Okta Lifecycle Management (LCM)

41 Terms

1

What is Okta Lifecycle Management (LCM)?

LCM automates user account creation, updates, and deactivation across all integrated systems.

2

What are the benefits of Lifecycle Management (LCM)?

Onboards users quickly, adjusts access automatically when roles change, offboards users properly to reduce risk, avoids manual errors, and manages user access across systems.

3

What does the Joiner (Onboarding) process do in LCM?

It creates the user in Okta, fills their profile with upstream attributes, assigns them to groups, and provisions them into apps based on group membership.

4

What happens during the Mover (Role Change) process in LCM?

It updates the Okta user profile, changes their group membership, deprovisions apps they no longer need, and provisions apps required for the new role.

5

What actions are taken during the Leaver (Offboarding) process in LCM?

It deactivates the Okta account, deprovisions the user from apps, and revokes all access immediately.

6

What is user provisioning in Okta?

Provisioning is syncing user accounts between Okta and an app, handling create, update, deactivate, and reactivate actions.

7

What are upstream apps in the Okta provisioning context?

These systems are the source of truth for user attributes and include HR systems and directory services.

8

What are downstream apps in the Okta provisioning context?

These apps receive provisioning actions from Okta and include services like Salesforce, Box, Google Workspace, and Slack.

9

What is agent-based provisioning?

It is a method used for on-premises directories using agents like Active Directory and LDAP.

10

What is API-based provisioning?

It uses cloud-based API calls to manage users, utilizing protocols like SCIM and vendor-specific APIs.

11

What is SCIM in the context of provisioning?

SCIM (System for Cross-domain Identity Management) enables Create, Update, Deactivate actions via standardized REST endpoints.

12

What triggers JML events in Okta?

JML events are triggered by changes in the HR system or directories, such as onboarding, role changes, or terminations.

13

What happens when a worker changes department in Okta?

Their Okta user profile is updated, group membership changes, and apps are provisioned or deprovisioned based on the new role.

14

What does profile mastering mean in Okta?

Profile mastering refers to an app becoming the attribute source, preventing Okta from modifying sourced attributes.

15

How does deactivation in Okta impact downstream apps?

Deactivation in Okta cascades downstream, resulting in users losing access everywhere immediately.

16
What is Okta Lifecycle Management (LCM)?
A system that automates user account creation
17
What does LCM help organizations do?
Streamline onboarding/offboarding
18
What are the three stages of the JML process?
Joiner
19
What triggers the Joiner stage?
A new worker is added to an HR system or directory.
20
What does LCM do during the Joiner stage?
Creates the Okta user
21
What triggers the Mover stage?
A worker's role or department changes in the HR system.
22
What does LCM do during the Mover stage?
Updates user attributes
23
What triggers the Leaver stage?
A worker is marked as terminated in the HR or directory system.
24
What does LCM do during the Leaver stage?
Deactivates the Okta user and deprovisions them from all apps.
25
What is user provisioning?
Syncing user account data between Okta and applications (create
26
What are upstream apps?
Systems that send user data to Okta
27
What happens when a profile is sourced from an upstream app?
Attributes become read-only in Okta and can only be edited in the source system.
28
What are downstream apps?
Applications that receive provisioning instructions from Okta.
29
What does Okta do for downstream apps?
Creates
30
What is agent-based provisioning?
Provisioning that uses an on-prem agent like AD or LDAP to sync users between Okta and directories.
31
Which agents does Okta support for agent-based provisioning?
Active Directory (AD) and LDAP agents.
32
What is API-based provisioning?
Provisioning using SCIM or vendor APIs over web protocols.
33
What protocol does SCIM use?
Standard REST APIs for Create
34
When should SCIM be used?
For cloud apps that support modern API-based provisioning.
35
What is Profile Mastering?
When an app (usually HR or directory) becomes the authoritative source for user attributes.
36
What cannot be edited when a profile is mastered upstream?
Any attributes sourced from the master system; they become read-only in Okta.
37
What determines app access in LCM?
Group membership based on user attributes and group rules.
38
What does Okta do when a user is deactivated?
Immediately revokes access and deprovisions the user from downstream apps.
39
What does mover automation prevent?
Stale access by removing apps the user no longer needs.
40
What does joiner automation ensure?
New users receive correct access and apps on day one without manual provisioning.