Okta Classic Engine · Administration · Answered · 2024-04-16T11:55:31.000Z · 2021-04-13T18:09:53.000Z · 2021-04-14T15:35:16.000Z

qzgwx (qzgwx) asked a question.

Everyone group is too risky

We use Okta for managing access to sensitive employee-only apps as well as our public SaaS product. All users, i.e. all internal and external users, are automatically and irrevocably members of the Okta-controlled "Everyone" group.


This presents a serious risk because adding an app that is only meant for employees to the Everyone group can expose sensitive data to your external users. Admins who do not realize how literal "Everyone" is may think they're adding a default set of apps to all employees via "Everyone".


Some solution ideas to consider:

  • In the UI make it insanely loud and clear that adding an app to Everyone grants access to all internal AND external users.
  • Add support to the custom rules feature that excludes people from Everyone.
  • Make it possible to manage external users separately from internal users.

  • ChrisS.05936 (Customer)

    Perhaps a multiple-org model, one for internal users and one for external, with a combined org for certain applications, would allow for more clarity when creating / provisioning applications? Or perhaps the creation (in the source directories or using smart groups) and provisioning of All Customers and All Users groups to distinguish / model your security needs.
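A defender-side check for the risk the question describes, added here as an example (not code from the original post or from Okta): it reads the apps assigned to the built-in Everyone group through Okta's Groups API and flags every active one that is not on an allow-list of apps genuinely meant for all internal and external users. The org URL, API token, allow-list and the sample API payloads are assumptions, so the script also runs offline.

```python
"""Audit Okta's built-in "Everyone" group. Added example, not from the post.
Endpoints are Okta's Groups API; the org URL, token, allow-list and sample
payloads are assumptions / constructed data so it also runs offline."""
import json
import os
import urllib.parse
import urllib.request

ORG_URL = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")  # assumption
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "")  # SSWS token; read-only admin is enough
# Apps that really are meant for all internal AND external users (assumption).
ALLOWED_FOR_EVERYONE = {"Customer Portal"}
# Constructed sample of GET /api/v1/groups?filter=type eq "BUILT_IN"
SAMPLE_GROUPS = [{"id": "00g1everyone", "type": "BUILT_IN",
                  "profile": {"name": "Everyone"}}]
# Constructed sample of GET /api/v1/groups/{groupId}/apps
SAMPLE_APPS = [{"id": "0oa1", "label": "Payroll (HR)", "status": "ACTIVE"},
               {"id": "0oa2", "label": "Customer Portal", "status": "ACTIVE"},
               {"id": "0oa3", "label": "Old Wiki", "status": "INACTIVE"}]

def okta_get(path):
    """Fetch one page of an Okta API resource (Link-header pagination not followed)."""
    req = urllib.request.Request(ORG_URL + path, headers={
        "Authorization": f"SSWS {API_TOKEN}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def find_everyone_id(groups):
    """Everyone is the BUILT_IN group named "Everyone"; return its id or None."""
    for g in groups:
        if g.get("type") == "BUILT_IN" and g.get("profile", {}).get("name") == "Everyone":
            return g["id"]
    return None

def flag_everyone_apps(apps, allowed_labels):
    """Active apps assigned to Everyone that are not on the allow-list: each is
    reachable by every external user as well as every employee."""
    return sorted(a["label"] for a in apps
                  if a.get("status") == "ACTIVE" and a["label"] not in allowed_labels)

if __name__ == "__main__":
    if API_TOKEN:  # live run; an org without an Everyone group yields nothing to report
        gid = find_everyone_id(okta_get("/api/v1/groups?filter=" + urllib.parse.quote('type eq "BUILT_IN"')))
        apps = okta_get(f"/api/v1/groups/{gid}/apps?limit=200") if gid else []
    else:  # offline run on the constructed sample
        apps = SAMPLE_APPS
    for label in flag_everyone_apps(apps, ALLOWED_FOR_EVERYONE):
        print(f"REVIEW: '{label}' is assigned to Everyone (internal + external users)")
```

Run it on a schedule and treat any REVIEW line as a finding; the allow-list is the only place an app may legitimately be granted to all users.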

This question is closed.