Okta Classic Engine | Integrations | Answered | 2024-04-03T16:09:08.000Z | 2022-02-01T22:05:12.000Z | 2022-02-07T20:12:20.000Z

MatthewH.10249 (State of Iowa) asked a question.

Import Groups from ServiceNow and Push Groups to ServiceNow

I have a couple questions related to Okta and ServiceNow groups. A little background, we have provisioning enabled but have not checked the "import groups" yet. We have been using ServiceNow much longer than Okta so we have over 200 groups in ServiceNow that do not exist in Okta. It is our understanding that if we check the "import groups" checkbox found in the ServiceNow app provisioning page in Okta it will import all groups into Okta as well as assign users to the new associated groups in Okta if they were assigned to groups in ServiceNow.

 

Question 1: Please confirm by providing link to documentation that explains if our assumption of "import groups" is correct.

 

The reason we have not used "import groups" yet is because of our naming conventions in ServiceNow groups. We are thinking about using different group names so we can create "group push" rules so we can establish "push group rules" so we don't have to map each group by name. We noticed that "push group rules" allows for filters by "name" and "description". Renaming the groups might be a pain so we thought we could leverage the "description" by appending a common value like "SN-" that could then be used in a "push group rule"; however, the rule seems to require a name but does not require a description.

 

Question 2: Why when creating a "push group rule" can we leave out "description" but cannot leave out "name". Is this a bug? We want a rule based on description only.

 

Lastly, as we were playing around with "push group rules" we noticed the "Refresh App Groups" button which when hovered over says it will pull in a list of groups from ServiceNow. This seems very similar to the "import groups" checkbox on the provisioning page but without pulling over users. After pushing the button it did seem to create groups in Okta but we cannot assign anyone to them and cannot even delete or modify their name in Okta. Each of these groups when viewed states "This group's membership cannot be modified because the group is managed automatically by Okta".

 

Question 3: What is the point of "Refresh App Groups" if we cannot manage the group in Okta?

 

Question 4: If we check the "import groups" will it override the groups that were brought in via "Refresh App Groups" so we can then edit them or will it duplicate the groups?

 

The reason I ask question 4 is because before pressing the "Refresh App Groups" button I manually created an Okta group with a name that exactly matched the name of a group in ServiceNow and had it working via Group Push using a by name rule, but after pressing the "Refresh App Groups" button we now have 2 groups in Okta with the same name. I deleted the one I created manually and then tried renaming the corresponding group in ServiceNow and upon another "Refresh App Groups" it updated the name of the group in Okta but we still cannot manage (assign/delete/rename/etc) in Okta.


  • Hello Matthew Harshbarger

     

    Thanks for posting.

     

    I will try to respond to all your questions here.

     

    Question 1: Please confirm by providing link to documentation that explains if our assumption of "import groups" is correct.

     

    https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-import-groups-app-provisioning.htm

    Group import is enabled by default. You cannot edit the memberships of these imported groups.

    After a successful import, Okta scans for new users, new groups, or changes to existing user profiles or group memberships. If any of these are detected, Okta automatically sends an email to designated administrators detailing the number of users and groups scanned, added, updated, or removed during the import.

     

    Question 2: Why when creating a "push group rule" can we leave out "description" but cannot leave out "name". Is this a bug? We want a rule based on description only.

    Groups are pushed to applications using one of the following two methods:

     

    By name: An Okta application administrator selects groups from Okta to be created and updated in the target app.

    By rule: You use a string in either the group name or description to push many groups at once. Group push by rule is not available for AD integrations.

     

    I created a rule myself and, as you mentioned, the name section cannot be blank. For the moment this is the way it works. What you can do is open an Okta Ideas to suggest this change for the future here:

    https://support.okta.com/help/s/article/Okta-Ideas-Step-by-Step-Guide?language=en_US

     

    Question 3: What is the point of "Refresh App Groups" if we cannot manage the group in Okta?

    Refresh App Groups to update any imports or changes that occurred in the third-party app. This ensures that all groups from the target app are represented in Okta.

    It will only check the groups that are already synced between Okta and the App and make sure they have the same information, but that's it; everything else must be done from "Import Groups" or "Push Groups".

    https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-configure-enhanced-group-push.htm#:~:text=Access%20your%20Okta%20instance%20of,app%20are%20represented%20in%20Okta.

     

     

    Question 4: If we check the "import groups" will it override the groups that were brought in via "Refresh App Groups" so we can then edit them or will it duplicate the groups.

    It will override the groups that were brought in via "Refresh App Groups".

     

    Let us know if this helps you.

     

     

    Daniela Chavarria.

    Okta Inc.

    Selected as Best
    • MatthewH.10249 (State of Iowa)

      Thank you for the response with links to related documentation! I will update this post if I end up submitting an "idea" request related to question 3.

This question is closed.
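
An added example, not part of the original thread and not Okta's own tooling: a small audit over an exported group list that flags the two situations discussed above, namely an Okta-managed group and an app-sourced group sharing one name, and groups tagged with "SN-" only in their description. It assumes records shaped like the Okta Groups API list response (`id`, `type`, `profile.name`, `profile.description`); the sample records, IDs and function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample (not real data), shaped like a Groups API list response.
SAMPLE_GROUPS = json.loads("""
[
  {"id": "00gEXAMPLE0001", "type": "OKTA_GROUP",
   "profile": {"name": "Service Desk", "description": "SN-Tier 1 support"}},
  {"id": "00gEXAMPLE0002", "type": "APP_GROUP",
   "profile": {"name": "Service Desk", "description": null}},
  {"id": "00gEXAMPLE0003", "type": "OKTA_GROUP",
   "profile": {"name": "SN-Change Managers", "description": "SN-Change approval"}},
  {"id": "00gEXAMPLE0004", "type": "APP_GROUP",
   "profile": {"name": "Network Ops", "description": "Imported from ServiceNow"}},
  {"id": "00gEXAMPLE0005", "type": "OKTA_GROUP",
   "profile": {"name": "HR Staff", "description": "Internal only"}}
]
""")


def name_collisions(groups):
    """Names used by both an OKTA_GROUP and an APP_GROUP, with the IDs per type."""
    by_name = defaultdict(lambda: defaultdict(list))
    for g in groups:
        by_name[g["profile"]["name"]][g["type"]].append(g["id"])
    return {
        name: dict(types)
        for name, types in by_name.items()
        if "OKTA_GROUP" in types and "APP_GROUP" in types
    }


def description_only_matches(groups, marker="SN-"):
    """Okta-managed groups carrying the marker in the description but not the name,
    i.e. groups a name-based push rule would miss."""
    return sorted(
        g["profile"]["name"]
        for g in groups
        if g["type"] == "OKTA_GROUP"
        and (g["profile"].get("description") or "").startswith(marker)
        and marker not in g["profile"]["name"]
    )


if __name__ == "__main__":
    print("Same-name groups across types:", name_collisions(SAMPLE_GROUPS))
    print("Tagged by description only:", description_only_matches(SAMPLE_GROUPS))
```

Running this against a real export before and after enabling group import shows whether same-name pairs remain, which matters when access is assigned by group name.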