Okta Lifecycle Management (LCM)

Okta Lifecycle Management (LCM): Study Notes (Okta Professional + Administrator)

1. What is Lifecycle Management (LCM)?

Okta Lifecycle Management automates user account creation, updates, and deactivation across all integrated systems.

LCM helps organizations:

  • Onboard users quickly

  • Adjust access automatically when roles change

  • Offboard users properly to reduce risk

  • Avoid manual errors that create security gaps

  • Manage user access across HR systems, directories, and apps

This is a core exam topic — expect questions on provisioning flows, JML, and upstream/downstream sources.


2. JML (Joiner–Mover–Leaver) Process

This model represents the entire lifecycle of a user in an organization.

Joiner (Onboarding)

Triggered when a new worker appears in an HR system or directory.

LCM automatically:

  • Creates the user in Okta

  • Fills their Okta profile with upstream attributes (department, title, etc.)

  • Assigns the user to Okta groups

  • Provisions the user into apps based on group membership

Important exam point:
If a profile is sourced from an upstream system, you cannot manually edit those attributes in Okta.


Mover (Role Change)

Triggered when a user’s attributes (like department or title) change in HR or a directory.

LCM automatically:

  • Updates the Okta user profile

  • Changes their group membership

  • Deprovisions apps they no longer need

  • Provisions apps required for the new role

Exam tip: Group rules + provisioning rules determine which apps are removed or added.


Leaver (Offboarding)

Triggered when HR or a directory marks a user as terminated.

LCM automatically:

  • Deactivates the Okta account

  • Deprovisions the user from apps

  • Revokes all access immediately

Critical exam concept:
Deactivation in Okta cascades downstream → users lose access everywhere.


3. User Provisioning Concepts

Provisioning = syncing user accounts between Okta and an app.

Provisioning handles:

  • Create

  • Update

  • Deactivate

  • Reactivate

Which of these actions are available depends on the integration.

Provisioning happens in two directions:


Upstream Apps (Send data into Okta)

These systems are the source of truth for user attributes.

Examples:

  • HR systems (Workday, SuccessFactors)

  • Directory services (AD, LDAP)

When a profile is sourced from upstream:

  • Okta cannot modify sourced attributes

  • Okta only consumes (imports) changes

  • Group rules and app assignments are driven by these attributes

Exam keyword: Profile Mastering = when an app becomes the attribute source.


Downstream Apps (Receive data from Okta)

These apps get provisioning actions from Okta.

Examples:

  • Salesforce

  • Box

  • Google Workspace

  • Slack

  • ServiceNow

Okta:

  • Creates user accounts in these apps

  • Updates attributes

  • Deactivates accounts when the user is offboarded


4. Provisioning Methods

Okta supports two main provisioning mechanisms:


A. Agent-Based Provisioning

Used for on-premises directories.

Supported agents:

  • Active Directory (AD) agent

  • LDAP agent

Characteristics:

  • Installed on a server

  • Maintains a secure outbound connection to Okta

  • Supports authentication, imports, group pushes, and provisioning

Exam note:
AD and LDAP are the only agent-based provisioning methods.


B. API-Based Provisioning

Uses cloud-based API calls to manage users.

Protocols:

  • SCIM (System for Cross-domain Identity Management)

  • Vendor-specific APIs (Salesforce, Box, etc.)

Benefits:

  • No agents or on-prem servers

  • Standardized automation

  • Ideal for cloud applications

Exam must-know:
SCIM enables Create, Update, Deactivate via standardized REST endpoints.
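
Added example (not Okta's code and not part of the original notes): a simplified model of how one upstream change in the JML flow turns into SCIM Create and Deactivate requests for downstream apps. The group rules, app names, user IDs and the "active" profile field are constructed assumptions; the schema URNs and the PATCH body shape come from SCIM 2.0 (RFC 7643/7644).

```python
import json

# Constructed rules, not from a real tenant: attribute match -> Okta group -> downstream apps.
GROUP_RULES = {("department", "Sales"): "grp-sales", ("department", "Engineering"): "grp-eng"}
GROUP_APPS = {"grp-sales": {"salesforce", "slack"}, "grp-eng": {"slack", "box"}}

# Schema URNs defined by SCIM 2.0 (RFC 7643 / RFC 7644).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def apps_for(profile):
    """Apps a profile is entitled to; empty if it is absent or marked terminated."""
    if not profile or not profile.get("active", True):  # "active" is an assumed field name
        return set()
    groups = {g for (attr, val), g in GROUP_RULES.items() if profile.get(attr) == val}
    return set().union(*(GROUP_APPS[g] for g in groups))


def scim_create(profile):
    """Create: POST /Users with a core User resource."""
    return ("POST", "/Users",
            {"schemas": [USER_SCHEMA], "userName": profile["userName"], "active": True})


def scim_deactivate(scim_id):
    """Deactivate: PATCH the existing resource, setting active to false."""
    return ("PATCH", f"/Users/{scim_id}",
            {"schemas": [PATCH_SCHEMA],
             "Operations": [{"op": "replace", "value": {"active": False}}]})


def plan(before, after, scim_ids):
    """Map each affected app to the SCIM request one upstream change implies.

    before/after: upstream-sourced profile (before is None for a Joiner).
    scim_ids: app -> the user's id in that app, needed to address the PATCH.
    """
    old, new = apps_for(before), apps_for(after)
    requests = {app: scim_create(after) for app in new - old}
    requests.update({app: scim_deactivate(scim_ids[app]) for app in old - new})
    return requests


if __name__ == "__main__":
    sales = {"userName": "pat@example.com", "department": "Sales"}  # constructed sample
    eng = dict(sales, department="Engineering")
    ids = {"salesforce": "sf-1", "slack": "sl-1"}
    print(json.dumps(plan(sales, eng, ids), indent=2, sort_keys=True))
```

For the Mover in the demo, Slack appears in neither list because both groups grant it; only the apps that differ between the old and new role generate requests.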


What will the exam test?

Expect questions on:

  • What triggers JML events

  • Upstream vs. downstream definitions

  • What happens when a worker changes department

  • Group rule behavior

  • SCIM vs. agent-based provisioning

  • What Okta can/cannot update when profile mastering is enabled

  • How deactivation impacts downstream apps