During the migration of an application, the following steps are typically the best path forward. One of those steps requires removing any custom entitlements imported from the downstream application. The following utility flows can be used to accomplish this.
Steps:
Entitlement Migration and Cleanup Steps
removeCustomGrantsPerApp.folder (98.8 KB)
The following steps outline the process for testing entitlement functionality and performing necessary cleanup:
1. Import Users: Initiate a user import from the application.
   - Result: Users with existing entitlements will initially appear with only Custom assignments. Bundles, Collections, or Additive Entitlements will not be assigned at this stage.
2. Capture Current State: Document the imported user access:
   - Run a Certification campaign for a user access snapshot, OR
   - Use the Principal Access API to extract all user entitlements.
3. Assign Managed Entitlements: Use workflows to assign pre-created bundles and/or individual entitlements that correspond to the imported custom entitlements. The mapping used by customers from existing IGA should guide this assignment if available.
4. Clean Up Custom Entitlements: Execute workflows designed to remove the custom entitlements.
   - Note: Upon completion, users should only have Additive Entitlements and/or Bundles assigned.
5. Verify Clean State: Run a subsequent import.
   - Proper Setup: If the setup is correct, the imported users’ entitlements should remain as Additive Entitlements and/or Bundles, with no Custom entitlements showing.
   - Note on Mismatch: If the entitlements do not match 100%, it indicates a discrepancy between the entitlements in the application and those defined in Okta. This discrepancy must be resolved.

How to Rectify Entitlement Mismatches:
After an import, if the bundles and/or entitlements granted in Step 3 resulted in new entitlements being assigned, you must correct the assignments:
- Option A (Full Reset): Remove the user entirely and then re-import them to pull in the user cleanly.
- Option B (Targeted Removal): Compare the user’s current entitlements against the snapshot or campaign run in Step 3 and manually remove the extra entitlements.

After correction (using Option A or B):
- Re-apply the correct combinations of entitlements and/or bundles.
- Re-run the import to check again for any Custom assignments.
- Repeat this rectification process until all users are imported without any Custom entitlements.
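
The Option B comparison and the "no Custom entitlements" check can be scripted once both states are exported. The following is an added example, not part of the original post or the attached flows; the row layout `(user, entitlement, value, grant_type)` and the grant-type labels are assumptions for illustration, not the Principal Access API response format, and the sample rows are constructed.

```python
from collections import defaultdict

# Constructed sample data. Row layout and grant_type labels are assumed.
SNAPSHOT = [  # state captured right after the first import
    ("alice", "role", "admin", "CUSTOM"),
    ("alice", "license", "pro", "CUSTOM"),
    ("bob", "role", "viewer", "CUSTOM"),
    ("carol", "role", "viewer", "CUSTOM"),
]
AFTER_IMPORT = [  # state after assignment, cleanup and the verification import
    ("alice", "role", "admin", "BUNDLE"),
    ("alice", "license", "pro", "BUNDLE"),
    ("alice", "role", "auditor", "BUNDLE"),  # bundle granted more than the app had
    ("bob", "role", "viewer", "CUSTOM"),     # custom grant survived cleanup
    ("carol", "role", "viewer", "ADDITIVE"),
]

def index(rows):
    """Map user -> {(entitlement, value): grant_type}."""
    by_user = defaultdict(dict)
    for user, entitlement, value, grant_type in rows:
        by_user[user][(entitlement, value)] = grant_type
    return by_user

def reconcile(snapshot_rows, current_rows):
    """Return per-user findings; users in a clean state are omitted."""
    snap, cur = index(snapshot_rows), index(current_rows)
    report = {}
    for user in sorted(set(snap) | set(cur)):
        before, after = snap.get(user, {}), cur.get(user, {})
        finding = {
            # access the user did not have in the application at snapshot time
            "extra": sorted(set(after) - set(before)),
            # access the user had at snapshot time that is no longer present
            "missing": sorted(set(before) - set(after)),
            # grants that still show as Custom after the verification import
            "still_custom": sorted(k for k, g in after.items() if g == "CUSTOM"),
        }
        if any(finding.values()):
            report[user] = finding
    return report

if __name__ == "__main__":
    for user, finding in reconcile(SNAPSHOT, AFTER_IMPORT).items():
        print(user, finding)
```

Entries under `extra` are the ones Option B removes; any `still_custom` entry means the rectification loop needs another pass for that user.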