Okta Identity Engine | Workflows | Answered | 2024-11-29T16:38:33.000Z | 2024-11-14T13:58:01.000Z | 2024-11-29T16:38:33.000Z
Write into deactivated user's profile

Hello there,

 

I have a custom profile field that mirrors the Okta status (I use a lot of group rules and only want active users in there, but cannot filter based on status in there).

 

Now, to mirror user states into that field, I use an Okta Workflow.

Unfortunately, if a user account gets deactivated, I can no longer write into that field. I'm solving this by activating the account, updating the profile field and then deactivating the account again.

 

How would you deal with that situation?


  • TimL.58332 (Workflows)

    @CarstenW.33950 (SFLX) -- This scenario is a limitation in Okta. The only changes allowed to a deactivated/deprovisioned user's account are "Activating" them and removing them from groups.

     

    Depending on the criticality of this use case and how users are becoming deactivated, there are some options available. If Okta is your source of truth and the origination of the deactivation, you could just change the process from "Manually Deactivating" them in the UI and instead deactivate them leveraging a Delegated Workflow. This would allow you to perform the required actions prior to the deactivation API call occurring.

     

    Something else could be "adding them to a deactivated users group". Have this trigger a Workflow and perform the process. If they are removed from the group you could trigger a flow to reactivate them.

     

    However, if this deactivation is being pushed in by another source via provisioning, there really isn't much that can be done.

    Selected as Best
  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @CarstenW.33950 (SFLX), thank you for contacting Okta Community.

     

    I brought your question to some of our colleagues who have more experience with Workflows.

     

    If the trigger for the workflow is a user status change, then the simplest option would be to ignore the user or terminate the workflow if the status change is to deactivated. Group rules won't apply to deactivated accounts, so it shouldn't be necessary to have this mirror attribute set on them.

     

    Regards. 

This question is closed.
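
TimL's suggestion above (perform the profile write before the deactivation API call), sketched against the Okta Users API as an added example that is not from the thread or from Okta. `statusMirror`, `FakeOkta` and `deactivate_with_mirror` are hypothetical names, the mirrored value is an assumption, and the in-memory transport is constructed so the ordering can be run offline.

```python
"""Write the status-mirror attribute first, then deactivate (added example)."""

MIRROR_ATTR = "statusMirror"  # hypothetical custom profile attribute name


class FakeOkta:
    """Constructed in-memory stand-in for the Okta Users API (offline only).

    It enforces the limitation from the thread: the profile of a
    DEPROVISIONED (deactivated) user cannot be written.
    """

    def __init__(self, users):
        self.users = users
        self.calls = []  # ordered (method, path) log of every request

    def send(self, method, path, body=None):
        self.calls.append((method, path))
        parts = path.strip("/").split("/")  # api, v1, users, <id>, ...
        user = self.users[parts[3]]
        if method == "GET":
            return user
        if parts[-1] == "deactivate":
            user["status"] = "DEPROVISIONED"
            return {}
        if user["status"] == "DEPROVISIONED":
            raise PermissionError("profile of a deactivated user is read-only")
        user["profile"].update(body["profile"])
        return user


def deactivate_with_mirror(send, user_id):
    """Set the mirror attribute while the user is writable, then deactivate.

    `send(method, path, body)` is any transport for the Okta API; a real one
    would prepend the org URL and add the Authorization header.
    Returns "deactivated" or "already-deactivated".
    """
    base = f"/api/v1/users/{user_id}"
    if send("GET", base)["status"] == "DEPROVISIONED":
        # Too late to write: the profile is read-only now, leave it untouched.
        return "already-deactivated"
    # Partial profile update (POST), issued BEFORE the lifecycle call.
    send("POST", base, {"profile": {MIRROR_ATTR: "DEPROVISIONED"}})
    send("POST", f"{base}/lifecycle/deactivate")
    return "deactivated"
```
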