SteveF.61090 (Customer) asked a question.
Using group rules for RBAC vs workflows
I’m working on setting up fairly straight forward RBAC where individuals are assigned permissions based on attributes (job title, department) passes from BambooHR. Is there any reason to use workflows for something like this or is Group Rules sufficient?
As an example, an account executive in sales would be added to different groups through the groups rules (Salesforce, Zoom - Licensed), etc.
How would you handle this type of scenario? Also, what would you do if you had an Account Exec II would had additional app access or a different Salesforce profile? Use a different group rule?
Thanks.
Group rules sound like the way to go so long as you don't exceed the 2000 rule limit.
https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-about-group-rules.htm
Thanks. The downside is that Group Rules really aren’t editable. I can create new rules, but that seems like overkill. I suppose I could assign a rule to reach group then assign apps and permissions to each role group, but then I lose the ability to use the assignment report and have it show me which app and permission level everyone has assigned. I guess edit ability is more valuable in this case.
Groups rules are sufficient to an certain extent, like for birthright access. It gets a little more challenging when you start with assigning granular entitlements, for that I'd recommend workflows. Example, Salesforce, the out of the box provisioning within the app can leave creating lots of group rules to assign the correct profile, role, license type, etc. As far as the assignments report, you can create a report within workflows that does the same thing and is delivered to you without having to manually 🙂
@MatthewH.10249 (State of Iowa) - you can always get that changed with Okta, just need justification