06 - Configure Groups Flashcards

1
Q

Demo 5:

Demonstrate knowledge of the various methods for activating and deactivating users

A

Reprovisioning a Deactivated Active Directory Account

2
Q

Demo 5A:

Demonstrate knowledge of the various methods for activating and deactivating users

A

Activate and Deactivate Users

3
Q

Demo 5B:

Demonstrate knowledge of the various methods for activating and deactivating users

A

Okta Essentials Module 2: Define Your Users in Okta

4
Q

Demo 5C:

Demonstrate knowledge of the various methods for activating and deactivating users

A

Okta Technical Consultant Boot Camp: Defining Users

5
Q

What are the 3 types of groups:

A

a. Okta
b. Directory
c. Application

6
Q

What is the difference between an Okta group and the other 2 groups:

A

a. Okta groups are created and membership is managed in Okta.

b. The members of Okta groups can be Okta, Directory, or Application-mastered users.

7
Q

What is the difference between Directory group and the other 2 groups:

A

a. Directory groups are created and membership is managed in the external directory service.
b. Only directory-mastered users can be members of directory groups; this is established in the external directory service.
c. Directory groups are copied into Okta
d. If the external directory instance is deactivated or deleted, the associated groups no longer appear in Okta.

8
Q

What is the difference between Application group and the other 2 groups:

A

a. Application groups are created and membership is managed in the application.
b. Members of application groups are pulled into Okta during application creation.
c. Application groups are copied into Okta.
d. If the application connector is deactivated or deleted, the group no longer appears in Okta.

9
Q

Can you have a duplicate group name from different directories?

A

a. Yes

10
Q

Can you have duplicate group names on the same directory?

A

a. No. For example, you can have an Okta Sales group and an Active Directory Sales group, but you cannot have two Okta Sales groups. Notice that groups can have the same name but a different source. What makes the group unique is the source plus the group name.

11
Q

Can you delete or modify groups in Okta?

A

a. No. Directory groups are completely managed on the directory service. You cannot delete or modify the group within Okta.

12
Q

What should you do if you need to delete a group in AD?

A

a. If a group is to be deleted, perform the deletion in Active Directory and run a full import to have the agent push the update to Okta.

13
Q

Do all Applications support groups?

A

a. No

14
Q

What is the best practice for working with diverse groups of Okta and AD groups?

A

a. For example, if your contractor Sales team is not part of your Active Directory domain, but they require access through Okta to Salesforce, you can create Okta-mastered users and groups for the contractor Sales people.

15
Q

What do groups allow administrators to do?

A

i. Divide the user base into smaller segments and refine application access and security policies.
ii. People and applications can be members of a group.
iii. People are automatically assigned any applications that are members of a group.

16
Q

What are the 3 types of groups?

A

i. Okta groups
ii. Directory Groups
iii. Application groups

17
Q

What is entailed in an Okta group?

A

i. OG is created and membership is managed in Okta

ii. The members of OG can be Okta, directory or App-mastered users.

18
Q

What is entailed in a Directory Group (DG)?

A

i. DGs are created and membership is managed in the external services.
ii. Only DMU can be members of DG. This is established in the external Directory Service.
iii. DG is copied into Okta
iv. If the external directory instance is deactivated or deleted, the associated groups no longer appear in Okta.

19
Q

What is entailed in an application group (AG)?

A

i. AG are created and membership is managed in the app.
ii. Members of AG are pulled into Okta during app creation.
iii. AG are copied into Okta
iv. If the app connector is deactivated or deleted, the group no longer appears in Okta.

20
Q

Is creating groups mandatory?

A

i. No, but you can use groups to segment users in similar job roles or functions.

21
Q

Can you associate any user with an Okta Group?

A

i. Yes, but only DMU can be associated with groups defined on the same directory server, and application-mastered users can only be associated with groups defined in the application.

22
Q

How are directory groups created?

A

Directory groups are created on the directory instance and copied into Okta. All directory group changes must be performed on the directory server and pulled into Okta.

23
Q

Okta directory agents are able to copy the directory group information because of

A

i. The permissions granted to the Okta service account.

24
Q

What happens when you delete or deactivate a directory instance?

A

If you deactivate or delete a directory instance, these groups no longer appear and the associations to applications are removed.

25
Q

How are application groups created?

A

a. Application groups are created in the application and copied into Okta, after you have enabled provisioning.

26
Q

True/False. All application group changes must be performed in the application and pulled into Okta.

A

i. True

27
Q

True/False. While you can have duplicate group names from different directories, you cannot have duplicate group names on the same directory.

A

i. True. For example, you can have an Okta Sales group and an Active Directory Sales group, but you cannot have two Okta Sales groups. Notice that groups can have the same name but a different source. What makes the group unique is the source plus the group name.

28
Q

True/False. Okta groups are identified by the Okta icon – you name the groups and (optionally) provide a description.

A

i. Yes. By default, Okta has an Everyone group which contains all Okta, directory, and application users, regardless of status. Okta groups can be helpful when associating applications with people performing similar roles. For example, you can place all Okta-mastered administrator accounts into a distinct group.

29
Q

What’s the process for creating a group rule to opt someone in or out of an application?

A

a. Directory > Group
b. See both Okta groups and AD Groups
c. Create “Sales Staff”
d. Create “Marketing Staff”
e. Add people to groups
f. Associate apps to this group
g. “Manage Group”
h. Manually add people to groups.
i. Manage my app so I can decide everybody in sales needs access to a certain application therefore assign the app.

30
Q

How do you automate adding people to groups and apps?

A

a. Groups ==> Rules
b. “Add Rule”
c. User attribute or Group membership
d. Expression Builder > Department = Sales assign to “Sales Staff”
e. Activate the rule
f. Anyone in the org who qualifies is then automatically assigned to this group.
g. Go back and select “Jack” and edit his department to “Sales Staff” so he can qualify (for this example).

31
Q

Oliver has deleted the AD sales group in AD because he is now using rules in Okta to populate the Okta Sales group. When Oli is reviewing the group, he notices that the AD Sales Group is still appearing in Okta. Why is it still appearing in Okta?

A

a. An import from AD was not processed to reflect this change.