
MatthewH.10249 (State of Iowa) asked a question.
Is there a reason why, when an app is deactivated and deleted, users who were assigned the "Application Administrator" role for the app retain the role? Is this behavior by design or a bug? If by design, please provide a link to documentation that explains it, in case there are other related details I should consider. Is there any way to automate role cleanup so any apps that no longer exist have any associated roles removed for all users?

Hello @MatthewH.10249 (State of Iowa),
I hope you are having a great day.
Thank you for posting. According to the documentation, after the app integration is deactivated, any users currently signed in to Okta receive an error message if they click the app integration tile on their dashboard. Okta removes the app integration from the End-User Dashboard at the next sign-in or if the end user refreshes the browser page.
You can also learn about this topic at the following link: https://help.okta.com/en/prod/Content/Topics/Apps/apps-deactivate.htm
If you need further assistance, you can also feel free to post this question on our Okta Developer Forums: https://devforum.okta.com. This is a place for the Okta developer community to interact.
Have a great day ahead.
Henry E.
Okta Inc
Thanks for your response, but I'm not talking about the app access via app tiles; I'm talking about the administrator role assignments. In the admin console, go to the left nav under "Security" and select "Administrators". You will see that anyone assigned as an "Application Administrator" to an app that was deactivated and deleted continues to retain the role for the app. I even logged out and back into Okta and it still shows I'm an "Application Administrator" for apps that no longer exist in the tenant.
Hi Matthew Harshbarger,
Deactivating the application may generate deprovision tasks. However, it will not automatically deprovision the user from the third-party service. If user provisioning is desired, the best practice is to unassign the user from the application before deactivating the application.
Attaching the screenshot for your reference.
Understood, but this use case has nothing to do with a 3rd party service; rather, it is Okta's "Application Administrator" role I'm trying to get removed from users in Okta itself. Your post does give me an idea where I may be able to use a Workflow with a listener for the app deprovisioning task and use that to fetch a list of users who are assigned the Okta "Application Administrator" role and remove them one by one.
Thanks for your time!
I submitted an "Idea" request to have Okta consider, upon deletion of an app, removing the app admin role for that app from all users as well, to keep user permissions valid. If you are interested, please upvote the request: https://ideas.okta.com/app/#/case/145765?section=requests
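
The cleanup discussed in this thread, sketched as an added example that is not part of any post and is not Okta's code: given the admin role assignments and the IDs of apps that still exist, it plans which "Application Administrator" scopes are stale. The input shape, the field names and the sample IDs are assumptions constructed for illustration; fetching the data and applying the plan are left to whichever API client or Workflow is used.

```python
# Added example: decision logic only, run over constructed data.
# Assumed input shape (hypothetical, not Okta's API schema): one dict per admin
# role assignment with "user", "role_id", "role_type" and "target_app_ids".

def plan_app_admin_cleanup(assignments, live_app_ids):
    """Return (action, user, role_id, stale_app_ids) tuples for stale scopes."""
    live = set(live_app_ids)
    if not live:
        # An empty app list is more likely a failed fetch than an empty tenant;
        # acting on it would flag every scoped administrator as stale.
        raise ValueError("refusing to plan cleanup against an empty app list")
    plan = []
    for a in assignments:
        if a["role_type"] != "APP_ADMIN":
            continue  # other admin roles are out of scope here
        targets = a["target_app_ids"]
        if not targets:
            # Assumption: no targets means the role is not scoped to specific
            # apps, so there is nothing stale to remove.
            continue
        stale = sorted(t for t in targets if t not in live)
        if not stale:
            continue
        # Design choice of this example: when every target is gone, remove the
        # whole role assignment rather than stripping targets one by one,
        # which could leave a role with no scope at all.
        action = "remove_role" if len(stale) == len(targets) else "remove_targets"
        plan.append((action, a["user"], a["role_id"], stale))
    return plan

# Constructed sample data (IDs are placeholders, not real tenant values).
SAMPLE_LIVE_APPS = ["app-live-1", "app-live-2"]
SAMPLE_ASSIGNMENTS = [
    {"user": "alice", "role_id": "r1", "role_type": "APP_ADMIN",
     "target_app_ids": ["app-deleted-9"]},
    {"user": "bob", "role_id": "r2", "role_type": "APP_ADMIN",
     "target_app_ids": ["app-live-1", "app-deleted-9"]},
    {"user": "carol", "role_id": "r3", "role_type": "APP_ADMIN",
     "target_app_ids": []},
    {"user": "dave", "role_id": "r4", "role_type": "HELP_DESK_ADMIN",
     "target_app_ids": []},
]

if __name__ == "__main__":
    for step in plan_app_admin_cleanup(SAMPLE_ASSIGNMENTS, SAMPLE_LIVE_APPS):
        print(step)
```

Reviewing the plan before applying it keeps a bad app inventory from silently stripping valid administrators.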