Access Certification for Inactive Application Users

Problem Statement:

1. You have an application that costs $$$ for every user provisioned with a license

2. After assigning the said license to a user, some users are heavily active while some aren’t

3. You want to know which users are actively and passively using the application

4. If a user is passively using the application, you want to review them and certify them if they still need access to the application

5. Overall, you want to save $$$ and make sure your licenses are appropriately used and activated

How Okta can address this:

Solution Overview:

Okta Workflows setup:

1 Parent Flow called Application Inactive Parent Flow and 3 Child/Helper Flows

In summary, the custom flows do the following:

1. Parent flow – Accepts an application name as input, which flags the application to be reviewed.

2. Process Users AssignedInApplication Child Flow – Loops through all users who are assigned to the application and builds their information in the custom table. This child flow uses the Okta System Logs to determine how many times a user has accessed the application.

*Make sure you grant your Okta Workflow OAuth Application the Log Okta API scope so that the workflow works as designed.

3. Process User Activity List Child Flow – Loops through the event logs, counts how many times a user has successfully accessed the application, and updates the custom table in the workflow.

4. Add User For Application – Adds the users to the group to be certified if they are deemed to be inactive.

Once the flow is finished, you can act on the Access Certification Campaign review in Okta.
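The counting and flagging logic the child flows perform can be sketched outside Workflows as follows. This is an added example, not the flow described in this post: the events are constructed in the shape of Okta System Log entries, and the app instance ID, user IDs, function names, and the `min_logins` threshold are all assumptions. It matches on the app instance ID where the parent flow takes an application name.

```python
from collections import Counter

APP_ID = "0oaEXAMPLEAPP"  # constructed app instance id (assumption)

def _ev(user_id, result, app_id):
    """Build a constructed event shaped like an Okta System Log entry."""
    return {"eventType": "user.authentication.sso",
            "outcome": {"result": result},
            "actor": {"id": user_id, "type": "User"},
            "target": [{"id": app_id, "type": "AppInstance"}]}

# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _ev("00uALICE", "SUCCESS", APP_ID),
    _ev("00uALICE", "SUCCESS", APP_ID),
    _ev("00uBOB", "FAILURE", APP_ID),         # failed attempt is not usage
    _ev("00uBOB", "SUCCESS", "0oaOTHERAPP"),  # a different application
    _ev("00uDAVE", "SUCCESS", APP_ID),        # user who is no longer assigned
]

# Users currently assigned to the application (constructed).
ASSIGNED = {"00uALICE": "alice@example.com",
            "00uBOB": "bob@example.com",
            "00uCAROL": "carol@example.com"}  # assigned, never signed in

def count_successful_access(events, app_id):
    """Count successful SSO events per user id for one app instance."""
    counts = Counter()
    for ev in events:
        if ev.get("eventType") != "user.authentication.sso":
            continue
        if (ev.get("outcome") or {}).get("result") != "SUCCESS":
            continue
        targets = ev.get("target") or []
        if any(t.get("type") == "AppInstance" and t.get("id") == app_id
               for t in targets):
            counts[(ev.get("actor") or {}).get("id")] += 1
    return counts

def inactive_users(assigned, events, app_id, min_logins=1):
    """Return logins of assigned users below the activity threshold.

    Iterating over the assignment list, not the log, is what catches users
    who never appear in the log at all.
    """
    counts = count_successful_access(events, app_id)
    return sorted(login for uid, login in assigned.items()
                  if counts.get(uid, 0) < min_logins)

if __name__ == "__main__":
    print(inactive_users(ASSIGNED, SAMPLE_EVENTS, APP_ID))
```

The users returned here are the ones the last child flow would add to the group under certification.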

Check out the demo video at:

If you want access to the flow, please reach out to, and we would gladly assist you with the solution above.
