
PabloG.13477 (Customer) asked a question.
Hello.
I have created a workflow that is quite convenient for our infrastructure and works really well for our existing users.
Basically I have set a group of rules based on a custom user attribute which is assigned on user creation (appears in the Add Person dialog). So this attribute is set and depending on the value several groups are assigned to the user.
These groups are set to be pushed to our on prem AD, so effectively when the user attribute is changed in the user's profile some groups are assigned and the changes are propagated to AD.
Now the problem happens with new users. Apparently users that are inactive are not included in the push groups process, and because a user that is just created needs to be activated, basically all new users are not set correctly in our AD; they are not active by the time they are created.
From what I have seen in the docs the only solution is to manually force a group push for all groups, which is not very convenient.
The tandem with Groups Rules plus Push Groups is really powerful to simplify the onboarding process, but this unfortunate detail, inactive users not being pushed, breaks the whole workflow.
Is there any way to override this option and force Okta to include non active users in the push process?
As an alternative, is there any way to automate a full push automation when a user is activated?
So if the user gets successfully activated we force a push for all groups.
Thanks

Hello @PabloG.13477 (Customer), thank you for reaching out to our Community!
What you are seeing is expected behaviour and you can make a feature request on our Idea section for a functionality like this in the future.
However, as a workaround you can add a workflow that will look for active users and place them into the required group; with this you could also remove the need for a group rule. Please see a sample below:

Thanks for your answer, Paul.
Yeah I was starting to have the feeling that the only option is a workflow.
I mean the best option will be to have a new feature in Okta, where users that are staged, pending to be activated, are included in the Push Groups, which makes sense.
I haven't done a workflow before, I would need to research a little bit how they work.
In your example, that User Activated box is only executed when the user turns from non active to active?
Is it possible in workflows to implement the logic needed to test some user attributes in the user profile and based on that assign groups?
Thanks

Hello @PabloG.13477 (Customer),
Yes, the workflow is executed when the user is activated. Yes, you should be able to do the required tests. Please see some docs for workflow:
Hope this helps!

I am having the same issue but the sample workflow will not work for me because the users are being added to groups based on work locations. I was told group rules are the best way to add people to groups but should I be using workflows instead like the "Manage Okta Group Membership Based on Profile Attributes" template?

We also have different groups based on location.
I'm using group rules to read a custom attribute in our profiles that we call user.location (I think), then based on the value we trigger different group rules that put users in certain groups.
Again it has the same flaw, it is not going to push the group membership to AD if the user is not active.
I'm porting everything to workflows, I hope using the User Activated event in workflows will trigger all the group provisioning correctly and groups will be pushed.
Still working on it, workflows are not very intuitive at the beginning but I'm starting to get fluent with it.

Well, I got provisioning working now using Workflows!
Thanks @Paul S. (Okta, Inc.), workflows are a little tricky at the beginning but it is a really powerful feature.