FrankT.51349 (Customer) asked a question.
I need a way to hide an application from one group or users while keeping it visible to another
My situation is as follows:
I have a Production application and a training application. The backend groups sync'd to OKTA control the permissions within both the applications. All Users have the same group memberships for permissions purposes, except for the Training users they have a seperate additonal group membership. I need a way to make the Training app tile visible to the training group of users while in training, but not be able to see the Prod app tile. Then when their training is over, remove visibility from the Training Tile and make the Prod tile visible again.
Any one have a way to accomplish the above?
You could hide the training app from everyone and then you could create a bookmark app that points to the training app that you only grant access to the users you want to see the app.
Thank you for the suggestion.
The apps themselves are OIDC apps, and already have bookmarks assigned to them.
My problem is that the training and Prod users are members of the same backend groups, except for the training group. So by entitlment via group memberships, even the training users have visibility to the PROD bookmark app.
What I am trying to avoid having to do is duplicate the app permissions groups into two sets, one for PROD and one for Training as their are 15 of them. Administratively it would be a real pain to have to pull the training users from one set of permissions groups and re-assign to the other once their training period is over.
I was hoping there was a way that I could , within OKTA, control the visibility. If we only had to pull the training users out of the one group, then they could see the only the PROD app.
I think I'm following you now. In this case, if you are leveraging a group rule to populate the users to the Production group then you could add the training users to the "Except" users list in that group rule so they would not show up in the Production group but would still be in the Training group. This approach has a limit of 100 users and if you are doing SCIM provisioning this could cause issues.
https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-create-group-rules.htm#:~:text=In%20Except%20The%20following%20users,Click%20Save.
Correct!
Now I have tried to add the individual users from the training group into that Except Users list, as there will never be more than a handful of them, however the test user that I added as the exception, was still able to have visibility to both bookmarks. Am I missing something? Why would the exception user still see both tiles?
The training tile is only assigned to that training group mentioned previously.
Sorry just thought of something.... Would I have to remove the assignment from all the individual groups, and leave only the group that is created by the rule assigned to the Bookmark app, and the underlying app?
Would that be why the exception user isn't working?
Thank you for your input! I was able to figure out why the exception did not work, and fixed it.
I know have control of the visibility of both of the tiles. ( Needed to remove the Assignment of the apps from the groups included in the rule, and only leave the assignment to the group created via the rule ).
Thanks again,
-F