
SteveC.83268 (Customer) asked a question.
We have 20 divisions inside our company. We all share the same domain (ex: acme.com). We have a Service Provider Application that manages all these users. We would like to be able to have each of the 20 divisions be able to manage their users & their users only & not be able to see or manage the other 19 divisions. Our Service Provider App can separate Admin duties by RBAC based on a department level. So if we can take the 20 OUs and match the OU field with a department field and share that with the App, we would be good to go. Can Okta take these 20 OUs & their members and map them to 20 departments?

Great question. I would do a rule based group based on the DN (assuming AD since you mentioned OU), populating membership in that manner. Outside of that, I don't think Okta has a way I know of to match OUs to Departments.
You mention you want to have the 20 departments manage their own users. Does this mean you would allocate a person (admin) per department? If so, then you could grant them the "Group" administrator permissions and add them to only control the specific group based on what Jeff has mentioned.
So create the Dynamic Groups (rule based) based on department OU or AD Group if you have AD integrated with group sync.
This will put all the correct department members into the appropriate group.
Then assign the admin user via Security > Administrators and assign them the role of Group Admin. This will give you the option to select specific groups to manage or All groups.
You should also be able to configure the Service Provider to sync with the appropriate group.
All the best, I hope this was helpful.
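
The OU-to-department grouping described in the answers above can be checked offline before group rules are built. This is an added example, not part of the thread and not Okta rule syntax; the mapping table, sample DNs and function names are constructed assumptions. It parses AD distinguished names (including escaped commas), maps each user to the nearest mapped division OU, and reports users that fall outside every division.

```python
import re

# Constructed mapping of division OU names to department values (assumption).
OU_TO_DEPARTMENT = {"finance": "Finance", "r&d, emea": "Research EMEA"}

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current).strip())
    return parts

def unescape(value):
    """Undo backslash escapes: two hex digits or one literal character."""
    decode = lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1)
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", decode, value)

def department_for(dn):
    """Return the department of the nearest mapped OU above the user, or None."""
    for rdn in split_dn(dn)[1:]:  # skip the user's own RDN
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "OU":
            dept = OU_TO_DEPARTMENT.get(unescape(value.strip()).lower())
            if dept:
                return dept
    return None

def assign(dns):
    """Group DNs by department; unmapped users are reported, not grouped."""
    groups, unmapped = {}, []
    for dn in dns:
        dept = department_for(dn)
        (groups.setdefault(dept, []) if dept else unmapped).append(dn)
    return groups, unmapped

SAMPLE_DNS = [  # constructed sample input
    r"CN=Jane Doe,OU=Finance,DC=acme,DC=com",
    r"CN=Doe\, John,OU=Contractors,OU=Finance,DC=acme,DC=com",
    r"CN=Ann Lee,OU=R&D\, EMEA,DC=acme,DC=com",
    r"CN=Finance,CN=Users,DC=acme,DC=com",
]

if __name__ == "__main__":
    print(assign(SAMPLE_DNS))
```

The unmapped list is the part to review before delegating Group Admin roles, since those accounts would belong to no division group.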