<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00008SLfjlCADOkta Classic EngineIntegrationsAnswered2025-09-13T09:01:51.000Z2022-12-06T17:14:09.000Z2022-12-14T20:36:24.000Z

PaulC.27959 (DigitalFish, Inc.) asked a question.

December 6, 2022 at 5:14 PM
How to modify user attribute in BambooHR-sourced user after termination

We have several users that were sourced in BambooHR and previously terminated. The records have the wrong value in userType attribute, which is mapped from Bamboo appuser.employmentHistoryStatus. Although their status in Bamboo is "Terminated", this change was not imported into Okta, where the userType attribute value is still "Full-Time."

 

How can we change the userType in Okta for these deactivated users? 

 

How to prevent the import failure is a separate issue that I'm not asking here. In this question, I need a way to fix the existing records of previously deactivated users, which are causing incorrect group memberships in rule-based groups.

  • 8 answers
  • 698 views

  • DonF.81354 (Customer)

    If you change the records directly in Okta, then you should be good on the emails, but it could be time consuming depending on how you choose to re-activate and modify those attributes. But, they would be Okta-mastered and would not generate an email unless you have something enabled to do that in response.

     

    You could setup a workflow to delete these users potentially? Perhaps set a schedule to run X number of days to do this for you. Say delete a user after 90 days? Just a thought. Let us know if this is something you want to explore further. Thanks!

    Expand Post
    Selected as Best

  • DonF.81354 (Customer)

    These users are deactivated in both BambooHR and Okta, correct?

     

    The issue is that, I am assuming, the deactivated users in Okta have an incorrect profile attribute value and you cannot change/modify because you cannot modify a deactivated account in Okta, correct?

     

    Additionally, You cannot import new values from BambooHR, because they are deactivated/terminated there, right?

     

    Finally, assuming the above is true, Please take a look here:

     

    How to remove deactivated Users from Okta Groups (including users assigned by group rule)

     

    I will completely agree though, group rules should ideally not be applicable to deactivated users. At minimum, this should be a selection when creating the group rule.

     

     

     

    Expand Post

  • PaulC.27959 (DigitalFish, Inc.)

    Thanks for the reply, Don! Yes to both questions - the users are deactivated in both BambooHR and Okta, and I can't import new values because they are deactivated.

  • PaulC.27959 (DigitalFish, Inc.)

    ... (didn't mean to hit send, continuing...) Thanks for the pointer to deleting from the groups. However I'm not convinced by that idea: Removing from (rule-based) group via Okta web adds an exception for that person in the group rule, which is not acceptable. Even if using the API to remove avoids changing the rule, the user is still subject to the rule and re-joining the group if the rule is ever toggled off and on (right?). I don't think that solves the problem.

     

    I even considered re-activating the person to make them editable, but I think that would send an activation email to their personal email, not really want you want to do to a former employee. Maybe I should delete the users in Okta, since we still have their info in Bamboo. Hopefully, being inactive in Bamboo, they wouldn't all show up in the next Bamboo import list!

    Expand Post

    • DonF.81354 (Customer)

      You are correct, there are some significant limitations involved with getting that disabled users removed. And furthermore, disabling and re-enabling will unfortunately un-do some of that unless they are added to the exception (which does not work for you).

       

      Now you are correct though, disabled users in other platforms (AD, Workday, Bamboo, etc.) will not import into Okta, so that should ensure that, if deleted, the users will not come back into Okta.

       

      Finally, re-activating these users would not normally send an email to them, so that should not necessarily be a concern. They would be Okta mastered at that point, and thus there would not be a check box as described below, which is available for AD, Workday, and others.

       

      Ultimately, you may be able to setup a workflow to assist in your goals as well, so let us know if any of this does or does not work. Thanks!

      Expand Post

  • a0n5s (a0n5s)

    @PaulC.27959 (DigitalFish, Inc.)​ 

    You can disable the email notificaton for a moment, after activate and import, then disable it.

    Image is not available
    Hope you can create a feature quest in https://ideas.okta.com/, add a feature import individual user by user name whatever the status is.

    Image is not available

    Expand Post

  • PaulC.27959 (DigitalFish, Inc.)

    Ge, thank you for that tip! The BambooHR provisioning settings, however, do not have that option, perhaps due to a difference in how AD and Bamboo integrations work. I did a little searching for a way to temporarily turn off the activation email but didn't find one.

    A workaround might be to change the personal email in Bamboo, since a re-activation ought to send to the new email address being imported. But at this point I'm leaning toward just deleting the old records, which Okta documentation indicates does remove them from groups. Thanks anyway 🙂

    Expand Post

    • DonF.81354 (Customer)

      If you change the records directly in Okta, then you should be good on the emails, but it could be time consuming depending on how you choose to re-activate and modify those attributes. But, they would be Okta-mastered and would not generate an email unless you have something enabled to do that in response.

       

      You could setup a workflow to delete these users potentially? Perhaps set a schedule to run X number of days to do this for you. Say delete a user after 90 days? Just a thought. Let us know if this is something you want to explore further. Thanks!

      Expand Post
      Selected as Best

  • PaulC.27959 (DigitalFish, Inc.)

    Since this question is about Bamboo, I'll chose this as the best answer. We are in fact going to start deleting old users from Okta and maintain permanent records elsewhere, probably in Bamboo itself.

    I'm not sure how a different best answer got selected without me, since I'm the OP, but whatever.

This question is closed.
Loading
How to modify user attribute in BambooHR-sourced user after termination