JamesN.83470 (Customer) asked a question.
Basically put, I'm dying here.
We have a number of systems that rely on Okta groups, and many of those groups have group rules that triggers off of a specific profile attribute -- for example, one such attribute that controls many automated actions in our org is a custom called "businessUnit."
The problem i'm having is that when a user is deactivated\termed in Workday(we are using Lifecycle management), everything is fine and works great -- except those rule based groups that are looking for specific values in that business Unit attribute. I tried utilizing a workflow that, upon a user deactivation event, set that field to null -- but I run into the issue that at that point, the user is already deactivated and i can no longer update them -- attempting to do so throws a 404.
Even periodically scripting a cleanup via Okta API doesn't work, for the same reason -- I have to reactivate the account (can't wait for our cyber security team to start asking questions there), blank the field, and then deactivate them again.
There really has to be a better way, no?
I think I would work with your Workday folks to change the value on their end at deactivation time so it passes over blank or with some value that will satisfy your rules.
Someone back in 2018 had the same issue and it does not seem like there is an Okta side solution past what you tried with activate and deactivated. https://support.okta.com/help/s/question/0D50Z00008C3jZ4SAJ/error-trying-to-edit-a-deactivated-user-profile?language=en_US
Unfortunately, I tried that route and was met with a dead end -- they are unable to blank it because they utilize it for some of their reports that need to include terminated employees :\