Workday/Okta integration, we can import and match users based on specific attributes/combination of attributes and choose to auto confirm/activate their accounts.
This is all fine for normal users but we have vendors and contractors who need to have their data stored in workday but dont need Workday access so they should not be assigned the Workday tile.
We originally thought about creating a different provisioning group and assigning this to the workday app so that our other provisioning groups could be used to drive account provisioning downstream to AD and this 3rd group would determine who gets assigned the Workday app and who doesnt.
the problem with this approach is a user has to be confirmed so that their Okta account and downstream AD account can be created. When we confirm the user, then they are automatically assigned the workday app which defeats the original purpose.
Would normally submit an okta ticket but our CSM has mentioned in the past, Okta support does not provide guidance on anything, they're only there to try to fix broken implementations....
Why not assign all the users to W/D but hide the tile so no one sees it. Then create a bookmark app, assigned to the group you would, that points to the original app. This should allow your accounts to be created while also controlling who can see the W/D tile.
I did something similar at a prev employer and it worked really well.
@feok4 (feok4) - That is the same response we got from Okta support. Guess we have no other choice but to go this route. It seems silly that we have to have 2 apps to accomplish this...